A new Vault will be deployed within a highly regulated environment. Regulations require that all operating systems on the network are regularly updated.
How does CyberArk recommend hardened Vaults are automatically updated?
A. Using a dedicated WSUS server and install patches monthly.
D. Integrate the Vault with the domain for monthly updates.
A customer has a requirement to implement CyberArk with the lowest recovery time objective possible for the vault server failure in both the primary and secondary datacenter.
Which Architecture is the most suitable for this?
A. Deploy a multi cloud, multi region Architecture with 4 vaults. 2 vaults per public cloud across different regions.
B. Deploy both Primary and DR vault clusters in primary and secondary datacenters.
C. Deploy Distributed vaults. 1 Primary vault and 1 satellite vault in the primary datacenter and 2 satellite vaults in the secondary datacenter.
D. Deploy Primary and DR standalone vaults in a single public cloud environment within the same region across different availability zones.
DRAG DROP -
Match the Conjur Services and Options:
When Dual Control is enabled for a platform in the Master Policy, exceptions can be configured in these two places. (Choose two.)
A. Exceptions can be configured in the safe permissions for specific users or groups.
B. Exceptions can be configured in the object level of individual vaulted accounts associated with that platform.
C. Exceptions can be configured for PSM connectivity at the platform level.
D. Exceptions can be configured for specific users or groups at the master policy level.
E. Exceptions can be configured in vault level permissions for specific users and groups.
The manager of Active Directory asks you to temporarily enable Object Level Access Control (OLAC) on a safe for which they are the owner, so that they can control which users can use a specific Domain Admin account.
What limitation of OLAC should you discuss with them?
A. OLAC does not enable granular control of which users can use a specific object.
B. Once enabled, object level access control cannot be disabled.
C. With object level access control enabled, PSM operations on the managed accounts are not supported.
D. New accounts cannot be added to the safe, once OLAC is enabled.
You are installing the Digital Vault in AWS.
When does the hardening happen?
A. After the initial installation is completed.
B. It is not recommended to harden the Vault in AWS.
C. During the installation procedure.
D. Before the installation starts by running script.
What is a SCIM Server?
A. Secure for CyberArk Identity Manager.
B. System for Cross Identity Management.
C. System for CyberArk Identity Management.
D. Secure Compute Information Manager.
Choose the two controls that can be defined at the Master Policy level. (Choose two.)
A. Require dual control password access approval.
B. Enforce one-time password access.
C. Automatically reconcile password when changing.
D. PSM recording retention period.
E. Set number of password versions to be retained.
Which items are required for configuring PSM external recording storage?
A. SMB 3.0 supported storage, A Windows Privileged Account, Storage-level Tampering Protection.
ClientABC is moving into their DevOps space. They currently are using CCP and are considering Conjur. They've noticed that there is quite a bit of overlap.
How would you explain the difference between the two? (Choose two).
A. Conjur is well suited for the velocity of the CI/CD pipeline because it includes native authentication such as API keys, IAM, and OAuth. You store the secret at the project folder level.
B. CCP is a good choice if you're using client certificate authentication. With CCP you need to authenticate and pass an application ID and your query for your secret.
C. Conjur is best suited for static secrets. You only need to pass an API key to make the call. This is suited well for the velocity of the CI/CD pipeline because it integrates seamlessly with containers.
D. CCP is best used for ad-hoc scripts. It's a great choice because you're able to use enhanced authentication mechanisms such as 'Path' and 'Hash'.
E. When trying to decide between the two, you should generally choose CCP, as Conjur cannot be integrated with the same vault that is used for CyberArk PAM.
A customer has given you the task of onboarding more than 1,000 Local Admin accounts. The accounts are all used by the same team and exist in a control zone.
Which CyberArk feature would offer an automated way of achieving this task?
A. Password Upload Utility
B. Auto-Detection
C. Auto-Reconcile
D. Remote Control Agent
Which type of attack can CyberArk mitigate?
A. Pass-the-Hash
B. SQL Injection
C. DDOS
D. Phishing
What is the encryption requirement for the HSM?
A. The HSM must support AES-192 encryption in ECB mode.
B. The HSM must support Triple Data Encryption Standard (TripleDES).
C. The HSM must support AES-256 encryption in ECB and CBC modes.
D. The HSM must support Blowfish encryption algorithm.
In CyberArk Remote Access, if you want to copy files in PSM sessions, and you have more than one Remote Access Connector server, you must:
A. Configure the load balancer with sticky sessions and use a standalone HTML5 gateway server.
B. Configure the load balancer for round-robin load balancing and use a standalone HTML5 gateway server.
C. Configure the load balancer with sticky sessions and deploy a PSM server instead of an HTML5 gateway server.
D. Configure the load balancer with sticky sessions and go directly to the PSM server without an HTML5 gateway.
How is a Secondary PTA server promoted to a Primary PTA Server?
A. A manual procedure.
B. Automatically using the PTA Network Sensors.
C. This is not possible.
D. Automatically using a BASH script.
Which Secrets Manager component is recommended to put behind a load-balancer, for availability and redundancy?
A. Application Server Credential Provider
B. Credential Provider
C. Central Credential Provider
D. Conjur Synchronizer
You are implementing PAM for your globally distributed organization. The locations are England (UK), Boston (USA) and Hong Kong (ROC).
Each location has 2 data centers that are physically separated for disaster mitigation.
The decision has been made to set England DC 1 as the Primary DC.
Components will be scaled horizontally where necessary in later phases.
All DCs can communicate with each other.
The Solution must offer the following:
Resilient Access to target Systems
Primary Location must be highly resilient
Recoverable from all locations
Global Resilience to outages
A single Master Policy should govern the solution
Load Balancing is possible between DC's in the Same Region.
What is the minimum to meet these requirements?
AUK DC 1 :- Vault, PVWA, PSM, CPM, PTAUK DC 2 :- DR Vault, PVWA, PSM, DR PTAUS DC 1 :- DR Vault, PVWA, PSM, CPMUS DC 2 :- PVWA, PSM -ROC DC 1 :- DR Vault, PVWA, PSM, CPMROC DC 2 :- PVWA, PSM
BUK DC 1 :- Vault, PVWA, PSM, CPM, PTAUK DC 2 :- PVWA, PSM, DR PTA -US DC 1 :- DR Vault, PVWA, PSM, CPMUS DC 2 :- PVWA, PSM -ROC DC 1 :- DR Vault, PVWA, PSM, CPMROC DC 2 :- PVWA, PSM
CUK DC 1 :- Vault, PVWA, PSM, CPM, PTAUK DC 2 :- DR Vault, PVWA, PSM, CPM, PTAUS DC 1 :- Vault, PVWA, PSM, CPM, PTAUS DC 2 :- DR Vault, PVWA, PSM, CPM, PTAROC DC 1 :- Vault, PVWA, PSM, CPM, PTAROC DC 2 :- DR Vault, PVWA, PSM, CPM, PTA
DUK DC 1 :- Vault, PVWA, PSM, CPM, PTAUK DC 2 :- DR Vault, PVWA, PSM, CPM, DR PTAUS DC 1 :- DR Vault, PVWA, PSM, CPMUS DC 2 :- DR Vault, PVWA, PSM, CPMROC DC 1 :- DR Vault, PVWA, PSM, CPMROC DC 2 :- DR Vault, PVWA, PSM, CPM
Which option below is an advanced Master Policy rule?
A. Allow users to select a reason for access.
B. Allow Manual Change.
C. Allow Users to View Passwords.
D. Only Administrators can approve password access.
What risk should be considered prior to enabling OLAC (Object Level Access Control)?
A. OLAC can significantly impact Vault performance.
B. OLAC can increase in complexity for user access workflows.
C. OLAC prevents the use of PSM session isolation and recording.
D. OLAC automatically grants 'Use' and 'Retrieve' authorizations to any new safe owner.
In most instances, why should a failed CPM verification, followed by a reconciliation action be treated as a security incident?
A. The secret may have been changed outside of CyberArk and is compromised.
B. The secret is not configured for automatic reconciliation.
C. The CPM should not be performing automatic reconciliation actions.
D. The secret was rotated outside of an approved change-control window.
DRAG DROP -
In CyberArk Remote Access, match the Persona with the Job Role:
DRAG DROP -
Put the events in the correct order for the PSM for SSH MFA Caching authentication workflow which is available as of v12.1.
DRAG DROP -
Customer ACME Corp has deployed EPM SaaS and is moving towards Advanced Application Policies.
As a Senior Consultant, you have to help the customer to understand the advantages & disadvantages of Application parameters vs. checksum.
Match the options below to their correct match.
DRAG DROP -
Place the steps to create a new Alero Tenant in the correct order.