Free Practice Questions for CyberArk PAM-DEF Exam

Suspected credential theft is a detection that PTA reports when a user connects to a machine or a cloud service without first retrieving the required credentials from the Vault. To detect this event, PTA requires the following sensors:

Logs: This sensor collects log data from various sources, such as SIEM, Unix, AWS, and Azure, and forwards it to the PTA Server for analysis.

Network Sensor: This sensor taps the network and collects network traffic data, which is used by the PTA Server to run deep packet inspection algorithms and detect cyber attacks, such as PAC, OverPass the Hash, and Golden Ticket.

Vault Logs: This sensor collects log data from the Vault and forwards it to the PTA Server for analysis. The Vault logs contain information about the users’ activities in the Vault, such as password retrieval, session initiation, and audit records.

References: What Detections Does PTA Report?, PTA Network Sensors

 SSH keys are a way to authenticate to a target machine with a privileged account, and are subject to the same risks and challenges as privileged passwords. CyberArk provides an out-of-the-box target platform to manage SSH keys, called UNIX Via SSH Keys, which simplifies and automates SSH keys lifecycle management. This platform works as follows:

CyberArk stores the private keys in the Vault, where they benefit from all the security and accessibility features of the Vault, such as encryption, auditing, and backup.

CyberArk updates the public keys on the target systems, using a parent account that has access to the file that contains the public key, such as ~/.ssh/authorized_keys. CyberArk can generate new random SSH key pairs and update the public keys on the target systems according to the organizational policy, such as after a single use, after a predefined period, or manually.

CyberArk can also verify that the private and public keys are synchronized, and reconcile them if they are not, using a reconcile account that can reset the SSH key pairs on the target systems.

References: Manage SSH Keys, Use SSH Keys

The Replicate component can be used to create a tape backup of the Vault. The Replicate component is a utility that exports the encrypted contents of the Safes and the Vault metadata to a computer outside the Vault environment. A global backup system can then access the replicated files and copy them to a tape or any other backup media. The Replicate component is part of the CyberArk Backup Process, which provides a secure and easy method of backing up and restoring the Vault data12. The other components are not related to the tape backup of the Vault. Disaster Recovery is a feature that enables the Vault to recover from a catastrophic failure by using a standby Vault server3. Distributed Vaults is a feature that enables the Vault to synchronize data with other Vaults in different locations4. High Availability is a feature that enables the Vault to maintain continuous operation by using a primary and a secondary Vault server. References:

Use the CyberArk Backup Process - CyberArk, section “Use the CyberArk Backup Process”

Install the Vault Backup Utility - CyberArk, section “Backup utilities”

Disaster Recovery - CyberArk, section “Disaster Recovery”

Distributed Vaults - CyberArk, section “Distributed Vaults”

[High Availability - CyberArk], section “High Availability”

 A Reconcile account can be assigned in the Privileged Vault Web Access (PVWA) at both the account level and within the platform configuration. At the account level, a Reconcile account password can be defined which will override the account specified in the platform1. In the platform configuration, you can navigate to Platform Management, select the platform, edit it, and then expand Automatic Password Management to enter the values in the ‘ReconcileAccountSafe’ and ‘ReconcileAccountName’ fields, which will apply to all accounts attached to that specific platform2.

References:

CyberArk Docs - Reconcile Password1

CyberArk Community - Associate reconcile account with a specific platform

This configuration ensures that privileged sessions are monitored and isolated, and all session activities are recorded and saved for future reference 1.

 When a user is a member of more than one group that has authorizations on a safe, by default that user is granted the cumulative permissions of all groups to which that user belongs. This means that the user will have the highest level of access that any of the groups have on the safe. For example, if one group has View and Retrieve permissions, and another group has Add and Delete permissions, the user will have View, Retrieve, Add, and Delete permissions on the safe. This is the default behavior of the vault, unless the Exclusive option is enabled on the safe. The Exclusive option restricts the user’s permissions to only those of the group added to the safe first. References:

[Defender PAM eLearning Course], Module 3: Safes and Permissions, Lesson 3.2: Safe Permissions, Slide 8: Cumulative Permissions

[Defender PAM Sample Items Study Guide], Question 1: Safe Permissions

[CyberArk Documentation Portal], CyberArk Privileged Access Security Implementation Guide, Chapter 3: Managing Safes, Section: Safe Properties, Subsection: Exclusive

When a new domain controller is added to a domain, it is necessary to update the CyberArk infrastructure to ensure it can use the new domain controller for authentication. This involves updating the hosts file on the Vault server located at Windows\System32\Etc\Hosts to include the new domain controller’s details. Additionally, within the PVWA Application, you need to navigate to Administration > LDAP Integration > Directories > Hosts and update the information there as well. This ensures that both the Vault server and the PVWA Application are aware of the new domain controller and can authenticate against it1.

References:

CyberArk’s official documentation on configuring Active Directory integration, which includes details on setting up domain controllers for authentication2.

Information on adding Active Directory as a directory service in CyberArk Identity, which discusses the integration of domain controllers3.

The Export Vault Data (EVD) utility is used to export data from the CyberArk Vault to TXT or CSV files, or to MSSQL databases. This utility enables the creation of reports such as a list of Safes or incoming requests by exporting data from the Vault. Each report is saved in a separate file, which can then be imported into third-party applications or databases for further analysis or reporting purposes12.

References:

CyberArk Docs - Export Vault Data (EVD) utility1

CyberArk Docs - Export data to files

According to the web search results, when a DR Vault Server becomes an active vault, it will not automatically revert back to DR mode once the Primary Vault comes back online. The Vault administrator must manually set the DR Vault to DR mode by setting “FailoverMode=no” in the padr.ini file1. This file is located in the /opt/CARKaim/conf directory on the DR Vault machine2. The Vault administrator must also stop the replication process on the DR Vault and restart the PrivateArk Server service1. This procedure is known as a DR failback, which restores the original roles of the Primary Vault and the DR Vault after a failover1. The AllowFailback setting in the padr.ini file does not affect the DR failback process, as it only determines whether the DR Vault can be used as a backup for another DR Vault in a cascading DR scenario3. The dbparm.ini file is not relevant for the DR failback process, as it contains the database parameters for the Vault server. References:

Initiate a DR failback to the Production Vault - CyberArk

Install the Disaster Recovery application - CyberArk

Cascading DR - CyberArk

[dbparm.ini file - CyberArk]

 To ensure that a user group can connect through the Privileged Session Manager (PSM) without seeing the password, you must grant the Use Accounts and Retrieve Files permissions to the group for the safe. The Use Accounts permission allows users to initiate sessions using accounts without viewing the account details or passwords. The Retrieve Files permission enables users to retrieve files during PSM sessions without having access to the passwords1.

References:

CyberArk Docs - Safe Permissions