PAM-DEF Free Practice Test

What is the easiest way to duplicate an existing platform?

1. A. From PrivateArk, copy/paste the appropriate Policy.ini file; then rename it.
2. B. From the PVWA, navigate to the platforms page, select an existing platform that is similar to the new target account platform and then click Duplicate; name the new platform.
3. C. From PrivateArk, copy/paste the appropriate settings in PVConfiguration.xml; then update the policyName variable.
4. D. From the PVWA, navigate to the platforms page, select an existing platform that is similar to the new target account platform, manually update the platform settings and click “Save as” INSTEAD of save to duplicate and rename the platform.

Correct Answer: B
The easiest way to duplicate an existing platform is to use the PVWA, which is the web interface that allows users to access and manage the CyberArk Defender PAM system. The PVWA has a platforms page that displays all the platforms that are available in the system, categorized by platform types. Users can duplicate an existing platform by selecting it, clicking the ellipsis button next to it, and then clicking Duplicate. This will create a copy of the platform with the same settings and properties, which can be customized according to the user’s needs. Users can name the new platform and save it in the system.
References: Manage platforms - CyberArk

All of your Unix root passwords are stored in the safe UnixRoot. Dual control is enabled for some of the accounts in that safe. The members of the AD group UnixAdmins need to be able to use the show, copy, and connect buttons on those passwords at any time without confirmation. The members of the AD group Operations Staff need to be able to use the show, copy and connect buttons on those passwords on an emergency basis, but only with the approval of a member of Operations Managers never need to be able to use the show, copy or connect buttons themselves.
Which safe permission do you need to grant Operations Staff? Check all that apply.

1. A. Use Accounts
2. B. Retrieve Accounts
3. C. Authorize Password Requests
4. D. Access Safe without Authorization

Correct Answer: AB
To use the show, copy, and connect buttons on the accounts in the safe UnixRoot, the Operations Staff need to have the Use Accounts permission, which allows them to request access to the accounts and perform actions on them. However, since dual control is enabled for some of the accounts, they also need to have the Retrieve Accounts permission, which allows them to view the password of the account after it is authorized by another user. The Authorize Password Requests permission is not needed, as it is only required for the users who can approve the requests, not the ones who make them. The Access Safe without Authorization permission is not needed, as it would bypass the dual control mechanism and allow the Operations Staff to access the accounts without approval. References:
✑ [Defender PAM Sample Items Study Guide], page 10, question 5
✑ [CyberArk Privileged Access Security Implementation Guide], page 30, table 2-1
✑ [CyberArk Privileged Access Security Administration Guide], page 43, section 3.2.2.1

CyberArk recommends implementing object level access control on all Safes.

1. A. True
2. B. False

Correct Answer: B
CyberArk does not recommend implementing object level access control on all Safes. According to the CyberArk documentation1, enabling object level access control impacts Vault performance. Therefore, it should be used only when necessary and with caution. Object level access control is useful when you need to give granular permissions to specific passwords or files in a Safe, regardless of the Safe level member authorizations. For example, you can use it to grant access to an external vendor or technician for a specific password only, without exposing any other passwords or files in the Safe. However, if you do not need this level of granularity, you can use the regular Safe member authorizations to control user access to the Safe and its contents.

What does the Export Vault Data (EVD) utility do?

1. A. exports data from the Vault to TXT or CSV files, or to MSSQL databases
2. B. generates a backup file that can be used as a cold backup
3. C. exports all passwords and imports them into another instance of CyberArk
4. D. keeps two active vaults in sync

Correct Answer: A
The Export Vault Data (EVD) utility is used to export data from the CyberArk Vault to TXT or CSV files, or to MSSQL databases. This utility enables the creation of reports such as a list of Safes or incoming requests by exporting data from the Vault. Each report is saved in a separate file, which can then be imported into third-party applications or databases for further analysis or reporting purposes12.
References:
✑ CyberArk Docs - Export Vault Data (EVD) utility1
✑ CyberArk Docs - Export data to files

Which of the following PTA detections require the deployment of a Network Sensor or installing the PTA Agent on the domain controller?

1. A. Suspected credential theft
2. B. Over-Pass-The-Hash
3. C. Golden Ticket
4. D. Unmanaged privileged access

Correct Answer: C
According to the CyberArk Defender PAM documentation1, the PTA detection that requires the deployment of a Network Sensor or installing the PTA Agent on the domain controller is Golden Ticket. A Golden Ticket is a type of attack that involves creating a forged Kerberos Ticket Granting Ticket (TGT) that grants the attacker access to any resource in the domain. The attacker needs to compromise the domain controller and steal the KRBTGT account password hash to create the Golden Ticket. The PTA Network Sensor or the PTA Agent can detect this attack by analyzing the network traffic and identifying anomalies in the Kerberos protocol, such as TGTs with abnormal lifetime, encryption type, or renewal time. The PTA Server then alerts the security team and provides details about the attack, such as the source IP, the target domain, and the ticket properties. References:
✑ PTA Network Sensors - CyberArk