I think the answer should be B and D. In order to prevent credential theft, one needs to rotate passwords and make use of OTPs. Dual control is to prevent insider threat and exclusive access (check in and check out) is for user accountability.
To achieve personal accountability, enable this rule and the Enforce check-in/check-out exclusive access rule together. The timeframe that an account will be available before it will be automatically changed is determined by the MinValidityPeriod platform setting or by the timeframe defined in the dual control request.
https://docs.cyberark.com/privilege-cloud-standard/Latest/en/Content/Privilege%20Cloud/privCloud-master-policy-rules.htm
BD because if credential theft is suspected, one would rotate credentials. Only B and D present options for rotating credentials while A and C focus on non-repudiation specifically.
From my perspective, my answer is A & B
A - Dual Control - Let's say Password A has been hacked, but B is still held by another approval person.
B - Change password every x days - usually this is offered for those IDs after usage, or the ID keeps rotating at a minimum of 1 day/1 hour after usage. It will reduce the risk of the password getting stolen.
C & D - Enforce means check-in and one-time password; the security seems not that strong yet. Although the method seems strong, just to give an example: does the hacker require a few tries to enter your system?
Check-in/check-out and enforcing a one-time login seem to give enough time for a hacker to get into your system. And these 2 methods seem like the same concept: only allowing a single person to log in to the server. So what is the prevention and control here?
AC
A. Require dual control password access approval: This process ensures that users must receive approval from authorized users before they can access passwords, reducing the risk of unauthorized access.
C. Enforce check-in/check-out exclusive access: This process ensures that only one user can access a privileged credential at a given time, providing a clear audit trail and reducing the risk of credential theft.
BD - according to the sample CyberArk questions:
Exclusive access - Non-repudiation (individual accountability)
One Time Password - Reduced risk of credential theft
Dual Control - To force "collusion to commit"
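To make the difference between the four rules concrete, here is an added toy model of a vaulted account under each rule. It is my own illustration, not CyberArk code and not the product's API; the `Policy` fields, the `AccountVault` class and its method names are all assumptions chosen to mirror the rule names in the question. The model shows what each rule actually blocks: dual control refuses retrieval without a second person's approval, exclusive access refuses a second user while the account is checked out, the one-time-password rule rotates on check-in so a copy captured during the session is useless afterwards, and scheduled rotation changes the secret after the interval regardless of activity.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Policy:
    """Which master-policy-style rules are switched on (constructed names, not CyberArk's)."""
    dual_control: bool = False               # A: someone else must approve first
    rotate_every_days: Optional[int] = None  # B: scheduled change every X days
    exclusive_access: bool = False           # C: check-out lock, one user at a time
    one_time_password: bool = False          # D: password changes on check-in


class AccountVault:
    """One privileged account under a Policy; keeps a simple audit trail."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.password = self._new_secret()
        self.last_rotated_day = 0
        self.checked_out_by: Optional[str] = None
        self.approved: Set[str] = set()      # requesters holding a pending approval
        self.audit: List[str] = []

    @staticmethod
    def _new_secret() -> str:
        return secrets.token_urlsafe(16)

    def approve(self, approver: str, requester: str) -> None:
        """Dual control: an approver signs off; self-approval is refused."""
        if approver == requester:
            raise PermissionError("a requester may not approve their own request")
        self.approved.add(requester)
        self.audit.append(f"{approver} approved {requester}")

    def advance_to_day(self, day: int) -> None:
        """Scheduled rotation (rule B): change once the interval has elapsed."""
        every = self.policy.rotate_every_days
        if every is not None and day - self.last_rotated_day >= every:
            self.password = self._new_secret()
            self.last_rotated_day = day
            self.audit.append(f"day {day}: scheduled rotation")

    def checkout(self, user: str, day: int = 0) -> str:
        """Retrieve the password, subject to rules A and C."""
        self.advance_to_day(day)
        if self.policy.dual_control and user not in self.approved:
            raise PermissionError(f"{user}: dual-control approval required")
        if self.policy.exclusive_access and self.checked_out_by not in (None, user):
            raise PermissionError(f"account already checked out by {self.checked_out_by}")
        self.approved.discard(user)          # an approval is good for one retrieval
        self.checked_out_by = user
        self.audit.append(f"{user} checked out")
        return self.password

    def checkin(self, user: str) -> None:
        """Release the account; rule D rotates it so the retrieved copy is dead."""
        if self.checked_out_by != user:
            raise PermissionError(f"{user} does not hold the account")
        self.checked_out_by = None
        self.audit.append(f"{user} checked in")
        if self.policy.one_time_password:
            self.password = self._new_secret()
            self.audit.append("one-time password: rotated on check-in")


def demonstrate() -> dict:
    """Exercise each rule once; returns which protective effect was observed."""
    out = {}
    # D: a password captured during the session no longer matches after check-in
    v = AccountVault(Policy(one_time_password=True))
    leaked = v.checkout("alice")
    v.checkin("alice")
    out["otp_invalidates_leaked"] = leaked != v.password

    # C: a second user cannot retrieve while alice holds the account
    v = AccountVault(Policy(exclusive_access=True))
    v.checkout("alice")
    try:
        v.checkout("bob")
        out["exclusive_blocks_second_user"] = False
    except PermissionError:
        out["exclusive_blocks_second_user"] = True

    # A: retrieval refused until someone else approves
    v = AccountVault(Policy(dual_control=True))
    try:
        v.checkout("alice")
        out["dual_control_blocks_unapproved"] = False
    except PermissionError:
        out["dual_control_blocks_unapproved"] = True
    v.approve("manager", "alice")
    out["dual_control_allows_approved"] = v.checkout("alice") == v.password

    # B: scheduled change after the interval, even with no activity in between
    v = AccountVault(Policy(rotate_every_days=7))
    first = v.checkout("alice", day=0)
    v.checkin("alice")
    out["scheduled_rotation"] = v.checkout("alice", day=7) != first
    return out


if __name__ == "__main__":
    for rule, observed in demonstrate().items():
        print(f"{rule}: {observed}")
```

Run it and every entry of `demonstrate()` comes back `True`. Read against the question: only rules B and D ever change the secret, so only they limit how long a stolen copy stays usable; rules A and C govern who may retrieve it and leave a record of who held it, which is the accountability and collusion angle.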