Which processes reduce the risk of credential theft? (Choose two.)
Requiring a password change every X days ensures that even if credentials are compromised, the window of opportunity for misuse is limited, since the credentials will frequently be rotated. Enforcing one-time password access significantly reduces the risk of credential theft because the password expires after a single use, making it much harder for unauthorized users to reuse stolen credentials. These processes directly focus on reducing risks associated with credential theft.
I think the answer should be B and D. In order to prevent credential theft, one needs to rotate passwords and make use of OTPs. Dual control is to prevent insider threat and exclusive access (check in and check out) is for user accountability.
Sample exam by CyberArk says the process to reduce the risk is using one-time passwords. Using Dual-Control is to enforce collusion, IMO.
BD - according to the sample CyberArk questions: Exclusive access - Non-repudiation (individual accountability); One Time Password - Reduced risk of credential theft; Dual Control - To force "collusion to commit"
BD because if credential theft is suspected, one would rotate credentials. Only B and D present options for rotating credentials while A and C focus on non-repudiation specifically.
BD is correct
AC A. Require dual control password access approval: This process ensures that users must receive approval from authorized users before they can access passwords, reducing the risk of unauthorized access. C. Enforce check-in/check-out exclusive access: This process ensures that only one user can access a privileged credential at a given time, providing a clear audit trail and reducing the risk of credential theft.
To achieve personal accountability, enable this rule and the Enforce check-in/check-out exclusive access rule together. The timeframe that an account will be available before it will be automatically changed is determined by the MinValidityPeriod platform setting or by the timeframe defined in the dual control request. https://docs.cyberark.com/privilege-cloud-standard/Latest/en/Content/Privilege%20Cloud/privCloud-master-policy-rules.htm
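An added example, not from the question or from CyberArk's own code: a small Python model of how long a stolen password keeps working under the "change every X days" and "one-time password access" rules discussed above, including the MinValidityPeriod delay quoted from the docs. The policy fields, the Session type and the hour-based modelling of MinValidityPeriod are my own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

HOURS_PER_DAY = 24

@dataclass
class MasterPolicy:
    """Simplified stand-in for the Master Policy rules (field names are assumptions)."""
    change_every_days: Optional[int] = None   # "Require password change every X days"
    one_time_password: bool = False           # "Enforce one-time password access"
    min_validity_hours: float = 0.0           # models the MinValidityPeriod platform setting

@dataclass
class Session:
    """A privileged use: password retrieved (check-out) and released (check-in), in hours."""
    checkout: float
    checkin: float

def rotation_times(policy: MasterPolicy, sessions: list, horizon: float) -> list:
    """All moments up to `horizon` at which the vault would change the password."""
    times = []
    if policy.change_every_days:
        step = policy.change_every_days * HOURS_PER_DAY
        t = step
        while t <= horizon:
            times.append(t)
            t += step
    if policy.one_time_password:
        # After use the password is changed, but not before MinValidityPeriod has elapsed
        for s in sessions:
            times.append(max(s.checkin, s.checkout + policy.min_validity_hours))
    return sorted(t for t in times if t <= horizon)

def exposure_window(policy, sessions, leak_time, horizon=365 * HOURS_PER_DAY) -> Optional[float]:
    """Hours a password stolen at `leak_time` keeps working; None if no rotation within horizon."""
    later = [t for t in rotation_times(policy, sessions, horizon) if t > leak_time]
    return (later[0] - leak_time) if later else None

def still_valid(policy, sessions, leak_time, probe_time) -> bool:
    """True if a password captured at leak_time could still be replayed at probe_time."""
    w = exposure_window(policy, sessions, leak_time, horizon=probe_time)
    return w is None or leak_time + w > probe_time

if __name__ == "__main__":
    # Constructed scenario: one session, password captured during it at hour 100
    use = [Session(checkout=100, checkin=102)]
    print(exposure_window(MasterPolicy(change_every_days=30), use, 100))        # 620.0 hours
    print(exposure_window(MasterPolicy(one_time_password=True), use, 100))     # 2 hours
    print(exposure_window(MasterPolicy(one_time_password=True, min_validity_hours=24), use, 100))
```

The comparison shows why the window shrinks from weeks (periodic rotation) to the length of the session itself (one-time password), bounded below only by MinValidityPeriod.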
From my perspective, my answer is A & B. A - Dual Control - Let's say Password A has been hacked, but B is still held by another approval person. B - Change password every X days - usually this is offered for those IDs after usage, or the ID keeps rotating a minimum of 1 day/1 hour after usage. It will reduce the risk of the password getting stolen. C & D - Enforce means check-in and one-time password; the security still seems not strong enough yet. Although the method seems strong, let me just give an example. Does the hacker require a few tries to enter your system? Check-in/check-out and enforcing a one-time login seem to give enough time for a hacker to get into your system. And these 2 methods seem like the same concept: they only allow a single person to log in to the server. So, what is the prevention and control here?
https://docs.cyberark.com/PrivCloud/Latest/en/Content/Privilege%20Cloud/privCloud-master-policy-rules.htm
CD is correct
A,D both impact stopping credential theft immediately
It's CD
Answers: B,C https://cyberark-customers.force.com/s/article/Securing-Human-Interactive-PAM-Administrator-PowerShell-Scripts#:~:text=Shorter%20rotation%20intervals%20and%20the%20use%20of%20one-time,PAM%20administrator%20credentials%20because%20of%20their%20high-risk%20nature.