RSA Security Advisory Part II

RSA® Authentication Manager 5.2/6.1 Log Monitoring Guidelines
The following document describes the audit log messages that allow your organization to monitor
RSA® Authentication Manager 5.2 and 6.1 systems for unusual authentication activity. Before acting on
any of these messages, examine older or archived logs to establish a baseline frequency for each event;
a count is only meaningful relative to that baseline. Keep in mind that some routine administrative
actions, such as provisioning new tokens or changing the PIN policy, will temporarily increase the
frequency of these events.
The number in parentheses next to each log message is a unique event identifier that can be used to
build custom queries against the audit log.

1. Bad PIN, Good Tokencode Authentications
    Typical cause:
    An end user accidentally enters the wrong PIN during an authentication attempt.
    Why you should monitor this message:
    Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the
    PIN for an end user's RSA SecurID® token. Because the tokencode itself was valid, whoever submitted
    it could see the token's current output, and only the PIN stands between them and a successful
    authentication; a run of these messages for one user deserves prompt investigation.
    Relevant log messages:
       Good Tokencode/Bad PIN Detected (1010)


2. Passcode Reuse Attempts
    Typical cause:
    An end user accidentally submits the same passcode for two separate authentication attempts (for
    example, by clicking a login button twice).
    Why you should monitor this message:
    This message may indicate that an attacker who has captured a passcode is trying to reuse it in a
    replay attack. A single occurrence is usually benign; repeated occurrences for one user, or an
    occurrence from an agent host the user does not normally authenticate through, are not.
    Relevant log messages:
       ACCESS DENIED, multiple auths (1141)
       PASSCODE REUSE ATTACK Detected (149)


3. Failed Authentication Attempts
    Typical cause:
    An end user accidentally enters the wrong passcode during an authentication attempt.
    Why you should monitor this message:
    Unusually frequent occurrences of these messages may indicate that an attacker is trying to guess the
    passcode for one of your RSA SecurID tokens. Count them per user and per agent host as well as in
    aggregate: a guessing attack against a single account can stay well below the system-wide baseline.


RSA The Security Division of EMC                                                  March 18, 2011 (Version 1.0)
Relevant log messages:
       ACCESS DENIED, PASSCODE Incorrect (1008)
       ACCESS DENIED, Token ToD Bad (1001)
       ACCESS DENIED, Next Tokencode Bad (1000)


4. Next Tokencode Attempts
    Typical cause:
    The token clock differs from what the server expects (e.g., a software token on a host with an
    inaccurate clock, or a hardware token whose clock has drifted), so the server asks for the next
    tokencode to confirm that the user actually holds the token.
    Why you should monitor this message:
    It is possible that this message indicates that an attacker is trying to submit out-of-date passcodes,
    for example tokencodes captured earlier and replayed after they have expired.
    Relevant log messages:
       Next Tokencode On (144)
       Next Tokencode Requested (1002)


5. Cleared PINs
    Typical cause:
    A user has forgotten their PIN, and a Help Desk Administrator clears it after verifying the end
    user's identity.
    Why you should monitor this message:
    This message may indicate that an attacker is attempting a social engineering attack by convincing
    a Help Desk Administrator to remove the PIN. Review each PIN clear against the Help Desk ticket that
    requested it, and pay particular attention to a PIN clear that is followed shortly by a new PIN being
    set and an authentication from an agent host the user does not normally use.
    Relevant log messages:
       PIN cleared (117)


6. Token Disabled
    Typical cause:
    An end user has entered the wrong passcode several times in a row, and the server has disabled the
    token automatically.
    Why you should monitor this message:
    A higher frequency of this message may indicate that an attacker is trying to guess the RSA SecurID
    token passcode. Many tokens being disabled within a short period, rather than the occasional single
    token, is the pattern to look for.
Relevant log messages:
       Token Disabled, Suspect Stolen (143)
       Token Disabled, Many Failures (145)
       ACCESS DENIED, Token Disabled (1004)


Note: If you use Cross Realm authentication, consult the Troubleshooting section of the Administrator's
Guide for the equivalent Cross Realm messages, which carry different identifiers.
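As an added example (not part of RSA's guidelines and not RSA's code), the following Python script applies the baseline-then-threshold approach the document describes to the event IDs it lists: it computes a per-category baseline from an archived log, then scans a current log both system-wide and per user with a sliding one-hour window. The pipe-delimited line format, the sample log lines, and the thresholds (three times the baseline, with floors of 5 system-wide and 3 per user) are constructed assumptions; the real Authentication Manager log export has a different layout, so only parse_line() needs adapting.

```python
"""Baseline-then-threshold monitor for the RSA Authentication Manager audit
events listed in the guidelines above. Added example, not RSA's code.
ASSUMPTION: log lines are a constructed pipe-delimited export with fields
    timestamp|event_id|message|user|token_serial|agent_host
The real export layout differs, so parse_line() is the function to adapt."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Event IDs exactly as the guidelines list them, grouped by section.
CATEGORIES = {
    "bad_pin_good_tokencode": {1010},
    "passcode_reuse": {1141, 149},
    "failed_auth": {1008, 1001, 1000},
    "next_tokencode": {144, 1002},
    "pin_cleared": {117},
    "token_disabled": {143, 145, 1004},
}
EVENT_TO_CATEGORY = {eid: cat for cat, ids in CATEGORIES.items() for eid in ids}
WINDOW = timedelta(hours=1)

# Constructed sample data: a quiet week of archived events for the baseline...
ARCHIVE_LOG = """\
2011-03-01T08:14:02|1008|ACCESS DENIED, PASSCODE Incorrect|asmith|000123456789|vpn-gw-01
2011-03-01T17:40:11|1010|Good Tokencode/Bad PIN Detected|bjones|000123456790|vpn-gw-01
2011-03-02T09:03:30|1002|Next Tokencode Requested|cdavis|000123456791|citrix-01
2011-03-03T12:15:09|117|PIN cleared|dlee|000123456792|admin-console
2011-03-04T07:55:18|1008|ACCESS DENIED, PASSCODE Incorrect|asmith|000123456789|vpn-gw-02
2011-03-05T14:21:33|1141|ACCESS DENIED, multiple auths|efox|000123456793|vpn-gw-01
2011-03-07T08:00:00|1008|ACCESS DENIED, PASSCODE Incorrect|bjones|000123456790|vpn-gw-01
"""
# ...and one day of current events with a PIN-guessing burst against jdoe.
CURRENT_LOG = """\
2011-03-14T08:05:12|1008|ACCESS DENIED, PASSCODE Incorrect|asmith|000123456789|vpn-gw-01
2011-03-14T08:06:01|1002|Next Tokencode Requested|asmith|000123456789|vpn-gw-01
2011-03-14T13:47:20|1141|ACCESS DENIED, multiple auths|efox|000123456793|citrix-01
2011-03-14T22:31:04|1010|Good Tokencode/Bad PIN Detected|jdoe|000123456800|vpn-gw-02
2011-03-14T22:31:40|1010|Good Tokencode/Bad PIN Detected|jdoe|000123456800|vpn-gw-02
2011-03-14T22:32:15|1010|Good Tokencode/Bad PIN Detected|jdoe|000123456800|vpn-gw-02
2011-03-14T22:32:51|1010|Good Tokencode/Bad PIN Detected|jdoe|000123456800|vpn-gw-02
2011-03-14T22:33:30|1010|Good Tokencode/Bad PIN Detected|jdoe|000123456800|vpn-gw-02
2011-03-14T22:34:08|1010|Good Tokencode/Bad PIN Detected|jdoe|000123456800|vpn-gw-02
2011-03-14T23:10:00|1008|ACCESS DENIED, PASSCODE Incorrect|bjones|000123456790|citrix-01
"""

def parse_line(line):
    ts, eid, msg, user, serial, agent = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(eid), "msg": msg,
            "user": user, "serial": serial, "agent": agent}

def parse_log(text):
    return [parse_line(l.strip()) for l in text.splitlines() if l.strip()]

def categorize(events):
    """Keep only the events the guidelines list, tagged with their category."""
    return [dict(e, category=EVENT_TO_CATEGORY[e["event_id"]])
            for e in events if e["event_id"] in EVENT_TO_CATEGORY]

def baseline_rates(archive, window=WINDOW):
    """Average number of events per window, per category, across the archive."""
    archive = categorize(archive)
    if not archive:
        return {cat: 0.0 for cat in CATEGORIES}
    span = max(e["ts"] for e in archive) - min(e["ts"] for e in archive)
    n_windows = max(1.0, span / window)
    counts = Counter(e["category"] for e in archive)
    return {cat: counts[cat] / n_windows for cat in CATEGORIES}

def peak_in_window(times, window=WINDOW):
    """Largest number of timestamps falling inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_anomalies(current, baseline, window=WINDOW, factor=3.0,
                   fleet_floor=5, user_floor=3):
    """Fleet-wide: a category's peak per-window count exceeds both `fleet_floor`
    and `factor` times its baseline. Per user: one user's peak exceeds
    `user_floor`, catching a targeted attack that is invisible fleet-wide."""
    fleet, per_user = defaultdict(list), defaultdict(list)
    for e in categorize(current):
        fleet[e["category"]].append(e["ts"])
        per_user[(e["category"], e["user"])].append(e["ts"])
    alerts = []  # (scope, category, user, peak) tuples
    for cat, times in fleet.items():
        peak = peak_in_window(times, window)
        if peak > max(fleet_floor, factor * baseline.get(cat, 0.0)):
            alerts.append(("fleet", cat, "*", peak))
    for (cat, user), times in per_user.items():
        peak = peak_in_window(times, window)
        if peak > user_floor:
            alerts.append(("user", cat, user, peak))
    return sorted(alerts)

def run_example():
    baseline = baseline_rates(parse_log(ARCHIVE_LOG))
    return find_anomalies(parse_log(CURRENT_LOG), baseline)

if __name__ == "__main__":
    for scope, cat, who, peak in run_example():
        print(f"{scope:5} {cat:24} {who:8} peak={peak} per {WINDOW}")
```

On the constructed data the six "Good Tokencode/Bad PIN Detected (1010)" events against jdoe trip both the fleet-wide and the per-user check, while the lone "ACCESS DENIED, multiple auths (1141)" for efox stays under the per-user floor, matching the guidelines' point that one accidental reuse is normal. Because a small archive yields baselines well below one event per hour, the floors do most of the work; in practice you would tune factor and the floors per category (a lower floor for passcode_reuse and token_disabled, which should be rare, and a separate per-agent-host key for failed_auth) after reviewing a few weeks of real logs.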



