SlideShare une entreprise Scribd logo

RSA Security Advisory Part III

Onomi
Onomi

Am 71 log monitoring guidelines 03 21-2011

Technologie
1  sur  4
Télécharger pour lire hors ligne
RSA® Authentication Manager 7.1 Log Monitoring Guidelines The following document describes audit log messages that will allow your organization to monitor your RSA®Authentication Manager 7.1 systems for unusual authentication activities such as passcode reuse, next tokencode, etc. You should also examine older or archived logs to establish a baseline frequency for these events before proceeding. In addition, some actions like provisioning new tokens or changing PIN policy will increase the frequency of these events. The events that should be monitored are broken into sections based on which report should be used to monitor them. Authentication Failure Event Report You can generate a customized “Login Failure Event” Authentication Activity Report for end user authentication events. To generate this report, in addition to your usual customization choose the following options and values: 1. Choose “Login Event” for “Activity Key” option 2. Choose “False” for “Display Successful Actions” 3. Choose “True” for “Display Failed Actions” 4. Choose “True” for “Display Warned Actions” Use this report to monitor the critical authentication events described below. 1. Bad PIN, Good Tokencode Authentication Event Typical cause: An end user accidently enters the wrong PIN during an authentication attempt. Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the PINs for the end user’s RSA SecurID® tokens. Relevant log messages: Bad PIN, but good tokencode detected for token serial number 2. Bad PIN, Previous Tokencode Authentication Event Typical cause: An end user accidently enters the wrong PIN during an authentication attempt. In addition to this, the end user also enters a previous token code RSA The Security Division of EMC March 18, 2011 (Version 1.0)
Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the PINs for and end user’s RSA SecurID tokens and the attacker has a valid but old tokencode. Relevant log messages: Bad PIN, but previous tokencode detected for token serial number 3. Passcode Reuse Attempt Event Typical cause: An end user accidently sends the same passcode for two separate authentication attempts. Why you should monitor this message: This message may indicate that an attacker is trying to reuse a tokencode in a replay attack. Relevant log messages: Passcode reuse or previous token code detected for user 4. Good PIN, Bad Tokencode Authentication Event Typical cause: An end user has entered a valid PIN but accidently enters the wrong tokencode during an authentication attempt. Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the tokencode for an end user’s RSA SecurID tokens. Relevant log messages: Bad tokencode, but good PIN detected for token serial number 5. Failed Authentication Attempt Event Typical cause: An end user accidently enters the wrong passcode during an authentication attempt. Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the passcode for an end user’s RSA SecurID tokens. RSA The Security Division of EMC Page 2
Relevant log messages: “User <user id> attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain <domain name>” in the Description column of the activity report and “Authentication Method Failed” in the Reason column 6. Next Tokencode Attempt Event Typical cause: The token clock is different than what is expected by the server. (e.g. a software token with an inaccurate clock or the hardware token time has drifted) Why you should monitor this message: It is possible that this message indicates that an attacker is trying to submit out-of-date passcodes. Relevant log messages: Next tokencode mode activated for token serial number Lockout Authentication Failure Event Report You can generate a customized “Lockout Failure Event” Authentication Activity Report for end user authentication lockout events. To generate this report, in addition to your usual customization, choose the following options and values: 1. Choose “Lockout Event” for “Activity Key” option 2. Choose “False” for “Display Successful Actions” 3. Choose “True” for “Display Failed Actions” 4. Choose “True” for “Display Warned Actions” User Locked Out Event Typical cause: An end user has entered the wrong passcode multiple sequential times and is now locked out. Why you should monitor this message: A higher frequency of this message may indicate that an attacker is trying to guess the RSA SecurID token passcode. Relevant log messages: “User <user id> attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain <domain name>” in the Description column of the activity report and “Principal locked out” in the Reason column RSA The Security Division of EMC Page 3
Administrator Activity Report You can generate a customized “Clear PIN Event” Administrative Activity Report to track how frequently PINs are being cleared. To generate this report, choose “Administrator Activity” report template. In addition to your usual customization, choose “Clear Token PIN for “Activity Key” option. Clear Pin Event Typical cause: An end user has forgotten the end user’s PIN and the PIN is cleared after the Help Desk Administrator verifies the user’s identity. Why you should monitor this message: This message may indicate that an attacker is attempting a social engineering attack by convincing a Help Desk Administrator to clear the PIN. Relevant log messages: Clear Token Pin RSA The Security Division of EMC Page 4

Recommandé

Emotions Quiz
Emotions QuizEmotions Quiz
Emotions Quizemslaubaugh
 
Survivors guide to the cloud whitepaper
Survivors guide to the cloud whitepaperSurvivors guide to the cloud whitepaper
Survivors guide to the cloud whitepaperOnomi
 
Cloud Exchange 2010
Cloud Exchange 2010Cloud Exchange 2010
Cloud Exchange 2010Onomi
 
Interoute Intelligent Monitoring
Interoute Intelligent MonitoringInteroute Intelligent Monitoring
Interoute Intelligent MonitoringOnomi
 
Jm 2010.June Long Cv
Jm 2010.June Long CvJm 2010.June Long Cv
Jm 2010.June Long CvJocelyn Marquis
 
Navigating Social Media in the Automotive Industry
Navigating Social Media in the Automotive IndustryNavigating Social Media in the Automotive Industry
Navigating Social Media in the Automotive IndustryDMEautomotive
 
Quantix virtualisation case study
Quantix virtualisation case studyQuantix virtualisation case study
Quantix virtualisation case studyOnomi
 
Osdb guarantee uk eu 2016 11-20 (002)
Osdb guarantee uk eu 2016 11-20 (002)Osdb guarantee uk eu 2016 11-20 (002)
Osdb guarantee uk eu 2016 11-20 (002)Onomi
 

Recommandé

Emotions Quiz
Emotions QuizEmotions Quiz
Emotions Quizemslaubaugh
 
Survivors guide to the cloud whitepaper
Survivors guide to the cloud whitepaperSurvivors guide to the cloud whitepaper
Survivors guide to the cloud whitepaperOnomi
 
Cloud Exchange 2010
Cloud Exchange 2010Cloud Exchange 2010
Cloud Exchange 2010Onomi
 
Interoute Intelligent Monitoring
Interoute Intelligent MonitoringInteroute Intelligent Monitoring
Interoute Intelligent MonitoringOnomi
 
Jm 2010.June Long Cv
Jm 2010.June Long CvJm 2010.June Long Cv
Jm 2010.June Long CvJocelyn Marquis
 
Navigating Social Media in the Automotive Industry
Navigating Social Media in the Automotive IndustryNavigating Social Media in the Automotive Industry
Navigating Social Media in the Automotive IndustryDMEautomotive
 
Quantix virtualisation case study
Quantix virtualisation case studyQuantix virtualisation case study
Quantix virtualisation case studyOnomi
 
Osdb guarantee uk eu 2016 11-20 (002)
Osdb guarantee uk eu 2016 11-20 (002)Osdb guarantee uk eu 2016 11-20 (002)
Osdb guarantee uk eu 2016 11-20 (002)Onomi
 
Tactical Outsourcing (Interoute)
Tactical Outsourcing (Interoute)Tactical Outsourcing (Interoute)
Tactical Outsourcing (Interoute)Onomi
 
Unified Computing Whitepaper
Unified Computing WhitepaperUnified Computing Whitepaper
Unified Computing WhitepaperOnomi
 
Hybrid Cloud Case Study (Interoute)
Hybrid Cloud Case Study (Interoute)Hybrid Cloud Case Study (Interoute)
Hybrid Cloud Case Study (Interoute)Onomi
 
SaaS 2001
SaaS 2001SaaS 2001
SaaS 2001Onomi
 
Database as a service
Database as a serviceDatabase as a service
Database as a serviceOnomi
 
Oracle ISV Cloud Presentation
Oracle ISV Cloud PresentationOracle ISV Cloud Presentation
Oracle ISV Cloud PresentationOnomi
 
SaaS exchange 2010 why make the move
SaaS exchange 2010 why make the moveSaaS exchange 2010 why make the move
SaaS exchange 2010 why make the moveOnomi
 
RSA Advisory Part I
RSA Advisory Part IRSA Advisory Part I
RSA Advisory Part IOnomi
 
Exchange server 2010 archiving and retention
Exchange server 2010 archiving and retentionExchange server 2010 archiving and retention
Exchange server 2010 archiving and retentionOnomi
 
9 Steps to Cloud Security Heaven
9 Steps to Cloud Security Heaven9 Steps to Cloud Security Heaven
9 Steps to Cloud Security HeavenOnomi
 
Exchange cloud tco analysis (Quantix)
Exchange cloud tco analysis (Quantix)Exchange cloud tco analysis (Quantix)
Exchange cloud tco analysis (Quantix)Onomi
 
TechMarketView article - Quantix Growth
TechMarketView article - Quantix GrowthTechMarketView article - Quantix Growth
TechMarketView article - Quantix GrowthOnomi
 
Quantix cloud case study
Quantix cloud case studyQuantix cloud case study
Quantix cloud case studyOnomi
 
The Oracloud
The OracloudThe Oracloud
The OracloudOnomi
 
Quantix - Cloud Computing Congress (15/10)
Quantix - Cloud Computing Congress (15/10)Quantix - Cloud Computing Congress (15/10)
Quantix - Cloud Computing Congress (15/10)Onomi
 
Cloud Business Continuity White Paper
Cloud Business Continuity White PaperCloud Business Continuity White Paper
Cloud Business Continuity White PaperOnomi
 
Cloudstorm Quantix
Cloudstorm QuantixCloudstorm Quantix
Cloudstorm QuantixOnomi
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 

Contenu connexe

Plus de Onomi

Tactical Outsourcing (Interoute)
Tactical Outsourcing (Interoute)Tactical Outsourcing (Interoute)
Tactical Outsourcing (Interoute)Onomi
 
Unified Computing Whitepaper
Unified Computing WhitepaperUnified Computing Whitepaper
Unified Computing WhitepaperOnomi
 
Hybrid Cloud Case Study (Interoute)
Hybrid Cloud Case Study (Interoute)Hybrid Cloud Case Study (Interoute)
Hybrid Cloud Case Study (Interoute)Onomi
 
SaaS 2001
SaaS 2001SaaS 2001
SaaS 2001Onomi
 
Database as a service
Database as a serviceDatabase as a service
Database as a serviceOnomi
 
Oracle ISV Cloud Presentation
Oracle ISV Cloud PresentationOracle ISV Cloud Presentation
Oracle ISV Cloud PresentationOnomi
 
SaaS exchange 2010 why make the move
SaaS exchange 2010 why make the moveSaaS exchange 2010 why make the move
SaaS exchange 2010 why make the moveOnomi
 
RSA Advisory Part I
RSA Advisory Part IRSA Advisory Part I
RSA Advisory Part IOnomi
 
Exchange server 2010 archiving and retention
Exchange server 2010 archiving and retentionExchange server 2010 archiving and retention
Exchange server 2010 archiving and retentionOnomi
 
9 Steps to Cloud Security Heaven
9 Steps to Cloud Security Heaven9 Steps to Cloud Security Heaven
9 Steps to Cloud Security HeavenOnomi
 
Exchange cloud tco analysis (Quantix)
Exchange cloud tco analysis (Quantix)Exchange cloud tco analysis (Quantix)
Exchange cloud tco analysis (Quantix)Onomi
 
TechMarketView article - Quantix Growth
TechMarketView article - Quantix GrowthTechMarketView article - Quantix Growth
TechMarketView article - Quantix GrowthOnomi
 
Quantix cloud case study
Quantix cloud case studyQuantix cloud case study
Quantix cloud case studyOnomi
 
The Oracloud
The OracloudThe Oracloud
The OracloudOnomi
 
Quantix - Cloud Computing Congress (15/10)
Quantix - Cloud Computing Congress (15/10)Quantix - Cloud Computing Congress (15/10)
Quantix - Cloud Computing Congress (15/10)Onomi
 
Cloud Business Continuity White Paper
Cloud Business Continuity White PaperCloud Business Continuity White Paper
Cloud Business Continuity White PaperOnomi
 
Cloudstorm Quantix
Cloudstorm QuantixCloudstorm Quantix
Cloudstorm QuantixOnomi
 

Plus de Onomi (17)

Tactical Outsourcing (Interoute)
Tactical Outsourcing (Interoute)Tactical Outsourcing (Interoute)
Tactical Outsourcing (Interoute)
 
Unified Computing Whitepaper
Unified Computing WhitepaperUnified Computing Whitepaper
Unified Computing Whitepaper
 
Hybrid Cloud Case Study (Interoute)
Hybrid Cloud Case Study (Interoute)Hybrid Cloud Case Study (Interoute)
Hybrid Cloud Case Study (Interoute)
 
SaaS 2001
SaaS 2001SaaS 2001
SaaS 2001
 
Database as a service
Database as a serviceDatabase as a service
Database as a service
 
Oracle ISV Cloud Presentation
Oracle ISV Cloud PresentationOracle ISV Cloud Presentation
Oracle ISV Cloud Presentation
 
SaaS exchange 2010 why make the move
SaaS exchange 2010 why make the moveSaaS exchange 2010 why make the move
SaaS exchange 2010 why make the move
 
RSA Advisory Part I
RSA Advisory Part IRSA Advisory Part I
RSA Advisory Part I
 
Exchange server 2010 archiving and retention
Exchange server 2010 archiving and retentionExchange server 2010 archiving and retention
Exchange server 2010 archiving and retention
 
9 Steps to Cloud Security Heaven
9 Steps to Cloud Security Heaven9 Steps to Cloud Security Heaven
9 Steps to Cloud Security Heaven
 
Exchange cloud tco analysis (Quantix)
Exchange cloud tco analysis (Quantix)Exchange cloud tco analysis (Quantix)
Exchange cloud tco analysis (Quantix)
 
TechMarketView article - Quantix Growth
TechMarketView article - Quantix GrowthTechMarketView article - Quantix Growth
TechMarketView article - Quantix Growth
 
Quantix cloud case study
Quantix cloud case studyQuantix cloud case study
Quantix cloud case study
 
The Oracloud
The OracloudThe Oracloud
The Oracloud
 
Quantix - Cloud Computing Congress (15/10)
Quantix - Cloud Computing Congress (15/10)Quantix - Cloud Computing Congress (15/10)
Quantix - Cloud Computing Congress (15/10)
 
Cloud Business Continuity White Paper
Cloud Business Continuity White PaperCloud Business Continuity White Paper
Cloud Business Continuity White Paper
 
Cloudstorm Quantix
Cloudstorm QuantixCloudstorm Quantix
Cloudstorm Quantix
 

Dernier

Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Dernier (20)

Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

RSA Security Advisory Part III

  • 1. RSA® Authentication Manager 7.1 Log Monitoring Guidelines The following document describes audit log messages that will allow your organization to monitor your RSA®Authentication Manager 7.1 systems for unusual authentication activities such as passcode reuse, next tokencode, etc. You should also examine older or archived logs to establish a baseline frequency for these events before proceeding. In addition, some actions like provisioning new tokens or changing PIN policy will increase the frequency of these events. The events that should be monitored are broken into sections based on which report should be used to monitor them. Authentication Failure Event Report You can generate a customized “Login Failure Event” Authentication Activity Report for end user authentication events. To generate this report, in addition to your usual customization choose the following options and values: 1. Choose “Login Event” for “Activity Key” option 2. Choose “False” for “Display Successful Actions” 3. Choose “True” for “Display Failed Actions” 4. Choose “True” for “Display Warned Actions” Use this report to monitor the critical authentication events described below. 1. Bad PIN, Good Tokencode Authentication Event Typical cause: An end user accidently enters the wrong PIN during an authentication attempt. Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the PINs for the end user’s RSA SecurID® tokens. Relevant log messages: Bad PIN, but good tokencode detected for token serial number 2. Bad PIN, Previous Tokencode Authentication Event Typical cause: An end user accidently enters the wrong PIN during an authentication attempt. In addition to this, the end user also enters a previous token code RSA The Security Division of EMC March 18, 2011 (Version 1.0)
  • 2. Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the PINs for and end user’s RSA SecurID tokens and the attacker has a valid but old tokencode. Relevant log messages: Bad PIN, but previous tokencode detected for token serial number 3. Passcode Reuse Attempt Event Typical cause: An end user accidently sends the same passcode for two separate authentication attempts. Why you should monitor this message: This message may indicate that an attacker is trying to reuse a tokencode in a replay attack. Relevant log messages: Passcode reuse or previous token code detected for user 4. Good PIN, Bad Tokencode Authentication Event Typical cause: An end user has entered a valid PIN but accidently enters the wrong tokencode during an authentication attempt. Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the tokencode for an end user’s RSA SecurID tokens. Relevant log messages: Bad tokencode, but good PIN detected for token serial number 5. Failed Authentication Attempt Event Typical cause: An end user accidently enters the wrong passcode during an authentication attempt. Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the passcode for an end user’s RSA SecurID tokens. RSA The Security Division of EMC Page 2
  • 3. Relevant log messages: “User <user id> attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain <domain name>” in the Description column of the activity report and “Authentication Method Failed” in the Reason column 6. Next Tokencode Attempt Event Typical cause: The token clock is different than what is expected by the server. (e.g. a software token with an inaccurate clock or the hardware token time has drifted) Why you should monitor this message: It is possible that this message indicates that an attacker is trying to submit out-of-date passcodes. Relevant log messages: Next tokencode mode activated for token serial number Lockout Authentication Failure Event Report You can generate a customized “Lockout Failure Event” Authentication Activity Report for end user authentication lockout events. To generate this report, in addition to your usual customization, choose the following options and values: 1. Choose “Lockout Event” for “Activity Key” option 2. Choose “False” for “Display Successful Actions” 3. Choose “True” for “Display Failed Actions” 4. Choose “True” for “Display Warned Actions” User Locked Out Event Typical cause: An end user has entered the wrong passcode multiple sequential times and is now locked out. Why you should monitor this message: A higher frequency of this message may indicate that an attacker is trying to guess the RSA SecurID token passcode. Relevant log messages: “User <user id> attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain <domain name>” in the Description column of the activity report and “Principal locked out” in the Reason column RSA The Security Division of EMC Page 3
  • 4. Administrator Activity Report You can generate a customized “Clear PIN Event” Administrative Activity Report to track how frequently PINs are being cleared. To generate this report, choose “Administrator Activity” report template. In addition to your usual customization, choose “Clear Token PIN for “Activity Key” option. Clear Pin Event Typical cause: An end user has forgotten the end user’s PIN and the PIN is cleared after the Help Desk Administrator verifies the user’s identity. Why you should monitor this message: This message may indicate that an attacker is attempting a social engineering attack by convincing a Help Desk Administrator to clear the PIN. Relevant log messages: Clear Token Pin RSA The Security Division of EMC Page 4