RSA® Authentication Manager 5.2/6.1 Log Monitoring Guidelines
The following document describes audit log messages that will allow your organization to monitor your
RSA® Authentication Manager 5.2 and 6.1 systems for unusual authentication activity. You should also
examine older or archived logs to establish a baseline frequency for these events before proceeding. In
addition, some actions like provisioning new tokens or changing PIN policy will increase the frequency
of these events.
The number included in parentheses next to the relevant log messages is a unique identifier that can
be used to build custom queries.

1. Bad PIN, Good Tokencode Authentications
    Typical cause:
    An end user accidentally enters the wrong PIN during an authentication attempt.
    Why you should monitor this message:
    Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the
    PINs for an end user’s RSA SecurID® tokens.
    Relevant log messages:
       Good Tokencode/Bad PIN Detected (1010)


2. Passcode Reuse Attempts
    Typical cause:
    An end user accidentally sends the same passcode for two separate authentication attempts.
    Why you should monitor this message:
    This message may indicate that an attacker is trying to reuse a tokencode in a replay attack.
    Relevant log messages:
       ACCESS DENIED, multiple auths (1141)
       PASSCODE REUSE ATTACK Detected (149)


3. Failed Authentication Attempts
    Typical cause:
    An end user accidentally enters the wrong passcode during an authentication attempt.
    Why you should monitor this message:
    Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the
    passcode for your RSA SecurID tokens.


RSA The Security Division of EMC                                                  March 18, 2011 (Version 1.0)
    Relevant log messages:
       ACCESS DENIED, PASSCODE Incorrect (1008)
       ACCESS DENIED, Token ToD Bad (1001)
       ACCESS DENIED, Next Tokencode Bad (1000)


4. Next Tokencode Attempts
    Typical cause:
    The token clock differs from the time the server expects (for example, a software token running on a
    host with an inaccurate clock, or a hardware token whose clock has drifted).
    Why you should monitor this message:
    It is possible that this message indicates that an attacker is trying to submit out-of-date passcodes.
    Relevant log messages:
       Next Tokencode On (144)
       Next Tokencode Requested (1002)


5. Cleared PINs
    Typical cause:
    A user has forgotten their PIN and the PIN is cleared after the Help Desk Administrator verifies the
    end user’s identity.
    Why you should monitor this message:
    This message may indicate that an attacker is attempting a social engineering attack by convincing
    a Help Desk Administrator to remove the PIN.
    Relevant log messages:
       PIN cleared (117)


6. Token Disabled
    Typical cause:
    An end user has entered the wrong passcode several times in a row.
    Why you should monitor this message:
    A higher frequency of this message may indicate that an attacker is trying to guess the RSA SecurID
    token passcode.



    Relevant log messages:
       Token Disabled, Suspect Stolen (143)
       Token Disabled, Many Failures (145)
       ACCESS DENIED, Token Disabled (1004)


Note: If you utilize Cross Realm, consult the Admin Guide Troubleshooting section for similar Cross
Realm messages.
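The guideline asks you to establish a baseline frequency for these messages from archived logs and then watch for unusual activity, using the numeric identifier in parentheses to build queries. The script below is an added example of that workflow and is not part of the RSA document or any RSA tool. It assumes a simple pipe-separated export layout (`timestamp|message id|message text|user`), which is an assumption for this example, since the guideline does not show the real log format; the message identifiers are the ones listed above, grouped by section. Sections 2 and 5 give no frequency qualifier, so those categories are reported event by event; the others are reported only when a day's count exceeds a multiple of the baseline rate. All log lines are constructed sample data.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Message identifiers from the guideline, mapped to the section they appear in.
MONITORED = {
    1010: "Bad PIN, Good Tokencode",
    1141: "Passcode reuse", 149: "Passcode reuse",
    1008: "Failed authentication", 1001: "Failed authentication", 1000: "Failed authentication",
    144: "Next Tokencode", 1002: "Next Tokencode",
    117: "Cleared PIN",
    143: "Token disabled", 145: "Token disabled", 1004: "Token disabled",
}

# Categories reported on any occurrence (the guideline gives no frequency
# qualifier for sections 2 and 5); everything else is rate-based.
REPORT_EACH = {"Passcode reuse", "Cleared PIN"}

# Assumed export layout for this example only: "timestamp|message id|message text|user".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\|(?P<id>\d+)\|(?P<text>[^|]*)\|(?P<user>[^|]+)$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "id": int(m["id"]), "text": m["text"], "user": m["user"]}


def monitored_events(lines):
    """Yield parsed events whose message id is one the guideline says to watch."""
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev["id"] in MONITORED:
            ev["category"] = MONITORED[ev["id"]]
            yield ev


def baseline_per_day(archive_lines):
    """Average events per calendar day for each category over the archived period."""
    events = list(monitored_events(archive_lines))
    if not events:
        return {}
    days = [e["ts"].date() for e in events]
    span_days = (max(days) - min(days)).days + 1  # days with no events still count
    totals = Counter(e["category"] for e in events)
    return {cat: n / span_days for cat, n in totals.items()}


def analyze(current_lines, archive_lines, factor=3.0, floor=5):
    """Report daily spikes versus the baseline, plus every REPORT_EACH event.

    A category is a spike when its daily count exceeds both `floor` and
    `factor` times its baseline rate, so a zero baseline still needs `floor`+1 events.
    """
    base = baseline_per_day(archive_lines)
    per_day = defaultdict(lambda: defaultdict(list))
    for ev in monitored_events(current_lines):
        per_day[ev["ts"].date()][ev["category"]].append(ev)

    spikes, single_events = [], []
    for day in sorted(per_day):
        for cat, evs in per_day[day].items():
            if cat in REPORT_EACH:
                single_events.extend({"day": day.isoformat(), "category": cat,
                                      "id": e["id"], "user": e["user"]} for e in evs)
            rate = base.get(cat, 0.0)
            if len(evs) > max(floor, factor * rate):
                top_user = Counter(e["user"] for e in evs).most_common(1)[0][0]
                spikes.append({"day": day.isoformat(), "category": cat, "count": len(evs),
                               "baseline_per_day": round(rate, 2), "top_user": top_user})
    return {"spikes": spikes, "events": single_events}


# Constructed archive covering three days: 3 bad-PIN, 2 failed-auth, 1 cleared-PIN events.
ARCHIVE_LOG = [
    "2011-03-14 08:12:10|1010|Good Tokencode/Bad PIN Detected|alee",
    "2011-03-14 13:40:55|1008|ACCESS DENIED, PASSCODE Incorrect|bkim",
    "2011-03-15 09:01:40|1010|Good Tokencode/Bad PIN Detected|alee",
    "2011-03-15 17:22:03|117|PIN cleared|cdoe",
    "2011-03-16 10:05:44|1008|ACCESS DENIED, PASSCODE Incorrect|dng",
    "2011-03-16 11:15:00|1010|Good Tokencode/Bad PIN Detected|dng",
]

# Constructed current day: six rapid bad-PIN attempts against one user, one more
# elsewhere, one failed auth, one passcode reuse, one unmonitored id, one bad line.
CURRENT_LOG = [
    f"2011-03-18 09:00:{s:02d}|1010|Good Tokencode/Bad PIN Detected|jsmith" for s in range(1, 48, 8)
] + [
    "2011-03-18 10:30:00|1010|Good Tokencode/Bad PIN Detected|alee",
    "2011-03-18 11:05:12|1008|ACCESS DENIED, PASSCODE Incorrect|bkim",
    "2011-03-18 14:00:00|149|PASSCODE REUSE ATTACK Detected|jsmith",
    "2011-03-18 15:00:00|200|Unmonitored message|bkim",
    "not a log line",
]

if __name__ == "__main__":
    for key, rows in analyze(CURRENT_LOG, ARCHIVE_LOG).items():
        for row in rows:
            print(key, row)
```

With the sample data the bad-PIN category is flagged (7 events against a baseline of 1.0 per day and a floor of 5, top user `jsmith`), the single passcode-reuse event is listed on its own, and the failed-authentication count stays below threshold. Tune `factor` and `floor` from your own archived logs, and expect the baseline to shift after token provisioning or PIN-policy changes, as the guideline notes.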



