Published on SlideShare as "log monitoring guidelines 03 21-2011" (category: Technology)
RSA Security Advisory Part II

RSA® Authentication Manager 5.2/6.1 Log Monitoring Guidelines

The following document describes audit log messages that will allow your organization to monitor your RSA® Authentication Manager 5.2 and 6.1 systems for unusual authentication activity. You should also examine older or archived logs to establish a baseline frequency for these events before proceeding. In addition, some actions, such as provisioning new tokens or changing PIN policy, will increase the frequency of these events, so re-establish the baseline after such changes.

The number in parentheses next to each relevant log message is a unique identifier that can be used to build custom queries.

1. Bad PIN, Good Tokencode Authentications
   Typical cause: An end user accidentally enters the wrong PIN during an authentication attempt.
   Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the PIN for an end user's RSA SecurID® token. Because the tokencode itself was correct, whoever submitted it had access to a valid tokencode for that token.
   Relevant log messages:
      Good Tokencode/Bad PIN Detected (1010)

2. Passcode Reuse Attempts
   Typical cause: An end user accidentally sends the same passcode for two separate authentication attempts.
   Why you should monitor this message: This message may indicate that an attacker is trying to reuse a captured tokencode in a replay attack.
   Relevant log messages:
      ACCESS DENIED, multiple auths (1141)
      PASSCODE REUSE ATTACK Detected (149)

3. Failed Authentication Attempts
   Typical cause: An end user accidentally enters the wrong passcode during an authentication attempt.
   Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the passcode for your RSA SecurID tokens.
   Relevant log messages:
      ACCESS DENIED, PASSCODE Incorrect (1008)
      ACCESS DENIED, Token ToD Bad (1001)
      ACCESS DENIED, Next Tokencode Bad (1000)

4. Next Tokencode Attempts
   Typical cause: The token clock differs from what the server expects (e.g., a software token on a host with an inaccurate clock, or a hardware token whose time has drifted).
   Why you should monitor this message: It is possible that this message indicates that an attacker is trying to submit out-of-date passcodes.
   Relevant log messages:
      Next Tokencode On (144)
      Next Tokencode Requested (1002)

5. Cleared PINs
   Typical cause: A user has forgotten their PIN, and the PIN is cleared after the Help Desk Administrator verifies the end user's identity.
   Why you should monitor this message: This message may indicate that an attacker is attempting a social engineering attack by convincing a Help Desk Administrator to remove the PIN.
   Relevant log messages:
      PIN cleared (117)

6. Token Disabled
   Typical cause: An end user has entered the wrong passcode several times in a row.
   Why you should monitor this message: A higher frequency of this message may indicate that an attacker is trying to guess the RSA SecurID token passcode.
   Relevant log messages:
      Token Disabled, Suspect Stolen (143)
      Token Disabled, Many Failures (145)
      ACCESS DENIED, Token Disabled (1004)

Note: If you utilize Cross Realm, consult the Admin Guide Troubleshooting section for similar Cross Realm messages.

RSA, The Security Division of EMC, March 18, 2011 (Version 1.0)
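The guidelines above ask you to establish a baseline frequency for these events from archived logs and then watch for unusual increases, keyed on the numeric message identifiers. The script below is an added example of that check and is not RSA's own tooling. The log line layout it parses (timestamp, message text, identifier in parentheses, user and agent fields) is a constructed, simplified format assumed for illustration; adapt the regular expression to whatever export format your Authentication Manager produces. It computes a per-identifier daily baseline from an archived sample, flags realm-wide spikes against that baseline, treats the inherently rare events (replay detection, PIN clears, token disables) as worth reporting on any occurrence, and separately flags individual users accumulating PIN/passcode guessing failures.

```python
"""Baseline-vs-current frequency check for RSA Authentication Manager audit events.

Example code added to this page, not RSA's. The log format below is an
assumption (a constructed, simplified layout); the numeric identifiers are
the ones listed in the guidelines.
"""
import re
from collections import Counter

# Message identifiers from the guidelines and their message text.
WATCHED_EVENTS = {
    1010: "Good Tokencode/Bad PIN Detected",
    1141: "ACCESS DENIED, multiple auths",
    149: "PASSCODE REUSE ATTACK Detected",
    1008: "ACCESS DENIED, PASSCODE Incorrect",
    1001: "ACCESS DENIED, Token ToD Bad",
    1000: "ACCESS DENIED, Next Tokencode Bad",
    144: "Next Tokencode On",
    1002: "Next Tokencode Requested",
    117: "PIN cleared",
    143: "Token Disabled, Suspect Stolen",
    145: "Token Disabled, Many Failures",
    1004: "ACCESS DENIED, Token Disabled",
}
# Rare on a healthy realm: report every occurrence rather than comparing to a baseline.
ALERT_ON_ANY = {149, 117, 143, 145}
# Failures that a PIN- or passcode-guessing attacker produces against one user's token.
GUESS_EVENTS = {1010, 1008, 1000, 1001}

# Assumed line layout: "<YYYY-MM-DD HH:MM:SS> <message> (<id>) user=<login> agent=<host>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.+?) \((?P<id>\d+)\)"
    r" user=(?P<user>\S+) agent=(?P<agent>\S+)$"
)

# Constructed sample data (not real RSA logs): two archived days, then one current day.
ARCHIVED_LOG = """\
2011-03-14 08:02:11 Good Tokencode/Bad PIN Detected (1010) user=asmith agent=vpn1
2011-03-14 09:15:40 ACCESS DENIED, PASSCODE Incorrect (1008) user=bjones agent=vpn1
2011-03-14 17:44:03 Next Tokencode Requested (1002) user=ckim agent=owa1
2011-03-15 08:10:27 ACCESS DENIED, PASSCODE Incorrect (1008) user=asmith agent=vpn1
2011-03-15 12:30:09 Good Tokencode/Bad PIN Detected (1010) user=dlee agent=vpn2
2011-03-15 13:01:55 ACCESS DENIED, PASSCODE Incorrect (1008) user=dlee agent=vpn2
""".splitlines()
ARCHIVED_DAYS = 2

CURRENT_LOG = """\
2011-03-18 02:11:05 Good Tokencode/Bad PIN Detected (1010) user=jdoe agent=vpn1
2011-03-18 02:11:48 Good Tokencode/Bad PIN Detected (1010) user=jdoe agent=vpn1
2011-03-18 02:12:30 Good Tokencode/Bad PIN Detected (1010) user=jdoe agent=vpn1
2011-03-18 02:13:12 Good Tokencode/Bad PIN Detected (1010) user=jdoe agent=vpn1
2011-03-18 02:14:01 Good Tokencode/Bad PIN Detected (1010) user=jdoe agent=vpn1
2011-03-18 02:15:17 Good Tokencode/Bad PIN Detected (1010) user=jdoe agent=vpn1
2011-03-18 02:16:44 Good Tokencode/Bad PIN Detected (1010) user=jdoe agent=vpn1
2011-03-18 02:18:09 Good Tokencode/Bad PIN Detected (1010) user=jdoe agent=vpn1
2011-03-18 02:19:40 ACCESS DENIED, PASSCODE Incorrect (1008) user=jdoe agent=vpn1
2011-03-18 02:20:02 PASSCODE REUSE ATTACK Detected (149) user=jdoe agent=vpn1
2011-03-18 09:05:00 PIN cleared (117) user=mwong agent=admin1
2011-03-18 10:12:33 ACCESS DENIED, PASSCODE Incorrect (1008) user=asmith agent=vpn1
2011-03-18 11:00:00 this line does not match the expected layout and is skipped
""".splitlines()


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "id": int(m["id"]), "msg": m["msg"],
            "user": m["user"], "agent": m["agent"]}


def count_events(lines):
    """Count watched events per (user, identifier); unknown identifiers are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["id"] in WATCHED_EVENTS:
            counts[(rec["user"], rec["id"])] += 1
    return counts


def baseline_rates(archived_lines, days):
    """Average realm-wide daily count of each watched identifier over the archived period."""
    per_id = Counter()
    for (_, eid), n in count_events(archived_lines).items():
        per_id[eid] += n
    return {eid: per_id[eid] / days for eid in WATCHED_EVENTS}


def realm_alerts(current_lines, baseline, window_days=1, factor=5.0, floor=3):
    """Identifiers whose realm-wide count exceeds factor x baseline (never below floor),
    plus any occurrence of the ALERT_ON_ANY identifiers. Returns {id: (count, expected)}."""
    totals = Counter()
    for (_, eid), n in count_events(current_lines).items():
        totals[eid] += n
    alerts = {}
    for eid, n in totals.items():
        expected = baseline.get(eid, 0.0) * window_days
        if eid in ALERT_ON_ANY or n > max(floor, factor * expected):
            alerts[eid] = (n, expected)
    return alerts


def per_user_alerts(current_lines, guess_threshold=5):
    """Users whose PIN/passcode guessing failures reach the threshold in the window."""
    per_user = Counter()
    for (user, eid), n in count_events(current_lines).items():
        if eid in GUESS_EVENTS:
            per_user[user] += n
    return {u: n for u, n in per_user.items() if n >= guess_threshold}


if __name__ == "__main__":
    base = baseline_rates(ARCHIVED_LOG, ARCHIVED_DAYS)
    for eid, (n, expected) in sorted(realm_alerts(CURRENT_LOG, base).items()):
        print(f"REALM  {eid:5d} {WATCHED_EVENTS[eid]:38s} count={n} baseline/day={expected:.2f}")
    for user, n in sorted(per_user_alerts(CURRENT_LOG).items()):
        print(f"USER   {user:10s} guessing failures={n}")
```

The thresholds (a 5x multiplier with a floor of 3, five guessing failures per user) are starting points, not RSA's recommendations; tune them from your own archived logs, and recompute the baseline after token provisioning campaigns or PIN policy changes, which the guidelines note will raise these counts legitimately.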