RSA Security Advisory Part II
log monitoring guidelines 03 21-2011

RSA® Authentication Manager 5.2/6.1 Log Monitoring Guidelines

The following document describes audit log messages that will allow your organization to monitor your RSA® Authentication Manager 5.2 and 6.1 systems for unusual authentication activity. You should also examine older or archived logs to establish a baseline frequency for these events before proceeding. In addition, some actions like provisioning new tokens or changing PIN policy will increase the frequency of these events.

The number included in parentheses next to the relevant log messages is a unique identifier that can be used to build custom queries.

1. Bad PIN, Good Tokencode Authentications

Typical cause: An end user accidentally enters the wrong PIN during an authentication attempt.

Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the PINs for an end user's RSA SecurID® tokens.

Relevant log messages:
    Good Tokencode/Bad PIN Detected (1010)

2. Passcode Reuse Attempts

Typical cause: An end user accidentally sends the same passcode for two separate authentication attempts.

Why you should monitor this message: This message may indicate that an attacker is trying to reuse a tokencode in a replay attack.

Relevant log messages:
    ACCESS DENIED, multiple auths (1141)
    PASSCODE REUSE ATTACK Detected (149)

3. Failed Authentication Attempts

Typical cause: An end user accidentally enters the wrong passcode during an authentication attempt.

Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the passcode for your RSA SecurID tokens.

Relevant log messages:
    ACCESS DENIED, PASSCODE Incorrect (1008)
    ACCESS DENIED, Token ToD Bad (1001)
    ACCESS DENIED, Next Tokencode Bad (1000)

4. Next Tokencode Attempts

Typical cause: The token clock is different from what the server expects (e.g., a software token with an inaccurate clock, or a hardware token whose time has drifted).

Why you should monitor this message: It is possible that this message indicates that an attacker is trying to submit out-of-date passcodes.

Relevant log messages:
    Next Tokencode On (144)
    Next Tokencode Requested (1002)

5. Cleared PINs

Typical cause: A user has forgotten their PIN, and the PIN is cleared after the Help Desk Administrator verifies the end user's identity.

Why you should monitor this message: This message may indicate that an attacker is attempting a social engineering attack by convincing a Help Desk Administrator to remove the PIN.

Relevant log messages:
    PIN cleared (117)

6. Token Disabled

Typical cause: An end user has entered the wrong passcode multiple times in a row.

Why you should monitor this message: A higher frequency of this message may indicate that an attacker is trying to guess the RSA SecurID token passcode.

Relevant log messages:
    Token Disabled, Suspect Stolen (143)
    Token Disabled, Many Failures (145)
    ACCESS DENIED, Token Disabled (1004)

Note: If you utilize Cross Realm, consult the Admin Guide Troubleshooting section for similar Cross Realm messages.

RSA The Security Division of EMC, March 18, 2011 (Version 1.0)
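As an added example (not part of the advisory), the following Python script applies the guidance above: it parses log lines, counts events by the advisory's identifiers and categories, and flags categories whose count exceeds a multiple of the baseline established from an earlier period. The "<date> <time> <user> <message> (<id>)" line layout, the sample log and the baseline counts are assumptions constructed for this example, not real Authentication Manager output.

```python
import re
from collections import Counter, defaultdict

# Event identifiers and categories as listed in the advisory.
EVENT_CATEGORIES = {
    "bad_pin_good_tokencode": {1010},
    "passcode_reuse": {1141, 149},
    "failed_authentication": {1008, 1001, 1000},
    "next_tokencode": {144, 1002},
    "pin_cleared": {117},
    "token_disabled": {143, 145, 1004},
}
ID_TO_CATEGORY = {i: c for c, ids in EVENT_CATEGORIES.items() for i in ids}
# Assumed line layout, constructed for this example: "<date> <time> <user> <message> (<id>)"
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<user>\S+) (?P<msg>.+) \((?P<id>\d+)\)$")

def parse_line(line):
    # Returns the event as a dict, or None for lines that do not match the layout.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event_id = int(m.group("id"))
    return {"user": m.group("user"), "msg": m.group("msg"),
            "id": event_id, "category": ID_TO_CATEGORY.get(event_id)}

def count_events(lines):
    # Counts advisory events per category, and per user within each category.
    totals, per_user = Counter(), defaultdict(Counter)
    for ev in filter(None, map(parse_line, lines)):
        if ev["category"]:
            totals[ev["category"]] += 1
            per_user[ev["category"]][ev["user"]] += 1
    return totals, per_user

def flag_anomalies(totals, baseline, factor=3.0):
    # Categories whose count exceeds factor x the baseline count for an equal-length period.
    return {c: n for c, n in totals.items() if n > factor * baseline.get(c, 0)}

# Constructed sample log for one period; not real RSA Authentication Manager output.
SAMPLE_LOG = """\
03/21/2011 09:00:01 alice Good Tokencode/Bad PIN Detected (1010)
03/21/2011 09:00:07 alice Good Tokencode/Bad PIN Detected (1010)
03/21/2011 09:00:12 alice Good Tokencode/Bad PIN Detected (1010)
03/21/2011 09:00:18 alice Good Tokencode/Bad PIN Detected (1010)
03/21/2011 09:01:40 bob ACCESS DENIED, PASSCODE Incorrect (1008)
03/21/2011 09:03:11 dave PIN cleared (117)
03/21/2011 09:04:00 admin Some unrelated message (9999)
""".splitlines()
# Baseline counts per category from an equal-length archived period (also constructed).
BASELINE = {"bad_pin_good_tokencode": 1, "failed_authentication": 2, "pin_cleared": 1}

if __name__ == "__main__":
    totals, per_user = count_events(SAMPLE_LOG)
    for cat, n in flag_anomalies(totals, BASELINE).items():
        print(f"{cat}: {n} events vs baseline {BASELINE[cat]}; users {per_user[cat].most_common(3)}")
```

Lines whose identifier is not in the advisory's list (such as the constructed 9999 above) are ignored, and the per-user counter shows which accounts drive a flagged category, which is the first thing to check before treating a spike as anything more than a PIN-policy change or token rollout.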