RSA Security Advisory Part III
Upcoming SlideShare
Loading in...5
×
 

RSA Security Advisory Part III

on

  • 9,979 views

Am 71 log monitoring guidelines 03 21-2011

Am 71 log monitoring guidelines 03 21-2011

Statistics

Views

Total Views
9,979
Views on SlideShare
9,979
Embed Views
0

Actions

Likes
0
Downloads
49
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

RSA Security Advisory Part III RSA Security Advisory Part III Document Transcript

  • RSA® Authentication Manager 7.1 Log Monitoring GuidelinesThe following document describes audit log messages that will allow your organization to monitor yourRSA®Authentication Manager 7.1 systems for unusual authentication activities such as passcode reuse,next tokencode, etc. You should also examine older or archived logs to establish a baseline frequencyfor these events before proceeding. In addition, some actions like provisioning new tokens or changingPIN policy will increase the frequency of these events.The events that should be monitored are broken into sections based on which report should be used tomonitor them.Authentication Failure Event ReportYou can generate a customized “Login Failure Event” Authentication Activity Report for end userauthentication events. To generate this report, in addition to your usual customization choose thefollowing options and values: 1. Choose “Login Event” for “Activity Key” option 2. Choose “False” for “Display Successful Actions” 3. Choose “True” for “Display Failed Actions” 4. Choose “True” for “Display Warned Actions”Use this report to monitor the critical authentication events described below.1. Bad PIN, Good Tokencode Authentication Event Typical cause: An end user accidently enters the wrong PIN during an authentication attempt. Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the PINs for the end user’s RSA SecurID® tokens. Relevant log messages: Bad PIN, but good tokencode detected for token serial number2. Bad PIN, Previous Tokencode Authentication Event Typical cause: An end user accidently enters the wrong PIN during an authentication attempt. In addition to this, the end user also enters a previous token codeRSA The Security Division of EMC March 18, 2011 (Version 1.0)
  • Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the PINs for and end user’s RSA SecurID tokens and the attacker has a valid but old tokencode. Relevant log messages: Bad PIN, but previous tokencode detected for token serial number3. Passcode Reuse Attempt Event Typical cause: An end user accidently sends the same passcode for two separate authentication attempts. Why you should monitor this message: This message may indicate that an attacker is trying to reuse a tokencode in a replay attack. Relevant log messages: Passcode reuse or previous token code detected for user4. Good PIN, Bad Tokencode Authentication Event Typical cause: An end user has entered a valid PIN but accidently enters the wrong tokencode during an authentication attempt. Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the tokencode for an end user’s RSA SecurID tokens. Relevant log messages: Bad tokencode, but good PIN detected for token serial number5. Failed Authentication Attempt Event Typical cause: An end user accidently enters the wrong passcode during an authentication attempt. Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the passcode for an end user’s RSA SecurID tokens.RSA The Security Division of EMC Page 2
  • Relevant log messages: “User <user id> attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain <domain name>” in the Description column of the activity report and “Authentication Method Failed” in the Reason column6. Next Tokencode Attempt Event Typical cause: The token clock is different than what is expected by the server. (e.g. a software token with an inaccurate clock or the hardware token time has drifted) Why you should monitor this message: It is possible that this message indicates that an attacker is trying to submit out-of-date passcodes. Relevant log messages: Next tokencode mode activated for token serial numberLockout Authentication Failure Event ReportYou can generate a customized “Lockout Failure Event” Authentication Activity Report for end userauthentication lockout events. To generate this report, in addition to your usual customization, choosethe following options and values: 1. Choose “Lockout Event” for “Activity Key” option 2. Choose “False” for “Display Successful Actions” 3. Choose “True” for “Display Failed Actions” 4. Choose “True” for “Display Warned Actions”User Locked Out Event Typical cause: An end user has entered the wrong passcode multiple sequential times and is now locked out. Why you should monitor this message: A higher frequency of this message may indicate that an attacker is trying to guess the RSA SecurID token passcode. Relevant log messages: “User <user id> attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain <domain name>” in the Description column of the activity report and “Principal locked out” in the Reason columnRSA The Security Division of EMC Page 3
  • Administrator Activity ReportYou can generate a customized “Clear PIN Event” Administrative Activity Report to track howfrequently PINs are being cleared. To generate this report, choose “Administrator Activity” reporttemplate. In addition to your usual customization, choose “Clear Token PIN for “Activity Key” option.Clear Pin Event Typical cause: An end user has forgotten the end user’s PIN and the PIN is cleared after the Help Desk Administrator verifies the user’s identity. Why you should monitor this message: This message may indicate that an attacker is attempting a social engineering attack by convincing a Help Desk Administrator to clear the PIN. Relevant log messages: Clear Token PinRSA The Security Division of EMC Page 4