RSA® Authentication Manager 7.1 Log Monitoring Guidelines
The following document describes audit log messages that will allow your organization to monitor your
RSA® Authentication Manager 7.1 systems for unusual authentication activities such as passcode reuse,
next tokencode, etc. You should also examine older or archived logs to establish a baseline frequency
for these events before proceeding. In addition, some actions like provisioning new tokens or changing
PIN policy will increase the frequency of these events.
The events that should be monitored are broken into sections based on which report should be used to
monitor them.

Authentication Failure Event Report

You can generate a customized “Login Failure Event” Authentication Activity Report for end user
authentication events. To generate this report, in addition to your usual customization, choose the
following options and values:
   1. Choose “Login Event” for “Activity Key” option
   2. Choose “False” for “Display Successful Actions”
   3. Choose “True” for “Display Failed Actions”
   4. Choose “True” for “Display Warned Actions”
Use this report to monitor the critical authentication events described below.


1. Bad PIN, Good Tokencode Authentication Event
    Typical cause:
    An end user accidentally enters the wrong PIN during an authentication attempt.
    Why you should monitor this message:
    Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the
    PINs for the end user’s RSA SecurID® tokens.
    Relevant log messages:
       Bad PIN, but good tokencode detected for token serial number

2. Bad PIN, Previous Tokencode Authentication Event
    Typical cause:
    An end user accidentally enters the wrong PIN during an authentication attempt. In addition to this,
    the end user also enters a previous tokencode.




RSA The Security Division of EMC                                                 March 18, 2011 (Version 1.0)
    Why you should monitor this message:
    Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the
    PINs for an end user’s RSA SecurID tokens and the attacker has a valid but old tokencode.
    Relevant log messages:
       Bad PIN, but previous tokencode detected for token serial number


3. Passcode Reuse Attempt Event
    Typical cause:
    An end user accidentally sends the same passcode for two separate authentication attempts.
    Why you should monitor this message:
    This message may indicate that an attacker is trying to reuse a tokencode in a replay attack.
    Relevant log messages:
       Passcode reuse or previous token code detected for user

4. Good PIN, Bad Tokencode Authentication Event
    Typical cause:
    An end user has entered a valid PIN but accidentally enters the wrong tokencode during an
    authentication attempt.
    Why you should monitor this message:
    Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the
    tokencode for an end user’s RSA SecurID tokens.
    Relevant log messages:
       Bad tokencode, but good PIN detected for token serial number


5. Failed Authentication Attempt Event
    Typical cause:
    An end user accidentally enters the wrong passcode during an authentication attempt.
    Why you should monitor this message:
    Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the
    passcode for an end user’s RSA SecurID tokens.




    Relevant log messages:
       “User <user id> attempted to authenticate using authenticator “SecurID_Native”. The user
    belongs to security domain <domain name>” in the Description column of the activity report and
    “Authentication Method Failed” in the Reason column

6. Next Tokencode Attempt Event
    Typical cause:
    The token clock differs from what the server expects (e.g., a software token with an
    inaccurate clock, or a hardware token whose time has drifted).
    Why you should monitor this message:
    It is possible that this message indicates that an attacker is trying to submit out-of-date passcodes.
    Relevant log messages:
       Next tokencode mode activated for token serial number


Lockout Authentication Failure Event Report


You can generate a customized “Lockout Failure Event” Authentication Activity Report for end user
authentication lockout events. To generate this report, in addition to your usual customization, choose
the following options and values:
    1.   Choose “Lockout Event” for “Activity Key” option
    2.   Choose “False” for “Display Successful Actions”
    3.   Choose “True” for “Display Failed Actions”
    4.   Choose “True” for “Display Warned Actions”

User Locked Out Event
    Typical cause:
    An end user has entered the wrong passcode multiple sequential times and is now locked out.
    Why you should monitor this message:
    A higher frequency of this message may indicate that an attacker is trying to guess the RSA SecurID
    token passcode.
    Relevant log messages:
        “User <user id> attempted to authenticate using authenticator “SecurID_Native”. The user
    belongs to security domain <domain name>” in the Description column of the activity report and
    “Principal locked out” in the Reason column

Administrator Activity Report

You can generate a customized “Clear PIN Event” Administrative Activity Report to track how
frequently PINs are being cleared. To generate this report, choose the “Administrator Activity” report
template. In addition to your usual customization, choose “Clear Token PIN” for the “Activity Key” option.

Clear PIN Event

    Typical cause:
    An end user has forgotten their PIN and the PIN is cleared after the Help Desk
    Administrator verifies the user’s identity.
    Why you should monitor this message:
    This message may indicate that an attacker is attempting a social engineering attack by convincing
    a Help Desk Administrator to clear the PIN.
    Relevant log messages:
       Clear Token Pin
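
The following is an added example, not part of the RSA document or product: a Python sketch that builds a per-day baseline from archived report exports and flags days on which a monitored event exceeds it. The CSV layout (date, description, reason columns), the mean + k * standard deviation threshold, and all sample rows are assumptions made for illustration; only the message substrings come from the guideline.

```python
import csv
import io
import statistics
from collections import defaultdict

# Substrings from the guideline's "Relevant log messages" entries, matched
# case-insensitively against Description + Reason. The first match wins.
EVENT_PATTERNS = {
    "bad_pin_good_tokencode": "Bad PIN, but good tokencode detected",
    "bad_pin_previous_tokencode": "Bad PIN, but previous tokencode detected",
    "passcode_reuse": "Passcode reuse or previous token code detected",
    "good_pin_bad_tokencode": "Bad tokencode, but good PIN detected",
    "next_tokencode": "Next tokencode mode activated",
    "locked_out": "Principal locked out",
    "auth_method_failed": "Authentication Method Failed",
    "clear_pin": "Clear Token Pin",
}


def classify(description, reason=""):
    """Return the monitored event name for one report row, or None."""
    text = f"{description} {reason}".lower()
    for name, needle in EVENT_PATTERNS.items():
        if needle.lower() in text:
            return name
    return None


def daily_counts(report_csv):
    """Return (counts[event][day], sorted days) for an exported report.

    Assumed export layout: CSV with date, description, reason columns.
    """
    counts = defaultdict(lambda: defaultdict(int))
    days = set()
    for row in csv.DictReader(io.StringIO(report_csv)):
        days.add(row["date"])  # days without monitored events count as zero
        event = classify(row["description"], row.get("reason") or "")
        if event:
            counts[event][row["date"]] += 1
    return counts, sorted(days)


def find_spikes(baseline_csv, current_csv, k=3.0):
    """List (event, day, count, threshold) where count > mean + k * stdev."""
    base, base_days = daily_counts(baseline_csv)
    current, current_days = daily_counts(current_csv)
    spikes = []
    for event in EVENT_PATTERNS:
        history = [base[event][d] for d in base_days] or [0]
        threshold = statistics.mean(history) + k * statistics.pstdev(history)
        for day in current_days:
            if current[event][day] > threshold:
                spikes.append((event, day, current[event][day], round(threshold, 2)))
    return spikes


def build_report(per_day):
    """Build a constructed sample report from {day: [((desc, reason), n)]}."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["date", "description", "reason"])
    for day, events in per_day.items():
        for (description, reason), n in events:
            writer.writerows([[day, description, reason]] * n)
    return out.getvalue()


# Constructed sample data: serial, user and domain are placeholders.
BAD_PIN = ("Bad PIN, but good tokencode detected for token serial number 000000000001", "")
REUSE = ("Passcode reuse or previous token code detected for user example_user", "")
LOCKED = ('User example_user attempted to authenticate using authenticator '
          '"SecurID_Native". The user belongs to security domain ExampleDomain',
          "Principal locked out")
BASELINE = build_report({
    f"2011-03-0{i}": [(BAD_PIN, bad_pin), (LOCKED, locked)]
    for i, (bad_pin, locked) in enumerate([(2, 0), (1, 1), (3, 0), (2, 0), (2, 1)], 1)
})
CURRENT = build_report({"2011-03-18": [(BAD_PIN, 9), (LOCKED, 1), (REUSE, 1)]})

if __name__ == "__main__":
    for spike in find_spikes(BASELINE, CURRENT):
        print(spike)
```

Because the guideline notes that provisioning new tokens or changing PIN policy raises event frequency, rebuild the baseline after such changes rather than alerting against the old one.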




RSA Security Advisory Part III
