
Page 1: RSA Security Advisory Part II

RSA The Security Division of EMC March 18, 2011 (Version 1.0)

RSA® Authentication Manager 5.2/6.1 Log Monitoring Guidelines

The following document describes audit log messages that will allow your organization to monitor your RSA® Authentication Manager 5.2 and 6.1 systems for unusual authentication activity. You should also examine older or archived logs to establish a baseline frequency for these events before proceeding. In addition, some actions like provisioning new tokens or changing PIN policy will increase the frequency of these events.

The number included in parentheses next to the relevant log messages is a unique identifier that can be used to build custom queries.

1. Bad PIN, Good Tokencode Authentications

Typical cause: An end user accidentally enters the wrong PIN during an authentication attempt.

Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the PINs for an end user’s RSA SecurID® tokens.

Relevant log messages: Good Tokencode/Bad PIN Detected (1010)

2. Passcode Reuse Attempts

Typical cause: An end user accidentally sends the same passcode for two separate authentication attempts.

Why you should monitor this message: This message may indicate that an attacker is trying to reuse a tokencode in a replay attack.

Relevant log messages:
ACCESS DENIED, multiple auths (1141)
PASSCODE REUSE ATTACK Detected (149)

3. Failed Authentication Attempts

Typical cause: An end user accidentally enters the wrong passcode during an authentication attempt.

Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the passcode for your RSA SecurID tokens.

Relevant log messages:
ACCESS DENIED, PASSCODE Incorrect (1008)
ACCESS DENIED, Token ToD Bad (1001)
ACCESS DENIED, Next Tokencode Bad (1000)

4. Next Tokencode Attempts

Typical cause: The token clock differs from what the server expects (e.g., a software token with an inaccurate clock, or a hardware token whose time has drifted).

Why you should monitor this message: It is possible that this message indicates that an attacker is trying to submit out-of-date passcodes.

Relevant log messages:
Next Tokencode On (144)
Next Tokencode Requested (1002)

5. Cleared PINs

Typical cause: A user has forgotten their PIN, and the PIN is cleared after the Help Desk Administrator verifies the end user’s identity.

Why you should monitor this message: This message may indicate that an attacker is attempting a social engineering attack by convincing a Help Desk Administrator to remove the PIN.

Relevant log messages: PIN cleared (117)

6. Token Disabled

Typical cause: An end user has entered the wrong passcode several times in a row.

Why you should monitor this message: A higher frequency of this message may indicate that an attacker is trying to guess the RSA SecurID token passcode.

Relevant log messages:
Token Disabled, Suspect Stolen (143)
Token Disabled, Many Failures (145)
ACCESS DENIED, Token Disabled (1004)
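As an added illustration of the baseline comparison the guidelines call for, the following Python script counts the event identifiers listed in sections 1 to 6 per user and flags any count that exceeds a multiple of the frequency established from older or archived logs. This is not RSA's code; the line layout of the exported audit log, the sample lines and the baseline values are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Event identifiers quoted in the guidelines above, keyed by the number in parentheses.
MONITORED_EVENTS = {
    1010: "Good Tokencode/Bad PIN Detected",
    1141: "ACCESS DENIED, multiple auths",
    149: "PASSCODE REUSE ATTACK Detected",
    1008: "ACCESS DENIED, PASSCODE Incorrect",
    1001: "ACCESS DENIED, Token ToD Bad",
    1000: "ACCESS DENIED, Next Tokencode Bad",
    144: "Next Tokencode On",
    1002: "Next Tokencode Requested",
    117: "PIN cleared",
    143: "Token Disabled, Suspect Stolen",
    145: "Token Disabled, Many Failures",
    1004: "ACCESS DENIED, Token Disabled",
}

# Assumed export layout (hypothetical, not the product's real format): "<date> <time> <event_id> <user> <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\S+) (.*)$")

def parse_line(line):
    """Return (event_id, user) when the line carries a monitored event, else None."""
    m = LINE_RE.match(line.strip())
    if not m or int(m.group(2)) not in MONITORED_EVENTS:
        return None
    return int(m.group(2)), m.group(3)

def find_anomalies(lines, baseline, factor=3):
    """Count monitored events per (event_id, user) and flag pairs above factor x baseline.
    baseline maps event_id -> typical per-user count for the same window (from archived logs);
    an event id with no baseline entry is flagged on its first occurrence."""
    counts = Counter(p for p in map(parse_line, lines) if p)
    alerts = []
    for (event_id, user), n in sorted(counts.items()):
        if n > baseline.get(event_id, 0) * factor:
            alerts.append((user, event_id, MONITORED_EVENTS[event_id], n))
    return alerts

# Constructed sample log covering one hour (not real RSA output).
SAMPLE_LOG = """\
2011-03-18 09:00:01 1010 alice Good Tokencode/Bad PIN Detected
2011-03-18 09:00:05 1010 alice Good Tokencode/Bad PIN Detected
2011-03-18 09:00:09 1010 alice Good Tokencode/Bad PIN Detected
2011-03-18 09:00:13 1010 alice Good Tokencode/Bad PIN Detected
2011-03-18 09:01:00 1008 bob ACCESS DENIED, PASSCODE Incorrect
2011-03-18 09:02:00 117 carol PIN cleared
2011-03-18 09:03:00 5000 dave Unrelated event
""".splitlines()
BASELINE = {1010: 1, 1008: 2}  # constructed per-user hourly baseline taken from archived logs
```

Running `find_anomalies(SAMPLE_LOG, BASELINE)` flags alice (four bad-PIN events against a baseline of one) and carol (a PIN clear with no baseline), while bob's single passcode failure stays under threshold.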

Note: If you utilize Cross Realm, consult the Admin Guide Troubleshooting section for similar Cross Realm messages.