
RSA Security Advisory Part III

RSA, The Security Division of EMC, March 18, 2011 (Version 1.0)

RSA® Authentication Manager 7.1 Log Monitoring Guidelines

The following document describes audit log messages that will allow your organization to monitor your RSA® Authentication Manager 7.1 systems for unusual authentication activities such as passcode reuse, next tokencode, etc. You should also examine older or archived logs to establish a baseline frequency for these events before proceeding. In addition, some actions, like provisioning new tokens or changing PIN policy, will increase the frequency of these events.

The events that should be monitored are broken into sections based on which report should be used to monitor them.

Authentication Failure Event Report

You can generate a customized “Login Failure Event” Authentication Activity Report for end user authentication events. To generate this report, in addition to your usual customization, choose the following options and values:

1. Choose “Login Event” for the “Activity Key” option
2. Choose “False” for “Display Successful Actions”
3. Choose “True” for “Display Failed Actions”
4. Choose “True” for “Display Warned Actions”

Use this report to monitor the critical authentication events described below.

1. Bad PIN, Good Tokencode Authentication Event

Typical cause: An end user accidentally enters the wrong PIN during an authentication attempt.

Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the PINs for the end user’s RSA SecurID® tokens.

Relevant log messages: Bad PIN, but good tokencode detected for token serial number

2. Bad PIN, Previous Tokencode Authentication Event

Typical cause: An end user accidentally enters the wrong PIN during an authentication attempt. In addition to this, the end user also enters a previous token code.


Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the PINs for an end user’s RSA SecurID tokens and the attacker has a valid but old tokencode.

Relevant log messages: Bad PIN, but previous tokencode detected for token serial number

3. Passcode Reuse Attempt Event

Typical cause: An end user accidentally sends the same passcode for two separate authentication attempts.

Why you should monitor this message: This message may indicate that an attacker is trying to reuse a tokencode in a replay attack.

Relevant log messages: Passcode reuse or previous token code detected for user

4. Good PIN, Bad Tokencode Authentication Event

Typical cause: An end user has entered a valid PIN but accidentally enters the wrong tokencode during an authentication attempt.

Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the tokencode for an end user’s RSA SecurID tokens.

Relevant log messages: Bad tokencode, but good PIN detected for token serial number

5. Failed Authentication Attempt Event

Typical cause: An end user accidentally enters the wrong passcode during an authentication attempt.

Why you should monitor this message: Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the passcode for an end user’s RSA SecurID tokens.


Relevant log messages: “User <user id> attempted to authenticate using authenticator ‘SecurID_Native’. The user belongs to security domain <domain name>” in the Description column of the activity report and “Authentication Method Failed” in the Reason column

6. Next Tokencode Attempt Event

Typical cause: The token clock differs from what the server expects (e.g. a software token with an inaccurate clock, or a hardware token whose time has drifted).

Why you should monitor this message: It is possible that this message indicates that an attacker is trying to submit out-of-date passcodes.

Relevant log messages: Next tokencode mode activated for token serial number

Lockout Authentication Failure Event Report

You can generate a customized “Lockout Failure Event” Authentication Activity Report for end user authentication lockout events. To generate this report, in addition to your usual customization, choose the following options and values:

1. Choose “Lockout Event” for the “Activity Key” option
2. Choose “False” for “Display Successful Actions”
3. Choose “True” for “Display Failed Actions”
4. Choose “True” for “Display Warned Actions”

User Locked Out Event

Typical cause: An end user has entered the wrong passcode multiple times in a row and is now locked out.

Why you should monitor this message: A higher frequency of this message may indicate that an attacker is trying to guess the RSA SecurID token passcode.

Relevant log messages: “User <user id> attempted to authenticate using authenticator ‘SecurID_Native’. The user belongs to security domain <domain name>” in the Description column of the activity report and “Principal locked out” in the Reason column


Administrator Activity Report

You can generate a customized “Clear PIN Event” Administrative Activity Report to track how frequently PINs are being cleared. To generate this report, choose the “Administrator Activity” report template. In addition to your usual customization, choose “Clear Token PIN” for the “Activity Key” option.

Clear PIN Event

Typical cause: An end user has forgotten their PIN, and the PIN is cleared after the Help Desk Administrator verifies the user’s identity.

Why you should monitor this message: This message may indicate that an attacker is attempting a social engineering attack by convincing a Help Desk Administrator to clear the PIN.

Relevant log messages: Clear Token Pin
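The guidelines above boil down to one detection pattern for all of the listed events, in the Authentication Failure, Lockout and Administrator Activity reports alike: establish a baseline frequency from older logs, then alert when the same message appears far more often than that baseline, especially against a single token or user. The following Python script is an added example of that pattern and is not RSA's code. It assumes, which the guidelines do not state, that the activity report has been exported to CSV with the columns timestamp, user, description and reason; the sample rows, token serial numbers, user ids and domain name are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fragments of the "Relevant log messages" quoted in the guidelines.  The
# failed-authentication and lockout events are recognised by the Reason
# column; the rest by the Description column.
DESCRIPTION_PATTERNS = {
    "bad_pin_good_tokencode": "Bad PIN, but good tokencode detected",
    "bad_pin_previous_tokencode": "Bad PIN, but previous tokencode detected",
    "passcode_reuse": "Passcode reuse or previous token code detected",
    "good_pin_bad_tokencode": "Bad tokencode, but good PIN detected",
    "next_tokencode_mode": "Next tokencode mode activated",
    "clear_pin": "Clear Token Pin",
}
REASON_PATTERNS = {
    "user_locked_out": "Principal locked out",
    "failed_authentication": "Authentication Method Failed",
}
SERIAL_RE = re.compile(r"token serial number\s*(\d+)")
TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed export format, not from the guidelines


def classify(description, reason):
    """Map one report row to a watched event name, or None if it is not watched."""
    for name, fragment in DESCRIPTION_PATTERNS.items():
        if fragment.lower() in description.lower():
            return name
    for name, fragment in REASON_PATTERNS.items():
        if fragment.lower() in reason.lower():
            return name
    return None


def parse_report(csv_text):
    """Return the watched events from a CSV export (assumed columns), oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = classify(row["description"], row["reason"])
        if name is None:
            continue
        match = SERIAL_RE.search(row["description"])
        events.append({
            "time": datetime.strptime(row["timestamp"], TIME_FMT),
            "event": name,
            # Subject: the token serial when the message names one, otherwise
            # the user id (passcode reuse, lockout, clear PIN).
            "subject": match.group(1) if match else row["user"],
        })
    return sorted(events, key=lambda e: e["time"])


def hourly_baseline(events):
    """Average events per hour per event type over the span of a historical
    report: the baseline the guidelines say to establish from older logs."""
    if not events:
        return {}
    hours = max(1.0, (events[-1]["time"] - events[0]["time"]).total_seconds() / 3600)
    counts = defaultdict(int)
    for e in events:
        counts[e["event"]] += 1
    return {name: n / hours for name, n in counts.items()}


def max_in_window(times, window):
    """Largest number of (sorted) timestamps inside any sliding window."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def anomalies(events, baseline, window=timedelta(hours=1), factor=3.0, min_count=3):
    """Flag (event, subject) pairs whose count in some window exceeds factor x
    the organisation-wide baseline expectation for that window.  Comparing one
    token or user against the whole-organisation rate is deliberately strict:
    a single token seeing more bad PINs than the organisation normally does is
    the guessing pattern the guidelines describe.  min_count stops a near-zero
    baseline from alerting on a single stray event."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["event"], e["subject"])].append(e["time"])
    alerts = []
    for (name, subject), times in by_key.items():
        expected = baseline.get(name, 0.0) * (window.total_seconds() / 3600)
        observed = max_in_window(times, window)
        if observed >= min_count and observed > factor * expected:
            alerts.append((name, subject, observed, round(expected, 2)))
    return alerts


# Constructed sample exports.  BASELINE_CSV stands in for an archived
# report spanning one quiet day; CURRENT_CSV for the report being reviewed.
BASELINE_CSV = """timestamp,user,description,reason
2011-03-01 00:00:00,bob,"Bad PIN, but good tokencode detected for token serial number 000111222333",
2011-03-01 09:15:00,carol,"Bad tokencode, but good PIN detected for token serial number 000444555666",
2011-03-01 13:40:00,dave,"User dave attempted to authenticate using authenticator SecurID_Native. The user belongs to security domain SystemDomain",Authentication Method Failed
2011-03-02 00:00:00,erin,"Bad PIN, but good tokencode detected for token serial number 000777888999",
"""
CURRENT_CSV = """timestamp,user,description,reason
2011-03-18 09:00:00,grace,"User grace attempted to authenticate using authenticator SecurID_Native. The user belongs to security domain SystemDomain",
2011-03-18 10:00:00,alice,"Bad PIN, but good tokencode detected for token serial number 000123456789",
2011-03-18 10:01:30,alice,"Bad PIN, but good tokencode detected for token serial number 000123456789",
2011-03-18 10:03:00,alice,"Bad PIN, but good tokencode detected for token serial number 000123456789",
2011-03-18 10:04:10,alice,"Bad PIN, but good tokencode detected for token serial number 000123456789",
2011-03-18 10:05:45,alice,"Bad PIN, but good tokencode detected for token serial number 000123456789",
2011-03-18 10:07:00,alice,"Bad PIN, but good tokencode detected for token serial number 000123456789",
2011-03-18 10:08:00,alice,"User alice attempted to authenticate using authenticator SecurID_Native. The user belongs to security domain SystemDomain",Principal locked out
2011-03-18 11:30:00,frank,"Passcode reuse or previous token code detected for user frank",
2011-03-18 14:00:00,helpdesk1,"Clear Token Pin",
"""


def run_example():
    baseline = hourly_baseline(parse_report(BASELINE_CSV))
    return anomalies(parse_report(CURRENT_CSV), baseline)


if __name__ == "__main__":
    for name, subject, observed, expected in run_example():
        print(f"ALERT {name}: subject {subject} seen {observed}x in 1h, baseline expectation {expected}")
```

Running the script flags the six "Bad PIN, but good tokencode" messages against serial 000123456789 inside a few minutes, while the single lockout, passcode-reuse and clear-PIN rows stay below the minimum count and are not reported. The baseline report is the lever the guidelines ask you to set: after a token-provisioning wave or a PIN-policy change, rebuild it from a window that includes that activity so the expected rate rises with it.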