Some things to look for in your SecurID / Remote Access logs

Wed, Jun 15, 2011

APT, Security How To's

The RSA SecurID token has arguably been the de facto second-factor authenticator for many years. Despite the recent breach at RSA, I do not see many organizations moving to alternate vendors or to other second-factor technologies such as PKI/smart cards or telephone-based solutions. In the wake of the RSA breach, most companies seem to be replacing tokens, hardening their SecurID and Authentication Manager infrastructures, and reviewing the relevant security processes. I have seen a couple of organizations look at adding authentication methods to supplement their existing SecurID deployments for remote access, for example requiring PKI certificates in addition to SecurID. Obviously that capability depends on your remote access vendor. If you are staying with SecurID for remote access authentication, you should be taking a hard look at your access logs. Below are some searches you may find useful if your logging environment can perform them. Some of the searches require the ability to do GeoIP lookups and to calculate temporal data (session durations, time between events for the same user or IP). Many of them will require you to baseline the activity in your environment to reduce false positives.


  • Top 20 Remote Access source IP addresses for the last 30 days
  • Top 20 Remote Access users for the last 30 days
  • Remote Access attempt from non-US IP address
  • Remote Access attempts at “odd” hours
  • Remote Access failures from multiple
  • Remote Access attempts from one IP address for two or more usernames
  • Remote Access attempts for one username from at least two different IP addresses in XX minutes
  • Remote Access attempts for one username from at least two different countries in an X hour period
  • Remote Access sessions of longer than usual duration
  • SecurID authentication attempts involving Invalid / Revoked / Expired tokens
  • SecurID authentication attempts involving one username and multiple token serial numbers
  • SecurID authentication attempts involving one token serial number and multiple usernames
  • SecurID “Right Token code, wrong PIN” messages
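As an added example (not from the original post), here is a small Python script that implements a few of the searches above over constructed sample records: one username from two or more IP addresses within a time window, one IP address used for multiple usernames, one username with multiple token serial numbers, and one token serial number used by multiple usernames. The key=value log format is hypothetical; you would replace parse() with a parser for your Authentication Manager or VPN export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical key=value format, not RSA's real
# log layout; point parse() at your own Authentication Manager / VPN export.
SAMPLE_LOG = """\
2011-06-14T08:01:10 user=alice ip=203.0.113.7 token=000123456789 result=success
2011-06-14T08:03:55 user=bob ip=203.0.113.7 token=000987654321 result=success
2011-06-14T08:20:02 user=alice ip=198.51.100.9 token=000123456789 result=success
2011-06-14T09:00:00 user=carol ip=192.0.2.40 token=000555555555 result=failure
2011-06-14T09:00:30 user=carol ip=192.0.2.40 token=000555555556 result=failure
2011-06-14T11:45:00 user=dave ip=192.0.2.41 token=000555555556 result=success
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) token=(\S+) result=(\S+)$")

def parse(log_text):
    """Return one dict per well-formed record; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, ip, token, result = m.groups()
            records.append({"ts": datetime.fromisoformat(ts), "user": user,
                            "ip": ip, "token": token, "result": result})
    return records

def one_user_many_ips(records, window=timedelta(minutes=30)):
    """Usernames authenticating from two or more source IPs within `window`."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    flagged = set()
    for user, evts in by_user.items():
        evts.sort(key=lambda r: r["ts"])
        for i, a in enumerate(evts):
            for b in evts[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # events are sorted, so nothing later is in the window
                if a["ip"] != b["ip"]:
                    flagged.add(user)
    return flagged

def many_to_one(records, key, value):
    """Each `key` seen with 2+ distinct `value`s: ip->user, user->token, token->user."""
    seen = defaultdict(set)
    for r in records:
        seen[r[key]].add(r[value])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

With the sample records, alice is flagged for two IPs within 30 minutes, 203.0.113.7 for two usernames, carol for two token serials, and serial 000555555556 for two usernames; tune the window and thresholds against your own baseline.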

There are probably others that can be added to the list. Your RSA sales rep can provide you with a copy of their security best practices guide for Authentication Manager as well as their log monitoring guidelines. The NSA's Information Assurance Directorate has also published an unclassified advisory on securing your SecurID infrastructure; if you Google it you should be able to find a copy.

–Chris

This post was written by:

- who has written 180 posts on InfoSecPodcast.com.