I'm auditing our company's RSA system and stumbled on a file share with RSA backup files. Obviously, this should be tightened down, but it begs the questions, what could an attacker do if they obtained a copy of a company's RSAbackup file?? What if anything can they extract from it that would put the company at risk? Could they exfiltrate it, rebuild a new instance of the RSA environment and restore this into an alternate environment and gain access to our RSA users, tokens info? Please advise.
Hi Joseph,
I have moved this thread to the RSA SecurID Access so that you can get an answer to your question.
You can post future questions and discussions directly to that community by clicking on the Ask a Question or Start a Discussion button on the RSA SecurID Access page.
Thanks,
Jeff
It is a risk to have backup files reachable by anyone who is not 'the RSA superadmin whose role might be
to rebuild the environment.'
It poses risk of revealing:
-the name, IP, and patch version of the RSA server that created it...this will be in the clear.
This is unique info and is some risk to reveal names and IP's of systems. If someone has access
to the backup file, it might be trival to know that information beforehand.
This is in the clear so that if you do need to restore a backup, and have many to choose from, and do
not have or forgot how and what they came from...you can discover which one
is the one you want and what patch version you can restore it to...
-inside the file... are directory names of the structure of the backup...these are in the clear
(nothing new here, all RSA backups would have the same info)
-but all the contents beyond that are encrypted,
and can only be decrypted using the operations console of the target RSA Primary,
and the password that was used at the time that backup was made, on the source RSA Primary.
Anyhow, if someone has access to an RSAbackup, and they shouldn't, there are greater security concerns
than the strength of the password that created that backup file.
Thanks for the response Edward. I do not disagree. The backup files shoud NOT be accessible to anyone other than the RSA administrators. This is an audit finding for sure. The real question was what could someone learn or do with a copy of that backup which you addressed. The assumption is the bad actor has already breached our exterior perimeter (a BIG assumption) and is now inside our network on a compromised machine looking/browsing around for info and ways to elevate their privileges. and they stumble up on this RSA backup - how much damage could they do if they could exfiltrate it to the outside.
1) learn info about the name, ip and RSA version#.
2) learn the directory names of the backup file structure.
You made a comment about needing access to the operations console of the target RSA primary machine. So, am I correct in understanding that if someone exported the backup file and was able to crack the password, that they COULD NOT restore the backup off-site somewhere in the wild in a new environment with access to the operations console of the RSA primary machine?
I question if this is true? That implies the backup is useless without the password AND the original primary machine (or VM).
However in a disaster, should the primary machine (either physical or virtual) go down, all one has left is the backup file containing the system configuration - which one assumes is required to rebuild an environment??? Can you please clarify. Are you suggesting the backup is useless without the primary RSA server for recovery?
It is a risk to have backup files reachable by anyone who is not 'the RSA superadmin whose role might be
to rebuild the environment.'
It poses risk of revealing:
-the name, IP, and patch version of the RSA server that created it...this will be in the clear.
This is unique info and is some risk to reveal names and IP's of systems. If someone has access
to the backup file, it might be trival to know that information beforehand.
This is in the clear so that if you do need to restore a backup, and have many to choose from, and do
not have or forgot how and what they came from...you can discover which one
is the one you want and what patch version you can restore it to...
-inside the file... are directory names of the structure of the backup...these are in the clear
(nothing new here, all RSA backups would have the same info)
-but all the contents beyond that are encrypted,
and can only be decrypted using the operations console of the target RSA Primary,
and the password that was used at the time that backup was made, on the source RSA Primary.
Anyhow, if someone has access to an RSAbackup, and they shouldn't, there are greater security concerns
than the strength of the password that created that backup file.