I'm auditing our company's RSA system and stumbled on a file share with RSA backup files. Obviously, this should be tightened down, but it begs the question: what could an attacker do if they obtained a copy of a company's RSA backup file? What, if anything, can they extract from it that would put the company at risk? Could they exfiltrate it, rebuild a new instance of the RSA environment, restore this into an alternate environment and gain access to our RSA users' and tokens' info? Please advise.
It is a risk to have backup files reachable by anyone who is not 'the RSA superadmin whose role might be to rebuild the environment.'

It poses a risk of revealing:

- the name, IP, and patch version of the RSA server that created it... this will be in the clear. This is unique info and is some risk to reveal names and IPs of systems. If someone has access to the backup file, it might be trivial to know that information beforehand. This is in the clear so that if you do need to restore a backup, and have many to choose from, and do not have or forgot how and what they came from... you can discover which one is the one you want and what patch version you can restore it to...
- inside the file... are directory names of the structure of the backup... these are in the clear (nothing new here, all RSA backups would have the same info)
- but all the contents beyond that are encrypted, and can only be decrypted using the operations console of the target RSA Primary, and the password that was used at the time that backup was made, on the source RSA Primary.

Anyhow, if someone has access to an RSA backup, and they shouldn't, there are greater security concerns than the strength of the password that created that backup file.