
'Honey pot' traps can get you out of a sticky security situation

posted on July 24, 2001
by hitbsecnews


SECURITY can seem at times like an impossible task. The threats keep increasing and changing. The data to be protected keeps growing, changing and becoming more decentralised. The use of the internet and online systems keeps escalating, creating more risk.

Viruses, external intrusion via the internet, data manipulation, theft of data, fraud, and malicious damage are just some of the everyday problems. Of course the biggest and most consistent threat is internal. The FBI found that 70 per cent of all hacks come from the inside.

Employees can get up to all sorts of things they shouldn't. Accessing restricted systems, for example, or cracking another employee's password. They might use someone else's account while they go for a break or run programmes they're not entitled to. If they're more malicious, they could introduce viruses or in the most serious cases, commit fraud.

Traditionally, security issues are tackled by formulating a security policy, educating staff in the importance of security, and employing appropriate tools such as anti-virus software, VPNs and firewalls. These measures can be further enhanced by more sophisticated measures such as firewall reporting, access reporting and traffic analysis so you can detect any suspicious activity.

Key word tracking is useful, for example, to prevent unauthorised data being mailed to competitors. Security analysers can throw tests at your system to test for weak spots. Intrusion detection and content inspections are also very useful tools.

However, the fact remains that absolute security in the real world is absolutely impractical. In the real world there are many challenges, such as the lack of financial resources, the lack of skilled staff and the lack of enough time to cope with the potential hazards.

One proactive and relatively simple way of ensuring a second line of defence is to set up a "honey pot" trap. Honey pot systems are decoy servers or systems set up to gather information regarding an attacker or intruder into your system.

Honey pot traps tempt intruders into areas which appear attractive, worth investigating and easy to access, taking them away from the really sensitive areas of your systems. They do not replace other traditional internet security systems but act as an additional safeguard with alarms.

In a sense, they are variants of standard intruder detection systems, but with more of a focus on information gathering and deception. They work best alongside standard intrusion detection which provides the means by which unwelcome visitors can be identified.

Alarms can be put around honey pots so when someone enters them, you can monitor exactly what is going on.
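One way to put an alarm around a decoy, shown as an added example that is not part of the original article: a low-interaction TCP listener that offers a fake login prompt and records every connection as an alarm event. The class names, the `payroll-decoy` label and the banner are hypothetical, and the demo binds to loopback only.

```python
import json, socket, socketserver, threading, time

class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        # Nobody has a legitimate reason to connect here, so any touch is an alarm.
        self.request.settimeout(2.0)
        try:
            self.request.sendall(self.server.banner)
            data = self.request.recv(256)
        except (socket.timeout, OSError):
            data = b""
        self.server.raise_alarm(self.client_address, data)

class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, name, banner=b"login: "):
        super().__init__(addr, DecoyHandler)
        self.name, self.banner = name, banner   # hypothetical decoy label and prompt
        self.alarms, self._lock = [], threading.Lock()

    def raise_alarm(self, peer, data):
        event = {
            "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "decoy": self.name,
            "src_ip": peer[0],
            "src_port": peer[1],
            "first_bytes": data[:64].decode("latin-1"),  # what the visitor typed first
        }
        with self._lock:
            self.alarms.append(event)
        print(json.dumps(event), flush=True)  # one JSON line per touch, for log collection

def demo():
    # Constructed test: start the decoy on a free loopback port and touch it once.
    server = DecoyServer(("127.0.0.1", 0), name="payroll-decoy")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    with socket.create_connection(server.server_address, timeout=2) as client:
        client.recv(64)              # read the fake prompt
        client.sendall(b"admin\n")   # constructed input standing in for a visitor
    deadline = time.time() + 2
    while not server.alarms and time.time() < deadline:
        time.sleep(0.05)
    server.shutdown()
    server.server_close()
    return server.alarms

if __name__ == "__main__":
    demo()
```

Feeding the JSON lines into the existing intrusion detection or log pipeline gives the monitoring the article describes without the decoy ever holding real data.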

You can set up honey pot traps for internal, external and remote access systems. Externally, you may want to put them on firewalls and pretend to be vulnerable. You could also put them on routers, to feign access. On web servers, you can direct attempted access to sacrificial servers.

Internally, there are certain key areas such as human resources and payroll, which attract employees. You also need to protect the corporate database and of course, sensitive areas such as R&D.

One method of doing this is to re-use test systems and rename them as live systems. Or you could recycle old systems into honey traps. For remote access, you may connect dial-up modems to "decoy" servers or with VPNs you can direct intruders to decoy networks.

If you catch someone in an internal honey pot, what do you do? Well, you don't automatically sack them. Monitor what they are doing and learn where your vulnerabilities are. Use the knowledge to change your security policies and use the event to send out generalised messages reminding staff groups not to enter unauthorised areas.

For example, if you detect someone in a payroll system honey pot, send out an e-mail to their department. Say that you're aware that people from that department are actually trying to break into the payroll system and it will be a disciplinary offence if they are caught. This should scare people from trying it again.

There are those who say that honey pot traps with lower security than core systems will not attract unauthorised users, because they will not be fooled by them. This is simply not true - 82 per cent of British industry doesn't even have a firewall, so hackers are used to systems that are vulnerable.

It's easy to spend your life worrying whether your systems are secure. It's a fact that there is no such thing as absolute security. In these circumstances it makes sense to have a second line of defence. Honey pot traps can distract intruders from your valuable data and send them to a harmless area, leaving you to take appropriate action.

Ian Kilpatrick is managing director of Wick Hill Group, specialists in infrastructure solutions for e-business.

SNP.
