What security risks do enterprise honeypots pose?

BROWSE BY TAG Network Intrusion Detection (IDS),   Network Intrusion Detection and Analysis,   Enterprise Network Security,   Network Intrusion Prevention (IPS),   Expert Archive: Information Security Threats,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Network Intrusion Detection (IDS) Preventing SQL injection attacks: A network admin's perspective Lifecycle of a network security vulnerability Best Intrusion Prevention and Detection Products Rogue AP containment methods SIMs tools and tactics for business intelligence IPS and IDS deployment strategies Know when you need IDS, IPS or both Trend Micro to acquire Third Brigade for virtualization, cloud security New product aims to control rogue applications that avoid firewalls How to perform a network forensic analysis and investigation Network Intrusion Detection (IDS) Research Network Intrusion Prevention (IPS) Aligning network security with business priorities Best Intrusion Prevention and Detection Products Port scan attack prevention best practices Lesson 4: How to use wireless IPS Lesson 1 quiz: Risky business Hacker attack techniques and tactics: Understanding hacking strategies SIMs tools and tactics for business intelligence IPS and IDS deployment strategies I'll be watching you: Wireless IPS Know when you need IDS, IPS or both Network Intrusion Prevention (IPS) Research Expert Archive: Information Security Threats The telltale signs of a network attack Will Google Chrome enhance overall browser security? Are there antivirus suites that pick up more than just run-of-the-mill viruses? What tools can a hacker use to crack a laptop password? Are social networking sites an easy target for malicious hackers? What are the dangers of cross-site request forgery attacks (CSRF)? Should social engineering tests be included in penetration testing? What kind of data is compromised during a Google hack? Best practices for using restriction policy whitelists Defining mobile device security concerns

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Diffie-Hellman key exchange  (SearchSecurity.com) Einstein  (SearchSecurity.com) HIDS/NIDS  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) ultrasound  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Honeypots can provide a great deal of insight into an environment's attack activity, and I encourage you to consider them. However, be careful! There are some significant issues that require careful consideration and planning before an enterprise honeypot deployment.

One of the best sources of honeypot information is the Honey Project, led by Lance Spitzner. I'm an alum of that project, and I had a great deal of fun taking part in it. Over the years, I also learned a lot by reading the great research papers at www.honeynet.org.

A honeypot, by definition, is typically a computer that has no actual production use, other than to act as fly paper for attackers. Designed to look unprotected and inviting, its purpose is to lure in malicious hackers to either isolate them or simply learn about their methods. There are a number of variations on the theme beyond full-blown end systems. Honeypot accounts -- that have no production use -- can detect password-guessing attacks; honey tokens, which may include cookies, files, and other data elements, can also be used to track malicious hackers.

Regardless of the honeypot being used, you have to be careful about its compromise and misuse. If a bad guy takes over a honeypot machine and starts using it as a launch point to attack other systems, or worse yet, other enterprises, you have a serious problem. Not only could that spell severe consequences for your career advancement, but you could also be held liable for damages resulting from the honeypot misuse.

Thus, make sure you limit any honeypot's ability to interact with other network systems. The honeypot can be firewalled off, or its connections can be limited by a network-based IPS tool. Monitor your honeypot carefully, using host-based IDS and IPS products. When the detection and prevention systems recognize an attacker, respond quickly before the hacker can cause damage elsewhere in your environment.

Finally, it's important to talk with your lawyers about any legal issues that may arise from enterprise honeypot monitoring and deployment.

More information: