RE: honeypot in conjunction with pen test?

From: Javier Fernandez-Sanguino Pena (jfernandez@germinus.com)
Date: Thu Jun 06 2002 - 04:26:47 EDT


>
> NB: this is a question from the point of view of the customer of a
> pen-test; if that's off-topic for this list my apologies and I'll go
> away.

        IMHO it's perfectly in topic.
>
>
> I've had an interesting circumstance arise. I was a customer of a
> pen test, and had the happy outcome that the testers found
> absolutely nothing, despite the fact that they'd been provided with
(...)

        You were happy, but I expect that the pen-testers were really dumped.
(...)
>
> But the thought occurred to me that a really nice approach to take
> the next time it comes around again on the guitar would be to
> position a honeypot in the facility, just to give the poor scuppers
> something to find, and of course to let us collect positive
> documentation of our own confirming what was done.
>
> Has anybody done this before? How did you choose what services to
> publish in your honeypot? How do you make it believable --- and how
> do you avoid making it so juicy that it blinds the testers to any
> real substance that might actually be there to find elsewhere in the
> tested plant?
>

        Being a pen-tester myself, I have "suffered" the effects of a honeypot,
even one as simple as a CGI pretending to be the old and vulnerable php-fi.
In that pen-test the honeypot was really a waste of time for both the
pen-testing team, the team coordinating the test and the systems
administrators in charge (who probably laughed aloud when we stumbled into
the honeypot).

        It was a waste of time because in our pen-tests we follow a strict
procedure to tell our customers when a high-risk vulnerability is detected:
we do not wait until the end of the test to tell them of this but do so
immediately. However, before doing so we had to re-evaluate whether it was
really a vulnerability; the "honeypot" surely did not work as expected, but
it did seem to be there, so, even if in doubt, we reported it anyway.

        Now, there was a lot of wasted time after detecting this exploitable
vulnerability: reporting it properly, sending it to the person in charge and
moving the report all the way towards the system administrators that had
built the honeypot. Then doing all this backwards again to tell the
pen-testing team that it was really a honeypot.

        IMHO honeypots and pen-tests don't go well together *unless* you want to
test the pen-testing team and evaluate their methods/procedures/technical
expertise in an environment you control directly. Surely I can see that it
can be useful for customers that are not really sure of the pen-testing team
they are hiring and want to supervise their work. However, I do not see how
it might add anything to the pen-test itself.

        Regards

        Javi

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT