From: jason@kaddywampus.org
Date: Fri Mar 14 2008 - 16:23:58 EST
I think honeypots are great for research and invaluable to the security
profession. But research should be done by the those that have the time
to do it.
If an organization has a security group with time on their hands to deal
with honeypots, I would be surprised. There are many more priorities for
an organization.
The honeypot is a research project, not a security project. Security
professionals working in security groups should subscribe to honeypot
research data and use it accordingly.
However, a honeypot research project would like prove more valuable if
they could deploy honeypots across different organizations and gather the
intel they provide. A dispersed honeypot research project that had the
cooperation of corporate and government organizations would help to show
trending and other attack data.
> You want discussion, so I'll throw a hand in.
>
> What security benefit is there to "trapping attackers" and/or watching
> their behavior/action? I think that may make great research, but I'm not
> sure how many people or organizations will benefit from that added
> knowledge. Will it make the organization more secure?
>
> The other side of this is giving attackers an easy target to trigger your
> alarms so you know they're present. This is a basic tripwire type of
> alarm. Only instead of alarming on actual valuable stuff, you'll get many
> more positive hits because you're alarming on giveaway stuff. Maybe this
> will alert before your jewels are stolen, but again the value/time side of
> this is still arguable.
>
> I'm certainly no expert, but if you make this too easy, are you opening
> yourself up to entrapment, or at the very least the inability to prosecute
> if you seemingly welcomed the intruder in? I really don't know, but I'm
> sure others do.
>
> This isn't to say I want to discourage your work here. I think you should
> continue to pursue it. While I might speak about alarming only on the
> things you're trying to protect, I do tend to be a network control freak
> and prefer the heartbeat of my network close at my fingertips...and
> alarming on even smaller things is useful information to alert me to
> potential problems early.
>
> Soapbox: I think it is dangerous to speak too highly of honeypots or
> honeypot-like tripwires. While I do believe in their value for research
> and curiosity, honeypots in an organization can be extremely dangerous
> when tended by non-experts. Besides, there are so many more valuable tasks
> to do in most orgs.
>
>
>
> <- snip ->
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:28 EDT