
RE: FW: Honeytokens and detection

From: Pete Herzog <lists(at)isecom.org>
Date: Sun Apr 27 2003 - 15:40:34 EDT


Hi,

Sure if the honeytoken was to be used for internal policy enforcement it should absolutely be on the secretive side of things. However, I am still unclear about why ALL the tokens must be a secret to work for Internet collaborative enforcement? What if they were public but rotated every month with new ones? Would we be weeding out a good number of bad eggs who are up to no good and the few really clever ones who cross all their t's and dot their i's will be moving stuff with SCP and therefore not necessarily within our target anyways?

So if all the major (A)DSL and Cable Modem providers used an IDS to drop and log any data stream containing the signature from one of 50 or even 500 honeytokens and they shared this signature with each other and a consortium of other network owners, changing the sigs and honeytokens every month, wouldn't this be beneficial for enhancing policy management?

Again, I know it's not a simple task to set up and get people to sign up but the technology and capability is there now. As Frank Knobbe says, this is where intrusion detection blurs with forensics. It's a really interesting concept.

Sincerely,
-pete.

Pete Herzog
Managing Director
Institute for Security and Open Methodologies www.isecom.org
www.osstmm.org

ISECOM is the OSSTMM Professional Security Tester (OPST) and OSSTMM Professional Security Analyst (OPSA) certification authority. Certifying professional, practical, and efficient security testing and analysis.

> -----Original Message-----
> From: Jimi Thompson [mailto:jimit@myrealbox.com]
> Sent: Saturday, April 26, 2003 1:58 AM
> To: lists@isecom.org; FOCUS-IDS@securityfocus.com
> Subject: Re: FW: Honeytokens and detection
>
>
> My experience with most "security incidents" is that they are
> insiders - either disgruntled current employees or ex-employees who
> are targeting a specific system or piece of information. Statistically
> speaking this is fairly standard. The email about the executive
> bonuses at American Airlines pops immediately to mind. Other
> examples are the employee who just wants to trash the database/email
> system/hr application server/phone system because they are angry.
> The moral of the story is that you have to trust who you hire even
> when you have to fire them. Your honeytokens are going to do a bit
> of good in those circumstances. They aren't going to go after an
> account of someone they've never heard of (i.e. your honeytoken).
> They are going to try to crack the HR VP's/CEO/other person they
> know's account that will have the rights to the thing they want or
> want to destroy.
>
> While external intrusions run a very close second to "inside
> jobs", inside jobs still have the lead. Should you stop using them?
> No, but you should be aware of their limitations.
>
> About the sharing thing - the more people who know about it, the less
> likely it is to remain a secret. Secrecy and the number of people
> who know are inversely proportional. By the time you have
> replicated this out to your top 3 suppliers and they have replicated
> it out to their top 3 suppliers, you may as well have released it on
> the Internet.
>
>
>
> At 7:02 PM +0200 4/24/03, Pete Herzog wrote:
> >Sorry for the delay; I thought about this for a while.
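The scheme Pete sketches above (a shared, monthly-rotated list of honeytoken signatures that an IDS at a provider edge matches against data streams, logging and dropping on a hit) can be shown as working code. The following is an added example written for this archive page; it is not code from the list, from ISECOM or from either poster. It assumes the consortium publishes one list of token strings per calendar month, and it makes one design choice the thread does not specify: tokens from the immediately preceding month are still logged (marked "expired") so that data copied just before a rotation does not disappear from the record, but only the current month's tokens produce a drop verdict. Every token and every byte of traffic below is constructed sample data.

```python
"""Honeytoken signature matching with monthly rotation (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed feed: "YYYY-MM" -> tokens in force for that month. In practice
# the consortium would publish this; real tokens are made to look like
# credentials or record identifiers so that copying them is unambiguous.
SHARED_FEED: Dict[str, List[str]] = {
    "2003-03": ["acct-7f2c19b0", "ssn=391-66-2048", "pw:Wq9!tfLmZ2"],
    "2003-04": ["acct-03e8d4aa", "ssn=442-07-9913", "pw:Rk4#bnXs7v"],
    "2003-05": ["acct-b61f5c27", "ssn=518-29-3376", "pw:Ht2$qwPe8c"],
}


@dataclass(frozen=True)
class Hit:
    token: str
    offset: int
    status: str  # "active": in force this month; "expired": last month's token


def month_key(year: int, month: int) -> str:
    return f"{year:04d}-{month:02d}"


def previous_month(year: int, month: int) -> Tuple[int, int]:
    return (year - 1, 12) if month == 1 else (year, month - 1)


def tokens_for(feed: Dict[str, List[str]], year: int, month: int) -> Set[bytes]:
    """Tokens published for one month, as bytes so matching runs on raw payload."""
    return {t.encode() for t in feed.get(month_key(year, month), [])}


def scan_stream(payload: bytes, feed: Dict[str, List[str]],
                year: int, month: int) -> List[Hit]:
    """Return every honeytoken occurrence in a raw stream, in payload order.

    Active tokens are the ones published for (year, month). Tokens from the
    preceding month are still reported with status "expired" (design choice
    of this example) so a copy made before rotation is still visible in logs.
    """
    active = tokens_for(feed, year, month)
    expired = tokens_for(feed, *previous_month(year, month)) - active
    hits: List[Hit] = []
    for tok in sorted(active | expired):
        status = "active" if tok in active else "expired"
        # re.escape handles punctuation inside tokens such as '!' or '$'.
        for m in re.finditer(re.escape(tok), payload):
            hits.append(Hit(tok.decode(), m.start(), status))
    return sorted(hits, key=lambda h: h.offset)


def verdict(hits: List[Hit]) -> str:
    """Only a token in force this month justifies dropping the stream."""
    return "drop" if any(h.status == "active" for h in hits) else "pass"


def log_record(src: str, dst: str, year: int, month: int, hits: List[Hit]) -> str:
    """One line per inspected stream, in a shape fit for sharing with peers."""
    parts = [f"{month_key(year, month)} src={src} dst={dst} verdict={verdict(hits)}"]
    for h in hits:
        parts.append(f"hit token={h.token} offset={h.offset} status={h.status}")
    return " | ".join(parts)


# Constructed traffic: an outbound message that pasted an April-2003 record.
SAMPLE_STREAM = (
    b"MAIL FROM:<user@example.net>\r\n"
    b"Subject: q1 customer extract\r\n\r\n"
    b"customer list attached, includes acct-03e8d4aa and others\r\n"
)

if __name__ == "__main__":
    april_hits = scan_stream(SAMPLE_STREAM, SHARED_FEED, 2003, 4)
    print(log_record("10.0.0.5", "203.0.113.9", 2003, 4, april_hits))
```

Run in April 2003 the sample stream yields one active hit and a drop verdict; the same stream seen in May 2003 is logged as an expired-token hit and passed, and by June the April token is no longer in the lookup at all. Matching 50 to 500 fixed strings with a per-token regular expression is adequate for a demonstration; a production sensor would compile the month's list into a single multi-pattern matcher.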



Received on Mon Apr 28 10:19:14 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:12 EDT

