
A Sweet Addition in Your Arsenal of Protections

Perimeter security has made leaps and bounds for detecting and preventing attacks. However, rules and detection methods cannot catch everything. The big question is: What should you do once malware or an attacker is in an environment? Answer: Honeypots.

They work as an early-alerting system for complex attacks, and produce very few false positives, when tuned properly, compared to firewalls, IPS, and IDS. The sole purpose of a honeypot is to be probed, attacked, and compromised. This is accomplished by mimicking any resource, service, application, system, or network. All activity between the honeypot and malware/attacker is monitored, alerted on, and analyzed. Some examples of activity can be: scanning for activity of worms or bots, looking for internal threats, detecting compromised nodes, identifying new exploits and vulnerabilities, or capturing new malware.
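To make the mechanism concrete, here is an added example of a minimal low-interaction TCP honeypot (written for this page, not code from the original post or from any honeypot product). It listens on a port that no legitimate client should ever use, presents a fake service banner, records every interaction, and turns the records into alerts. Because nothing legitimate should ever talk to the decoy, any contact is already an alert; the allowlist of authorized scanners and the per-source hit counting are assumed tuning knobs that illustrate how the "few false positives when tuned properly" property is achieved. The banner, the allowlist address and the probe payloads are constructed sample values.

```python
"""Minimal low-interaction TCP honeypot with alert tuning (added example)."""
import json
import socket
import threading
import time
from collections import Counter

# Constructed banner: the decoy pretends to be an SSH service.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
# Constructed allowlist: hosts permitted to probe (e.g. the organization's
# own vulnerability scanner). Tuning this keeps the false-positive rate low.
AUTHORIZED_SCANNERS = {"192.0.2.10"}


class HoneypotLog:
    """Thread-safe store of raw interaction records and the alerts derived from them."""

    def __init__(self, allowlist=frozenset()):
        self._lock = threading.Lock()
        self.events = []          # every interaction, for later analysis
        self.alerts = []          # only what survives tuning
        self._hits = Counter()    # connections seen per source address
        self._allowlist = set(allowlist)

    def record(self, src_ip, src_port, payload):
        event = {
            "ts": time.time(),
            "src_ip": src_ip,
            "src_port": src_port,
            "bytes": len(payload),
            # keep a bounded, printable copy of what the peer sent
            "sample": payload[:64].decode("ascii", "replace"),
        }
        with self._lock:
            self.events.append(event)
            self._hits[src_ip] += 1
            alert = classify(event, self._hits[src_ip], self._allowlist)
            if alert is not None:
                self.alerts.append(alert)
        return alert


def classify(event, hits_from_source, allowlist):
    """Turn one interaction into an alert, or None for an authorized scanner.

    A bare connect is a "touch", sending data is an "interaction", and
    repeated contact from one source is escalated because it looks like
    scanning or brute forcing.
    """
    if event["src_ip"] in allowlist:
        return None
    if hits_from_source >= 3:
        return {"severity": "high", "kind": "repeated-contact", **event}
    if event["bytes"] > 0:
        return {"severity": "medium", "kind": "interaction", **event}
    return {"severity": "low", "kind": "touch", **event}


def serve_forever(listener, log, stop):
    """Accept loop: send the fake banner, collect whatever the peer sends, record it."""
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, (ip, port) = listener.accept()
        except socket.timeout:
            continue
        with conn:
            conn.settimeout(0.5)
            try:
                conn.sendall(FAKE_BANNER)
                data = conn.recv(4096)
            except (socket.timeout, OSError):
                data = b""
            log.record(ip, port, data)


def start_honeypot(log, host="127.0.0.1", port=0):
    """Bind the decoy on a background thread; returns (bound_port, stop_event)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(8)
    stop = threading.Event()
    threading.Thread(target=serve_forever, args=(listener, log, stop), daemon=True).start()
    return listener.getsockname()[1], stop


def probe(port, payload=b""):
    """Constructed client used only to exercise the decoy locally; returns the banner."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(64)
        if payload:
            s.sendall(payload)
    return banner


def wait_for_events(log, count, timeout=3.0):
    """Block until the log holds `count` events or the timeout expires."""
    deadline = time.time() + timeout
    while len(log.events) < count and time.time() < deadline:
        time.sleep(0.05)
    return len(log.events) >= count


if __name__ == "__main__":
    log = HoneypotLog(AUTHORIZED_SCANNERS)
    port, stop = start_honeypot(log)
    probe(port)                         # bare connect -> "touch"
    probe(port, b"root:toor\n")         # sends data   -> "interaction"
    probe(port, b"admin:admin\n")       # third hit    -> "repeated-contact"
    wait_for_events(log, 3)
    stop.set()
    for alert in log.alerts:
        print(json.dumps(alert))
```

The design point is that the decoy does almost nothing: it never executes what it receives, it only records and classifies, which is why a low-interaction honeypot can sit inside a production segment without itself becoming the hole the post warns about. The raw `events` list is what you would ship to a SIEM for analysis; the `alerts` list is what should page someone.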

Honeypots are one of the most underutilized ways to detect a threat once it has hopped the fence of perimeter security. However, the email security industry has relied heavily on the honeypot, or spamtrap, as one of its most widely used and effective ways to detect incoming phishing and spam. Perhaps this disparity exists because honeypots in a production environment are commonly viewed as an insecure hole that allows an attacker into the environment. This should not be the case. A honeypot can be deployed in a normal secured environment, or in an isolated DMZ. Obviously, once a threat has been detected by a honeypot, the normal environment can no longer be referred to as secure. The moment a honeypot has been compromised, a threat has found a way into your environment and all of your servers are exposed. It should be assumed that anything on the network with the honeypot is or will be compromised as well. In this scenario, you still get the benefit of early alerting regarding the compromise.

Deploying a properly isolated honeypot is also worth the effort. Based on the information produced through alerting and reporting, we can gain insights into our operating systems and servers, host protections, and information protections. By monitoring a live infection or attack, we can learn how these areas of the security model are being compromised by threats.

With BYOD being more prevalent every day and attack vectors growing, a detection mechanism such as a honeypot could end up being invaluable.

Matt

Just as a precautionary note: this approach must be implemented with proper expert guidance and strategic planning; otherwise it can introduce unwanted threats into an environment.

The Human Element of Information Security

With all of these security breaches making the news headlines on a weekly (sometimes daily) basis, one can imagine that there is (or should be) a renewed focus on how organizations secure their information assets.

There are many products available on the market which can assist with this task – newer application-based firewalls, Intrusion Detection and Prevention devices, Internet access gateways, Security Information and Event Management (SIEM) and the list goes on.  However, these products will not adequately protect the environment unless they are paid attention to by an information security professional.

In the absence of human attention the symptoms become apparent: unpatched systems, security breaches going unnoticed, misconfigured access control lists and a lack of documentation are just a few of the issues resulting from the lack of human oversight.  When a breach occurs, the cause is often revealed to be simple enough that even a novice security person could have identified it as a potential issue.  It becomes obvious that sufficient resources were not available to properly review these systems or pay attention to the overall security posture of the environment.

It’s hard to believe this bit of common sense is so often overlooked; however, I firmly believe the biggest threats to security today are not deficiencies in electronic security countermeasures but shrinking IT budgets, with the acquisition of the additional security personnel required to ensure the security of the organization’s assets falling by the wayside.

In the public sector, a perception exists that investing in information security offers no value to the business.  However, this mindset has been rigorously tested over the last year with company reputations being (perhaps irreparably) damaged when a security breach occurs, a cost which far exceeds the amount that could have been spent on properly securing their environment.