Re: honeypot in conjunction with pen test?

From: Mike Riley (mike@akitanet.co.uk)
Date: 06/06/02


From: "Mike Riley" <mike@akitanet.co.uk>
To: <pen-test@securityfocus.com>
Date: Thu, 6 Jun 2002 19:46:33 +0100


> >
> > NB: this is a question from the point of view of the customer of a
> > pen-test; if that's off-topic for this list my apologies and I'll go
> > away.
>
> IMHO it's perfectly on topic.
> >
> >
> > I've had an interesting circumstance arise. I was a customer of a
> > pen test, and had the happy outcome that the testers found
> > absolutely nothing, despite the fact that they'd been provided with
> (...)
>
> You were happy but I expect that the pen-testers were really dumped.

    Not if they were professionals. This really burns me - as far as
    I'm concerned a security audit is like an M.O.T. If you take
    your car in for an M.O.T, and the garage finds nothing wrong,
    that's a good result. The garage aren't annoyed, and the owner
    certainly isn't. It's not about getting in, it's about *auditing*.

> >
> > But the thought occurred to me that a really nice approach to take
> > the next time it comes around again on the guitar would be to
> > position a honeypot in the facility, just to give the poor scuppers
> > something to find, and of course to let us collect positive
> > documentation of our own confirming what was done.
> >
> > Has anybody done this before? How did you choose what services to
> > publish in your honeypot? How do you make it believable --- and how
> > do you avoid making it so juicy that it blinds the testers to any
> > real substance that might actually be there to find elsewhere in the
> > tested plant?
> >
>
> Being a pen-tester myself, I have "suffered" the effects of a honeypot,
> even one as simple as a cgi simulating the old and vulnerable php-fi.
> In that pen-test the honeypot was really a waste of time for both the
> pen-testing team, the team coordinating the test and the systems
> administrators in charge (who probably laughed aloud when we stumbled
> into the honeypot).

    Why not have an independent team in to do an audit once a year and
    compare and contrast their results with your monthly auditors? This
    will reveal a lot about your auditors' competence without wasting
    your company's money, your auditors' time and your time building
    honeypots.

--
Mike Riley - Security Systems manager @ Akita
http://www.akita-security.co.uk
----------------------------------------------------------------------
Sales: T: +44(0)1869 320111 F: +44(0)1869 250688 E: sales@akita.co.uk
Tech: T: +44(0)161 8385687  E: mike@akita.co.uk
----------------------------------------------------------------------
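The thread mentions a honeypot as simple as "a cgi simulating the old and vulnerable php-fi". The sketch below is an added illustration of what such a decoy looks like from the defender's side; it is not code from the original post or from the list. It serves canned responses for a handful of decoy paths (the path names and the sample requests are constructed, not real vulnerabilities) and emits one JSON alert line per hit, so the only thing a hit proves is that someone probed the decoy, which is exactly the "positive documentation" the original poster wanted. The `handle_request` function is pure so it can be exercised without binding a socket.

```python
"""Decoy-endpoint logger: a tiny honeypot that records who probed it.

Added illustration, not code from the original post.  DECOYS and the
sample requests are constructed examples; nothing here is really
vulnerable, every decoy path maps to a canned reply.
"""
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Decoy resources the honeypot advertises (constructed names; pick ones
# that fit the environment so the decoy looks believable).
DECOYS: Dict[str, str] = {
    "/cgi-bin/php.cgi": "<html><body>PHP/FI Version 2.0</body></html>\n",
    "/admin/backup.tar.gz": "",  # empty body: the hit is the signal, not the file
}

# In-memory audit trail; a real deployment would ship these lines to a SIEM.
ALERTS: List[dict] = []


def handle_request(path: str, client_ip: str,
                   now: Optional[float] = None) -> Tuple[int, str, Optional[dict]]:
    """Classify one GET request.  Returns (status, body, alert_or_None).

    Anything that is not a decoy path gets a plain 404 and is NOT alerted,
    so ordinary scanning noise does not drown the signal.
    """
    parts = urlsplit(path)
    if parts.path not in DECOYS:
        return 404, "Not Found\n", None
    alert = {
        "ts": now if now is not None else time.time(),
        "src": client_ip,
        "path": parts.path,
        "query": parts.query,
        "kind": "decoy_hit",
    }
    ALERTS.append(alert)
    return 200, DECOYS[parts.path], alert


class DecoyHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper around handle_request()."""

    def do_GET(self) -> None:
        status, body, alert = handle_request(self.path, self.client_address[0])
        if alert is not None:
            print(json.dumps(alert), flush=True)  # one JSON line per decoy hit
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args) -> None:
        # Silence the default per-request log so stdout carries only alerts.
        pass


if __name__ == "__main__":
    # Bind locally; in practice place it on the segment the audit covers.
    HTTPServer(("127.0.0.1", 8080), DecoyHandler).serve_forever()
```

Keeping the decoy list short and the responses boring is deliberate: the thread's worry was a honeypot so "juicy" that it blinds the testers to real findings, and a decoy that answers with nothing more than a version banner attracts a hit without becoming a rabbit hole.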