Data Center Risk - Tell us how you manage it and enter to win iPad

Intrusion Detection FAQ: What is a honeypot? Why do I need one?

A "honeypot" is a tool that can help protect for network from unauthorized access. The honeypot contains no data or applications critical to the company but has enough interesting data to lure a hacker. A honeypot is a computer on your network the sole purpose is to look and act like a legitimate computer but actually is configured to interact with potential hackers in such a way as to capture details of their attacks. Honeypots are known also as a sacrificial lamb, decoy, or booby trap. The more realistic the interaction, the longer the attacker will stay occupied on honeypot systems and away from your production systems. The longer the hacker stays using the honeypot, the more will be disclosed about their techniques. This information can be used to identify what they are after, what is their skill level, and what tools do they use. All this information is then used to better prepare your network and host defenses.

The honeypot can be used to augment the deployment of an IDR system. Some of the problems with commercial IDR include inability for detection of low level attacks, techniques or tools that are new or not previously known, or use of techniques that may appear as legitimate user activity. To a certain extent, the honeypot is also subject to missing new attacks. However, the honeypot is uniquely capable of letting you know that some hacker is in your network doing things they have no business doing. The honeypot may spot them because as far as other security measures (including IDR) are concerned they are legitimate users.

Phil Bandy, Michael Money & Karen Worstell
SRI Consulting