Honeypots mailing list archives

RE: statistics


From: "Michael Anuzis" <michael_anuzis () hotmail com>
Date: Mon, 25 Aug 2003 11:40:13 -0400

From a "deterring" standpoint, the honeypot is not the most efficient tool available. Using "detection" technologies (referring to a honeypot) as you put it could possibly act as some deterring factor if the knowledge of their use was made public, but the level of deterrence would be very small. In most cases a simple IDS will act as a much more efficient "deterrent" than a honeypot for a few reasons:

1. An IDS is generally easier to set up as it doesn't involve the intricate configurations of one or more hosts to deceive an intruder into thinking they are on a valid host.
2. An IDS will generally have a larger scope of protection as it will watch a whole network while a honeypot (or honeynet) will generally be in its own DMZ and be ineffective at monitoring the security of the whole network.

If I were to try to hack an organization, I would rather try my luck with the organization with an IDS set up in the DMZ only in front of a honeynet before I'd try my luck with the organization with an IDS deployed at their demarcation. The knowledge that an organization has a honeynet set up would not be much of a deterrent; if anything it would just strike my awareness up more and give me a heightened sense of importance that I need to make sure I am gaining access to a production machine and not a honeypot.

Using a honeynet as a mere deterrent in this fashion, while possible, isn't very efficient and does give up a considerable amount of a honeynet's value, which lies in its ability to capture information about the intruder by letting them onto a system and watching what they do. The potential to capture this kind of information that can shed insight into who the intruder is and what they want is greatly reduced when the intruder is alerted to watch their steps for honeynets before they even open their first connection.


Michael Anuzis, CCNA
Network Security Consultant
Mobile: 248.376.7030
CTO, Advanced DataTactics, Inc.
CTO, Advanced InfoTactics, Inc.


From: "Golomb, Gary" <GGolomb () enterasys com>
To: <honeypots () securityfocus com>
Subject: RE: statistics
Date: Mon, 25 Aug 2003 11:01:23 -0400


"Deterring" attackers from your network is a loss of value?

What's good for the security researcher is not necessarily good for the
organization that needs to worry about policy compliance. The "value" of
a honeynet is relative to the environment it's in and the people
administrating it. The use of "detection" technologies as a deterrent
might be the only value those systems have in many organizations.

-gary

> Original Message:
> From: Michael Anuzis [mailto:michael_anuzis () hotmail com]
>
> Reducing honeypots/honeynets to a mere deterrent loses a lot of their
> value.
> Any business that's taken the time to set up a honeynet properly probably
> doesn't want to make its hand public.
>
>
>
> Michael Anuzis, CCNA
> Network Security Consultant
> Mobile: 248.376.7030
> CTO, Advanced DataTactics, Inc.
> CTO, Advanced InfoTactics, Inc.
>
>
>
>
>
> >From: Joshua Krage <jkrage () guisarme net>
> >To: honeypots () securityfocus com
> >Subject: Re: statistics
> >Date: Fri, 22 Aug 2003 17:46:39 -0400
> >
> >On Fri, Aug 22, 2003 at 02:45:43PM +0100, Luis Miguel Silva wrote:
> > > What would be the point to use honeypot technologies if organisations
> > > told everybody they use it? :o)
> >
> >:)
> >
> >How about as a deterrent?
> >
> >If that seems valid, then I have a couple /16s of honeypots.  You'll just
> >have to guess where they are.   ;)
> >
>

