Penetration Testing mailing list archives
Re: honeypot in conjunction with pen test?
From: "Mike Riley" <mike () akitanet co uk>
Date: Thu, 6 Jun 2002 19:46:33 +0100
NB: this is a question from the point of view of the customer of a pen-test; if that's off-topic for this list my apologies and I'll go away.

IMHO it's perfectly in topic.

I've had an interesting circumstance arise. I was a customer of a pen test, and had the happy outcome that the testers found absolutely nothing, despite the fact that they'd been provided with (...)

You were happy but I expect that the pen-testers were really dumped.

Not if they were professionals. This really burns me - as far as I'm concerned a security audit is like an M.O.T. If you take your car in for an M.O.T, and the garage finds nothing wrong, that's a good result. The garage aren't annoyed, and the owner certainly isn't. It's not about getting in, it's about *auditing*.

But the thought occurred to me that a really nice approach to take the next time it comes around again on the guitar would be to position a honeypot in the facility, just to give the poor scuppers something to find, and of course to let us collect positive documentation of our own confirming what was done.

Has anybody done this before? How did you choose what services to publish in your honeypot? How do you make it believable --- and how do you avoid making it so juicy that it blinds the testers to any real substance that might actually be there to find elsewhere in the tested plant?

Being a pen-tester myself, I have "suffered" the effects of a honeypot, even one as simple as a cgi simulating to be the old and vulnerable php-fi. In that pen-test the honeypot was really a waste of time for both the pen-testing team, the team coordinating the test and the systems administrators in charge (who probably laughed aloud when we stumbled into the honeypot).

Why not have an independent team in to do an audit once a year and compare and contrast their results with your monthly auditors? This will reveal a lot about your auditor's competence without wasting your company's money, your auditors' time and your time building honeypots.

--
Mike Riley - Security Systems manager @ Akita
http://www.akita-security.co.uk
----------------------------------------------------------------------
Sales: T: +44(0)1869 320111 F: +44(0)1869250688 E: sales () akita co uk
Tech: T: +44(0)161 8385687 E: mike () akita co uk
----------------------------------------------------------------------
