Penetration Testing mailing list archives
Re: honeypot in conjunction with pen test?
From: "Mike Riley" <mike () akitanet co uk>
Date: Thu, 6 Jun 2002 19:46:33 +0100
>> NB: this is a question from the point of view of the customer of a
>> pen-test; if that's off-topic for this list my apologies and I'll go
>> away.
>
> IMHO it's perfectly on topic.
>
>> I've had an interesting circumstance arise. I was a customer of a
>> pen test, and had the happy outcome that the testers found absolutely
>> nothing, despite the fact that they'd been provided with
>> (...)
>
> You were happy but I expect that the pen-testers were really dumped.

Not if they were professionals. This really burns me - as far as I'm
concerned a security audit is like an M.O.T. If you take your car in for
an M.O.T, and the garage finds nothing wrong, that's a good result. The
garage aren't annoyed, and the owner certainly isn't. It's not about
getting in, it's about *auditing*.

>> But the thought occurred to me that a really nice approach to take
>> the next time it comes around again on the guitar would be to position
>> a honeypot in the facility, just to give the poor scuppers something
>> to find, and of course to let us collect positive documentation of our
>> own confirming what was done. Has anybody done this before? How did
>> you choose what services to publish in your honeypot? How do you make
>> it believable --- and how do you avoid making it so juicy that it
>> blinds the testers to any real substance that might actually be there
>> to find elsewhere in the tested plant?
>
> Being a pen-tester myself, I have "suffered" the effects of a honeypot,
> even one as simple as a cgi simulating to be the old and vulnerable
> php-fi. In that pen-test the honeypot was really a waste of time for
> both the pen-testing team, the team coordinating the test and the
> systems administrators in charge (who probably laughed aloud when we
> stumbled into the honeypot).

Why not have an independent team in to do an audit once a year and
compare and contrast their results with your monthly auditors? This will
reveal a lot about your auditor's competence without wasting your
company's money, your auditors' time and your time building honeypots.

--
Mike Riley - Security Systems manager @ Akita
http://www.akita-security.co.uk
Sales: T: +44(0)1869 320111 F: +44(0)1869 250688 E: sales () akita co uk
Tech: T: +44(0)161 8385687 E: mike () akita co uk