“You’re my honey bee, baby, come on and sting me”

Security professionals probably spend too much time and money securing their systems and too little checking to see whether their security measures have failed.  After putting a new security solution in place at great cost, it’s only natural to think that you’ve, well, solved your security problems. But the history of computer security, not to mention the history of humanity, tells a different tale.  While you’re basking in a sense of achievement, your adversary is working to overcome your new defenses. Sooner or later, he will. How will you know?  Today, most companies figure it out when the FBI or someone else shows up to tell them their systems are spewing data to known bad sites.

That’s a little late, and a little random. Ideally, we’d all have automatic security checks to tell us that we’ve been compromised, just as a good accounting system has backend checks to flag suspicious transactions.  In the network security world, one of the more developed tripwire technologies is the honey trap – an irresistible target for hackers that, among other things, lets you know when some or all of your defenses have been penetrated.  Gloria Gaynor pretty much summed up the strategy:  hackers come for the honey and end up getting stung.

Now comes a good new report on honey trap technologies from the European Network and Information Security Agency, or ENISA, which is rapidly becoming my favorite European institution. (Granted, there’s not much competition.) ENISA’s report is a good practical evaluation of a host of honey technologies.  Among the things I liked was its discussion of “honeytokens” – fake files left on your system and watched carefully for any signs of access. I’ve experimented with crude versions of that approach myself, and I’m quite surprised that it is not a standard part of all security deployments.  Unfortunately, the report’s practical evaluation charts don’t actually evaluate commercial technologies using honeytokens, but it does cite a few additional publications in the footnotes (here’s one; here’s another; and another) for those who share my enthusiasm for the concept.
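To make the honeytoken idea concrete, here is a small monitor of the “crude version” kind: plant a decoy file that looks like a credentials file, record a baseline, and on each check report whether the decoy has been read, altered or removed. This is an added example and not code from the ENISA report or from this post; the file name, the decoy text and the `plant_honeytoken`/`check_honeytoken` names are all my own choices.

```python
"""Honeytoken file monitor: plant a decoy file, record a baseline, and report
any sign that it was read, changed or removed.  Added example; the paths and
the decoy text are constructed and grant access to nothing."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy text.  It should look worth stealing but be worthless:
# the host does not exist and the password is a labelled placeholder.
DECOY_CONTENT = (
    b"[database]\n"
    b"host = db-backup.internal.example\n"
    b"user = backup_admin\n"
    b"password = PLACEHOLDER-NOT-A-REAL-SECRET\n"
)


def _snapshot(p: Path) -> dict:
    """Hash the decoy, then stat it.  stat() comes after the read so the
    recorded atime already includes our own read; a later atime that is
    strictly greater therefore came from someone else."""
    digest = hashlib.sha256(p.read_bytes()).hexdigest()
    st = p.stat()
    return {
        "path": str(p),
        "sha256": digest,
        "size": st.st_size,
        "atime_ns": st.st_atime_ns,
        "mtime_ns": st.st_mtime_ns,
    }


def plant_honeytoken(path, content: bytes = DECOY_CONTENT) -> dict:
    """Write the decoy and return the baseline to compare against later."""
    p = Path(path)
    p.write_bytes(content)
    return _snapshot(p)


def check_honeytoken(baseline: dict) -> list:
    """Return alert strings; an empty list means the decoy looks untouched."""
    p = Path(baseline["path"])
    if not p.exists():
        return [f"missing: {p} was deleted or moved"]
    st = p.stat()  # stat() does not itself update atime
    alerts = []
    if st.st_atime_ns > baseline["atime_ns"]:
        alerts.append(f"accessed: {p} was read after the baseline was taken")
    if st.st_mtime_ns > baseline["mtime_ns"] or st.st_size != baseline["size"]:
        alerts.append(f"modified: {p} timestamp or size changed")
    # Hashing needs a read, which moves atime; restore the timestamps we just
    # observed so the monitor's own checks never look like an intrusion.
    digest = hashlib.sha256(p.read_bytes()).hexdigest()
    os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns))
    if digest != baseline["sha256"]:
        alerts.append(f"content: {p} hash no longer matches the baseline")
    return alerts


def self_check() -> dict:
    """Exercise the monitor in a temporary directory.  The 'read' stage runs no
    real intruder; it simulates one by advancing atime with os.utime, which is
    the trace a read by another process leaves on a filesystem that records
    access times."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db_backup.conf")
        base = plant_honeytoken(path)
        results = {"untouched": check_honeytoken(base)}
        os.utime(path, ns=(base["atime_ns"] + 60 * 10**9, base["mtime_ns"]))
        results["read"] = check_honeytoken(base)
        Path(path).write_bytes(b"[database]\nhost = edited\n")
        results["edited"] = check_honeytoken(base)
        os.remove(path)
        results["removed"] = check_honeytoken(base)
    return results


if __name__ == "__main__":
    for stage, alerts in self_check().items():
        print(stage, alerts or "no alerts")
```

The hash and size checks are reliable; the access-time check is best effort, because a Linux volume mounted with `relatime` or `noatime` does not record every read. On a production host you would keep the decoy and the baseline, but replace the atime test with a kernel-level file watch (auditd’s `-w`/`-p` rules on Linux, or the equivalent file-access auditing on Windows) and feed its events to whatever already pages your on-call staff.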

Photo credit: Stefan-Xp through Wikimedia commons