Honeypots for Windows (Books for Professionals by Professionals)


Chapter 1 - An Introduction to Honeypots
Honeypots for Windows
by Roger A. Grimes
Apress 2005

As much as I like honeypots, I still need to point out some trade-offs and risks involved in their use. First, a honeypot means hours of setup, maintenance, and analysis. In your busy life as a computer administrator, are you ready to add even more hours of work? If you’re already overworked and you cannot fit in any extra hours or put some other tasks aside, forget about honeypots. They aren’t “install and forget it” systems. They take care and feeding. If neglected, they can actually increase your company’s exposure and legal risk.

Putting up a system designed to be compromised by unauthorized outsiders entails a certain amount of risk that you would otherwise not have. The key is to be a conscientious honeypot administrator, practice strict data control, and keep on top of the data the honeypot is producing. If the honeypot is compromised, follow up immediately or take the system offline. The worst thing you can do is to neglect the honeypot and let it sit unmonitored. The hacker might be using it to hack other computers inside and outside your network.

Caution 

Please seek professional legal advice before deploying a honeypot. The statements in this section are only my opinions.

Many papers on the Internet discuss the legal risks of running a honeypot. Discussion centers on liability, privacy, and entrapment. Privacy issues, such as intercepting innocent third-party communications without consent, seem to worry legal analysts the most. One of the best papers on the subject, “Honeypots: Are They Illegal?,” by Lance Spitzner, is located at http://www.securityfocus.com/infocus/1703. The short answer is that laws that could apply to honeypot surveillance technology have not yet been tested in the courts. Most researchers believe that although hackers may be able to defend themselves using some of the laws, it is probably unlikely that anyone will be charged for running a honeypot that is then abused by others.

You can reduce your legal risk when using a honeypot by following these guidelines:

Most honeypot experts believe these suggestions will significantly reduce any legal risk, but you should always consult legal counsel before deploying a honeypot.

HONEYPOT INFORMATION RESOURCES

The following are a few helpful honeypot resources:
