Honeypots stick it to insider threats

Beyond stopping outside hackers and tracking malware, honeypots can weed out unauthorized insiders and partners

One of the more popular benefits of setting up honeypots on your organization's network is to learn about malware and hacker behavior, but I often recommend that companies install a low-interaction honeypot on internal networks to simply report anything that touches it. See, honeypots are fake assets. Nobody should access them. Thus, they often can be used for finding trusted insiders or partners doing things they were not authorized to do.

Case in point: Recently I installed a KFSensor honeypot to try to rule out an external compromise against a longtime client. While fine-tuning the software to remove false positives, I saw tons of malicious activity, including port scanning, RDP connection attempts (to the honeypot computer), NetBIOS logons, and website identification attempts. The company owner happened to be right there as I investigated the source IP address and name.
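As an added example of the "report anything that touches it" approach described above (my own illustration, not the column's or KFSensor's code), here is a small triage script over constructed honeypot events of the kinds seen in this case. The event format is an assumed, simplified one; a real KFSensor log looks different and would need its own parser.

```python
# Added example (not from the column or KFSensor): triage "touch" events from
# an internal low-interaction honeypot. The event format below is constructed
# and simplified; a real KFSensor log differs and would need its own parser.
from collections import defaultdict

# Constructed sample events: "<timestamp> <source IP> <dest port> <service>".
SAMPLE_EVENTS = """\
2011-03-14T09:12:01 10.1.20.55 135 epmap
2011-03-14T09:12:01 10.1.20.55 139 netbios-ssn
2011-03-14T09:12:02 10.1.20.55 445 microsoft-ds
2011-03-14T09:12:02 10.1.20.55 3389 ms-wbt-server
2011-03-14T09:12:03 10.1.20.55 80 http
2011-03-14T09:12:03 10.1.20.55 443 https
2011-03-14T09:15:40 10.1.30.7 80 http
"""

def parse_events(text):
    """One event per line -> list of (timestamp, src_ip, port, service)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, port, svc = line.split()
            events.append((ts, src, int(port), svc))
    return events

def ports_by_source(events):
    """Collect the set of honeypot ports each source touched."""
    touched = defaultdict(set)
    for _ts, src, port, _svc in events:
        touched[src].add(port)
    return touched

def alerts(events, scan_threshold=5):
    """Every source is reported: a honeypot is a fake asset, so any touch is
    unauthorized. Sources that look like scans, RDP or NetBIOS/SMB logon
    attempts are escalated to 'high'; a single web hit stays a 'notice'."""
    out = []
    for src, ports in sorted(ports_by_source(events).items()):
        reasons = []
        if len(ports) >= scan_threshold:
            reasons.append(f"port scan ({len(ports)} ports)")
        if 3389 in ports:
            reasons.append("RDP connection attempt")
        if ports & {139, 445}:
            reasons.append("NetBIOS/SMB logon attempt")
        severity = "high" if reasons else "notice"
        out.append((src, severity, reasons))
    return out

if __name__ == "__main__":
    for src, sev, why in alerts(parse_events(SAMPLE_EVENTS)):
        print(f"{sev:6s} {src:12s} {'; '.join(why) or 'touched honeypot'}")
```

Even the lone "notice" line is worth a phone call: on a real network the only legitimate traffic to a honeypot is your own testing.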


The culprit turned out to be the trusted external computer-consulting company that my client had hired to install a new firewall on another floor. While hooked to the client's network to install the firewall, the technician -- coincidentally, I've known and trusted him for 20 years (he helped me get my first job) -- was exploring the client's network without authorization.


When confronted, he kept changing his story. First, he said he was trying to find an available free IP address to put the new firewall on. Then he claimed he was finding advertising services to make sure he opened all the necessary ports on the firewall. I wasn't buying either.

Next story: he already had every elevated password in the company, so why would he need to port scan and enumerate the network? My question exactly. Then he mentioned he'd done similar things in other companies, including banks and financial companies, without complaint. Most likely, he hadn't gotten complaints because he'd never been caught.
