Lost in the Noise

  • Comments posted to this topic are about the item Lost in the Noise

  • Maybe a honeypot will attract outsiders, but it will not save you from insiders compromising your security. IMHO if organisations use honeypots and decoys on a larger scale, some hackers will soon develop tools to distinguish those IP addresses from 'the real things' and distribute those tools among their community members. Since none of us wants to pay more than absolutely necessary and security is costly, any organisation will cut back on security and leave it to the bare minimum that is required by law. As long as a security measure (for example, an extra guard) delivers more than it costs (less shoplifting) those measures will be taken, but don't expect anything more in a world based on profit and loss. Why should a hospital invest in extra security measures on the access to their patient files, while making them accessible from nearly anywhere could save them traveling costs? Did you ask them how they secure your file before you went to a doctor? Did you ask the water plant what measures they have taken to ensure that their plant is not vulnerable to an attack from the internet? As long as people do not ask these questions, companies will not profit from security measures, leaving no reason to implement additional security measures. Yes, they do talk about it, but when they find out how much effort it requires to embed security into their daily operations, it ends up at the bottom of the list. But of course that is only my humble opinion ...

  • 1. In general it costs just as much to develop code with poor performance as it does to develop fast code. The same can be said for security. If you have good templates, good guidelines you tend to develop better code. So I refute the argument of cost outlined in the reply above.

    That said, I do agree that these best practices need to be gained from somewhere & implemented. Which typically means smart, motivated, up-to-date staff. These folks typically earn more.

    2. I'd hesitate on the "Decoy" concept. It may work for fighter aircraft against an immediate threat. But it may also attract the attention of someone with a more effective weapon. Once they've hacked your honeypot, they are more educated & are now armed with scripts to automate their attacks against you or someone else in your industry.

    3. If you really have the ability to detect a hack and track the offender back to the source, then there is merit in offering a soft target which you can use as an ambush. But if all you know is "someone" tried/is trying to hack us, it may help to get budget for more security. OR it may just frustrate the business. i.e.: Which is most expensive? Knowing that someone is trying to hack your bank's ATM network right now & maybe letting them steal money OR turning off all the bank's ATMs nationwide for an indeterminate period of time & dealing with the customer dissatisfaction & negative PR that results. What manager wants to make that decision?

  • David Lean (8/27/2013)


    1. In general it costs just as much to develop code with poor performance as it does to develop fast code. The same can be said for security. If you have good templates, good guidelines you tend to develop better code. So I refute the argument of cost outlined in the reply above.

    That said, I do agree that these best practices need to be gained from somewhere & implemented. Which typically means smart, motivated, up-to-date staff. These folks typically earn more.

    David, I do agree with you on the other points you've made in your comment. But from my experience as a professional developer, programmer, DBA and BI consultant I can tell you that it requires more than good templates to build fast and secure applications. Even so, many poorly built applications ended up this way because the companies that made them relied more on tools and templates than on the programming skills of their employees. Good developers must be paid likewise, good tools seem to be a lot cheaper, but no tool can protect you from the mistakes of inexperienced developers.

    In most cases there is a trade-off between speed and security. Secure code needs to perform more checks, and code running in a secured environment will always be slower than 'unsafe' code. But security is not just built into the applications we use. It is also in the way we work with these applications, the places where we have access to these applications and many other factors that are outside the reach of the application or its developers. If a company decides to hand out the administrator password to every employee to avoid the 'overhead' of setting up roles and user groups, one can blame neither the application nor the developer for the lack of security.

  • David Lean (8/27/2013)


    Knowing that someone is trying to hack your bank's ATM network right now & maybe letting them steal money OR turning off all the bank's ATMs nationwide for an indeterminate period of time & dealing with the customer dissatisfaction & negative PR that results. What manager wants to make that decision?

    That is exactly the decision Sony made when they were hacked. It was costly, but not as costly as not reporting it, not fixing the problem, and letting people find out afterwards.

  • Placing any part of our crucial infrastructure on the public internet is begging for it to be hacked, destroyed, or owned over that connection.

    Security is cheap and easy when compared to the cost of a failure of these systems. It might be inconvenient to make physical contact with these systems or connect them on a private network. How inconvenient is it when they are hacked?

    It almost seems that all this was done just so we could waste money undoing it.

  • I would bet that at this moment, some people are honeypotting the NSA to see what tools/approaches they are using

    ...

    -- FORTRAN manual for Xerox Computers --

  • David Lean (8/27/2013)


    1. In general it costs just as much to develop code with poor performance as it does to develop fast code. The same can be said for security. If you have good templates, good guidelines you tend to develop better code. So I refute the argument of cost outlined in the reply above.

    That said, I do agree that these best practices need to be gained from somewhere & implemented. Which typically means smart, motivated, up-to-date staff. These folks typically earn more.

    2. I'd hesitate on the "Decoy" concept. It may work for fighter aircraft against an immediate threat. But it may also attract the attention of someone with a more effective weapon. Once they've hacked your honeypot, they are more educated & are now armed with scripts to automate their attacks against you or someone else in your industry.

    3. If you really have the ability to detect a hack and track the offender back to the source, then there is merit in offering a soft target which you can use as an ambush. But if all you know is "someone" tried/is trying to hack us, it may help to get budget for more security. OR it may just frustrate the business. i.e.: Which is most expensive? Knowing that someone is trying to hack your bank's ATM network right now & maybe letting them steal money OR turning off all the bank's ATMs nationwide for an indeterminate period of time & dealing with the customer dissatisfaction & negative PR that results. What manager wants to make that decision?

    Perhaps. I'd think that the honeypots could change just as the attackers change.

    The idea isn't just to have them attack a fake system, but also to learn about how they attack (and from where). The honeypots can also draw off the "Script kiddie" attacks. Those not made with targeted intent of achieving anything other than vandalism.

  • Just a general question about this. If someone hacks or attempts to hack a fake or valid site and they are identified as real and are known by IP or otherwise, is it legal to retaliate as a means to protect your assets? It used to be said that the best defense is a strong offense; is that valid or legal in the IT world today?

    If we just smile and spend another xxx billion dollars a year to protect ourselves across the entire industry passing that increased cost on time after time to the consumers could bankrupt some companies and cause online things just to cost too much to operate. Now I know that is in part what some would like to do, so why have we not taken them on, besides attempting to take them to court?

    Just wondering!

    Not all gray hairs are Dinosaurs!

  • @steve-2 Jones wrote:

    It's scary to think how the world may change when any individual, as well as any country, could attack our digital systems. It means security is more and more important all the time.

    It makes me wonder if the game is always worth the candle. When do we actually need automation and digital systems? Are we automating for automation's sake? Would analogue technologies or even manual processes be more appropriate?

    I'm not advocating we go back to the Eisenhower era, but perhaps we should at least occasionally rethink our (over?)reliance upon digital technology.

  • Steve Jones - SSC Editor (8/27/2013)


    The idea isn't just to have them attack a fake system, but also to learn about how they attack (and from where). The honeypots can also draw off the "Script kiddie" attacks. Those not made with targeted intent of achieving anything other than vandalism.

    Trouble is that when the vandal wants to insert a picture of Minnie Mouse cuddling up to Kermit onto the home page of the National Bank of Grand Fenwick's website, he knows what IP address he has to attack - the one that the bank's customers and potential customers get when they ask the DNS network for http://WWW.NBGF.FENWICK.EU; so a honeypot on a different address isn't going to draw her (or him) off because it's obviously wrong. That of course doesn't mean that honeypots won't draw people off - but the people drawn off will not be script kiddies, because the script kiddies want to vandalise something whose address is well known, not something that doesn't have a well-known address.

    Tom

  • ... the vandal wants to insert a picture of Minnie Mouse cuddling up to Kermit onto the home page of the National Bank of Grand Fenwick's website ...

    Grand Fenwick has a bank?!

    I thought all they had was wool and Pinot.

  • Craig-315134 (8/27/2013)


    ... the vandal wants to insert a picture of Minnie Mouse cuddling up to Kermit onto the home page of the National Bank of Grand Fenwick's website ...

    Grand Fenwick has a bank?!

    I thought all they had was wool and Pinot.

    Also very militarily effective mice and wine-fuelled rockets.

    The bank of course is the west bank of the river that forms the eastern boundary of the duchy, a wildlife preserve rather than a taker of deposits and lender of advances. 😀

    Tom
