Honeywords in SQL Server
Posted Wednesday, May 15, 2013 10:22 PM


SSC-Dedicated
Group: Administrators
Comments posted to this topic are about the item Honeywords in SQL Server






Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1453316
Posted Thursday, May 16, 2013 1:53 AM


Ten Centuries
Group: General Forum Members
Honeypot accounts may be easier to implement
Post #1453355
Posted Thursday, May 16, 2013 2:00 AM


SSCertifiable
Group: General Forum Members
Hmmm. Interesting idea.

Maybe combine it with Honey Accounts: as well as the real accounts, you have lot of accounts which have insufficient privilege to do anything interesting, and audit successful logins as well as failed ones on those accounts. Give some of those accounts nice tempting names.


Tom
Post #1453358
Posted Thursday, May 16, 2013 4:22 AM
SSC-Enthusiastic
Group: General Forum Members
Jo Pattyn (5/16/2013)
Honeypot accounts may be easier to implement


That is probably true, but if you have a billion users, you can probably only afford to have a few honeypot accounts, and therefore it is a one-in-a-million chance that you will detect a particular hack attempt. The way that this was described, (I read about it yesterday on another site) you use circa ten honey-passwords for each account, which doesn't use much space, and you have a ten-to-one chance (in your favour) of detecting a hacking attempt.


Throw away your pocket calculators; visit www.calcResult.com

Post #1453410
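The per-account honeyword scheme described in the post above, as an added T-SQL sketch that is not code from the thread: each login stores k sweetwords (the real password plus k-1 decoys) in shuffled slots, and a separate HoneyChecker table, which should live on a different hardened server, records only which slot is real. Table names, the procedure, and the sample values are assumptions.

```sql
-- Added example (not from the thread): minimal honeyword check in T-SQL.
-- dbo.AppLogin holds k salted sweetword hashes per login; dbo.HoneyChecker holds
-- only the index of the real one and belongs on a separate server. Names are assumed.
CREATE TABLE dbo.AppLogin (
    LoginName sysname       NOT NULL,
    SlotNo    tinyint       NOT NULL,   -- 0 .. k-1, shuffled so the slot reveals nothing
    Salt      varbinary(16) NOT NULL,
    PwdHash   varbinary(32) NOT NULL,   -- SHA2_256(salt + password); use a slow KDF in production
    CONSTRAINT PK_AppLogin PRIMARY KEY (LoginName, SlotNo));
CREATE TABLE dbo.HoneyChecker (LoginName sysname NOT NULL PRIMARY KEY, RealSlotNo tinyint NOT NULL);
CREATE TABLE dbo.HoneywordAlert (
    AlertTime datetime2 NOT NULL DEFAULT SYSUTCDATETIME(),
    LoginName sysname   NOT NULL, SlotNo tinyint NOT NULL, HostName nvarchar(128) NULL);
GO
CREATE PROCEDURE dbo.CheckLogin @LoginName sysname, @Password nvarchar(128), @Ok bit OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @Ok = 0;
    DECLARE @Slot tinyint;
    -- Which of the stored sweetwords, if any, did the caller submit?
    SELECT @Slot = SlotNo
    FROM dbo.AppLogin
    WHERE LoginName = @LoginName
      AND PwdHash = HASHBYTES('SHA2_256', Salt + CAST(@Password AS varbinary(256)));
    IF @Slot IS NULL RETURN;   -- ordinary wrong password: normal failure handling applies
    IF EXISTS (SELECT 1 FROM dbo.HoneyChecker WHERE LoginName = @LoginName AND RealSlotNo = @Slot)
        SET @Ok = 1;           -- the real password
    ELSE
        -- A decoy matched: only someone holding a copy of the hash table could know it.
        -- Record it; a SQL Agent job can forward new rows via msdb.dbo.sp_send_dbmail.
        INSERT dbo.HoneywordAlert (LoginName, SlotNo, HostName)
        VALUES (@LoginName, @Slot, HOST_NAME());
END
GO
-- Constructed seed: three sweetwords for 'alice' (the post suggests about ten); slot 1 is real.
DECLARE @s varbinary(16) = CRYPT_GEN_RANDOM(16);
INSERT dbo.AppLogin (LoginName, SlotNo, Salt, PwdHash)
SELECT 'alice', v.SlotNo, @s, HASHBYTES('SHA2_256', @s + CAST(v.Pwd AS varbinary(256)))
FROM (VALUES (0, N'Winter2012!'), (1, N'Summer2013!'), (2, N'Spring2011!')) AS v(SlotNo, Pwd);
INSERT dbo.HoneyChecker VALUES ('alice', 1);
DECLARE @ok bit;
EXEC dbo.CheckLogin 'alice', N'Summer2013!', @ok OUTPUT;   -- the real password: no alert
EXEC dbo.CheckLogin 'alice', N'Winter2012!', @ok OUTPUT;   -- a decoy: logged in HoneywordAlert
```

With k sweetwords per account, an attacker who cracked the stolen table and guesses which slot is real has a 1-in-k chance of avoiding the alert, which is the "ten-to-one" figure in the post.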
Posted Thursday, May 16, 2013 7:12 AM
Ten Centuries
Group: General Forum Members
Rename sa, create a new "sa" account, track all attempts to log into it?

One would think that most hackers that are attempting to hack a SQL server would try the sa account first. Heck I can't even count how many times as a consultant I would come in and log right in with sa and no password (ok so that has been a while...).
Post #1453510
Posted Thursday, May 16, 2013 7:56 AM
SSC-Enthusiastic
Group: General Forum Members
Anders Pedersen (5/16/2013)
Rename sa, create a new "sa" account, track all attempts to log into it?


I think the intention was to apply this at a rather larger scale than just SQL server!


Throw away your pocket calculators; visit www.calcResult.com

Post #1453551
Posted Thursday, May 16, 2013 8:07 AM


SSCommitted
Group: General Forum Members
If the production server should only be accessible by an admin or service accounts, then there is no reason why login attempts should be routinely failing with invalid account name or password. The same goes for 'invalid object' errors. That would imply ad-hoc logins and querying, so on the first failed attempt, an email should be sent to the administrators. Perhaps on investigation it would be explained by a misconfigured application change or a buggy stored procedure, but in any event, it's something out of the ordinary and worth looking into right away.

There could also be honeypot tables. For example, the DBA could create tables with enticing names like [Employee_Salary] or [Customer_CreditCard] and then place an audit event with email notifications. Even an internal hacker who gains access with a proper account name and password could fall for that one.
Post #1453566
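The honey accounts (Tom's post), the decoy "sa" login (Anders' post) and the honeypot table with an audit event (the post above) can all be fed by one SQL Server Audit. This is an added example, not code from the thread or from any of its posters; the audit path, database name, decoy table and the assumption that the decoy login is named sa are all assumptions.

```sql
-- Added example (not from the thread): one SQL Server Audit that records
-- (a) every login attempt, successful or failed, so decoy/honey logins are tracked, and
-- (b) any access to a decoy table. Path, database and object names are assumptions.
USE master;
CREATE SERVER AUDIT HoneyAudit
    TO FILE (FILEPATH = 'D:\Audit\')           -- assumed path; must exist and be writable
    WITH (ON_FAILURE = CONTINUE);
-- (a) audit successful logins as well as failed ones, as Tom's post suggests
CREATE SERVER AUDIT SPECIFICATION HoneyLogins
    FOR SERVER AUDIT HoneyAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT HoneyAudit WITH (STATE = ON);
GO
USE SalesDb;                                     -- assumed database
CREATE TABLE dbo.Customer_CreditCard (           -- decoy: holds only constructed rows
    CustomerId int NOT NULL, CardNumber char(16) NOT NULL, Expires char(5) NOT NULL);
INSERT dbo.Customer_CreditCard VALUES (1, '0000000000000000', '01/99');
-- (b) any read or change of the decoy, by anyone, including valid internal accounts
CREATE DATABASE AUDIT SPECIFICATION HoneyTables
    FOR SERVER AUDIT HoneyAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customer_CreditCard BY public)
    WITH (STATE = ON);
GO
-- Review query: who touched the decoy table or tried the decoy login? Run it from a
-- SQL Agent job and pass new rows to msdb.dbo.sp_send_dbmail for the email notification.
SELECT event_time, action_id, succeeded, server_principal_name, client_ip, object_name, statement
FROM sys.fn_get_audit_file('D:\Audit\*', DEFAULT, DEFAULT)
WHERE object_name = N'Customer_CreditCard'
   OR (action_id IN ('LGIS', 'LGIF')            -- login succeeded / login failed
       AND server_principal_name = N'sa')       -- assumes the decoy login is named sa
ORDER BY event_time DESC;
```

Because the database audit specification is bound BY public, a read by a legitimately authenticated account is recorded too, which is the case the post's last sentence is concerned with.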
Posted Thursday, May 16, 2013 9:19 AM


SSC-Dedicated
Group: Administrators
Eric M Russell (5/16/2013)

...
There could also be honeypot tables. For example, the DBA could create tables with enticing names like [Employee_Salary] or [Customer_CreditCard] and then place an audit event with email notifications. Even an internal hacker who gains access with a proper account name and password could fall for that one.


Oohh, I like that. A great idea.







Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1453622
Posted Thursday, May 16, 2013 9:40 AM


SSCommitted
Group: General Forum Members
Steve Jones - SSC Editor (5/16/2013)
Eric M Russell (5/16/2013)

...
There could also be honeypot tables. For example, the DBA could create tables with enticing names like [Employee_Salary] or [Customer_CreditCard] and then place an audit event with email notifications. Even an internal hacker who gains access with a proper account name and password could fall for that one.


Oohh, I like that. A great idea.

Taking it another step forward, there could even be honeypot data. For example, a corporation concerned about hackers (or internal employees) stealing confidential financial information could populate tables with bogus revenue, sales projections, or executive salaries.
Or the banks could post bogus credit card numbers on the web. When someone attempts to make a purchase using one of these account numbers, it would alert local police. Thieves may even come to the conclusion that databases of "stolen" account numbers are not worth the risk.
Post #1453632
Posted Thursday, May 16, 2013 9:50 AM
Old Hand
Group: General Forum Members
Two factor authentication would be nice, perhaps even some sort of approval process enabled that required multiple approvals for some changes.

It's funny that you mentioned this Steve, I'm actually in the middle of putting together a demo system for exactly those two things at the minute. Once it's done, and if I get approval from above, I can put a post together for fellow SSC'ers to read about.
Post #1453636