Land of Questions and Honey
IT’S A TRAP
Jung Lee, CyberVista Head of Certification Training Programs
Bee in the Know
Later this week I will be presenting a webinar on how to approach tricky questions that appear on cybersecurity certification exams. The hardest types of questions include answer choices that are misleading. The test makers use these answer choices to tempt and trick you into choosing the wrong answer. At CyberVista, we call these types of questions “honeypot questions.” Before you attend the webinar, it will be helpful to understand the honeypot reference as it is used in cybersecurity.
Honey, I Have Root Access
Honeypots are decoy systems, servers, or computers that lure in nefarious intruders in an effort to gather information about attackers, delay them, and keep them away from real, valuable systems. Honeypots look just like real systems, but they contain no sensitive information. Instead of valuable information, honeypots usually have intentional security flaws that make them even more attractive to hackers.
What You Can Learn and How You Can Use It
Honeypots can be used to gather helpful information about attackers’ methods. As an intruder attempts to exploit the pseudo flaw in your honeypot, your security team can observe the intruder and note their attack methods, exploitation tools, and other information that could lead to their identification. Forensic data captured from the honeypot can potentially be used as evidence in prosecuting the attacker in a court of law.
Honeypots can also be used to detect and thwart insider threats. Advanced Research and Development Activity (ARDA), a cybersecurity research organization, held a workshop that focused on using honeypots to expose insider threats. One insider threat situation revolved around Robert Hanssen, a notorious Russian spy who had infiltrated the FBI. The workshop hypothesized that a honeypot-related technology would have alerted authorities to Hanssen’s suspicious activities.
Enticement vs. Entrapment
Speaking of legal issues, honeypots dip into the nuances of what makes evidence admissible in court. Ethical security professionals should use honeypots as enticement only, meaning they simply set up the honeypot and passively wait for an intruder to detect and intrude into it. Any effort on the part of the honeypot administrator to actively solicit an attacker into exploiting a honeypot system is illegal, and any evidence captured against the intruder is inadmissible in court.
See you on March 30th.
If you have read this far, you are now in on the joke, and formally invited to my webinar. And, after reading this blog and then attending my webinar, on test day you will be able to both answer any question on honeypots and avoid the test maker’s traps. Register here for the webinar!