Groups -- People sometimes act as a group to steal information for any number of reasons. They may be a company's customer or vendor, or they may be a fierce competitor trying to steal sensitive trade secrets (Elifoglu, 2002).
Some common threat groups include the following:
Domestic or Foreign Criminals;
Former Employees (Elifoglu, 2002).
In reality, the concept of intrusion detection systems is a straightforward matter of designing a system that can provide alerts when it is attacked. According to Andress (2003), the process of intrusion detection typically requires the identification of unauthorized access into computer systems. For example, this author notes, "Robust intrusion-detection systems are placed at strategic locations on the network to look for suspicious usage patterns so that attacks can be detected before an intruder has gained access to the network, application, or operating system" (Andress, p. 66). This author also reports that, "An intrusion-detection system (IDS) monitors networks and computer systems for signs of intrusion or misuse. IDSs are quickly becoming a core component of any security infrastructure and the standard solution for monitoring and recognizing attacks. Intrusion refers to an unauthorized user attacking your resources. IDSs work in the background, continuously monitoring network traffic and system log files for suspicious activity. When they find something, appropriate individuals receive alerts, often by e-mail, a page, or a Simple Network Management Protocol (SNMP) trap" (Andress, p. 196).
Generally speaking, intrusion-detection systems identify, among other types of intrusions, Web attacks, probing attacks, denial-of-service attacks, remote procedure attacks, service exploits, and unauthorized network traffic (Andress). "The majority of commercial IDS products work by examining network traffic and looking for well-known patterns of attack. For every recognized attack technique, the product developers code something, usually referred to as a signature, into the system" (Andress, p. 196). Such a signature can be a basic pattern match (e.g., the string /cgi-bin/password in a request), which indicates an unauthorized attempt to gain access to the password file on a Web server (Andress). Signatures can also be as complex as a security state transition codified in a formal mathematical expression (Andress). To employ signature identification, the IDS analyzes the information it receives from the system; this analysis involves matching the observed patterns of system settings and user activities against a database of known attacks (Andress). Current commercial IDS products generally include databases that may contain hundreds (or thousands) of such attack signatures (Andress).
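The following is an added illustration, not code from the cited sources, of the two signature styles described above: a basic pattern match (the /cgi-bin/password string) and a simple stateful "state transition" rule, both run over constructed Web server log lines in Common Log Format. The signature database, threshold and log lines are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed signature database (assumption): (name, kind, pattern).
# "substring" is the basic pattern match the text describes; "regex"
# lets one signature express a whole family of requests.
SIGNATURES = [
    ("cgi-bin password file probe", "substring", "/cgi-bin/password"),
    ("directory traversal", "regex", r"(\.\./){2,}"),
]
# Stateful rule (assumption): one client receiving 404s for this many distinct
# paths is reported as probing, a simple state transition rather than a match.
PROBE_THRESHOLD = 3

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')

def parse_line(line):
    """Parse a Common Log Format line into (client, method, path, status)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, path, status = m.groups()
    return client, method, path, int(status)

def match_signatures(path):
    """Return the names of all signatures that match the request path."""
    hits = []
    for name, kind, pattern in SIGNATURES:
        if kind == "substring" and pattern in path:
            hits.append(name)
        elif kind == "regex" and re.search(pattern, path):
            hits.append(name)
    return hits

def analyze(lines):
    """Return (client, alert) tuples for every signature hit in the log."""
    alerts = []
    not_found = defaultdict(set)  # per-client state for the probing rule
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the sensor
        client, method, path, status = parsed
        for name in match_signatures(path):
            alerts.append((client, name))
        if status == 404:
            not_found[client].add(path)
            if len(not_found[client]) == PROBE_THRESHOLD:
                alerts.append((client, "probing: repeated 404s to distinct paths"))
    return alerts

# Constructed sample log lines; no real hosts or servers are involved.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/password HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /admin/ HTTP/1.1" 404 0',
]
```

Running `analyze(SAMPLE_LOG)` yields three alerts for 10.0.0.9 (the cgi-bin match, the traversal match, and the probing rule) and none for the benign client.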
Chapter 3: Classification and Types of Honeypots
This chapter provides an overview of the two primary classifications of honeypots and their respective intended applications. A discussion of the different types of honeypots concludes the chapter.
Currently, honeypots fall into two main classifications, which relate primarily to the intended purpose of the system, as follows:
Research Honeypot. According to Grimes (2008), research honeypots are complex to implement as well as to maintain, but they are capable of capturing extensive information; these types of honeypots are used mostly by research, military, or government organizations.
Production Honeypot. By contrast, production honeypots are fairly simple to implement but are only capable of capturing a limited amount of information; these types of honeypots are mostly used by companies or corporations (Grimes, 2008).
The type of honeypot that is best suited for a particular application depends on the type of interaction that can be expected; in this regard, there are three types of honeypots, which are described in Table 3 below.
Table 3. Levels of Honeypot Interaction
Low-interaction honeypots simulate just those services that cannot be exploited to get complete access to the honeypot. Low-interaction honeypots are more limited, but they are useful to gather information at a higher level, e.g., learn about network probes or worm activity. They can also be used to analyze spammers or for active countermeasures against worms (Provos, 2003).
Medium-interaction honeypots seek to incorporate the best of the low-interaction and high-interaction approaches. They do not attempt to simulate a fully operational system environment, nor do they implement all of the details of an application protocol (Wicherski, 2006).
High-interaction honeypots are capable of being completely compromised, thereby allowing an attacker to gain full access to the system and use it to launch further network attacks (Provos, 2003).
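As an added example (not code from Provos or any other cited author) of the low-interaction principle in Table 3, the sketch below emulates only the login slice of an FTP service, refuses every login, and records each probe; there is no real service behind it that could be exploited for full access. The banner, replies, port and captured fields are all assumptions made for the example.

```python
import socketserver
from datetime import datetime, timezone

# Constructed greeting (assumption) and an in-memory capture log; a real
# deployment would write the captured events somewhere off the honeypot.
BANNER = b"220 ftp.example.test FTP server ready\r\n"
captured = []

def respond(state, line):
    """Emulate the smallest useful slice of FTP: USER, then PASS, then refuse.

    Returns (new_state, reply, close). The emulation never grants a session,
    so there is no service logic behind it for an intruder to compromise.
    """
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "USER":
        return {"user": arg}, b"331 Password required.\r\n", False
    if verb == "PASS" and "user" in state:
        return {}, b"530 Login incorrect.\r\n", False
    if verb == "QUIT":
        return {}, b"221 Goodbye.\r\n", True
    return state, b"500 Unknown command.\r\n", False

class HoneypotHandler(socketserver.StreamRequestHandler):
    """One connection: send the banner, log every line, answer from respond()."""
    def handle(self):
        self.wfile.write(BANNER)
        state = {}
        for raw in self.rfile:
            line = raw.decode("ascii", "replace")
            state, reply, close = respond(state, line)
            captured.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "peer": self.client_address[0],
                "line": line.strip(),
            })
            self.wfile.write(reply)
            if close:
                break

if __name__ == "__main__":
    # Loopback only for this example; the bind address is an assumption.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2121), HoneypotHandler) as srv:
        srv.serve_forever()
```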
Chapter 4: Legal Issues Affecting the Use of Honeypots
This chapter provides a general discussion of the legal issues affecting the use of honeypots that an organization should take into account before deciding to adopt this intrusion detection approach.
According to Spitzner (2003), "In the past there has been some confusion on what are the legal issues with honeypots. There are several reasons for this. First, honeypots are relatively new. Second, honeypots come in many different shapes and sizes and accomplish different goals" (p. 3). Some laws enacted to date stipulate that system owners must maintain certain levels of confidentiality, accessibility and integrity of data (Elifoglu, 2002). The data these laws currently address typically includes medical records, student records, personal financial data, or simply archived e-mail correspondence; noncompliance with such laws can result in fines and/or lawsuits (Elifoglu, 2002).
A company's management team is ultimately responsible for establishing policies and procedures for securing information systems; auditors are responsible for assessing the control risk associated with these systems (Elifoglu, 2002). The Computer Fraud and Abuse Act of 1984 and the 1986 Federal Computer Fraud Act (Title 18 USC 1030) are the primary pieces of legislation intended to address computer crime (Elifoglu). These laws cover unauthorized access and the transmission of programs for fraudulent or harmful purposes, and a majority of states in the U.S. currently have comparable laws on their books (Elifoglu). As Spitzner (2003b) emphasizes, though, "To date, we have seen no published decision addressing whether the operator of an insecure system can be liable to other operators for the misuse of the system by a hacker. So while liability is an issue, it may be an overblown one, as there is no recorded case of it happening with compromised systems" (p. 5).
Andress, A. (2003). Surviving security: How to integrate people, process, and technology. Boca Raton, FL: Auerbach Publications.
Elifoglu, I.H. (2002). Navigating the 'information super highway': How accountants can help clients assess and control the risks of Internet-based e-commerce. Review of Business, 23(1), 67-69.