The sweet smell of IT security: Understanding honeypots

Chances are you may have recently heard the IT security geeks talking about honeypots (traps that can be set to detect or even counteract the unauthorised use of IT systems), but what about honeycheckers or the latest addition to the sugary security arsenal, honeywords?

With research suggesting that the use of honeywords in a standard password database could improve enterprise security and prevent hackers from cracking logins, maybe it's time you acquainted yourself with the sweet smell of IT security...

Knowing what they are is about as much use as the proverbial chocolate teapot unless you know how to apply them within the very real world setting of your enterprise data security strategy.

The sticky subject of definition

By now, security really ought to be a priority for organisations, They should also be thinking about using honeypots, honeywords and honeycheckers in order to help prevent hackers gaining access to confidential information, according to Sian John, the UK Security CTO for Symantec.

"Using decoy passwords alongside genuine hashed passwords could really help IT administrators fight back against hackers," she says. This is all well and good, but what, precisely are they?

Marcus Ranum, CSO at Tenable Network Security, used to teach a class on honeypots at SANS. So who better to provide us with accurate and understandable definitions of honeypots, honeycheckers and honeywords?

Honeypot: "A honeypot is a security system whose value lies in being probed, attacked, or compromised. There are two primary kinds of honeypots: production and research. The objective of a production honeypot is to act as an intrusion detection and alarm system. Whereas, a research honeypot is used for discovering new things about attackers' techniques and tools. Both are valuable in the right place."

Honeycheckers: "Honeycheckers are when you put alarms in place to check for the use of certain things. For example, you might create a crackable password and login for a user named "ferdburfle@wherever.com" and generate an alarm (and monitor all activity) if someone logs in with that account. It would indicate that your password file had been compromised or otherwise cracked."

Honeywords (also known as HoneyTokens): "Honeywords are strings injected in databases or files that an attacker might be interested in collecting, that can be detected as they move around the network. There are a variety of techniques for this, including using sniffers, proxies, scanners and so on. For example, imagine that I have a customer database that contains a fictitious entry for a fictitious customer named "Ferd J Burfle." I might monitor all files going out of my firewall for that name, since there's no normal circumstance in which that would happen."

Putting that all together, you can see how these techniques provide a model of distributed security to protect against password stealing and brute force password attacks. "The idea is to associate multiple passwords, or honeywords with a user's account, while only one password is actually valid," adds Yuval Ben-Itzhak, CTO at AVG Technologies. "Like a virtual alarm system, if a honeyword is used to log into an account, a honeychecker alerts administrators to the breach. The honeychecker can be programmed in a number of ways, such as to suspend the account in question or allow the login to proceed but within a honeypot environment."

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.