Wednesday, May 15, 2019
Application Controls, Monitoring, and Honeypots Essay
In addition to maintaining the rules, someone must respond to the alerts. Sometimes signatures may also match valid activity, meaning that responding to alerts first involves determining whether the alert is the result of an intrusion or of unexpected, but valid, system activity. All of these tasks require highly trained personnel to carry out (Skoudis, 2002). The implication here, as our company's ICT director confirmed, is that current intrusion detection systems are somewhat limited in capacity. This does not mean that current intrusion detection systems are not effective, only that they are not as effective as required. In this context, it is commonly held that anomaly detection will ultimately grow more valuable and robust because it has the potential to identify previously unknown intrusions or attacks. It is for this reason that the corporation is currently investigating the implementation of honeypots.

Honeypots are new security technologies that, while not a replacement for conventional intrusion detection systems, address some of the weaknesses of intrusion detection systems (Spitzner, 2003). As their only purpose is to be attacked, all traffic to the honeypot can be considered an intrusion or an anomaly of some sort. For this reason there is no need to separate normal traffic from anomalous traffic, which makes any data collected from a honeypot of high value. Added to that, since honeypots have no production value, no resource or person should be communicating with them, and therefore any activity arriving at a honeypot is likely to be a probe, scan, or attack. Their value comes from their potential ability to capture scans, probes, attacks, and other malicious activity (Spitzner, 2003). There are three types of honeypots: low interaction, medium interaction, and high interaction.
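The following sketch is an added example, not part of the original essay. It shows a listener that treats every contact as an alert and presents a login prompt with no service behind it; the port number, the event fields, and the names `record` and `handle_session` are assumptions made for illustration.

```python
import socketserver
import time

EVENTS = []  # in-memory alert log (assumption: a real deployment would forward these)


def record(peer, stage, **detail):
    """Log one event. Nothing legitimate talks to a honeypot, so nothing is filtered."""
    event = {"ts": time.time(), "src": peer, "stage": stage, **detail}
    EVENTS.append(event)
    return event


def handle_session(rfile, wfile, peer, delay=0.0):
    """Fake login dialogue: prompt, record what is sent, never grant access."""
    record(peer, "connect")                  # touching the port is already an alert
    wfile.write(b"login: ")
    user = rfile.readline(256).strip()       # bounded reads: never trust input length
    wfile.write(b"Password: ")
    password = rfile.readline(256).strip()
    if user or password:                     # the peer went beyond a bare scan
        record(peer, "credentials",
               user=user.decode("latin-1"),
               password=password.decode("latin-1"))
    time.sleep(delay)                        # optional deliberately slow reply
    wfile.write(b"\r\nLogin incorrect\r\n")  # there is no account to log into
    return [e for e in EVENTS if e["src"] == peer]


class Handler(socketserver.StreamRequestHandler):
    timeout = 10  # seconds; drop peers that connect and then go silent

    def handle(self):
        handle_session(self.rfile, self.wfile, self.client_address[0], delay=2.0)


if __name__ == "__main__":
    # Port 2323 is an arbitrary choice for this sketch.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2323), Handler) as srv:
        srv.serve_forever()
```

Because the connection itself is recorded before any input is read, a bare port scan still produces an event even if the peer never answers the prompt.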
In order to collect information a honeypot must interact with the attacker, and the level of interaction refers to the degree of interaction the honeypot has with a potential attacker (Spitzner, 2003). A low interaction honeypot provides minimal function, like an open port. A medium interaction honeypot simulates basic interactions like asking for a login and password, but provides no actual service to log into. High interaction honeypots offer a fully functioning service or operating system, which can potentially be compromised (Spitzner, 2003).

Honeypots have also been shown to be effective against Internet worms. Laurent Oudot (2006) demonstrated how MSBlast could be detected and captured using Honeyd and some simple scripts. He also showed how worm propagation can be slowed by using Honeyd to attract the worm's attention and then respond very slowly to its requests. Using scripts, Oudot demonstrated how a honeypot could even launch a counter attack against a worm outbreak, either by isolating services or network segments, or by abusing the same vulnerability the worm employed and then trying to kill the worm process.

Honeypots do face several important challenges: 1) honeypots are entirely unaware of attacks not directed at them, 2) they must avoid being fingerprinted, because if an attacker can easily identify honeypots their usefulness will be severely limited, and 3) like so many security technologies, they require configuring and maintaining by a knowledgeable person (Spitzner, 2003).

Honeypots, because of their very nature, excel at detection. What makes them most attractive in the area of detection is the fact that they