Page 1224 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

observe an attacker’s activity without compromising the live environment. In some cases, the honeypot is designed to delay an intruder long enough for the automated IDS to detect the intrusion and gather as much information about the intruder as possible. The longer the attacker spends with the honeypot, the more time an administrator has to investigate the attack and potentially identify the intruder. Some security professionals, such as those engaged in security research, consider honeypots to be effective countermeasures against zero-day exploits because they can observe the attacker’s actions.
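
The delay-and-observe behaviour described above, shown as an added example that is not from the study guide: a minimal low-interaction decoy that drips a banner one byte at a time and records each session's source, input and dwell time. The class name, banner text, port 2525 and the `drip_delay` parameter are assumptions made for illustration.

```python
import socket
import threading
import time

BANNER = b"220 mail.example.test ESMTP ready\r\n"  # constructed decoy banner

class TarpitHoneypot:
    """Decoy listener: drips BANNER byte by byte and records every session."""
    def __init__(self, host="127.0.0.1", port=0, drip_delay=1.0):
        self.drip_delay = drip_delay      # seconds to stall after each byte
        self.sessions = []                # one record per connection, for analysts/IDS
        self.stopped = threading.Event()  # set() to end serve()
        self._sock = socket.create_server((host, port))
        self._sock.settimeout(0.2)        # lets serve() notice the stop flag
        self.port = self._sock.getsockname()[1]

    def serve(self):
        with self._sock:
            while not self.stopped.is_set():
                try:
                    conn, addr = self._sock.accept()
                except socket.timeout:
                    continue
                threading.Thread(target=self._session, args=(conn, addr),
                                 daemon=True).start()

    def _session(self, conn, addr):
        rec = {"src": addr[0], "start": time.time(), "received": b""}
        try:
            with conn:
                for b in BANNER:
                    conn.sendall(bytes([b]))
                    deadline = time.monotonic() + self.drip_delay
                    while (left := deadline - time.monotonic()) > 0:
                        conn.settimeout(left)  # capture input while stalling
                        try:
                            data = conn.recv(1024)
                        except socket.timeout:
                            break              # stall elapsed, send next byte
                        if not data:
                            return             # peer closed the connection
                        rec["received"] = (rec["received"] + data)[:4096]  # cap stored input
        except OSError:
            pass                               # reset or broken pipe ends the session
        finally:
            rec["dwell"] = round(time.time() - rec["start"], 3)
            self.sessions.append(rec)          # any contact with a decoy is worth review

if __name__ == "__main__":
    TarpitHoneypot(port=2525).serve()          # port 2525 is an arbitrary choice
```
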

Often, administrators host honeypots and honeynets on virtual systems. These are much simpler to re-create after an attack. For example, administrators can configure the honeypot and then take a snapshot of a honeypot virtual machine. If an attacker modifies the environment, administrators can revert the machine to the state it was in when they took the snapshot. When using virtual machines (VMs), administrators should monitor the honeypot or honeynet closely. Attackers can often detect when they are within a VM and may attempt a VM escape attack to break out of the VM.

The use of honeypots raises the issue of enticement versus entrapment. An organization can legally use a honeypot as an enticement device if the intruder discovers it through no outward efforts of the honeypot owner. Placing a system on the internet with open security vulnerabilities and active services with known exploits is enticement. Enticed attackers make their own decisions to perform illegal or unauthorized actions. Entrapment, which is illegal, occurs when the honeypot owner actively solicits visitors to access the site and then charges them with unauthorized intrusion. In other words, it is entrapment when you trick or encourage someone into performing an illegal or unauthorized action. Laws vary in different countries, so it’s important to understand local laws related to enticement and entrapment.


Understanding Pseudo Flaws

Pseudo flaws are false vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers.