honey pots


Upload: dhaivat-zala

Post on 24-May-2015


DESCRIPTION

This is a security technology that has recently emerged in the world of information technology.

TRANSCRIPT

Page 1: Honey pots

Seminar on

Information Security With HONEYPOTS

(An Internet Technology)

Presented By: Dhaivat Zala

Page 2: Honey pots

What is Information Security?

Information Security is simply the process of keeping information secure: protecting its availability, integrity, and privacy.

Effective Information Security incorporates security products, technologies, policies and procedures.

No collection of products alone can solve every Information Security issue faced by an organization.

More than just a set of technologies and reliance on proven industry practices is required, although both are important.

Products such as firewalls, Intrusion Detection Systems (IDS), and vulnerability scanners alone are not sufficient to provide effective Information Security.

Page 3: Honey pots

[Three Main Issues That Are Not Given Much Care]

1 – Lack of awareness: both at a corporate level and at an end user level.

This means that people who are part of the internet community are not safe.

In this sense, they must be aware of the risks they face when providing personal information and sharing personal traits on the internet.

They are not educated enough about the various threats on the internet nowadays, such as online scammers, viral attacks, cracking, phishing and hacking tactics.

Page 4: Honey pots

[Three Main Issues That Are Not Given Much Care] (Continued…)

2 – Complacency: This is another threat, or issue, that plays a major role in making data insecure.

Generally, we never take much care of, or stay serious about, the information we hold.

But for any other interested person or any hacker, this is the most important opportunity to steal your data.

With this issue, the user is normally satisfied and unaware of the future risks to their data center or database.

They generally have no idea about the various risks to their information that may occur; sometimes even educated people and IT professionals make this mistake.

Page 5: Honey pots

[Three Main Issues That Are Not Given Much Care] (Continued…)

3 – No root cause analysis. Traditionally, security solutions, whether at the perimeter, server or client, have focused on detection, blocking and/or cleaning up the results of malicious software infections but have not offered effective root-cause analysis.

People need to know where the malware is coming from: was it a drive-by download, an infected USB drive, email, instant messaging or something else? It is not enough to say “Machine X was infected with malware Y but I cleaned it up for you, no need to worry”.

In this case, a company or its IT department must have something like an IDS (Intrusion Detection System) or a properly set up firewall.

Page 6: Honey pots

Before an attack takes place, what steps does the attacker take?

It is not always easy to pick out an attacker, because the attacker is also very knowledgeable, with a sound knowledge of computer hardware and operating systems.

So before they attack, they study our system's activities: which services are running, which operating system is in use, what other security software is present, etc.

They use certain tools that help them get information about our system.

The attacker must have knowledge of the operating system, because through this he/she can learn or understand the vulnerabilities of the operating system that can be exploited.

In the forthcoming slides we will take a glimpse at how some of this software functions and how it is useful to an attacker.

Page 7: Honey pots

Software used by attackers

TCPDUMP: This is a type of software usually called a network sniffer. It is used to sniff or record network traffic so that decisions can be made accordingly.

The tcpdump program was written by Van Jacobson, Craig Leres, and Steven McCanne, all of the Lawrence Berkeley Laboratory at the University of California at Berkeley.

It is basically software that lets its user view a packet trace, work out the path or flow of the traffic, and spot vulnerabilities.

NMAP: This is another network scanning application, used to scan activity on the network.

Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

Page 8: Honey pots

Honey Pots: The Solution for Internet-Based Data Security

• Honey Pots are fake computer systems, set up as a "decoy", that are used to collect data on intruders.

• The decoy may be any vulnerable operating system or a fake web page specially designed for information thieves, that is, for people who wish to steal the information that is most important to the organization or institution.

• A Honeypot, loaded with fake information, appears to the hacker to be a legitimate machine.

• While it appears vulnerable to attack, it actually prevents access to valuable data, administrative controls and other computers.

• Deception defenses can add an unrecognizable layer of protection.

Page 9: Honey pots

Honeypot (Continued…)

In another sense, honey pots are…

“A server that is configured to detect an intruder by mirroring a real production system. It appears as an ordinary server doing work, but all the data and transactions are phony. Located either in or outside the firewall, the honey pot is used to learn about an intruder's techniques as well as determine vulnerabilities in the real system.”

If deployed correctly, a honey pot can serve as an early warning and advanced security surveillance tool, minimizing the risks from attacks on IT systems and networks.

Honey pots can also analyze the ways in which attackers try to compromise an information system, providing valuable insight into potential system failures.

Page 10: Honey pots

An Example of A Simple Honeypot

Page 11: Honey pots

Another Setup of honey pots

Page 12: Honey pots

How an Actual Honey Pot Works:

• As shown in the previous image, it does two jobs simultaneously.

• The first is to detect whether incoming packets or requests come from a malicious site or with malicious intent.

• Second, after detection, it transfers the problematic packets or requests to the decoy server.

• The transfer is usually done with normal networking techniques, that is, through routers.

• The decoy simulates the original server interface as if it were the server being targeted.

Page 13: Honey pots

What Makes Any System a Honeypot System

• A Decoy System: It appears to be the original system rather than a trap.

• Security Vulnerabilities: It attracts hackers by being vulnerable to attack; that is, the system is intentionally kept insecure.

• Closely Monitored: The system is kept under watch to track the activities of black hats (black hats are a type of hacker who tries to crash or crack the network) and other types of attack, and to study their attack methodologies intensively.

• Deceptive: It looks and responds as a normal system would.

• Well Designed: The system is designed in such a way that hackers, crackers or black hats never know that they are under inspection.

Page 14: Honey pots

Deployment classification: Honey pots

• Having cleared up the basic concepts, let us move on to the types of honey pots.

• There are several types of honey pots: Production Honey pots, Research Honey pots and Database Honey pots.

Production Honey pots: These types of honey pots are easy to use, capture a very limited amount of information, and are used primarily by organizations and corporations. Generally, they give less information about the attacker and the attacks.

This type of honey pot can be placed inside a network, so it is easy to implement with the current network.

Why a Production Honey pot: it is implemented to mitigate the risk to an organization's internal network that is connected to an outer network.

Page 15: Honey pots

Deployment classification: Honey pots (Continued…)

Research Honey Pots: This is another type of honey pot, used to track malicious intent by the BLACKHAT community.

This type of honey pot doesn't add value to security at the organization level, because it is implemented only to get information about the tactics of BLACKHAT hackers and to use that information to provide better security policies to organizations.

This type of honey pot is quite complex to implement in practice, because we have to deploy a whole architecture, from real platforms to real servers.

Its purpose is to track the tricks and tactics followed by general hackers and BLACKHAT hackers.

Page 16: Honey pots

Types of Honey pots (Continued…)

Database Honey pots: Databases often get attacked by intruders using SQL Injection.

As such activities are not recognized by basic firewalls, companies often use database firewalls for protection. Some of the available SQL database firewalls provide/support honey pot architectures so that the intruder runs against a trap database while the web application remains functional.

It is basically intended for those people who want to capture information directly from the original database.

The term SQL Injection used above is a type of malicious code injection technique that inserts untrusted SQL statements to fetch confidential data, or, simply put, an attack on DATABASE SERVERS.

Page 17: Honey pots

Types according to level of interaction.

LOW INTERACTION HONEY POT

• Another classification exists according to level of workload or level of interaction.

• Types of honey pots according to interaction: Low interaction and High interaction.

Low Interaction Honey Pot (Honeyd): This is a very low risk and very low interaction honey pot. Generally, honey pots resemble a real system, like a normal system that is vulnerable to attack.

Secondly, this is not a complete system with a full-fledged OPERATING SYSTEM and other components; rather, it just simulates several network services like HTTP, FTP, Telnet etc.

The disadvantage of this kind of system is that it is very easy to identify, because it is merely simulator software.
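The low interaction honey pot described on this slide, as an added Python sketch that is not part of the original presentation and is not Honeyd's code: it simulates the FTP, Telnet and HTTP services with canned replies and logs every line a client sends. The banners, reply texts, limits, port 2121 and all function names are assumptions made for illustration.

```python
import json
import socketserver
import time

# Constructed banners and replies for the simulated services (assumptions).
SERVICES = {  # service: (banner sent on connect, reply to every line)
    "ftp": (b"220 FTP server ready\r\n", b"530 Login incorrect\r\n"),
    "telnet": (b"login: ", b"Login incorrect\r\nlogin: "),
    "http": (b"", b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
}
MAX_LINE = 512   # bytes kept per input line, so a client cannot flood the log
MAX_LINES = 20   # lines accepted per session, so a client cannot hold a thread

def make_event(service, peer, raw, now=None):
    """Build one log record for a line the client sent."""
    return {"ts": time.time() if now is None else now, "service": service,
            "src_ip": peer[0], "src_port": peer[1],
            "input": raw[:MAX_LINE].decode("latin-1").strip(),
            "truncated": len(raw) > MAX_LINE}

def session(service, peer, lines, log, now=None):
    """Yield the bytes to send; every client line is logged, none is executed."""
    banner, reply = SERVICES[service]
    if banner:
        yield banner
    for count, raw in enumerate(lines, 1):
        log(make_event(service, peer, raw, now))
        yield reply
        if service == "http" or count >= MAX_LINES:
            break

def make_handler(service, log):
    class Handler(socketserver.StreamRequestHandler):
        timeout = 30  # seconds before an idle client is dropped
        def handle(self):
            bounded = iter(lambda: self.rfile.readline(MAX_LINE + 1), b"")
            try:
                for out in session(service, self.client_address, bounded, log):
                    self.wfile.write(out)
            except OSError:
                pass  # resets and timeouts are normal traffic for a decoy
    return Handler

if __name__ == "__main__":
    emit = lambda ev: print(json.dumps(ev), flush=True)  # one JSON line per event
    # 2121 is an assumed unprivileged port standing in for FTP's port 21.
    with socketserver.ThreadingTCPServer(
            ("0.0.0.0", 2121), make_handler("ftp", emit)) as srv:
        srv.serve_forever()
```

Because every reply is fixed, a client that sends anything beyond a login attempt sees the same answer each time, which is the identification weakness the slide mentions.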

Page 18: Honey pots

Types according to level of interaction.

HIGH INTERACTION HONEY POT

This is actually an implementation of a real system within a network.

That means it works in a real environment with a specific type of LOGGING SOFTWARE.

Basically, logging software is used to track the activities of the user or system running as the main server system.

It is high risk, because hackers are not contacting simulator software; they attack a real system that is set up in a real environment.

There is very little chance of identifying a high interaction honey pot.

Page 19: Honey pots

The Final Step

We have now studied many aspects of honey pots, such as what a real honey pot is.

Honey Nets: "A honey net is a network of high interaction honey pots that simulates a production network and configured such that all activity is monitored, recorded and in a degree, discreetly regulated."

That means a single honey pot alone cannot be proven efficient and secure, but when we implement a collection of honey pots in a network, which per the definition above are high interaction honey pots, then from anywhere and at any time we can catch the hackers and their actions.

Page 20: Honey pots

Questions & Answers….

Page 21: Honey pots

THANK YOU FOR YOUR KIND ATTENTION….