Catching this trusted, long-term acquaintance perpetrating unauthorized acts rocked me. I had recommended him to my client many years ago, and his dubious actions certainly reflected poorly on my judgment. Unfortunately for my friend, his activities and lack of communication about them led to his losing the account. Further, I won't recommend him to future clients. Whether or not his deeds had malicious intent, we had to assume they did, and this is unfortunate all the way around.
None of this would have come about without a honeypot in place. Had his activities been recorded on a bunch of workstation firewall logs, more than likely they would have been lost in the messaging noise that accompanies most firewall logs. But honeypots, by their very nature, record every event (after the initial fine-tuning) that is suspect and potentially malicious.
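The point above, that any touch of a honeypot is suspect by construction, is what makes its log usable where a firewall log is not. As an added illustration (not code from the column or from any product it mentions), the script below pulls honeypot touches out of constructed firewall-style log lines and applies the "initial fine-tuning" as an allowlist of expected sources such as a vulnerability scanner; the honeypot addresses, allowlisted scanner and log lines are all invented for the example.

```python
from collections import defaultdict

# Hypothetical honeypot addresses: no production service lives on them,
# so any connection to them, allowed or dropped, is worth a look.
HONEYPOTS = {"10.0.5.250", "10.0.5.251"}

# "Initial fine-tuning": sources whose touches are expected (here a
# constructed vulnerability-scanner address) and would otherwise alert daily.
TUNED_OUT = {"10.0.1.20"}

# Constructed firewall log lines: timestamp action proto src -> dst
SAMPLE_LOG = """\
2024-03-01T02:14:07 ALLOW TCP 10.0.1.20:51022 -> 10.0.5.250:445
2024-03-01T02:14:09 ALLOW TCP 10.0.2.17:49311 -> 10.0.7.9:443
2024-03-01T02:15:44 DROP  TCP 10.0.3.88:40112 -> 10.0.5.250:22
2024-03-01T02:15:45 DROP  TCP 10.0.3.88:40113 -> 10.0.5.250:3389
2024-03-01T02:16:01 ALLOW UDP 10.0.2.17:53012 -> 10.0.0.2:53
2024-03-01T03:02:10 ALLOW TCP 10.0.3.88:40299 -> 10.0.5.251:1433
"""

def parse_line(line):
    """Split one log line into its fields; ports become ints."""
    ts, action, proto, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "action": action, "proto": proto,
            "src": src_ip, "dst": dst_ip, "dport": int(dst_port)}

def honeypot_hits(log_text):
    """Keep only events whose destination is a honeypot and whose source
    is not tuned out. The firewall verdict is deliberately ignored: an
    ALLOW to a honeypot is as suspect as a DROP."""
    return [ev for ev in map(parse_line, log_text.splitlines())
            if ev["dst"] in HONEYPOTS and ev["src"] not in TUNED_OUT]

def summarize(hits):
    """Per source: first/last touch, honeypots reached and ports probed,
    which is the timeline an investigator needs when reviewing the activity."""
    by_src = defaultdict(lambda: {"first": None, "last": None,
                                  "targets": set(), "ports": set()})
    for ev in hits:
        s = by_src[ev["src"]]
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
        s["targets"].add(ev["dst"])
        s["ports"].add(ev["dport"])
    return dict(by_src)

if __name__ == "__main__":
    for src, s in summarize(honeypot_hits(SAMPLE_LOG)).items():
        print(src, s["first"], s["last"], sorted(s["targets"]), sorted(s["ports"]))
```

Of the six constructed lines, three survive, all from one source; that three-line summary is the signal the column says a plain firewall log would have buried.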
If you don't have honeypots installed at your organization, you should, and there are some good options out there. My favorite honeypot software is KFSensor from KeyFocus. It's a commercial product that only works on Windows computers, but the maintainer is constantly updating and improving the product, whereas most honeypot products languish severely after the excitement of their new release dies down. KFSensor isn't perfect, but it's feature-rich and fairly easy to set up. It has hundreds of options and customizations, and it allows logging and alerting to a variety of databases and logs.
Honeyd is a flexible, free, open source, feature-rich honeypot software program, but it requires solid Linux and network skills to deploy and operate. Windows versions are available, but they aren't kept as up-to-date as the non-Windows versions (which aren't very current either); from my experience, they end up being more trouble than they're worth. Still, if you have no money and a few days to explore and troubleshoot, Honeyd is probably a good place to start.
Me, I've given up on Honeyd and usually spend the money it takes to get KFSensor. Or I go with an old, about-to-be-decommissioned computer or device to make a physical honeypot.
The Honeynet Project is the single best place for honeypot information and forensics. Its Honeywall CD-ROM image is a great, free, all-in-one honeynet software for users not scared of a little Linux configuration. It is menu driven, full of functionality, and easier to get up and running than a brand-new Honeyd install.
This story, "Honeypots stick it to insider threats," was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com.