Because a honeypot often catches trusted insiders attempting unauthorized acts (in my personal experience, about half of the catches are insiders), it's best if the honeypot is known to only a few people. Use a code word when referring to it in emails, because you never know whether an attacker has compromised your email system. Not even the people assigned to respond to honeypot incidents need to know of its existence. All they need to be told is that an intrusion detection system alerted on the suspicious traffic.
This story, "Intrusion detection on the cheap: Roll your own honeypot," was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.