All’s Fair in Security?

I read an interesting piece in InfoWorld by Roger Grimes, "A Sweet Solution to the Insider Threat." The premise of Grimes' article is that companies should use computer decoys, or "honeypots," to catch workers attempting to log in to resources they have no business reason for accessing.

Honeypots by their very nature are fake computers that nothing should ever attempt to contact. Their sole purpose in life is to note any connection attempt and report it for immediate investigation … A honeypot can’t be guaranteed to catch an internal hacker before any damage is done, but it’s one of the best chances you’ll have.
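To make the mechanism Grimes describes concrete, here is a minimal decoy listener. It is an added example, not code from Grimes' article or from InfoWorld: it accepts any TCP connection, hands out a fake service banner, records who connected and what they sent, and grades the event for triage. The banner text, the hostname "fileserver-01", the port choice and the severity labels are all assumptions made for the illustration; a bare connect from a scanner and a deliberate login attempt are deliberately kept apart because, as the rest of this post argues, not every hit is a crime.

```python
"""Minimal TCP decoy ("honeypot") listener: added illustration, not code from the article.

Nothing legitimate should ever connect here, so every accepted connection is
recorded as an event for investigation. The fake FTP banner and the hostname
'fileserver-01' are made up for the example.
"""
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class DecoyEvent:
    timestamp: float   # epoch seconds when the connection was handled
    peer: str          # "ip:port" of the client that touched the decoy
    payload: bytes     # first bytes the client sent after the banner (b"" if none)


class DecoyListener:
    """Accepts every connection, sends a fake banner, records the first client bytes."""

    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 fileserver-01 FTP server ready\r\n", read_timeout=0.5):
        self.host, self.port, self.banner = host, port, banner
        self.read_timeout = read_timeout
        self.events = []                 # list[DecoyEvent], appended under _lock
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = None
        self._thread = None

    def start(self):
        """Bind (port 0 = pick a free port), start the accept loop, return the port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self.port = self._sock.getsockname()[1]
        self._sock.listen(16)
        self._sock.settimeout(0.2)       # lets the accept loop notice stop()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:              # socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        payload = b""
        try:
            conn.sendall(self.banner)
            conn.settimeout(self.read_timeout)
            try:
                payload = conn.recv(256)  # b"" on EOF, exception on timeout
            except socket.timeout:
                pass
        except OSError:
            pass
        finally:
            conn.close()
        with self._lock:
            self.events.append(DecoyEvent(time.time(), f"{addr[0]}:{addr[1]}", payload))

    def stop(self):
        self._stop.set()
        if self._sock:
            self._sock.close()
        if self._thread:
            self._thread.join(2.0)


def classify(event):
    """Triage label: every contact is reportable, but intent differs by behaviour."""
    if event.payload.upper().startswith((b"USER ", b"PASS ")):
        return "HIGH"     # credentials offered to a decoy: not an accidental click
    if event.payload:
        return "MEDIUM"   # spoke to the decoy but sent no login
    return "LOW"          # bare connect: scanner or curiosity, still investigate


def probe(port, data=b"", host="127.0.0.1"):
    """Act as a client touching the decoy; returns the banner it received (test helper)."""
    with socket.create_connection((host, port), timeout=3.0) as s:
        banner = s.recv(256)
        if data:
            s.sendall(data)
    return banner


def wait_for_events(listener, count, timeout=3.0):
    """Poll until the listener has recorded `count` events or the timeout passes."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with listener._lock:
            if len(listener.events) >= count:
                return True
        time.sleep(0.02)
    return False


if __name__ == "__main__":
    hp = DecoyListener()
    port = hp.start()
    probe(port, b"USER alice\r\n")     # constructed insider-style login attempt
    probe(port)                         # constructed bare connect (scanner-like)
    wait_for_events(hp, 2)
    for ev in hp.events:
        print(classify(ev), ev.peer, ev.payload)
    hp.stop()
```

Running the block starts the decoy on a free loopback port, sends it one fake login attempt and one bare connect, and prints a HIGH and a LOW event. In a real deployment the decoy would listen on an address that looks like a production host, forward events to the SIEM rather than keeping them in memory, and never be reachable by backup jobs, vulnerability scanners or monitoring, so that a hit is always worth a phone call.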

The article was particularly interesting to me because it raises a philosophical question about employer trust. No doubt about it, the insider threat is very real. We read about workers committing acts of theft, fraud and sabotage on almost a weekly basis. Given this very real threat, most organizations have put in place security measures and internal controls to reduce the probability of insider threats occurring. But to what lengths should employers go to detect potential fraud?

I can see both sides of this argument:

In favor of honeypots: Most companies admit that they can only detect a fraction of all fraud cases. And when fraud is detected, it's usually too late. For this reason, an early warning system to detect potential fraud is a good thing. If employees are trolling around trying to access seemingly "sensitive" systems, you want to know about it – before damage is done to real assets.

Against honeypots: Creating a honeypot is arguably a form of entrapment that is deceptive and ethically questionable. Furthermore, you can't assume that a hit means criminal activity has occurred – curious employees could be harmless, and so could a misconfigured scanner or backup job. Perhaps a bigger issue is the legality of monitoring employee activity. In countries with strict privacy laws, such monitoring may be illegal or tightly restricted, and even in countries where it's allowed, it should be part of a company policy that is clearly spelled out to all workers.

Perhaps the best approach is a pragmatic one. Companies should focus their energies on proactively protecting critical business assets. This includes a range of preventive and detective controls: limiting user access to what is absolutely required for workers to perform their jobs; limiting the use of shared or privileged accounts; and requiring supervisory review of all access privileges. Monitoring of worker activity should focus first on the actual resources you care about protecting. If you do decide to use honeypots, you should treat them as additional tools in the arsenal – as supplements to your baseline foundation of controls – and make sure that no legitimate process ever has a reason to touch them, so that every hit is worth investigating.

What do you think?