Catching flies with honey?

analysis
Jan 16, 2004

Some experts suggest honey-pot technology might be right for the enterprise -- but is it?

The concept of the honey trap, or honey pot, has been around Washington for a long time. During the Cold War, the practice of seducing spies, government officials, and others, and then using the liaison as leverage against them, became famous — if only because of its wide discussion in the books of John le Carré and other authors. The idea was that, once seduced and cornered, the target would do anything to maintain their good name, even betray their country.

Versions of the honey trap exist today, although clearly the agencies that run them would rather not discuss the details. But times have changed. For one thing, it’s a lot harder to use seduction as a lever — people just aren’t as ashamed of such things following a decade of Bill, Monica, and the blue dress. That doesn’t mean seduction no longer works; it’s just that the nature of the honey has to take other forms.

For example, many miscreants love nothing better than to break into the sites of major corporations or government agencies. In many cases, this gives them the bragging rights they crave along with the chance to tag the site with their own version of digital graffiti. So trying to shame the bad guy won’t work if they’re bragging about it to their peers.

Because of that perceived payoff, you can attract these miscreants by building a sweet target. Then you can carefully monitor a break-in, figuring out who’s trying to hack into or deface your site. If you can get bad guys to hang out long enough, it’s possible to trace them back to their own lair, and then unload on them. Sounds nice, right?

Such a plan was suggested in a fascinating op-ed in the Jan. 11 issue of The Washington Post, in which MIT’s Michael Schrage put forth a detailed plan of how such a honey pot might work. What’s more, companies such as NetBait can create a customized honey pot for you.

But just because it’s possible doesn’t mean it’s necessarily a good idea. TruSecure’s Director of Risk Assessment, Paul Robertson, agrees. Despite the fact that TruSecure uses honey pots from time to time to perform research, Robertson thinks it’s a mistake for most enterprises to set out honey pots of their own.

For one, unless the enterprise is in the business of catching crooks, there’s not a lot they can do, even if they find out who’s trying to break in. Worse, there’s some question about the legality of such honey pots, according to Robertson. Is a honey pot considered entrapment if you want to press charges? Can you really claim “damage” if it’s a fake site that’s broken into? After all, if you build the site with the intention of attracting a break-in, is it actually against the law if someone does just that?

Even scarier, suppose the bad guy gets into your honey-pot site and compromises it. Might he then be loose in your real enterprise? Would you have attracted a bad guy, made it possible for him to break in, and then accidentally handed over the keys to your kingdom? Remember, all complex code has vulnerabilities, and honey pots, in order to be convincing, must be complex.

There are ways to shore up honey pots — build them on a separate, secure network, and keep them disconnected from any production or critical network services and applications, for example — but those measures can’t guarantee real safety. Plus, you have to be ready to respond to a break-in at any time, and with today’s budget decreases, it’s doubtful an enterprise has extra security staff hanging around to monitor a honey pot.

In reality, as tempting as it might be to try and catch a crook or two, maybe your staff’s time is better spent watching the real store, rather than building a pretend store to distract the bad guys.