On Mon, 18 Sep 2006 15:14:56 -0000, gvij2000 yahoo.com said:
> hi
> I would like some guidance in creating and deploying honeytokens.
>
> 1. Coming up with honeytoken data that would interest hackers.
This is very site-specific. What I might recommend for a honeytoken for our student-records crew is probably not a good fit for a hospital...
> 2. How and where do I place the data so that I can monitor hackers.
Well, you basically invent a totally fictitious entry for the database (be it a student transcript, a medical record, an accounts-payable - something that makes sense for your organization), and put it in the database along with all the production data. You then monitor the database system logs (with a program of course, this is too tedious to do by actually reading logs), and if you see somebody make a request for that specific database entry, then you know you need to start investigating. The only tough part is that you need to identify queries like 'SELECT name, ssn FROM student_table WHERE home_address_state = "VA"' where it's expected to be returned and not generating a false-positive. But if you go through the logs and find a 'SELECT * WHERE fullname = "John Q. Honeytoken"', you have a problem.
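The log-monitoring program described above, as an added example that is not part of the original post. It assumes a constructed query log in a tab-separated "timestamp, db user, statement" format and a constructed honeytoken record; it flags statements whose quoted literals name a honeytoken value (including a LIKE pattern whose core is a substring of one), while a broad predicate such as home_address_state = "VA", which merely happens to return the planted row, is not flagged.

```python
import re
from typing import Dict, List, Tuple

# Constructed honeytoken record: the fictitious entry planted among real rows.
# Every value here is a placeholder, not a real identifier.
HONEYTOKEN: Dict[str, str] = {
    "fullname": "John Q. Honeytoken",
    "ssn": "000-00-0000",
    "student_id": "S-HT-00001",
}

# Single- or double-quoted SQL string literals (escape sequences not handled).
_LITERAL_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def _norm(s: str) -> str:
    """Collapse whitespace and case so formatting differences do not hide a hit."""
    return " ".join(s.split()).lower()


def honeytoken_fields_referenced(query: str, token: Dict[str, str] = HONEYTOKEN,
                                 min_len: int = 4) -> List[str]:
    """Return the honeytoken fields whose value is named in the statement's literals.

    A literal equal to a token value is a hit; so is a LIKE pattern whose
    wildcard-free core (assumption: '%' only) is a substring of a token value.
    Short literals such as 'VA' are ignored so broad predicates stay quiet.
    """
    hits: List[str] = []
    for a, b in _LITERAL_RE.findall(query):
        literal = a or b
        core = _norm(literal.replace("%", ""))
        if len(core) < min_len:
            continue
        for field, value in token.items():
            if core == _norm(value) or ("%" in literal and core in _norm(value)):
                if field not in hits:
                    hits.append(field)
    return hits


# Constructed sample log: "<timestamp>\t<db user>\t<statement>" per line.
SAMPLE_LOG = """\
2006-09-18 15:10:02\tregistrar_app\tSELECT name, ssn FROM student_table WHERE home_address_state = "VA"
2006-09-18 15:12:41\tregistrar_app\tSELECT * FROM student_table WHERE student_id = 'S-2006-1234'
2006-09-18 15:14:56\tdba_tmp\tSELECT * FROM student_table WHERE fullname = "John Q. Honeytoken"
2006-09-18 15:15:03\tdba_tmp\tSELECT ssn FROM student_table WHERE fullname LIKE '%honeytoken%'
2006-09-18 15:16:10\treports\tSELECT * FROM student_table WHERE ssn = '000-00-0000'
"""


def scan_log(log_text: str, token: Dict[str, str] = HONEYTOKEN) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, user, fields) for every statement that names the token."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, stmt = line.split("\t", 2)
        fields = honeytoken_fields_referenced(stmt, token)
        if fields:
            alerts.append((ts, user, fields))
    return alerts


if __name__ == "__main__":
    for ts, user, fields in scan_log(SAMPLE_LOG):
        print(f"ALERT {ts} user={user} honeytoken fields referenced: {fields}")
```

Each alert identifies the database user and the token fields that were named, which is the starting point for the investigation the post describes.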