Honeynet & legislation

Honeypots have applications in both the production and the research domain. In a production network they give a concrete picture of your security holes: which exposed services attackers actually probe and how your applications and network setup can be compromised. In research they serve as a discovery tool for studying new vulnerabilities and attack techniques.

A honeypot (a honeynet being a network of honeypots) is not a replacement for any of the devices and tools in your security arsenal. It is better thought of as the "security video camera" or "motion sensor" on your network: because a honeypot has no production role, any interaction with it is suspicious by definition, and it records that activity like a camera so the data can be analysed afterwards, much as a video can be replayed frame by frame. The limitation is the same as a camera's: it sees only what is aimed at it, not traffic elsewhere on the network.

In deploying honeypots it is important to consider the ramifications of the applicable laws and regulations; in Canada, for example, PIPEDA and any other applicable privacy, criminal and civil legislation. In this context an organization must identify its purpose for the deployment, how the information will be used after analysis, how the results will be distributed or published, and whether the results will mention (or need to mention) any personally identifiable data such as an IP address, email address, domain name, username, etc.

Our research in this area led us to consider the implications of privacy law in the Canadian context for the deployment and use of honeynets and honeypots. It is generally accepted that a user of a public network has little expectation of privacy in their online activities, comparable to walking down a public street: one cannot expect to go unseen. Further, an attacker (an intruder, unauthorized network user or hacker) has little or no right to expect privacy while undertaking an illegal activity. From a privacy perspective, the use of honeypots in a production network is best treated like the use of security video cameras in stores, and it calls for similar information-management practices and safeguards.

Organizations must be diligent when sharing results or data, whether for research or for business purposes. The data and analysis from a honeypot deployment can be published freely once all data that could identify an individual person has been de-identified, e.g. by masking IP addresses. Note that masking the address field alone is not always enough: addresses and email addresses also appear inside captured payloads and free-text log messages, and these must be scrubbed as well. Where law enforcement requests information under a legal instrument such as a warrant, the organization is obliged to provide it, and responsibility for managing the disclosed information then falls to the law enforcement agency.

The US Wiretap Act has created a situation where deploying or using honeypots on a network can be termed an illegal activity, although a few exceptions allow honeynet research to continue. Canada does not have a direct equivalent of the Wiretap Act, so honeypots are viewed differently in this country. Which Canadian privacy laws apply depends on the type of organization using the technology and the sector in which it operates: a research project and a corporation running a production network may fall under different statutes and be treated very differently. Any research organization publishing a paper on a honeynet attack should ensure that all personal information or personally identifiable information, including IP addresses, is de-identified prior to publication so as not to come into conflict with rights provided under the law.
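The de-identification step called for in the two preceding paragraphs is easy to get half right: replacing one field and leaving the same address in a free-text message, or masking in a way that loses the ability to see that one attacker generated many records. The following script is an added example, not code from the original article or its authors. It pseudonymizes honeypot log records with a keyed HMAC (the same input always maps to the same token, so an attacker stays linkable across records, but without the key the token cannot be reversed or dictionary-matched), keeps only the /24 or /48 network as coarse context, and scrubs IPv4 literals and email addresses out of free-text fields. The JSON-lines records, field names (`src_ip`, `username`, `message`) and the key are constructed for illustration; a real deployment would take the key from a secret store and adapt the field names to its own honeypot's log format.

```python
"""De-identify honeypot log records before sharing or publication.

Keyed pseudonymization (HMAC-SHA256) keeps one attacker linkable across
records without revealing the real address; network truncation keeps
coarse routing context; free-text fields are scrubbed separately.
"""
import hashlib
import hmac
import ipaddress
import json
import re

# Constructed sample records (JSON lines); not data from a real honeypot.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:02:11Z", "src_ip": "203.0.113.45", "username": "root", "message": "login attempt from 203.0.113.45 as root"}
{"ts": "2024-05-01T10:02:15Z", "src_ip": "203.0.113.45", "username": "admin", "message": "contact me at mallory@example.org"}
{"ts": "2024-05-01T10:03:40Z", "src_ip": "2001:db8:1234:5678::9", "username": "guest", "message": "scanner probe"}
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def pseudonymize(value: str, key: bytes, prefix: str) -> str:
    """Replace an identifier with a keyed, truncated HMAC-SHA256 token.

    The same (key, value) pair always yields the same token, so records from
    one source stay correlated; a different key yields unrelated tokens.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:12]}"


def mask_ip(ip: str) -> str:
    """Truncate an address to its /24 (IPv4) or /48 (IPv6) network.

    Keeps only coarse context for analysis; raises ValueError if the
    input is not a valid address, so malformed data is not silently passed.
    """
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def scrub_text(text: str, key: bytes) -> str:
    """Replace email addresses and IPv4 literals embedded in free text.

    Uses the same key and prefix as the structured fields, so an address
    quoted in a message maps to the same token as the src_ip field.
    """
    text = EMAIL_RE.sub(lambda m: pseudonymize(m.group(0), key, "email"), text)
    text = IPV4_RE.sub(lambda m: pseudonymize(m.group(0), key, "ip"), text)
    return text


def deidentify_record(record: dict, key: bytes) -> dict:
    """Return a copy of one record with identifying fields replaced."""
    out = dict(record)
    if "src_ip" in out:
        out["src_net"] = mask_ip(out["src_ip"])          # coarse context only
        out["src_ip"] = pseudonymize(out["src_ip"], key, "ip")
    if "username" in out:
        out["username"] = pseudonymize(out["username"], key, "user")
    if "message" in out:
        out["message"] = scrub_text(out["message"], key)
    return out


def deidentify_log(text: str, key: bytes) -> list:
    """Parse JSON-lines input and de-identify every non-empty record."""
    return [deidentify_record(json.loads(line), key)
            for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    key = b"example-key-do-not-reuse"  # assumption: a real key comes from a secret store
    for rec in deidentify_log(SAMPLE_LOG, key):
        print(json.dumps(rec))
```

The key is the re-identification secret: whoever holds it can confirm whether a given real address produced a given token, so it should be kept by the data owner and never shipped with the published dataset. The /24 or /48 truncation is a deliberate trade-off; if the sharing agreement does not need network context at all, drop the `src_net` field.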

Dinesh Bareja and Sami Guirguis.