Honeytoken

In the field of computer security, honeytokens are honeypots that are not computer systems. Their value lies not in their use, but in their abuse. As such, they are a generalization of such ideas as the honeypot and the canary values often used in stack protection schemes. Honeytokens do not necessarily prevent any tampering with the data, but instead give the administrator a further measure of confidence in the data integrity.

Honeytokens are fictitious words or records that are added to legitimate databases. They allow administrators to track data in situations they wouldn't normally be able to track, such as cloud based networks.[1] If data is stolen, honey tokens allow administrators to identify who it was stolen from or how it was leaked. If there are three locations for medical records, different honey tokens in the form of fake medical records could be added to each location. Different honeytokens would be in each set of records.[2]

If they are chosen to be unique and unlikely to ever appear in legitimate traffic, they can also be detected over the network by an intrusion-detection system (IDS), alerting the system administrator to things that would otherwise go unnoticed. This is one case where they go beyond merely ensuring integrity, and with some reactive security mechanisms, may actually prevent the malicious activity, e.g. by dropping all packets containing the honeytoken at the router. However, such mechanisms have pitfalls because it might cause serious problems if the honeytoken was poorly chosen and appeared in otherwise legitimate network traffic, which was then dropped.

The term was first coined by Augusto Paes de Barros in 2003.[3][4][5]

Uses

Honeytokens can exist in many forms, from a dead, fake account to a database entry that would only be selected by malicious queries, making the concept ideally suited to ensuring data integrity. A particular example of a honeytoken is a fake email address used to track if a mailing list has been stolen.[6]

gollark: It doesn't ignore robots.txt, I just manually whitelist sites.
gollark: But it's non-evil, so I would set it to 0, silly.
gollark: When it downloads a page, it stores:- the raw HTML of it, gzipped- the extracted text of it- a timestamp- the frequency of every word (well, token) in the page- every link from that page
gollark: Because of the way it works it uses a *lot* more space than just the size of the page, so it would use all my storage very fast.
gollark: I don't want to end up downloading all of github or something.

See also

References

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.