Avoiding the pitfalls of operating a honeypot

So, you’ve had enough. You are fed up with hackers and have decided to go “active” in identifying and taking them down. While the sentiment is certainly justifiable in these difficult times, the old adage of “look before you leap” could not apply more than in this context.


Any type of active cyber defense, such as creating and operating a honeypot, can create potential liability and open a business up to action by one or more regulators. At its foundation, the honeypot is designed to mislead and misrepresent its nature to entice a hacker into engaging with it. To accomplish that, the honeypot must be constructed to appear to be a legitimate entity (e.g., a bank, a consumer products business, etc.).


It’s one thing to do that in the context of a third-party hacker intending to do harm. It is quite another when the third party has no harmful intent, but merely stumbles upon the honeypot thinking it to be a valid website. Even if the third party is a hacker, deploying active measures like collecting information about the attacker or, worse yet, attempting to place phone-home or other technologies onto the attacker’s own systems may violate applicable privacy laws and may itself result in the operator of the honeypot violating state and federal anti-hacking laws.


While there have been various attempts to enact legislation in support of active cyber defense tactics, such as honeypots, none has yet become law. The operation of a honeypot is never without inherent risk. These risks can, however, be mitigated to a certain extent by following these guidelines:


Minimize misleading material and data collected


Ensure the domain name for the honeypot and the name of the associated fictitious business are not identical ..
