Service virtualisation is a simulation technique used to create reusable and deployable virtual services that act as a superior alternative to stubs and mocks, writes Romil Chennupati – Consultant, Quality Engineering and Testing Services, at IT firm Wipro Ltd.
Due to features that allow intelligent interaction with these virtual services, many digitally-focused businesses are adopting service virtualization in order to speed up the testing process and reduce infrastructure costs (like third party transactions).
Traditionally, service virtualisation has been used for unit testing and functional testing. Later, these tools evolved and service virtualisation’s usage was extended to component level performance testing. It was also used for supporting training environments meant to be used by internal customers or vendors due to be on-boarded. The latest trend is ‘Design to Test’ where virtual services are used for prototyping, which is why many tool vendors are promoting virtual services as useful across systems development life cycle – that is, except in the production environment. However, there is one specialised use case where virtual services can be deployed in the production environment – honeypots. Honeypots are dummy applications running in the production environment, intended as a trap for hackers.
Generally speaking, hackers attack organisations in the following ways:
1. False injections and penetrations which are intended to break live applications
2. Social engineering driven cracking techniques for finding loopholes in the system.
If we assume that in the above cases, hackers have little to no knowledge of internal server or integration architecture then it’s safe to say hacks will generally be exploratory in nature. As a result, honeypots are designed as easy targets which hackers would try and access. Here is how honeypots can help with the above two scenarios:
1. A trap database in the form of a honeypot can be setup so that even if the first line of defense in the form of a database is breached, the SQL injection falls into the wrong database and doesn’t impact the running application instance.
2. A discovery application or honeypot can be created and placed in the production environment. Ideally, this application would expect zero traffic and if it receives any traffic, an alarm can be raised. In this case, the security expert just needs to block the IPs that are proliferating the traffic from accessing the environment as a whole. In the case that a more conversational honeypot has been built, the ID procured through social engineering can also be discovered.
In both of the above scenarios, honeypots act as something that can potentially slow down an attack or alert the organisation before catastrophe strikes.
Is this really more useful than spending extra resources for monitoring information security? A banking entity was recently hacked with the hackers not only attempting to steal cash but to also compromise SWIFT. According to one of the investigators, the hackers were able to access a bank employee’s credentials and then attack on the system from there. Social engineering is the oldest trick in the book and remains a huge – but unquantifiable – risk to all organisations. Kevin Mitnick, once a hacker himself, famously said that instead of spending resources on attempting to create an attack, it’s a lot easier to access an employee’s credentials.
In the above example, even if hackers were able to get a random employee’s credential, they would not know the integration architecture. Their attempt to find the right application by trial and error is where honeypots, properly placed, could have acted as delay or detection agents.
Traditionally, IT companies have focused on security testing in pre-production or production environments which would include things like penetration tests. However, security monitoring remains a relatively reactive – rather than proactive – approach for the following reasons:
§ For any additional applications to be put in the production box, high costs are involved and for more robust security structure multiple honeypots are needed;
§ Certain organizations fail to comprehend that security testing is not enough and any system is a potential target for hackers; and
§ Monitoring security on production is usually associated with high cost services offered by security consultants
On most of the above points, virtual services can be used to simulate some aspects of a live application to create a honeypot instead of hosting actual services or dummy downstream integrations. It can therefore be a cost effective solution to create simulations that can be hosted in production.
Honeypots and service virtualization are becoming increasingly popular. However, the stakeholders for both technology concepts in any organisation are different. Security stakeholders should explore service virtualization as a low cost security measure and QA stakeholders should maximise ROI on service virtualization by exploring this unique use case.