Internet of Things (IoT) Security Testing – Is it necessary and how much does it cost?
Every company thinking of jumping on the IoT bandwagon must keep one statutory warning in mind: “Information or data should be protected at any cost.” Because data is their primary asset, and it may contain PII and consumer safety content, privacy and security must be taken into consideration during design. You may not get a medal for keeping data secure, but if something goes wrong you will definitely lose customer trust and competitive edge, suffer financial loss and damage your reputation; all it takes is one serious security breach for all of this to happen.
It is already a connected world, and more things are being connected to the Internet every minute. Data collected from these IoT devices must be organised, registered, tracked and, more importantly, secured. Every organisation, whether a large enterprise or a startup, must provide safety and security for the customer data collected through its IoT ecosystem. When I say IoT ecosystem, I mean all the components end to end, from the device to the customer. Generally speaking, an IoT ecosystem includes the IoT device, the cloud, a web application and a mobile application.
To prevent data exploits, security testing should be performed on the IoT ecosystem to identify potential security vulnerabilities and remediate them before they are exploited. IoT product and solution providers need assurance that their data is safe and that new threat vectors which could compromise their assets are eliminated. Security testing helps them ensure that the technology is actually built and managed in a secure way.
Just like any other security testing, IoT-focused security testing is divided into three categories: black box, grey box and white box testing. If you are a security professional, you already know what I am going to discuss next :).
- Black box testing is closest to the way an attacker approaches your system. In this method the security professional has no prior knowledge of the IoT ecosystem, underlying infrastructure, device details, code or anything else; the tester is essentially a user of your product. They constantly search for back doors and logical flaws, and they are likely to dump the firmware bit by bit and reverse engineer it to find an impact. They try every possible way to break into the IoT ecosystem, just as a hacker would. This kind of testing takes more time, perhaps a month, to assess the flaws.
- White box testing is a more efficient approach, especially for connected systems. Here the security tester is part of your internal team or a third party engaged to perform the testing, and they have access to everything: code, algorithms, architecture and so on. It is a sophisticated way of performing security testing. If they find any internal flaws or back doors, they check them directly against the code and recommend how to address them at the code level. This takes less time than black box testing, where the tester has to keep fuzzing the system to figure things out.
- Grey box testing is a combination of black box and white box testing. Here the tester has a partial understanding of the IoT ecosystem or code and takes a more focused approach. It models a partner company or a malicious insider with partial, not complete, access to your internal systems, or an external hacker who has gained illegitimate access to your internal network. It has the advantages of both black box and white box testing, but it is also a time-consuming approach.
I know this seems very complex, time consuming and expensive, so let me explain the costing and timeline.
Security Testing – Costing and Timeline:
Another X-factor in security assessment is the time and money involved. An end-to-end security assessment requires a good understanding of the architecture and the various components involved. It is a phased approach, starting with black box testing and moving on to white box testing. Depending on the size and complexity of the product and its environment, it takes a week or 2 at the low end, but as the complexity increases black box testing can take 3 weeks. In white box testing we already have a certain level of understanding, with the details on the table, so completing it also takes 2-3 weeks depending on the scope.
In terms of budget, let’s say you engage a third-party company specialising in security testing. They generally charge anywhere between $200-$250 per day to carry out testing; let’s call it $250 per day for argument’s sake, so for:
- White box testing, which takes 2 to 3 weeks (40 hours, 5 working days per week), will probably cost roughly $20,000-$30,000 for complete end-to-end security testing.
- Black box testing, which takes 4 to 5 weeks (40 hours, 5 working days per week), will probably cost roughly $40,000-$50,000 for complete end-to-end security testing.
Of course security testing costs a lot of money, but it is far less than the cost you will have to pay when you suffer a security breach. Especially if you are a startup, think about the reputation and customer trust you will need to build to become a leader in the market. You don’t want all that effort, innovation and creativity to go to waste because of a security breach.
In enterprises, when it comes to spending money on security, product managers generally think it is better to spend on product features than on assessing security. It is obvious, when you compare the loss from a potential breach with the money spent on a security assessment, that the assessment is arguably the smaller cost. But the point is that a breach brings not only a potential financial loss but also severe damage to your brand and reputation, which you cannot easily regain.
Finally, keep in mind the equation: Information Security Risk = cost of breach x reputation. Without a firm understanding of the security risk involved, you can’t achieve success.