4 days seminar
Security for IoT Applications
Hands-on practice with thorough explanations, presentations, demos, small standalone exercises during the seminar.
Hands-on training for C++ / Embedded software developers
Agenda
Day 1
WORKSHOP:
1. IT Security Overview
Industry trends
CVE/NVD databases
Foundations of security
Footprinting, scanning, enumeration
System hacking
Cryptography
Pentesting
Social engineering
2. Web-based Attacks Methodology
Footprinting the infrastructure
FDefense in depth
FAttacking web servers
FAnalyzing web applications
FAuthentication mechanisms
FAuthorization schemes
FSession management
FInjection attacks
FMan-in-the-Middle attacks
FData connectivity
FWeb App clients
FWeb services
3. OWASP Internet of Things Top 10
OWASP IoT project overview
Risk rating methodology
01 insecure web interface
02 insufficient authentication/authorization
03 insecure network services
04 lack of transport encryption
05 privacy concerns
06 insecure cloud interface
07 insecure mobile interface
08 insufficient security configurability
09 insecure software/firmware
10 poor physical security
Day 2
HANDS ON TRAINING:
4. Intro: From SCADA to IoT. Infrastructure for device connectivity
The new age: B2B equipment & systems vs. service delivery platforms
- Read large amounts of data in real-time; store it locally
- Send analytics data to backend =>
- Analyze data => identify trends =>
- Performance optimizations
- Predict behaviour based on what happened in the past
- Alerts & actions
- High performance queries in-memory
- High-performance distributed queries
- Overlay networks
- Messaging systems & device discovery
- Main descriptive formats (JSON, XML)
- Main protocols: MQTT, AMQP
Day 3
Gather requirements from customer (this should be interactive)
- Lineside communications, levels crossing, fibre-optic network, MPLS, …
- Services: timetable, railway crossing control, etc
- Appliances for distributed data analytics
5. Security at message systems level (message transportation)
How the message should not look like
Intrusion prevention
Intrusion detection
AMQP Security layer
6. General rules for less vulnerable C++ code (Security at implementation level)
Buffer overflows
C-centric issues (brief): unsafe string operations, pointer arithmetic & other memory management issues, integer problems
C++-centric issues
- Choosing your compiler
- Class behavior
- State inconsistencies
- Constructor / destructor implementation
- Operator overloading
Day 4
- Auditing classes (3-step process)
- Auditing constructors, destructors
- Auditing member functions
- Operating with variable-length arrays
- Auditing for improper delete
- Exception handling done right
- C++ exceptions, system exceptions, interactions
- Stack issues: stack layout, guard pages, dynamic stack resizing
- Exploiting stack overflow exceptions
- Some API examples
- Auditing for stack overflow
Prerequisites
Participants shouls have IoT or deep security knowledge.
Get comprehensive training for your team
Whether your team is just getting started or they are seasoned pros, custom Microsoft Azure training courses can help them obtain the knowledge and skills they need to be successful and confident.