Security for IoT Applications

4-day seminar

Hands-on practice with thorough explanations, presentations, demos, small standalone exercises during the seminar.

Hands-on training for C++ / Embedded software developers

Agenda

Day 1

WORKSHOP:

1. IT Security Overview

Industry trends

CVE/NVD databases

Foundations of security

Footprinting, scanning, enumeration

System hacking

Cryptography

Pentesting

Social engineering

2. Web-based Attacks Methodology

Footprinting the infrastructure

Defense in depth

Attacking web servers

Analyzing web applications

Authentication mechanisms

Authorization schemes

Session management

Injection attacks

Man-in-the-Middle attacks

Data connectivity

Web App clients

Web services

3. OWASP Internet of Things Top 10

OWASP IoT project overview

Risk rating methodology

01 insecure web interface

02 insufficient authentication/authorization

03 insecure network services

04 lack of transport encryption

05 privacy concerns

06 insecure cloud interface

07 insecure mobile interface

08 insufficient security configurability

09 insecure software/firmware

10 poor physical security

Day 2

HANDS-ON TRAINING:

4. Intro: From SCADA to IoT. Infrastructure for device connectivity

Terminology: ICS, SCADA, DCS, PLC, with examples; what old (current?) topologies look like

The new age: B2B equipment & systems vs. service delivery platforms

Usual scenarios:

  • Read large amounts of data in real time; store it locally
  • Send analytics data to the backend
  • Analyze data to identify trends
  • Performance optimizations
  • Predict behaviour based on what happened in the past
  • Alerts & actions
  • High-performance in-memory queries
  • High-performance distributed queries

The infrastructure for device connectivity: from sensor to the cloud

  • Overlay networks
  • Messaging systems & device discovery
  • Main descriptive formats (JSON, XML)
  • Main protocols: MQTT, AMQP

Day 3

Example: migrating Rail & transport systems to IoT

Gather requirements from customer (this should be interactive)

  • Lineside communications, levels crossing, fibre-optic network, MPLS, …
  • Services: timetable, railway crossing control, etc.
  • Appliances for distributed data analytics

5. Security at message systems level (message transportation)

What a message should not look like

Intrusion prevention

Intrusion detection

AMQP Security layer

6. General rules for less vulnerable C++ code (Security at implementation level)

Buffer overflows

C-centric issues (brief): unsafe string operations, pointer arithmetic & other memory management issues, integer problems

C++-centric issues

  • Choosing your compiler
  • Class behavior
  • State inconsistencies
  • Constructor / destructor implementation
  • Operator overloading

Day 4

  • Auditing classes (3-step process)
  • Auditing constructors, destructors
  • Auditing member functions
  • Operating with variable-length arrays
  • Auditing for improper delete
  • Exception handling done right
  • C++ exceptions, system exceptions, interactions
  • Stack issues: stack layout, guard pages, dynamic stack resizing
  • Exploiting stack overflow exceptions
  • Some API examples
  • Auditing for stack overflow

Prerequisites

Participants should have IoT or deep security knowledge.

Get comprehensive training for your team

Whether your team is just getting started or they are seasoned pros, custom Microsoft Azure training courses can help them obtain the knowledge and skills they need to be successful and confident.

IoT/Embedded Security

A 3-to-5-day hands-on training

IoT/Embedded Security Training

Hands-on practice with thorough explanations, presentations, demos, small standalone exercises during the training.

Hands-on training for Team Leads, Embedded / Backend / Frontend Developers, System / Penetration Testers and Security / IoT / Embedded Consultants

Essential Topics Covered

At the end of the training you’ll be able to do the following:

Analyze the details of CVE/vulnerabilities through a critical-thinking process; categorize them according to CWEs; evaluate their severity and risk by computing their CVSS scores.

Understand what fuzzing (for security) is, how to use the tools and how to find actual vulnerabilities using fuzzing frameworks.

Understand how to use Wireshark to sniff insecure communication protocols (e.g., clear-text usernames/passwords) to prove that protocol hardening is necessary for a given solution.

Learn how PKI (Public Key Infrastructure) and SSL/TLS work and how to leverage them in hardening an (IoT) communication protocol that may be insecure by default.

Learn what emulation is, how to emulate firmware and how to find real vulnerabilities in the real-world firmware images provided as examples.

Understand what an embedded firmware is, how to unpack firmware images and how to discover vulnerabilities in your own firmware or in that of your favorite vendor.

Start using static and dynamic security analysis tools on your own projects, as well as on the real-world examples provided during the training.

Learn how easy it is to find a buffer overflow vulnerability and how easy it is for an attacker to exploit such a vulnerability should it exist in your own project.

Target Audience

Security Consultants

who act as developers or (penetration) testers, or who need to provide solutions for IoT and embedded devices that must also be secure

Developers

who design partial or full solutions for IoT and embedded devices and need a security angle on the problem

(Penetration) Testers

who test their own products or their customers’ products and need more “security testing” expertise for IoT and embedded devices

Team Leaders

managing such talent, who want to understand the IoT/embedded security big picture (with its challenges and requirements) in order to better manage their teams and secure the products/solutions they are managing

Objectives

At the end of the training, you will be able to:

Understand and master the top 10 security issues for IoT solutions; map them to real-world use cases and to your own projects.

Use PKI/SSL/TLS for protocol security hardening.

Configure an end-to-end secured IoT communication protocol such as MQTT.

Use fuzzing tools to speed up the discovery of bugs and vulnerabilities.

Use emulation to emulate IoT/embedded devices in order to find vulnerabilities in their firmware.

Use protocol sniffers for protocol security analysis.

Understand stack-based overflows, how to find them and how to exploit them.

Meet the Trainer

Andrei Costin

Independent security researcher

Dr. Andrei Costin is an Assistant Professor within the Cyber Security Group which is part of the Information Technology Faculty at the University of Jyvaskyla (Finland). He earned his Ph.D. degree at EURECOM/TelecomParisTech (France), where he developed internationally recognized research and expertise in the field of security of embedded and IoT devices and firmwares.

Andrei presented his research at more than 40 international computer security events including BlackHat, CCC, HITB and Usenix Security. His work was featured in numerous digital media publications, including respected media outlets such as Forbes, Wired, and TV France3.

During his career, he found and demonstrated multiple serious vulnerabilities within a wide range of embedded devices such as printers/MFPs, CCTV systems, pyrotechnic devices, and avionics/air-traffic control systems. For his responsible disclosure and discovered CVEs, Andrei was acknowledged in various security bulletins and “Hall of Fame” boards, including ones by the leading companies such as HP, Xerox, Google, and Microsoft.

Currently, Andrei develops cutting-edge research and techniques related to embedded and IoT security and also guides new generations of cyber security experts towards success through his teaching in the master and bachelor programs at the University of Jyvaskyla.

Testimonials

Experienced hands-on and interesting courses.

Scrob Alexandru

Software Engineering Associate

Real-life examples, practical knowledge, learning by doing.

Anna Deák

Software Engineering Associate/Scrum Master

I got the opportunity to see how a software solution is usually attacked and what the steps are to increase its security.

János Puskás

Software Engineering Consultant

Prerequisites

The participants should have at least:

Familiarity with fundamental Computer Science terms
Familiarity with VM environments (VirtualBox, VMware)
Familiarity with Linux environments
Basic development skills
Basic testing skills
Basic command-line skills
Basic understanding of the ISO OSI model
Familiarity with troubleshooting and debugging

Hardware installation requirements:

Minimum 40 GB of free HDD space
Minimum 4 GB of RAM
Laptop CPU must support x86 32-bit VM images in VirtualBox
WiFi/LAN switch/router to provide connectivity for the laptops and development boards
NOTE: the higher the laptop specs, the better

Software installation requirements:

VirtualBox 5.x (latest)
SSH client (openssh-client or PuTTY)
SCP client (scp or WinSCP)
Download and unzip on the laptops the provided VM image(s)

When involving development boards (e.g., Raspberry Pi):

Cables and connectivity (e.g., HDMI monitors, USB keyboard/mouse, USB debug cables)
NOTE: varies by board; decided based on training needs

This training comes with an option that is highly recommended:

The use of development boards to demonstrate some of the main topics of the training. The nature and configuration of these boards may vary depending on the final agenda, but the usual setups involve a number of Raspberry Pi boards.
