Security for IoT Applications

4-day seminar

Hands-on practice with thorough explanations, presentations, demos, small standalone exercises during the seminar.


Hands-on training for C++ / Embedded software developers

Agenda

Day 1

WORKSHOP:

1. IT Security Overview

Industry trends

CVE/NVD databases

Foundations of security

Footprinting, scanning, enumeration

System hacking

Cryptography

Pentesting

Social engineering

2. Web-based Attacks Methodology

Footprinting the infrastructure

Defense in depth

Attacking web servers

Analyzing web applications

Authentication mechanisms

Authorization schemes

Session management

Injection attacks

Man-in-the-Middle attacks

Data connectivity

Web App clients

Web services

3. OWASP Internet of Things Top 10

OWASP IoT project overview

Risk rating methodology

01 insecure web interface

02 insufficient authentication/authorization

03 insecure network services

04 lack of transport encryption

05 privacy concerns

06 insecure cloud interface

07 insecure mobile interface

08 insufficient security configurability

09 insecure software/firmware

10 poor physical security

Day 2

HANDS ON TRAINING:

4. Intro: From SCADA to IoT. Infrastructure for device connectivity

Terminology: ICS, SCADA, DCS, PLC – examples; what legacy (and often still current) topologies look like

The new age: B2B equipment & systems vs. service delivery platforms

Usual scenarios:

  • Read large amounts of data in real time and store it locally
  • Send analytics data to the backend
  • Analyze the data to identify trends
  • Performance optimizations
  • Predict behaviour based on what happened in the past
  • Alerts & actions
  • High-performance in-memory queries
  • High-performance distributed queries
The infrastructure for device connectivity: from sensor to the cloud

  • Overlay networks
  • Messaging systems & device discovery
  • Main descriptive formats (JSON, XML)
  • Main protocols: MQTT, AMQP

Day 3

Example: migrating Rail & transport systems to IoT

Gather requirements from customer (this should be interactive)

  • Lineside communications, levels crossing, fibre-optic network, MPLS, …
  • Services: timetable, railway crossing control, etc
  • Appliances for distributed data analytics

5. Security at message systems level (message transportation)

What a message should not look like

Intrusion prevention

Intrusion detection

AMQP Security layer

6. General rules for less vulnerable C++ code (Security at implementation level)

Buffer overflows

C-centric issues (brief): unsafe string operations, pointer arithmetic & other memory management issues, integer problems

C++-centric issues

  • Choosing your compiler
  • Class behavior
  • State inconsistencies
  • Constructor / destructor implementation
  • Operator overloading

Day 4

  • Auditing classes (3-step process)
  • Auditing constructors, destructors
  • Auditing member functions
  • Operating with variable-length arrays
  • Auditing for improper delete
  • Exception handling done right
  • C++ exceptions, system exceptions, interactions
  • Stack issues: stack layout, guard pages, dynamic stack resizing
  • Exploiting stack overflow exceptions
  • Some API examples
  • Auditing for stack overflow
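The C-centric issues listed above (unsafe string operations, integer problems) are easiest to see side by side. The following is an added example written for this page, not code from the course materials: a vulnerable and a hardened way of copying a fixed-size field out of a device message. The wire format (a 4-byte little-endian length followed by a sensor name), the `sensor_record` struct and the `NAME_MAX` limit are constructed assumptions for illustration, not any real product's protocol.

```c
/* Added example, not from the course: unsafe string copy and
 * signed/unsigned length confusion, vulnerable vs. hardened.
 * Message format, struct and NAME_MAX are assumptions made here. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NAME_MAX 16   /* fixed-size field on the device (assumed) */

struct sensor_record {
    char name[NAME_MAX];
    uint32_t value;
};

/* VULNERABLE: the wire length is handled as a signed int. The check
 * "len > NAME_MAX" is bypassed by any negative value, which then becomes a
 * huge size_t in the memcpy that would follow. This function only reports
 * whether the check admits the length; it performs no copy, so it is safe
 * to run. */
int vulnerable_length_check_passes(int len)
{
    if (len > NAME_MAX)      /* a negative len slips through here */
        return 0;
    return 1;                /* memcpy(name, p, (size_t)len) would follow */
}

/* HARDENED: keep the wire length unsigned and leave room for the NUL. */
int hardened_length_check_passes(uint32_t len)
{
    return len < NAME_MAX;
}

/* VULNERABLE copy, kept only as the "before" picture: strcpy copies until
 * the source NUL regardless of the destination size. Never call it with
 * untrusted input. */
void copy_name_unsafe(struct sensor_record *r, const char *src)
{
    strcpy(r->name, src);    /* overflows r->name when strlen(src) >= NAME_MAX */
}

/* HARDENED copy: bounded scan, explicit length check, guaranteed
 * termination, and an error code instead of silent truncation.
 * Returns 0 on success, -1 if src does not fit (record left untouched). */
int copy_name_safe(struct sensor_record *r, const char *src)
{
    const char *end = memchr(src, '\0', NAME_MAX);   /* never scans past NAME_MAX */
    if (end == NULL)
        return -1;                                   /* no terminator within bounds */
    size_t n = (size_t)(end - src);
    memcpy(r->name, src, n);
    r->name[n] = '\0';
    return 0;
}

/* Parse a constructed message: [u32 little-endian len][len bytes of name].
 * Returns 0 on success, -1 on oversized or truncated input. */
int parse_message_safe(const uint8_t *msg, size_t msglen, struct sensor_record *out)
{
    if (msglen < 4)
        return -1;
    uint32_t len = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8)
                 | ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    if (!hardened_length_check_passes(len))
        return -1;                       /* rejects 0xffffffff, i.e. "-1" */
    if (msglen - 4 < len)
        return -1;                       /* length field exceeds actual payload */
    memcpy(out->name, msg + 4, len);
    out->name[len] = '\0';
    out->value = 0;
    return 0;
}

int main(void)
{
    struct sensor_record r = {{0}, 0};
    /* Constructed sample messages */
    const uint8_t good[]    = {4, 0, 0, 0, 't', 'e', 'm', 'p'};
    const uint8_t bad_len[] = {0xff, 0xff, 0xff, 0xff, 'x'};   /* len = -1 as int */

    printf("vulnerable check admits len -1:        %d\n", vulnerable_length_check_passes(-1));
    printf("hardened check admits len 0xffffffff: %d\n", hardened_length_check_passes(0xffffffffu));
    printf("parse good: %d name=%s\n", parse_message_safe(good, sizeof good, &r), r.name);
    printf("parse bad:  %d\n", parse_message_safe(bad_len, sizeof bad_len, &r));
    printf("safe copy of oversized name: %d\n", copy_name_safe(&r, "this_name_is_too_long"));
    return 0;
}
```

The audit rule the example illustrates: every length that comes off the wire is attacker-controlled, so it must be compared as an unsigned quantity against the real destination size, and a copy that cannot fit should fail loudly rather than truncate or overflow.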

Prerequisites


Participants should have prior IoT or in-depth security knowledge.

Get comprehensive training for your team

Whether your team is just getting started or they are seasoned pros, custom training courses can help them obtain the knowledge and skills they need to be successful and confident.

Web Applications Security

Presentations, demos, small standalone exercises during the training.
A 1-3 day seminar for developers, testers, QA, team leaders, project managers, database admins, system & network administrators

What you’ll learn

This training is for

Developers

Team leaders

System & network administrators

Testers

Project managers

QA

Database admins


Agenda

1. Web App Attacks Methodology

Footprint web infrastructure

Attack web servers

Analyze web applications

Attack authentication mechanism

Attack authorization schemes

Attack session management

Perform injection attacks

Attack data connectivity

Attack web app client

Attack web services

2. Web Applications – Common Attacks

Injection

Broken authentication and session management

Cross-Site Scripting (XSS)

Insecure direct object references

Security misconfiguration

Sensitive data exposure

Missing function level access control

Cross-Site Request Forgery (CSRF)

Using components with known vulnerabilities

Unvalidated redirects and forwards

Other threats

3. Attack Detection and Mitigation

4. Integrating Security in the Software Development Lifecycle

Analysis

Development

Testing


Developing Secure Internet of Things Applications

Hands-on practice with thorough explanations, presentations, demos, small standalone exercises during the training.
A 1-3 day seminar for developers, testers, QA, team leaders, project managers, database admins

What you’ll learn

This training is for

Developers

Project managers

Testers

Database admins

QA

Team leaders


Agenda

1. IT Security Overview

Industry trends

CVE/NVD databases

Foundations of Security

Footprinting, Scanning, Enumeration, System Hacking

Cryptography

Pentesting

Social Engineering

2. Web-based Attacks Methodology

Footprinting the Infrastructure

Defense in Depth

Attacking Web Servers & Applications

Authentication Mechanisms

Authorization Schemes

Session Management

Injection Attacks

Man-in-the-Middle Attacks

Data Connectivity

Web App Clients

Web Services

3. OWASP Internet of Things Top 10

OWASP IoT Project Overview

Risk Rating Methodology

1 Insecure Web Interface

2 Insufficient Authentication/Authorization

3 Insecure Network Services

4 Lack of Transport Encryption

5 Privacy Concerns

6 Insecure Cloud Interface

7 Insecure Mobile Interface

8 Insufficient Security Configurability

9 Insecure Software/Firmware

10 Poor Physical Security


IT Risk Assessment and Risk Management

Hands-on practice with thorough explanations, presentations, demos, small standalone exercises during the training.
A 1-2 day seminar for management (CEO/COO/CFO/CMO), finance, HR, legal, technical management (CTO/CIO/CISO), infrastructure architects, software architects, project managers.

What you’ll learn

This training is for

Management (CEO/COO/CFO/CMO)

Legal

Software architects

Finance

Technical management (CTO/CIO/CISO)

Project managers

HR

Infrastructure architects


Agenda

1. IT Risk overview & principles

Permanent connection to business objectives

Enterprise risk appetite and risk tolerance

Balancing costs and benefits of managing IT Risk

Promoting fair and open communication of IT Risk

RACI charts (responsible, accountable, consulted, informed)

IT Risk as a continuous process

Integrating IT Risk into overall Enterprise Risk Management (ERM)

Understand how to respond to IT Risk

2. The CoBIT Risk IT Framework

Set of defined governance practices

End-to-end process framework for successful IT risk management

Generic list of common, potentially adverse, IT-related risk scenarios that could impact business objectives

Tools and techniques needed to understand concrete risks to business operations

Risk Governance

  • Establish and Maintain a Common Risk View
  • Integrate with Enterprise Risk Management (ERM)
  • Make Risk-aware Business Decisions

Risk Evaluation (Collect Data, Analyze Risk, Maintain Risk Profile)

Risk Response (Articulate Risk, Manage Risk, React to Events)

3. The CoBIT Risk IT Practitioner Guide

Building scenarios, based on a set of generic IT risk scenarios

Building a risk map, using techniques to describe the impact and frequency of scenarios

Building impact criteria with business relevance

Defining KRIs (Key Risk Indicators)


Cybersecurity Training

A 2-to-3-day training

This 2-3 day seminar is designed for developers, testers, QA, project managers, database admins, system and network administrators.

The cybersecurity training covers areas that help IT professionals understand more detailed aspects of the weaknesses, attacks, and defenses used to attack or protect critical infrastructure.

Here’s what your team will get

Customized training for your exact needs

This training is full of real-life examples, findings from studies and practical approaches your team will find useful to know in order to protect their code and applications.

Get familiar with cybersecurity

They will learn about the methods and tools used by malicious attackers to target IT systems (networks, servers, websites)

Gain essential know-how

Have high level overview of the steps needed to prevent, detect and mitigate cyber threats.

A deeper understanding of cybersecurity

Give a starting point for sysadmins, web developers and testers in addressing security within the projects they are involved in moving forward.

Full slides and additional resources

After the seminar they will get access to all the slides presented. They will also get some extra resources: materials and tools to put your knowledge into practice.

Ask the expert

During the training, they will be able to put questions to our security expert, who has over 10 years of experience in the field of security.

Meet the Trainer

Tudor Damian
Microsoft Cloud and Datacenter Management MVP
Certified Ethical Hacker

As an IT consultant with more than 10 years of experience in managing complex IT infrastructures, Tudor is a Certified Ethical Hacker, a Microsoft Cloud and Datacenter Management MVP and a technical speaker at local and regional community events.

He often talks about the latest technologies and trends with themes including cloud and hybrid networking & security, virtualization technologies, social engineering and information security awareness, web application security, white-hat hacking and penetration testing techniques.

Testimonials

Well organized materials, a perfect introduction to security.

Gabriel Musteata

PHP TeamLeader

In my position working on pre-sales and projects specifications I came across clients and security requests every day and the general knowledge from here will be very helpful.

Dan Tudorache

Technical Consultant

I think this is a course that should be considered by all developers and IT specialists.

Iulia Chitan

Ruby developer

Agenda

Security landscape overview:

Industry trends, the “Browser Wars”, relevant information sources and keeping up-to-date

The need for Security Analysis:

Industry Trends, Security Testing Methodologies (OSSTMM), Planning and Scheduling

Foundations of Security:

Footprinting, Reconnaissance, Scanning, Enumeration, Sniffing, System Hacking, Trojans/Viruses/Worms, Cryptography, Denial of Service, Hacking Wireless Networks, Social Engineering, Cloud Security

MITRE Overview:

CVE & CVSS, CWE & CWSS, CAPEC, OVAL, MAEC, OASIS

SANS CWE Top 25

OWASP Mobile & IoT Top 10 Overview

Attack Detection and Mitigation:

Mitigation Techniques specific to OWASP Top 10 (A1-A10), Developing Secure Code, Static Code Analysis, Security Reviews, SDLC & Microsoft SDL

Vulnerability Assessments & Tools:

OWASP ASVS, White / Grey / Black-box Pentesting, Risk Assessments and Risk Management

Other Noteworthy Vulnerabilities:

Denial of Service, Malicious File Execution, Information Leakage and Improper Error Handling, Insufficient Anti-Automation, Clickjacking, Concurrency Flaws, Lack of Intrusion Detection and Response, etc.

Attacking Web Servers & Web Applications:

Footprinting the Web Infrastructure, Defense in Depth, Attacking Web Servers, Analyzing Web Applications, Authentication Mechanisms, Authorization Schemes, Session Management, Injection Attacks, Man-in-the-Middle Attacks, Data Connectivity, Web App Clients, Web Services

OWASP Web Top 10:

Injection (A1), Broken Authentication and Session Management (A2), XSS/Cross-Site Scripting (A3), Insecure Direct Object References (A4), Security Misconfiguration (A5), Sensitive Data Exposure (A6), Missing Function Level Access Control (A7), CSRF/Cross-Site Request Forgery (A8), Using Known Vulnerable Components (A9), Unvalidated Redirects and Forwards (A10)

Who is this cybersecurity training for?

This cyber security training is indispensable for all IT professionals.

Project managers

Team leaders

Developers

Testers

QA

Database admins

System & network administrators

This cyber security training will help them learn critical techniques necessary to defend against network attacks, cyber security breaches, as well as ways to protect their technology or solution through cryptography, intrusion detection and more.

Why should your company care about cybersecurity training?

Recent IT security studies show that it takes 200 days on average to detect a security breach, and another 80 days to recover from it.

Mastering the techniques needed to defend against network attacks and cybersecurity breaches, and to protect their technology or solution through cryptography, intrusion detection and other controls, is essential for every business.


Essential Topics Covered

Everything you need for a solid foundation on cybersecurity

This cybersecurity training helps people in the IT field get familiar with many aspects of IT security. We start by looking at the current security trends in the industry, then go through a high-level overview of testing methodologies like the OSSTMM (Open Source Security Testing Methodology Manual).

During the 2-3 days of the course, we will cover the most important aspects of security. These include Footprinting, Reconnaissance, Scanning, Enumeration, Sniffing, System Hacking, Trojans/Viruses/Worms, Cryptography, Denial of Service, Hacking Wireless Networks, Social Engineering and Cloud Security.

We’ll also address the MITRE CWE/CWSS and CVE/CVSS lists and rating methods for weaknesses and vulnerabilities.

We also discuss other noteworthy vulnerabilities (Denial of Service, Malicious File Execution, Information Leakage and Improper Error Handling, Insufficient Anti-Automation, Clickjacking, Concurrency Flaws, Lack of Intrusion Detection and Response, etc.)

A good deal of the content will then focus on methods of attacking web servers and web applications (Footprinting the Web Infrastructure, Defense in Depth, Attacking Web Servers, Analyzing Web Applications, Authentication Mechanisms, Authorization Schemes, Session Management, Injection Attacks, Man-in-the-Middle Attacks, Data Connectivity, Web App Clients, Web Services), as well as OWASP Top 10 (Web, IoT and Mobile) and the SANS CWE Top 25.

The last part of the seminar covers both vulnerability assessments and tools (OWASP ASVS, OWASP Testing Guide & Code Review Guide, White/Grey/Black-box Pentesting, Risk Assessments and Risk Management), as well as attack detection and mitigation techniques.

This will help you get a good overview of IT Security in general and Web Security in particular.

Testimonials

It achieved what I was hoping it would: give a great introduction into the fantastic world of cyber-security. Now I know, in the context of security, what questions to ask and where to look for the answers.

Radu Murzea

Backend PHP Developer


Prerequisites

The participants should have a basic level understanding of IT and web technologies, such as network, servers, databases and web application functionality.

Time for action

Defend against attacks and protect your business

Maximize your company investment by building the best-customized training that meets the professional development needs of your team.
