4 days seminar

Security for IoT Applications

Hands-on practice with thorough explanations, presentations, demos, small standalone exercises during the seminar.

Set up your trainingView Agenda

Hands-on training for C++ / Embedded software developers

Agenda

Day 1

WORKSHOP:

1. IT Security Overview

Industry trends

CVE/NVD databases

Foundations of security

Footprinting, scanning, enumeration

System hacking

Cryptography

Pentesting

Social engineering

2. Web-based Attacks Methodology

Footprinting the infrastructure

FDefense in depth

FAttacking web servers

FAnalyzing web applications

FAuthentication mechanisms

FAuthorization schemes

FSession management

FInjection attacks

FMan-in-the-Middle attacks

FData connectivity

FWeb App clients

FWeb services

3. OWASP Internet of Things Top 10

OWASP IoT project overview

Risk rating methodology

01 insecure web interface

02 insufficient authentication/authorization

03 insecure network services

04 lack of transport encryption

05 privacy concerns

06 insecure cloud interface

07 insecure mobile interface

08 insufficient security configurability

09 insecure software/firmware

10 poor physical security

Day 2

HANDS ON TRAINING:

4. Intro: From SCADA to IoT. Infrastructure for device connectivity

Terminology: ICS, SCADA, DCS, PLC – examples; how old (current?) topologies looked like

The new age: B2B equipment & systems vs. service delivery platforms

Usual scenarios:

  • Read large amounts of data in real-time; store it locally
  • Send analytics data to backend =>
  • Analyze data => identify trends =>
  • Performance optimizations
  • Predict behaviour based on what happened in the past
  • Alerts & actions
  • High performance queries in-memory
  • High-performance distributed queries
The infrastructure for device connectivity: from sensor to the cloud

  • Overlay networks
  • Messaging systems & device discovery
  • Main descriptive formats (JSON, XML)
  • Main protocols: MQTT, AMQP

Day 3

Example: migrating Rail & transport systems to IoT

Gather requirements from customer (this should be interactive)

  • Lineside communications, levels crossing, fibre-optic network, MPLS, …
  • Services: timetable, railway crossing control, etc
  • Appliances for distributed data analytics

5. Security at message systems level (message transportation)

How the message should not look like

Intrusion prevention

Intrusion detection

AMQP Security layer

6. General rules for less vulnerable C++ code (Security at implementation level)

Buffer overflows

C-centric issues (brief): unsafe string operations, pointer arithmetic & other memory management issues, integer problems

C++-centric issues

  • Choosing your compiler
  • Class behavior
  • State inconsistencies
  • Constructor / destructor implementation
  • Operator overloading

Day 4

  • Auditing classes (3-step process)
  • Auditing constructors, destructors
  • Auditing member functions
  • Operating with variable-length arrays
  • Auditing for improper delete
  • Exception handling done right
  • C++ exceptions, system exceptions, interactions
  • Stack issues: stack layout, guard pages, dynamic stack resizing
  • Exploiting stack overflow exceptions
  • Some API examples
  • Auditing for stack overflow

Prerequisites

$

Participants shouls have IoT or deep security knowledge.

Get comprehensive training for your team

Whether your team is just getting started or they are seasoned pros, custom Microsoft Azure training courses can help them obtain the knowledge and skills they need to be successful and confident.

Get exclusive offers and the latest updates on our upcoming events

You have Successfully Subscribed!

Pin It on Pinterest