Over the last three years, engineering in IoT has seen massive changes primarily driven by Microsoft, Google and Amazon. These large behemoths have invested billions of dollars to develop IoT platforms that are more easy to manage and secure some perimeters of data.
Overview
Over the last three years, engineering in IoT has seen massive changes primarily driven by Microsoft, Google and Amazon. These large behemoths have invested billions of dollars to develop IoT platforms that are more easy to manage and secure some perimeters of data.
Also IoT edge has gained a lot of momentum in both research and deployment as only means for practical IoT implementation. 5G is also promising to transform the business of IoT. This has led to an unprecedented large swath of new areas of research funding in IoT.
However large scale adaptation of IoT is slow due to security concerns at various levels. Securing Firmware and Gateways is far from ideal. One of the major issue is, disagreement among different large IoT vendors on the matter of security.
Microsoft Azure, Amazon AWS have pushed forward with its own security standards. Where as NIST is placing a more comprehensive one.
OWASP model of 10 layers of IoT security did some impact but overall failed to get much ground due to non-adoption from major IoT platform like Azure or Google.
Second large area of concern is security of Firmware. Primarily most of the Firmware are still vulnerable to any patching be it via OTA ( over the top ) or locally via a hardware port.
Course Objective
Give introduction of all the technology stacks, data model and vulnerability of IoT
Drawing the layers of vulnerability at each stack and between the stack
Vulnerability from vendors and third party devices
Learning about the NIST standard of IoT security
Course Outline
Session 1 & 2: Basic and Advanced concepts of IoT architecture from security perspective
A brief history of evolution of IoT technologies
Data models in IoT system – definition and architecture of sensors, actuators, device, gateway, communication protocols
Third party devices and risk associated with vendors supply chain
Technology ecosystem – device providers, gateway providers, analytics providers, platform providers, system integrator -risk associated with all the providers
Edge driven distributed IoT vs Cloud driven central IoT : Advantage vs risk assessment
Management layers in IoT system – Fleet management, asset management, Onboarding/Deboarding of sensors , Digital Twins. Risk of Authorizations in management layers
Demo of IoT management systems- AWS, Microsoft Azure and Other Fleet managers
Introduction to popular IoT communication protocols – Zigbee/NB-IoT/5G/LORA/Witespec – review of vulnerability in communication protocol layers
Understanding the entire Technology stack of IoT with a review of Risk management
Session 3: A check-list of all risks and security issues in IoT
Firmware Patching- the soft belly of IoT
Detailed review of security of IoT communication protocols- Transport layers ( NB-IoT, 4G, 5G, LORA, Zigbee etc. ) and Application Layers – MQTT, Web Socket etc.
Vulnerability of API end points -list of all possible API in IoT architecture
Vulnerability of Gate way devices and Services
Vulnerability of connected sensors -Gateway communication
Vulnerability of Gateway- Server communication
Vulnerability of Cloud Database services in IoT
Vulnerability of Application Layers
Vulnerability of Gateway management service- Local and Cloud based
Risk of log management in edge and non-edge architecture
Session 4: OSASP Model of IoT security , Top 10 security risk
I1 Insecure Web Interface
I2 Insufficient Authentication/Authorization
I3 Insecure Network Services
I4 Lack of Transport Encryption
I5 Privacy Concerns
I6 Insecure Cloud Interface
I7 Insecure Mobile Interface
I8 Insufficient Security Configurability
I9 Insecure Software/Firmware
I10 Poor Physical Security
Session 5: Review and Demo of AWS-IoT and Azure IoT security principle
Microsoft Threat Model – STRIDE
Details of STRIDE Model
Security device and gateway and server communication – Asymmetric encryption
X.509 certification for Public key distribution
SAS Keys
Bulk OTA risks and techniques
API security for application portals
Deactivation and delinking of rogue device from the system
Vulnerability of AWS/Azure Security principles
Session 6: Review of evolving NIST standards/recommendation for IoT
Review of NISTIR 8228 standard for IoT security -30 point risk consideration Model
Third party device integration and identification
Service identification & tracking
Hardware identification & tracking
Communication session identification
Management transaction identification and logging
Log management and tracking
Session 7: Securing Firmware/ Device
Securing debugging mode in a Firmware
Physical Security of hardware
Hardware cryptography – PUF ( Physically Unclonable Function) -securing EPROM
Public PUF, PPUF
Nano PUF
Known classification of Malwares in Firmware ( 18 families according to YARA rule )
Study of some of the popular Firmware Malware -MIRAI, BrickerBot, GoScanSSH, Hydra etc.
Session 8: Case Studies of IoT Attacks
Oct. 21, 2016, a huge DDoS attack was deployed against Dyn DNS servers and shut down many web services including Twitter . Hackers exploited default passwords and user names of webcams and other IoT devices, and installed the Mirai botnet on compromised IoT devices. This attack will be studied in detail
IP cameras can be hacked through buffer overflow attacks
Philips Hue lightbulbs were hacked through its ZigBee link protocol
SQL injection attacks were effective against Belkin IoT devices
Cross-site scripting (XSS) attacks that exploited the Belkin WeMo app and access data and resources that the app can access
Session 9: Securing Distributed IoT via Distributer Ledger – BlockChain and DAG (IOTA) [3 hours]
Distributed ledger technology– DAG Ledger, Hyper Ledger, BlockChain
PoW, PoS, Tangle – a comparison of the methods of consensus
Difference between Blockchain, DAG and Hyperledger – a comparison of their working vs performance vs decentralization
Real Time, offline performance of the different DLT system
P2P network, Private and Public Key- basic concepts
How ledger system is implemented practically- review of some research architecture
IOTA and Tangle- DLT for IoT
Some practical application examples from smart city, smart machines, smart cars
Session 10: The best practice architecture for IoT security
Tracking and identifying all the services in Gateways
Never use MAC address- use package id instead
Use identification hierarchy for devices- board ID, Device ID and package ID
Structure the Firmware Patching to perimeter and conforming to service ID
PUF for EPROM
Secure the risks of IoT management portals/applications by two layers of authentication
Secure all API- Define API testing and API management
Identification and integration of same security principle in Logistic Supply Chain
Minimize Patch vulnerability of IoT communication Protocols
Session 11: Drafting IoT security Policy for your organization
Define the lexicon of IoT security / Tensions
Suggest the best practice for authentication, identification, authorization
Identification and ranking of Critical Assets
Identification of perimeters and isolation for application
Policy for securing critical assets, critical information and privacy data
Requirements
Basic knowledge devices, electronics systems and data systems
Basic understanding of software and systems
Basic understanding of Statistics (in Excel levels)
Understanding of Telecommunication Verticals
Summary
An advanced training program covering the current state of the art security of Internet of Things
Covers all aspect of security of Firmware , Middleware and IoT communication protocols
The course provides a 360 degree view of all kinds of security initiatives in IoT domain for those who are not deeply familiar with IoT standards, evolution and future
Deeper probe into security vulnerabilities in Firmware, Wireless communication protocols, device to cloud communication.
Cutting across multiple technology domains to develop awareness of security in IoT systems and its components
Live demo of some of the security aspects of gateways, sensors and IoT application clouds
The course also explains 30 principle risk considerations of current and proposed NIST standards for IoT security
OSWAP model for IoT security
Provides detailed guideline for drafting IoT security standards for an organization
Target Audience
Engineers/managers/security experts who are assigned to develop IoT projects or audit/review security risks.
NobleProg is an international training and consultancy group, delivering high quality courses to every sector, covering: Cyber Security, Artificial Intelligence, IT, Management, Applied Statistics.
Over the last 17 years, we have trained more than 50,000 people from over 6000 companies and organisations.
Our courses include classroom (both public and closed) and instructor-led online giving you choice and flexibility to suit your time, budget and level of expertise.
We practice what we preach – we use a great deal of the technologies and methods that we teach, and continuously upgrade and improve our courses, keeping up to date with all the latest developments.
Our trainers are hand picked and have been through rigorous checks and interviews, and all courses are evaluated by delegates ensuring continuous feedback and improvement.
The Internet of Things (IoT) promises a wide range of benefits for industry, energy and utility companies, municipalities, healthcare, and consumers. Data can be collected in extraordinary volume and detail regarding almost anything worth measuring.
This Micro-credential introduces the concept of the Internet of Things (IoT) and the underlying connections between people, processes and platforms that can drive the digital transformation of organisations.
© 2024 coursetakers.com All Rights Reserved. Terms and Conditions of use | Privacy Policy