COMP07171 2018 Securing the IOT

General Details

Full Title
Securing the IOT
Transcript Title
Securing the IOT
Code
COMP07171
Attendance
N/A %
Subject Area
COMP - Computing
Department
COMP - Computing & Creative Practices
Level
07 - NFQ Level 7
Credit
05 - 05 Credits
Duration
Semester
Fee
Start Term
2018 - Full Academic Year 2018-19
End Term
9999 - The End of Time
Author(s)
Mr. John Kelleher, John Weir, Shaun McBrearty
Programme Membership
SG_KSMAR_B07 201800 Bachelor of Science in Computing in Smart Technologies SG_KSMAR_H08 201900 Bachelor of Science (Honours) in Computing in Smart Technologies
Description

The aim of this module is to introduce the learner to the wide variety of security and privacy issues associated with the Internet of Things (IoT). The module aims to provide the learner with both an understanding of these issues, as well as the remediation strategies associated with same.

Learning Outcomes

On completion of this module the learner will/should be able to;

1.

Evaluate potential security threats to a cyber-physical project and document findings in a Threat Model.

2.

Compose security requirements for cyber-physical projects in the following areas: Physical Security, OS/Microcontroller Security, Application Security, Network Security and Cloud Security.

3.

Implement and utilise APIs that adhere to industry standard security guidelines.

4.

Describe the role of cryptography in relation to the secure transportation of data and the secure storage of data.

Teaching and Learning Strategies

Delivery of the module will comprise a one-hour lecture and a two two-hour practical sessions (four hours in total).

The one-hour lecture will be used to introduce key concepts relating to security in the context of the Internet of Things. These concepts will later be applied practically in the subsequent practical sessions.

Additionally, flipped-learning and inquiry based learning will be used where appropriate.

Module Assessment Strategies

Continuous Assessment for the module comprises two pieces of work.

The first assessment see's the learner develop a small software application of their choosing that utilises a secure industry standard API. This will be carried out over a number of weeks - beginning in Week 1, with assignment submission in Week 5.

The second assessment see's the learner produce a Threat Model for a given IoT scenario. This will be carried out over a number of weeks - beginning in Week 6, with assignment submission in Week 8.

Repeat Assessments

Repeat exam and/or Continuous Assessment.

Indicative Syllabus

1) Evaluate potential security threats to a cyber-physical project and document findings in a Threat Model.

  • Threats and Countermeasures associated with physical possession and interference of cyber-physical devices.
  • Threats and Countermeasures associated with OS/Microcontroller configuration.
  • Threats and Countermeasures associated with on-device applications.
  • Threats and Countermeasures associated with wireless networking and networking protocols.
  • Threats and Countermeasures associated with cloud computing.
  • Threat Modelling.

2) Compose security requirements for cyber-physical projects in the following areas: Physical Security, OS/Microcontroller Security, Application Security, Network Security and Cloud Security.

  • Privacy Challenges of IOT.
  • End to End Security.
  • Privacy by Design.
  • Security Requirements Engineering. 

3) Implement and utilise APIs that adhere to industry standard security guidelines.

  • Authentication.
  • Authorization.
  • Accounting.
  • OAuth 2.0.
  • Open ID.

4) Describe the role of cryptography in relation to the secure transportation of data and the secure storage of data.

  • Confidentiality, Integrity, Availability, Non-Repudiation.
  • Identification of Data Which Must Be Legally Encrypted (GDPR, Health Data, Financial Data, etc.).
  • Symmetric-Key Cryptography.
  • Public-Key Cryptography.
  • Cryptographic Hashing.
  • Binary/Cryptographic Auditing of Executable Files/Shared Libraries.
  • Utilise Cryptography for Secure Storage of Data (File System Storage, SQL Database Storage).
  • Certificate Authorities (CA's).
  • Acquisition and Installation of Digital Certificates.
  • Utilise Cryptography for Secure Transportation of Data (HTTPS/SSL).

Coursework & Assessment Breakdown

Coursework & Continuous Assessment
40 %
End of Semester / Year Formal Exam
60 %

Coursework Assessment

Title Type Form Percent Week Learning Outcomes Assessed
1 Produce A Threat Model for a Given Scenario Continuous Assessment Assignment 20 % OnGoing 1
2 Implement A Simple Software Artefact That Utilises A Secure API. Continuous Assessment Assignment 20 % OnGoing 2,3
             

End of Semester / Year Assessment

Title Type Form Percent Week Learning Outcomes Assessed
1 Final Exam Final Exam Closed Book Exam 60 % End of Semester 1,2,3,4
             
             

Full Time Mode Workload


Type Location Description Hours Frequency Avg Workload
Lecture Computer Laboratory Lecture 1 Weekly 1.00
Laboratory Practical Computer Laboratory Practical 2 Weekly 2.00
Independent Learning Not Specified Independent Learning 2 Weekly 2.00
Laboratory Practical Computer Laboratory Practical 2 Weekly 2.00
Total Full Time Average Weekly Learner Contact Time 5.00 Hours

Required & Recommended Book List

Recommended Reading
2006-11-20 The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities Addison-Wesley Professional

The Definitive Insiders Guide to Auditing Software Security

 

This is one of the most detailed, sophisticated, and useful guides to software security auditing ever written. The authors are leading security consultants and researchers who have personally uncovered vulnerabilities in applications ranging from sendmail to Microsoft Exchange, Check Point VPN to Internet Explorer. Drawing on their extraordinary experience, they introduce a start-to-finish methodology for ripping apart applications to reveal even the most subtle and well-hidden security flaws.

 

The Art of Software Security Assessment covers the full spectrum of software vulnerabilities in both UNIX/Linux and Windows environments. It demonstrates how to audit security in applications of all sizes and functions, including network and Web software. Moreover, it teaches using extensive examples of real code drawn from past flaws in many of the industry's highest-profile applications.

 

Coverage includes

 

Code auditing: theory, practice, proven methodologies, and secrets of the trade

Bridging the gap between secure software design and post-implementation review

Performing architectural assessment: design review, threat modeling, and operational review

Identifying vulnerabilities related to memory management, data types, and malformed data

UNIX/Linux assessment: privileges, files, and processes

Windows-specific issues, including objects and the filesystem

Auditing interprocess communication, synchronization, and state

Evaluating network software: IP stacks, firewalls, and common application protocols

Auditing Web applications and technologies

 

Recommended Reading
2013-03-06 Cryptography and Network Security: Principles and Practice Pearson
ISBN 0133354695 ISBN-13 9780133354690

Cryptography and Network Security For one-semester, undergraduate- or graduate-level courses in Cryptography, Computer Security, and Network Security. The book is suitable for self-study and so provides a solid and up-to-date tutorial. The book is also a comprehensive treatment of cryptography and network security and so is suitable as a reference for a system engineer, programmer, system manager, network manager, product marketin... Full description

Recommended Reading
2016-06-29 Practical Internet of Things Security Packt Publishing

A practical, indispensable security guide that will navigate you through the complex realm of securely building and deploying systems in our IoT-connected world

About This Book

  • Learn to design and implement cyber security strategies for your organization
  • Learn to protect cyber-physical systems and utilize forensic data analysis to beat vulnerabilities in your IoT ecosystem
  • Learn best practices to secure your data from device to the cloud
  • Gain insight into privacy-enhancing techniques and technologies

Who This Book Is For

This book targets IT Security Professionals and Security Engineers (including pentesters, security architects and ethical hackers) who would like to ensure security of their organization's data when connected through the IoT. Business analysts and managers will also find it useful.

What You Will Learn

  • Learn how to break down cross-industry barriers by adopting the best practices for IoT deployments
  • Build a rock-solid security program for IoT that is cost-effective and easy to maintain
  • Demystify complex topics such as cryptography, privacy, and penetration testing to improve your security posture
  • See how the selection of individual components can affect the security posture of the entire system
  • Use Systems Security Engineering and Privacy-by-design principles to design a secure IoT ecosystem
  • Get to know how to leverage the burdgening cloud-based systems that will support the IoT into the future.

In Detail

With the advent of Intenret of Things (IoT), businesses will be faced with defending against new types of threats. The business ecosystem now includes cloud computing infrastructure, mobile and fixed endpoints that open up new attack surfaces, a desire to share information with many stakeholders and a need to take action quickly based on large quantities of collected data. . It therefore becomes critical to ensure that cyber security threats are contained to a minimum when implementing new IoT services and solutions. . The interconnectivity of people, devices, and companies raises stakes to a new level as computing and action become even more mobile, everything becomes connected to the cloud, and infrastructure is strained to securely manage the billions of devices that will connect us all to the IoT. This book shows you how to implement cyber-security solutions, IoT design best practices and risk mitigation methodologies to address device and infrastructure threats to IoT solutions.

This book will take readers on a journey that begins with understanding the IoT and how it can be applied in various industries, goes on to describe the security challenges associated with the IoT, and then provides a set of guidelines to architect and deploy a secure IoT in your Enterprise. The book will showcase how the IoT is implemented in early-adopting industries and describe how lessons can be learned and shared across diverse industries to support a secure IoT.

Style and approach

This book aims to educate readers on key areas in IoT security. It walks readers through engaging with security challenges and then provides answers on how to successfully manage IoT security and build a safe infrastructure for smart devices. After reading this book, you will understand the true potential of tools and solutions in order to build real-time security intelligence on IoT networks.

Recommended Reading
2016-04-05 Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations CRC Press

The Internet of Things (IoT) has attracted strong interest from both academia and industry. Unfortunately, it has also attracted the attention of hackers. Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations brings together some of the top IoT security experts from around the world who contribute their knowledge regarding different IoT security aspects. It answers the question "How do we use efficient algorithms, models, and implementations to cover the four important aspects of IoT security, i.e., confidentiality, authentication, integrity, and availability?"



The book consists of five parts covering attacks and threats, privacy preservation, trust and authentication, IoT data security, and social awareness. The first part introduces all types of IoT attacks and threats and demonstrates the principle of countermeasures against those attacks. It provides detailed introductions to specific attacks such as malware propagation and Sybil attacks. The second part addresses privacy-preservation issues related to the collection and distribution of data, including medical records. The author uses smart buildings as an example to discuss privacy-protection solutions.



The third part describes different types of trust models in the IoT infrastructure, discusses access control to IoT data, and provides a survey of IoT authentication issues. The fourth part emphasizes security issues during IoT data computation. It introduces computational security issues in IoT data processing, security design in time series data aggregation, key generation for data transmission, and concrete security protocols during data access. The fifth and final part considers policy and human behavioral features and covers social-context-based privacy and trust design in IoT platforms as well as policy-based informed consent in the IoT.

Recommended Reading
2017-01-11 Securing the Internet of Things Syngress

Securing the Internet of Things provides network and cybersecurity researchers and practitioners with both the theoretical and practical knowledge they need to know regarding security in the Internet of Things (IoT). This booming field, moving from strictly research to the marketplace, is advancing rapidly, yet security issues abound.

This book explains the fundamental concepts of IoT security, describing practical solutions that account for resource limitations at IoT end-node, hybrid network architecture, communication protocols, and application characteristics. Highlighting the most important potential IoT security risks and threats, the book covers both the general theory and practical implications for people working in security in the Internet of Things.

  • Helps researchers and practitioners understand the security architecture in IoT and the state-of-the-art in IoT security countermeasures
  • Explores how the threats in IoT are different from traditional ad hoc or infrastructural networks
  • Provides a comprehensive discussion on the security challenges and solutions in RFID, WSNs, and IoT
  • Contributed material by Dr. Imed Romdhani

Recommended Reading
2015-08-13 Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts O'Reilly Media

This book is a marvellous thing: an important intervention in the policy debate about information security and a practical text for people trying to improve the situation.

Cory Doctorow
author, co-editor of Boing Boing

A future with billions of connected "things" includes monumental security concerns. This practical book explores how malicious attackers can abuse popular IoT-based devices, including wireless LED lightbulbs, electronic door locks, baby monitors, smart TVs, and connected cars.

If youre part of a team creating applications for Internet-connected devices, this guide will help you explore security solutions. Youll not only learn how to uncover vulnerabilities in existing IoT devices, but also gain deeper insight into an attackers tactics.

  • Analyze the design, architecture, and security issues of wireless lighting systems
  • Understand how to breach electronic door locks and their wireless mechanisms
  • Examine security design flaws in remote-controlled baby monitors
  • Evaluate the security design of a suite of IoT-connected home products
  • Scrutinize security vulnerabilities in smart TVs
  • Explore research into security weaknesses in smart cars
  • Delve into prototyping techniques that address security in initial designs
  • Learn plausible attacks scenarios based on how people will likely use IoT devices

Module Resources