Free

IoT Product Security

As with the regular Internet, the Internet of Things (IoT) is increasingly targeted in malicious attacks. If you are a CISO or security director for an organization that produces IoT or IIoT products, you should take this advanced IoT Product Security course so you can build a risk-based IoT product security program in this quickly evolving field.
Time: 8h 10m
Difficulty: advanced
CEU/CPE: 8

Course Content

  • Foundations of Trust Part 4 | 11m | Hardware Root of Trust
  • Product Design (Software) | 8m | Secure Development
  • OWASP Top 10 Part 1 | 9m | Course Introduction
  • CPSO Reporting Structure Part 2 | 7m | Product Security Programs
  • Encryption | 8m | Hardware Root of Trust
  • IoT Operating Systems | 10m | Secure Development
  • OWASP Top 10 Part 2 | 10m | Course Introduction
  • CPSO Reporting Structure Part 3 | 11m | Product Security Programs
  • Trusted Execution Environment | 8m | Hardware Root of Trust
  • Supplier Risk | 10m | Product Security Programs
  • Trusted Platform Module Part 1 | 8m | Hardware Root of Trust
  • Device Ownership | 8m | Build, Ship, Operate
  • Contracts | 10m | Product Security Programs
  • Trusted Platform Module Part 2 | 8m | Hardware Root of Trust
  • Case Study: CCleaner | 10m | Product Security Programs
  • Trusted Platform Module Part 3 | 10m | Hardware Root of Trust
  • Trusted Platform Module Part 4 | 13m | Hardware Root of Trust

Course Description

This course, taught from the perspective of a CISO or a senior director in either a security or engineering organization, will focus on the information required to design and implement an IoT product security program. The topics discussed in this course will apply to any Information Security Program trying to understand how to securely handle IoT, IIoT, ICS, and OT technology within the enterprise. By better understanding the underlying security concerns of designing and manufacturing IoT devices, security practitioners can better understand how to secure these devices within their environments.

The IoT security field is maturing and changing at an incredible rate. At the same time, IoT is expanding into our everyday lives and will continue to have an increasing impact on how we live our lives. Threat actors understand this and see the immature industry as an opportunity to do evil.

This class is designed for senior-level security professionals and assumes the learner has knowledge of advanced security concepts, experience leading security or engineering organizations, and is comfortable with business risk and governance concepts. The class is organized in a way to help organizations stand up an IoT product security program; however, any learner with a desire to understand how to apply cyber security principles to IoT security will benefit from the material in this class.

This class takes a deep technical dive into designing and establishing a secure foundation of trust within the IoT device and ecosystem architecture. It covers roots of trust, anchors of trust, secure boot, and managed boot, with an in-depth discussion of secure elements and hardware roots of trust, including TEE, TPM, HSM, and DICE. It discusses the steps an organization can take to develop a product security program to address IoT security, including factors of success, reporting structures, and which elements of the existing information security program can be incorporated and enhanced for product security. This class discusses how an organization can proactively develop tools to address IoT vulnerabilities, such as developing an enterprise vulnerability disclosure program using tools such as bug bounties and responsible disclosure. It discusses hot topics, such as third-party risk, IoT physical and logical security, OTA patching, architecture frameworks, and IoT manufacturing considerations in foreign markets. The class will identify secure IoT device provisioning and manufacturing practices, including a robust examination of security considerations for chip manufacturers, IoT device OEMs, and contract manufacturers. This class also discusses relevant legal and regulatory changes affecting the global IoT market and steps organizations should consider to meet the changing security and privacy environment. Lastly, this class uses real-world case studies and goes behind the news headlines to discuss how organizations can take steps today to prevent becoming tomorrow's next Internet meme.

Prerequisites

This course assumes the learner has a strong foundation of security engineering concepts, security management practices, and business leadership principles and can apply these concepts in a leadership capacity.

Course Goals

By the end of this course, students should be able to:

  • Design and build a risk-based IoT product security program to securely develop, manufacture, deliver, and support IoT and Industrial IoT (IIoT) devices throughout their product lifecycle
  • Understand what existing security program elements CISOs can leverage to implement an IoT product security program and identify the new elements that need to be added
  • Identify principles of hardware roots of trust and develop an understanding of how to help guide product engineers to securely design IoT products
  • Understand how to design secure elements and hardware roots of trust including TEE, TPM, HSM, and DICE
  • Understand how CISOs should manage risk associated with existing IoT, IIoT, Industrial Control Systems (ICS), and Operational Technology (OT) systems within the context of their existing security program
  • Learn how to create a Vulnerability Disclosure Program using tools such as bug bounties and responsible disclosure
  • Understand how to secure the IoT device provisioning and manufacturing practices including a robust examination of security considerations for chip manufacturers, IoT device OEMs, and contract manufacturers
  • Learn relevant legal and regulatory changes affecting the global IoT market, and identify steps organizations should consider to meet the changing security and privacy environment
  • Apply security knowledge gained by study of CISSP, CISM, CRISC, etc. to the real-world scenarios contained in the course material and discussions


    Instructed by

    Matthew Clark

    I started my career in information security in 1999, when I was hired to help Goodyear prepare for Y2K. I’ve spent most of my career in the manufacturing sector securing the global enterprise, plant ICS and SCADA networks and helping to secure IoT products.

    I have over 20 years of experience in Information Technology and have grown with the security industry since 1999, when Y2K came along as the ultimate unfounded FUD (fear, uncertainty, and doubt) event. I have a Master’s Degree in Business (MBA), a Bachelor’s Degree in Business (BBA), and an Associate’s Degree in Computer Networking. I have several security certifications, including the Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified in the Governance of Enterprise IT (CGEIT), Certified Data Privacy Solutions Engineer (CDPSE), and ITIL Foundations. I have previously taught classes in IoT security, computer forensics, server security, and family and personal safety on the Internet.

    I currently serve on several advisory boards, including EC-Council’s CISO Advisory Board, HMG CIO Executive Leadership Advisory Board, and Evanta’s CISO Governing Body. I’ve also been a member of InfraGard since 2016 and a proud volunteer of the Danville Area Humane Society since 2000. I’ve been in a unique position to see the security industry mature over the last 20+ years and have been blessed to work with some of the finest people in the field.

    What I enjoy most about my professional career is that I am in a position to help others. Whether it is combining technical and security knowledge with business acumen to address cyber security risks to critical business processes or simply answering a question about how to protect a coworker’s family online, I honestly love helping people.

    I consider myself to be a professional student. I am extremely goal-oriented and love learning and challenging myself. I am always working on my next class, project, or certification.

    Over the last several years, I have watched Cybrary grow and mature. It is a unique platform that connects the learner to instructors and other professionals in the security field. They offer over a thousand hands-on learning experiences that add practical skills to academic knowledge. As a hiring manager, I have learned that this mixture of practical and academic knowledge is invaluable. I am excited to be associated with Cybrary.

    Fun Fact: I once (technically) lived on a cruise ship. We sold our home and cruised two weeks before we closed on another one. In the period between owning homes, our only permanent address happened to be floating in the ocean.

    Provider
    Cybrary
    Certification Body
    Certificate of Completion

    Complete this entire course to earn an IoT Product Security Certificate of Completion