We were invited by the Cloud Ecosystem EV to participate in a series of IoT Innovation Workshops taking place in different cities across Germany: Berlin, Frankfurt and Munich in September 2018.

The format was very interesting and productive: it started with approx. 2:30 of presentations related to IoT, ranging from different use cases and analytics to IoT security. After a short break, the work continued in the “world cafe” format. Basically, the audience was broken down into 4 small work groups, each with a topic: industrial analytics, 5G, industrial data spaces (IDS) and blockchain technology.

A specialist on each topic served as moderator to set the scene of the discussions and try to keep them on track. In this case all of them were very well versed in their topics. These sessions were really productive to get a kickstart on some of the topics and understand the pain points of different industries on each of them.

I had the pleasure to attend and present at two of the events: Frankfurt and Munich. I had about 30 min to talk about IoT security. I started with an overall introduction to IoT and IoT security, highlighting the vulnerabilities and frameworks to protect them. Finally I took them through a use case with Baby Cams, to highlight the typical findings and their implications.

Here is a teaser of the talk and before the end of the year, we will share the complete video from the presentation in Munich with the subscribers of our newsletter. So if you are still not part of it, now is a good chance to do so.

 

 

With these events, we got to meet very interesting people and companies. Since then we have decided to become members of the Cloud Ecosystem and we will be working on security with the organisation and its members.

Here are some impressions of both events.


Deciding to book a Bootcamp can be a difficult decision. It is a big investment in time, energy, and money. To help you with your decision, we decided to give you more than seven reasons to do it.

IoT security is complex by nature. There are multiple layers, aspects and technologies interacting at any given time to make it work: from the devices, their firmware, mobile and web interfaces, APIs, cloud and network services, to the network and radio protocols used. There is a lot to learn.

Research and learning about any topic requires lots of time. It is not easy to find time and the mindset to do this on a regular basis.

IoT is the hottest technology (or group of technologies) on the market right now. Everything is getting connected and is controlled by an app, from your smart watch, to your barbecue and your home. Development and innovation are happening at rocket speed, but the security is still trying to catch up. The results of an attack are no longer just finding yourself on the front page of the newspapers, but they are serious and can be life threatening. It is not possible to neglect the security of IoT products.

Kickstart your career in IoT Security. Book a bootcamp now!

 

There is a very high demand for security professionals, and for the foreseeable future there will not be enough qualified professionals to fulfill this demand. Currently, there are just too many threats and too few professionals. There are multiple studies by ISACA and many other institutions that highlight this.

ISACA – RSA Conference – Career opportunities in Cybersecurity


 

There is a shortage of skilled cybersecurity professionals. For example, the Computer Business Review cites a study by ISC2 that says that Europe alone will need 350.000 cybersecurity professionals by 2022.

Constant growth and learning: for those who enjoy constantly learning new technologies and concepts, it is the right path. The constant change and evolution ensure that the job will never get boring.

As we mentioned in our article “Kickstarting a career in IoT Security”, to get hired as a security professional or to progress in this career path, you need a mix of experience, education, and certifications. It takes all three to not only land the job, but also be successful in it. The SevenShift IoT Security Bootcamps provide you all three, including a certificate of completion.

If you are a curious person who likes to understand how things or different technologies work, then a good training is the best environment for you. Each module should start by laying down the theory and the basics of how these things work. Once you have understood them, hacking them is a lot easier. Hacking is about knowledge and not poking things in the dark to see if they break.

What can you expect from a bootcamp?

A bootcamp will give you lots of knowledge condensed in a relatively short period of time. It will give you a kickstart so that you land on your feet and hit the ground running. You will take away the know-how, techniques, tactics, and tools, as well as the hands-on experience on the topic.

The information you get in a bootcamp will significantly shorten your research time. Lots of the content is condensed, but it will help you identify your areas of improvement: which topics you need or want to go deeper into. You will get pointers to good sources of information.

What shouldn’t you expect from a bootcamp?

Three to five days is enough time to get your feet wet, but you will not come out being the next Jacques Cousteau. You will not become a hardware/IoT hacker overnight. Use the knowledge gained to start pentesting IoT devices and sharpen your skills.

 

Book a free call with the trainer

 

SevenShift's IoT Security Trainings

SevenShift has developed a series of IoT security trainings and workshops to fit any profile, from managers to pentesters.

  • IoT Security for Managers: everything a manager should know to make an IoT project secure. Available in both English and German.
  • IoT Security Bootcamp: 5 days Hands-on. Learning-by-Hacking. A hacker course for non-hackers. Teaches you how to discover security vulnerabilities in real life devices.
  • IoT Security Compact Bootcamp: 3 days Hands-on. Learning-by-Hacking. A fast-paced course designed for security professionals and pentesters who want to learn the specifics of IoT.

With your registration to any of the bootcamps, you will receive a free IoT Hacking Kit, which contains the tools and some vulnerable devices, so that you can continue sharpening your skills or hack devices after the event.

This year, the bootcamps will take place in Cologne, Germany. They start on:

Book your bootcamp now on https://sevenshift.de/training or https://sevenshift.de/de/training (German version)

Meet the trainer

 

Pablo Endres

Managing director / Lead Security Consultant / Trainer

Pablo enjoys hacking, IoT, teaching, working with new technologies, startups, collaborating with Open Source projects, learning new things and being challenged.

In the last couple of years, he has been working mainly on IoT security, testing dozens of devices and working with multiple platform providers to secure their solutions.

 

 


Roughly one year ago, we started our adventure creating SevenShift. The experience has been very challenging, but fun and fulfilling.

At the beginning, we thought that it would just be a change in our legal figure, from freelancers into a company. But we feel that we have grown into a Boutique Security Consulting Firm, with many customers and multiple projects.

This has only been possible with the support of our team, colleagues, clients and partners. Thank you so much for your engagement, expertise, patience and desire to reach our mutual goal!

A special thanks goes to our customers, for trusting us and letting us do what we love most: making IoT a more secure place. Giving us the time to experiment and think, to help us support your projects and make them better.

IoT is a fascinating but very complex world. In a few years, it will not be imaginable to live without this technology. Security has not been the main focus for many of the players involved. However, our commitment is to help you make sure that your devices or products are secure. It is very important to us that you and your company can deliver what is expected from you.

There have been multiple milestones in this last year: from creating our logo, building our 2G base station, testing dozens of devices, and last but not least, preparing our IoT security trainings. These have been the biggest challenge of this year, and the first public trainings will take place at Startplatz, Cologne in November 2018.

We love training IT professionals; it is our passion. There is so much to learn and limited time to do it. We want to share what we have learned over the last couple of years, in our projects, studies and research, with our students.

The best investment professionals and companies can make is to keep their skills (and those of their employees) up to date and sharp. This allows them to provide a positive impact on their organizations, helping create better and more secure products and solutions.

We would like to thank everyone involved in our journey. We hope you’ll join us in the years to come, because we have a lot in store for you.

Photo by Mathew Schwartz

There has been a lot of noise or hype around the Internet of Things or IoT for the last couple of years. The volume of the chatter is actually still getting louder and has probably not reached its peak yet. It is supposed to impact everything, from how we do things at home, travel and shop to the way manufacturers keep track of inventory. But what is IoT? How does it work? Is it really that important? How secure is it? And last but not least, how can you make a career in it?

What is the Internet of Things or IoT?

There are many different definitions and interpretations out there, which vary depending on whom you ask and the context. The interesting thing is that most of them are right, but at the same time confuse you even more. The ITU, in document ITU-T Y.2060, defined IoT as:

“a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.”

This basically means that it is a network of things (devices, sensors, people, etc.) which can collect, share, use and act on data from their environment. This can include things like an outdoor thermometer, a smart fridge, a smart toilet seat, a self-driving car or even a smart factory.

IoT Landscape and areas of application

Some of the best articles that describe and analyze the IoT landscape are by Matt Turck. He was one of the first to study this topic and his first analysis dates back to 2016. The latest version is from the beginning of 2018.

As part of his work, he also created these poster-size slides that group companies into vertical and horizontal markets. The former focus on satisfying the needs of a particular industry or niche, while the latter focus on satisfying needs across industries.

 

Matt Turck. IoT landscape 2016

Matt Turck. IoT landscape 2018

 

The version from the beginning of 2018 saw an increase of almost 35% in the number of logos on the chart, from 721 to 971. 96 companies were removed from the chart and 346 new companies were added. A small number of typically very large companies have their name in several categories.

If you take a closer look at the full size diagrams of the landscape from 2016 and landscape of 2018, you may recognize many of the companies on the chart and especially the different areas on it:

  • Personal (wearables, fitness, health, lifestyle, elderly care, …)
  • Home (automation, hub, security, kitchen, pets, …)
  • Vehicles (UAVs, autonomous, marine, bicycles, …)
  • Enterprise (healthcare, retail, agriculture, smart cities, smart office, …)
  • Industrial Internet (machines, energy, supply chain and logistics, robotics, …)
  • Analytics and many more

The landscape is so big that it is very hard to keep track of all of the moving parts.

Need to deliver a secure IoT project? We can show you how. Book our Manager Training now!

IoT Security

The events of the last couple of months and years have shown that security is and will continue to be one of the main issues (or handicaps) in the Internet of Things. There have been many incidents, for example: the Mirai botnet in September 2016; CloudPets was hacked and held for ransom in February 2017; smart locks by Lockstate were broken by a firmware update in March; almost 8000 Telnet credentials to IoT devices were exposed in August 2018; and the list just goes on and on.

Given the focus on “time-to-market” and keeping prices low, security continues to be an afterthought. In many cases the companies and developers are missing the framework, the know-how or the time to implement security into their solutions.

The proliferation of IoT Cloud Infrastructure offerings, for example from Amazon AWS, Microsoft Azure or Libelium, to mention a few, will raise the bar in the future, but until then we will still see multiple incidents.

What makes IoT Security so complex?

The Internet of Things is complex by nature. It involves multiple layers and components, in most cases built on different technologies, working with each other. If we take a look at a reference architecture, we can identify:

  1. Devices / Sensors / Things
  2. Communication protocols
  3. Gateways (optional)
  4. Networking
  5. Data collection
  6. Visualization / Action / Applications

This creates an attack surface that can be split into 4 categories:

  1. Device security vulnerabilities
  2. Firmware based vulnerabilities
  3. Mobile, Web and Infrastructure, and Network security issues
  4. Radio communication based vulnerabilities

Here we have grouped what can be considered as the traditional IT security scope into point 3. The others are not new but claim more relevance in this context.

From a security point of view, it is important to always consider the big picture (overall architecture and design), as well as to pay attention to details (low level design and implementation), especially in highly complex environments.

There is no current industry standard for IoT Security, but there are multiple organizations and many people working on this, for example the OWASP Internet of Things (IoT) Project, the IoT Security Foundation, GSMA IoT Security Guidelines, and much academic work.

When should security be taken into account in an IoT project? The answer, as usual: the sooner, the better.

Different studies show that there is a significantly better Return on Investment (ROI) for addressing security in the design phase, compared to after implementation or shortly before go-live. The costs can be up to 30 times higher when done at the end.

Security requirements, vulnerabilities, hacks... Need to understand it all? We can explain it! Book your training now!

Kickstart a career in IoT Security

Adopting a security career path has multiple incentives, of which the following can be highlighted:

  • Cybersecurity professionals enjoy high wages that can range somewhere between 50K and 120K USD a year, with a median in Europe of around 80K Euros. There are many publications that confirm this trend, like this article from CSO Online (7 of the highest paying jobs in cybersecurity in 2018), or this one from the Robert Walters 2018 Salary Survey.
  • There is a very high demand for security professionals, and for the foreseeable future there will not be enough qualified professionals to fulfill this demand. Currently, there are just too many threats and too few professionals. There are multiple studies by ISACA and many other institutions that highlight this.

    ISACA – RSA Conference – Career opportunities in Cybersecurity

  • There is a shortage of skilled cybersecurity professionals. For example, the Computer Business Review cites a study by ISC2 that says that Europe alone will need 350.000 cybersecurity professionals by 2022.
  • Constant growth and learning: for those who enjoy constantly learning new technologies and concepts, it is definitely the right path. The constant change and evolution ensure that the job will never get boring.
  • Getting paid to “hack” can in many cases be compared to getting paid to do your hobby. Of course, there are better days than others, but in general most security practitioners feel this way.

What is needed to start a career in security?

There are many great articles on how to start a career in infosec or cyber security. But it comes down to a triad of education, experience and training.

  • Education: with a good education you build the fundamental knowledge needed for your career path and one of the most important skills: you learn how to learn. Self-study is an important skill, but it is hard and not for everyone. You can look for training programs for certifications or formal programs specialized in computer science, engineering or even electronics. When studying, make sure to include operating systems, networks, some databases and even programming.
  • Experience: everything you do adds up to experience, from playing with a Raspberry Pi to hacking vulnerable boxes or applications. Your experiences help fine-tune your abilities and the results you obtain. Get in touch with communities or local chapters of known organizations like OWASP, ISC2 or CEH. Even a maker group will provide you with valuable experience with electronics and people that will come in handy.
  • Training / Certifications: these get you a foot in the door or even help you obtain an interview for a new job. They prove to your current and future employers that you have competences in different fields, e.g. threat and vulnerability management or even pentesting skills. CompTIA Security+ is a good starting point, from which you can follow different career paths: management, infosec or even more technical implementation or hands-on work. ISECOM's OPST and OPSA are very complete and do not have experience requirements like ISC2's CISSP or ISACA's CISM or CISA. On the technical side, the OSCP is known to be one of the hardest to obtain. Take a look at our article comparing trainings and conferences to help you pick which is the best for you at this moment.

You can find lots of information on this topic, but we recommend Fabio Baroni’s article “Cracking the infosec interview for fun and profit – how not to suck and get $$ hired $$”, or Ron Woerner’s article on Peerlyst: “Breaking into Security Careers – 2018”.

Kickstart your career in IoT Security. Book a bootcamp now!

Why should you attend IoT Security Trainings?

There are many reasons to attend IoT Security Trainings or bootcamps. Here are five we consider the most relevant:

IoT is complex and the security aspects involve multiple layers and components. It is important to have the complete overview before diving into just some of the details.

Learning about IoT requires a lot of time and there is lots of material to cover: Firmware, Embedded Devices, Serial communication protocols, Software Defined Radio, Bluetooth Low Energy (BLE), ZigBee and lots more!

This takes a lot of time and energy. A training or bootcamp can give you a kickstart so that you land on your feet and hit the ground running, with the know-how, techniques, tactics, and tools, as well as the hands-on experience.

As we mentioned above, to get hired as a security professional or to progress in this career path, you need a mix of: experience, education, and certifications. It takes all three to not only land the job, but also be successful in it. The SevenShift IoT Security Bootcamps provide you all three, including a certificate of completion.

Completing a good training will set you on the right path to find 0-days and security vulnerabilities, claim CVEs, win Capture the Flag (CTF) contests or collect bounties on platforms like HackerOne or Synack. It is possible to do this without it, but a training helps you reach this level faster.

If you are a curious person who likes to understand how things or different technologies work, then a good training is the best environment for you. Each module should start by laying down the theory and the basics of how these things work. Once you have understood them, hacking them is a lot easier. Hacking is about knowledge and not poking things in the dark to see if they break.

SevenShift's IoT Security Trainings

IoT Security Trainings and Bootcamps. Learn-by-hacking. Book yours now!

SevenShift has developed a series of IoT security trainings and workshops to fit any profile, from managers to pentesters.

  • IoT Security for Managers: everything a manager should know to make an IoT project secure. There are 2 dates, one in English and one in German.
  • IoT Security Bootcamp: 5 days Hands-on. Learning-by-Hacking. For those who want to understand security and the technical details behind it. A hacker course for non-hackers.
  • IoT Security Compact Bootcamp: 3 days Hands-on. Learning-by-Hacking. A fast-paced course designed for security professionals and pentesters.

With your registration to any of the bootcamps, you will receive a free IoT Hacking Kit (hardware with a value of +400 Euros), which contains the tools and some vulnerable devices, so that you can continue sharpening your skills or hack devices after the event.

For more information and dates for the next courses visit our website: https://sevenshift.de/training or https://sevenshift.de/de/training (German version)

About the Trainer

The trainer is an actual security practitioner, not just a trainer. Pablo has 15+ years of experience in IT and Cybersecurity. He has tested dozens of devices and IoT ecosystems in the last 2-3 years. This experience allows him to provide insights into real-world pentesting and consulting. He will talk about the most common findings, how to identify them and exploit them. Most importantly, he will share the tools and tactics used in his projects.

 

In the dynamic and constantly evolving world of IT, one has to keep learning in order to stay on top of things and remain relevant within their niche. So, it is not a question about whether you should keep honing your skills, but rather, how to go about it.

When it comes to sharpening your skills the quick and easy way, you have the option of attending either conferences or training courses. But aren’t they one and the same thing? Not at all! This article will explain the differences between conferences and training courses, and how each could benefit you.

 

Large conference

What is a Conference?

This is a congregation of like-minded individuals in a profession where they gather to share their opinions and views on a wide array of topics. The atmosphere is typically formal, and the place chosen to be the venue needs to have visual aids in addition to accommodation facilities since conferences may spill over a couple of days. During the conference, experts of the chosen subject are invited to share their knowledge. The participants are also given a chance to do the same. The goal of a conference is to share knowledge.

Characteristics of Conferences

  • Many Opinions and Topics

A conference usually covers a broad range of topics which allows you to choose the ones that are most relevant to you. This ensures that you get to spend your time constructively.

  • Big Picture

Due to the wide range of topics covered in a conference, it might not be possible to get detailed information on each topic. However, you get to see the bigger picture as you will have a good overview of what is happening in the industry. This means you will leave with a lot to look into.

  • Hearing from the Experts

Conferences are where you are most likely to find your industry’s thought-leaders and opinion shapers. They are there to let you in on the latest developments plus what to look out for.

  • You Get to Understand the Industry

Conferences are one of the best ways of getting to meet new people and strengthening your network. There are a lot of networking opportunities in a conference, such as during session breaks and lunch, where you can leave with a few LinkedIn connections.

Additionally, most conferences have exhibitors and sponsors. Thus, if you are in need of new solutions or suppliers, a conference is an excellent place for finding these people and getting special offers.

Who Can Benefit Most from a Conference?

If you are relatively new to an industry, conferences are an excellent way of getting to know what the industry is all about while meeting up with people who are in the same situation as yourself.

You will also get to be updated on the latest happenings in the industry, and what to anticipate. And since they are knowledge sharing platforms, you will become more knowledgeable about your niche.

What are Training Courses?

These are short-term educational training courses that are designed to enhance the participants’ skills in a specific profession or field, where advancements in techniques force individuals to upgrade their skills. Trainings usually consist of a small group of people who have come to benefit from experts’ knowledge. They are a type of interactive training where the participants embark on a number of training activities instead of just passively listening to a lecture.

Characteristics of Trainings

  • In-depth and Focused

Trainings tend to focus on a single topic rather than attempt to give an overview of multiple topics. Thus, the training will be much more detailed.

  • Hands-on

Trainings tend to be more practical than other kinds of events. They include group discussions, exercises, and other practical activities that will require you to get your hands dirty, so you can implement what you are learning.

  • Small Groups

Due to the specific nature of the training, groups are typically small. This means that each participant is likely to get individualized attention, in addition to being able to communicate with the speaker(s) on a one-on-one basis.

  • Like-minded Individuals

The people you will be training with will be facing the same challenges as yourself. This will allow you to share the experience with each other and form valuable connections.

  • Certification

Most trainings offer a certificate after the course. Thus, they are a good way to boost your accreditations.

Who Benefits the Most from Trainings?

Trainings are good for anyone who wants to learn a particular subject in detail. It enables an individual to be more proficient in their field or niche.

So, which one should you go for: Conferences or Training Courses?

Due to their different purposes, they benefit different individuals. Conferences are good for anyone looking to gather more insight into their industry so as to be aware of what they need to know or do to be ahead in their respective fields. Training courses, however, are for people looking to enhance their skills in a particular subject, which will help them gain an edge in the employee marketplace. Thus, a training is excellent for anyone looking to advance their career.

What is SevenShift?

SevenShift is a boutique security consulting firm with a wealth of experience in the worlds of security and Internet of Things (IoT). Our experts have tested numerous IoT devices and ecosystems over the last couple of years. Our experience in security testing, design, and implementation has helped us provide security solutions for many organizations. Through our hands-on training methods, we help companies to better secure their business and products.

Some of our trainings include:

• IoT Security Bootcamp

This is an IoT hacking class designed for professionals who have an understanding of hacking and IT. It is a 5-day class that covers all the aspects of the Internet of Things’ (IoT) security. Each module begins by first covering the basics before getting into the actual subject. This allows you to understand what things can be hacked, why and how. You will learn by hacking real devices and will be guided by experienced and highly proficient teachers.

In this training, you will first review the architecture of IoT ecosystems and devices, assess their attack surface, test for vulnerabilities, and then hack them.

• IoT Security Compact Bootcamp

This IoT hacking class is designed for pentesters and security experts. It is a 3-day, fast-paced class that covers the following topics: IoT devices, cloud, wireless technology such as ZigBee and BLE, radio and mobile components, hardware and software debugging, firmware reverse engineering, and binary exploitation using both standard and unconventional attacks.

• IoT Security Manager Training

With the Internet of Things being one of the biggest digital trends of the century, there is a demand for highly trained and capable managers who will incorporate this technology into their product strategy. This training will give you a high-level understanding of the innovation, implementation, and maintenance of security in this field.

As we get closer to a world where the Internet of Things will dictate our day-to-day lives, it is imperative that IT professionals are well equipped to handle the potential cyber security threats that may arise. It is estimated that there will be about 20.8 billion interconnected devices, which will generate over 20 zettabytes of data by 2020.

This is why IT experts and business owners should undergo specific training, to ensure they are ready to handle any cyber security issues and protect their organizations.

Visit our training page to book your training now or to learn more about our programs.