Exploitation of Embedded DevicesIntroduction to Embedded System Exploitation
Embedded hardware is everywhere you look today – from your vehicle’s infotainment system to refrigerators to medical devices and everything else in-between.
Exploitation of Embedded Devices
Introduction to Embedded System Exploitation
Embedded hardware is everywhere you look today – from your vehicle’s infotainment system to refrigerators to medical devices and everything else in-between. With so much exposure one would think that such devices are secure against attack; however, sadly for a large number of devices this is not the case. For proof, just look no further than your local news reports. They are full of reports on devices being hacked into.
So, as engineers, how do we go about first identifying and mitigating (or capitalizing) these potential security vulnerabilities within these devices? The answer to this question, and the subject of this seminar, is through the reverse engineering of the hardware itself. This seminar is a combination of lecture and hands-on exercises which will conclude with the students attempting to attack and defeat a custom embedded device.
Software AssuranceOrganizations are becoming increasingly aware of the importance of developing secure software. These classes introduce the student to the concepts of software assurance, which have direct application in all software industries, including automotive and aerospace sectors.
Organizations are becoming increasingly aware of the importance of developing secure software. These classes introduce the student to the concepts of software assurance, which have direct application in all software industries, including automotive and aerospace sectors. Students gain an appreciation of the technical challenges associated with software assurance and develop the technical skills necessary to engineer secure software. Laboratory exercises reinforce the principles taught in the course, and give students an opportunity to develop their skills.
Trust in Web and Network Technologies
This course demonstrates to students the requirement to properly employ web and network technologies when developing secure software systems. Web and networked systems have a disproportionate reliance on trust, and are often vulnerable to remote exploitation. This course examines vulnerabilities that potentially introduce unique opportunities to exploit software, and even execute arbitrary (attacker-supplied) code. Finally, the course enumerates these classes of vulnerabilities associated with trust in web and network technologies, and presents prevention and mitigation techniques, along with methods to test and discover such vulnerabilities.
This course demonstrates to students the requirement to perform input validation when developing secure software systems. It examines a variety of vulnerabilities—caused by failure to validate input—that potentially allow an attacker to alter intended program execution flow and execute arbitrary (attacker-supplied) code. Finally, the course enumerates several classes of vulnerabilities associated with input validation, and presents prevention and mitigation techniques, along with methods to test and discover such vulnerabilities. The specific vulnerability classes addressed during this course account for 50% of the most critical vulnerabilities reported to the National Vulnerability Database from 2011 through 2015.
Language, Environment and Human-computer Interaction
This course demonstrates to students the requirement to consider object-oriented programming vulnerabilities, as well as potential adverse effects of the execution environment and human-computer interactions, when developing secure software systems. It examines vulnerabilities that potentially introduce unique opportunities to exploit software, and even execute arbitrary (attacker-supplied) code. Finally, the course enumerates these classes of vulnerabilities associated with languages, execution environment, and human-computer interaction, and presents prevention and mitigation techniques, along with methods to test and discover such vulnerabilities.
If you’re interested in any of our course offerings,
DoD Weapon Systems SecurityCyber Security Essentials for DoD Weapon Systems
Students are introduced to threats that exist for our increasingly sophisticated DoD weapon systems with a foundation for strategies to reduce and combat those threats.
Cyber Security Essentials for DoD Weapon Systems
Department of Defense weapon systems have become increasingly sophisticated and technologically advanced. The intricacies associated with advanced technology, however, introduce complexity that makes it difficult to discern vulnerabilities that may exist due to underlying functionality, interconnections, associated subsystems and weaknesses in hardware/software. Although Department of Defense operations are dependent on proper functionality and the integrity of weapon systems, there is a lack of understanding concerning associated cyber-based threats.
This course is designed to introduce students to the threats that exists for DoD weapon systems and provides the foundation for developing mitigation strategies. The course utilizes real-world examples to walk students through how an attacker can exploit weapon systems via subcomponents and supporting infrastructure. Students will learn the fundamentals of cyber security as applied to DoD weapon systems along with supply chain risks, system weaknesses, operational implications and how an adversary can target weapon systems.
An understanding of the concepts discussed in this class is critical for anyone involved in the design, test, evaluation, assessment, command and/or operation of DoD weapon systems. Students will gain insight into the threats associated with the critical systems and learn how to apply the concepts in order to reduce an adversary’s capabilities to impact military operations. This course serves as the foundation for anyone interested in cyber security for DoD weapon systems.
Course Learning Objectives
Attendees will understand the following concepts:
- How weapon systems cyber security is different than traditional IT systems
- Fundamentals of cyber security as applied to DoD weapon systems
- The common threats/risks and how adversaries target weapon systems
- Risks to weapon systems associated with supply chain, system weaknesses and the operational implications
- Approaches to developing a strategy associated with prevention, mitigation, response, test and evaluation for cyber-based risks for weapon systems
What Students Will Receive:
- Student manual containing all lecture slides and notes
- Template documents for stakeholder identification documentation
- Template documents for planning document
- Template documents for technical out brief
- Template documents for executive out brief
- Template documents for mitigation strategy documentation
Course Outline (2 day course):
Weapon system cyber security vs traditional IT security
- Operational requirements
- Emerging technologies and legacy technologies
- Interdependency of complex systems
- Mission dependency
- Direct kinetic effects
- Availability of evaluation environment
- Technical skill-set requirements
- Intel and targeting
- Safety systems and safeguards
- Prioritization of assets and sub-systems
- Real-world examples
- Common security weaknesses
- Threat considerations
- Supply chain risks
- Primary security concerns
- Adversary attack vectors
- Differing attack types and effects
Typical stakeholders and their roles
- Identifying stakeholders
- Test and evaluation
- Commanding officers
- Information flow
Evaluating cyber security risks
- Risk analysis
- Developing mitigation strategies
- Identify sub-systems and evaluation criteria
- Define ROEs
- Identify skill-set and personnel
- Coordination of controls
- Perform discovery for each sub-system
- Identify system inputs and outputs
- Identify system functionality and characteristics
- Develop the planning document
- Obtain approval authority to execute
- Study types
- Passive study
- Active study
- Informational study
- Independent sub-system evaluation
- Holistic system evaluation
- Coordinated effects
Developing mitigation strategies
- DTOMLPF considerations
- Cyber Security Essentials for DoD Weapon Systems
- Software changes
- Software validation and integrity
- Configuration management validation
- Monitoring capabilities
- Information assurance principles
- Extending the security perimeter
- Information protection
- Technical out briefs
- Executive out briefs
Instructor(s): Dr. Johnathan Butts and Billy Rios
We developed DoDWS-301: Cyber Security Essentials for DoD Weapon Systems to meet a growing demand for trained personnel with expertise in DoD weapon systems. There is a significant shortage in the cyber security workforce of individuals that have the skill-sets to evaluate, assess and understand the cyber threats to DoD weapon systems. Some of the most critical systems that our national security relies on, however, are dependent on the ability to operate securely. As weapon systems continue to evolve and expand their cyber footprint, it is imperative that security professionals are adequately trained and have the knowledge and skill-sets to stay ahead of the threats.
Assessment and vulnerability analysis for traditional information technology systems rely greatly on pre-packaged security tools and common implementation schemes. Weapon systems, however, are different in the fact that applications are typically focused on specific functionalities and vary widely. Although security tools assist in weapon systems reviews, it is a firm understanding of the fundamentals relating to hardware, firmware and application software that is critical. As such, as designed this course around the principles associated with security assessments and vulnerability analysis for weapon systems – from the ground up. Individuals attending this training will gain a fundamental understanding of how to evaluate weapon systems, the operational implications associated with weapon systems cyber security, and will build the foundations for exploring this critical area.
We have learned first hand – through many years of performing assessments on critical systems, evaluating embedded device security, vulnerability research and training/educating individuals in this area – the importance of understanding the fundamental principles. Once an individual understands the core concepts presented in this class, they will be able to apply the skills to evaluate complex systems-of-systems.
Employee AwarenessAn organization’s livelihood is in large part dependent on its ability to grow and protect its most critical assets: employees, customers, sensitive information, revenue, reputation and supporting infrastructure.
An organization’s livelihood is in large part dependent on its ability to grow and protect its most critical assets: employees, customers, sensitive information, revenue, reputation and supporting infrastructure. Given the investment most companies make to develop these assets, protecting them should be a continuous priority. While controls are established to limit access to systems and information and ensure authorized availability, many of these same controls can be easily bypassed by exploiting one of the weakest links in any corporate security chain: the employee. Employees are often not security conscious, and/or bypass security controls out of laziness and/or the pressure to be productive.
While some organizations provide reminders and internal information security training, the employee often focuses more on “checking the box” than actually retaining and implementing the information they have been provided. What does all of this mean? Employees unnecessarily take and introduce risks to their employer and critical assets. This is where AIS can help.
We provide practical information security awareness training that is delivered in a straightforward, relaxed and interactive manner. Attendees are exposed to relevant information that can be seamlessly converted into proactive action within their professional and personal lives, all with minimal impact on productivity. Our training encompasses both cyber and physical elements and demonstrates the impact by highlighting actual techniques that criminals utilize to gain unauthorized access to, and/or disrupt the availability of, critical assets. AIS’s Information Security Training is completely customizable to an organization’s specific needs, including target audience, executive leadership, management, employees, partners and vendors.
Custom TrainingAIS provides custom training courses in a number of different areas related to cyber and security. Whether it’s a pre-existing training course, or one developed from scratch to support your organization’s unique needs, contact us to learn how we can help.
AIS provides custom training courses in a number of different areas related to cyber and security. Whether it’s a pre-existing training course, or one developed from scratch to support your organization’s unique needs, contact us to learn how we can help. In addition to having qualified staff on hand to deliver our training, our diverse offering of cyber and security services is supported by industry leading employees who possess strong backgrounds in computer science, engineering, and cyber security. In fact, many of these same employees also teach at various colleges and universities. With all of this expertise, we are confident that AIS can develop and deliver a quality course that exceeds your expectations.
Sample training topics include:
- Secure software design and development
- Cyber security assessments
- Security configuration reviews
- Penetration testing
- Application security assessments
- Hardware hacking
- Red Team assessments
- Cyber investigations
- Forensics and eDiscovery
- Policy design and development approaches
- Security awareness for executive leadership, management, and employees