Risk Centric Threat Models for Internet of Things (IoT) & Medical Devices
Date
Authors
Tony UcedaVélez
Follow Us
WorkshopCon InfoSec 2-Day Training Event:
IoT-based medical devices with VerSprite & TonyUV
This course begins by focusing on IoT based medical devices and the overall importance of threat modeling in product/ application development and then quickly dives into helping students deconstruct product/ application components into use cases, abuse cases, call/data flows, trust boundaries, attack vectors and most importantly countermeasures.The course is provided over two days and begins with a very quick overview of threat modeling concepts, common inputs to the process, integration activities to secure SDLC workflows and extends into applying the 7 stages of the PASTA methodology to target IoT applications in the healthcare medical field.
What is Threat Modeling?
Risk centric threat modeling is an approach that focuses on correlating threat viability and business impact. Many other threat modeling approaches do not consider impact of threat scenarios beyond subjective analysis.
For healthcare applications the impact goes well beyond patient data privacy and includes impact of loss of life, particularly in the proliferation of IoT based medical devices where wearables have gone to become implantables.
Learn how to leverage threat modeling for any type of IoT application. Register Now →
We’ll explore IoT protocols that support many IoT applications (e.g. – ZigBee, MQTT, CoAP) as well as common web related components that interface with client hardware devices. Beyond the basics of DFDs, attack tree build outs, kill chains, we’ll address how to leverage tools to identify an application’s attack surface (both client side and web), identify work processes, actors (callers) privileges, techniques for threat intel filtering and correlation, and recommendations for identifying weaknesses and attacks that are both present and related to the threat motives of the constructed model.
