
CertNexus Certified IoT Security Practitioner: Certification, exam and training details

September 29, 2021 by Susan Morrow

The Internet of Things (IoT) has exploded in the last few years. Manufacturing, medicine, consumer devices, automotive and more all benefit from connectivity and data. There are expected to be around 31 billion connected devices in the world by 2025. 

With increased connectivity and massive amounts of data come security challenges. According to the Nokia Threat Intelligence Report, this proliferation of IoT devices now accounts for almost 33% of infections across mobile networks.

To help develop the skills needed to deal with the security aspects of IoT devices, CertNexus has created the CertNexus Certified IoT Security Practitioner (CIoTSP). Anyone attaining this certification will be able to demonstrate to employers a deep understanding of the types of threats made against an IoT ecosystem and how to prevent them from happening.

Overview of CertNexus CIoTSP certification

Holding CIoTSP certification is great for building a career as an IoT practitioner. A CIoTSP certification demonstrates knowledge of IoT security issues and how to resolve them. Individuals who successfully pass the CIoTSP exam demonstrate to current or future employers that they have the skills needed to use security by design in the implementation and deployment of an IoT ecosystem. 

The current exam version, ITS-110, tests your level of understanding of common IoT threats and security measures for IoT devices across seven domains (% weight of each domain shown in brackets):

  • Domain 1.0: Securing IoT portals (29%)
  • Domain 2.0: Implementing authentication, authorization and accounting (14%)
  • Domain 3.0: Securing network services (14%)
  • Domain 4.0: Securing data (14%)
  • Domain 5.0: Addressing privacy concerns (12%)
  • Domain 6.0: Securing software/firmware (10%)
  • Domain 7.0: Enhancing physical security (7%)

Whilst CertNexus specifies that no prerequisites are needed to take the exam, they do set out a list of criteria that will help you to successfully pass the exam: 

  • Understanding of the fundamental benefits and challenges of securing IoT systems
  • Understanding of an IoT ecosystem, including the physical elements, edge or fog computing elements, network and connectivity elements, cloud and cloud platform elements, and the applications and “Things” within various market sectors
  • Understanding of common IoT security and privacy threats and countermeasures
  • Understanding of common IoT safety and risk management approaches
  • Understanding of the IoT system/software development life cycle

Who should take the CIoTSP exam?

Because IoT is now a ubiquitous part of an organization, employees working across various roles should consider taking the CertNexus Certified IoT Security Practitioner exam. Some examples of roles or areas of work that can benefit from holding CIoTSP certification include:

  • IT security
  • IoT security
  • IoT device management
  • Solution architect
  • Platform engineer
  • IoT designer
  • Product manager
  • Cloud engineer
  • Production or manufacturing engineer

CIoTSP exam objectives

The CIoTSP exam is designed for people who wish to demonstrate a vendor-neutral, cross-industry skill set that validates their ability to design, implement, operate and manage a secure IoT ecosystem. The CIoTSP exam comprises seven domains:

Domain 1.0: Securing IoT portals

Domain 1 tests two core competencies that cover the IoT attack surface and the application of security by design.

Objective 1.1: Identify common threats used to compromise unsecure web, cloud, or mobile interfaces

This objective covers typical IoT security threats such as weak default credentials, sensitive data exposure and misconfiguration.

Objective 1.2: Implement countermeasures used to secure web, cloud or mobile interfaces

This objective tests the examinee’s knowledge of countermeasures that mitigate the threats discussed in objective 1.1 — for example, the importance of changing default passwords.

Domain 2.0: Implementing authentication, authorization and accounting

Domain 2 tests two core competencies that cover identity and access management (IAM).

Objective 2.1: Identify common threats used to exploit weak authentication/authorization schemes

This objective explores the exploitation of poorly implemented credential policies.

Objective 2.2: Implement countermeasures used to provide secure authentication, authorization and accounting

This objective looks at countermeasures to ensure that robust IAM is applied across an IoT ecosystem.

Domain 3.0: Securing network services

Domain 3 tests two core competencies that specifically cover common threats against network services.

Objective 3.1: Identify common threats used to exploit unsecure network services

This objective tests the examinee’s knowledge of network services including TP, DNS, SNMP and Telnet, as well as exploitation through open ports. It also covers DDoS threats and other threats typically used to attack IoT network services.

Objective 3.2: Implement countermeasures used to provide secure network services

This objective tests the understanding of countermeasures to the exploits in objective 3.1 — for example, port control.

Domain 4.0: Securing data

Domain 4 tests two core competencies that explore how insecure data is exploited. 

Objective 4.1: Identify common threats used to exploit unsecured data

This objective examines your knowledge of securing data at rest, in motion and in use.

Objective 4.2: Implement countermeasures used to secure data

This objective addresses the types of encryption used to secure data throughout its lifecycle.

Domain 5.0: Addressing privacy concerns

Domain 5 tests two core competencies around the use of cyber threats to compromise data privacy.

Objective 5.1: Identify common threats used to compromise privacy

This objective tests your knowledge of common issues around ensuring data privacy in an IoT device and its associated system. It includes the principles of data minimization and anonymization techniques.

Objective 5.2: Implement countermeasures used to ensure data privacy

This objective tests the use of available countermeasures and includes questions on privacy regulations and laws as well as the practical implementation of privacy by design.

Domain 6.0: Securing software/firmware

Domain 6 tests two core competencies that look specifically at securing firmware.

Objective 6.1: Identify common threats used to exploit unsecure software/firmware

This objective covers the general area of firmware updates, testing and end-to-end solution threats.

Objective 6.2: Implement countermeasures used to provide secure software/firmware

This objective tests your knowledge of mitigating firmware threats such as digitally signing updates and using a root of trust.
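The two countermeasures named above, signed updates and a root of trust, come together in the update-verification routine on the device. The following is an added example written for this article, not CertNexus material or code from any named product: a vendor signs a constructed update image (4-byte version followed by the payload) with Ed25519, and the device verifies it against a public key pinned as its root of trust and refuses any image whose version is not newer than the one installed. The image layout and function names are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed, hypothetical firmware update container:
// Image = 4-byte big-endian version || payload; Signature covers the whole Image.
type Update struct {
	Image     []byte
	Signature []byte
}

// BuildSignedUpdate is the vendor side: it assembles version||payload and signs it
// with the vendor's private key. Only this key can produce images the device accepts.
func BuildSignedUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	img := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(img[:4], version)
	copy(img[4:], payload)
	return Update{Image: img, Signature: ed25519.Sign(priv, img)}
}

// VerifyUpdate is the device side. rootKey is the public key pinned in the device
// (its root of trust); installedVersion is the currently running firmware version.
// The signature is checked before any field of the image is trusted, and an image
// that is not strictly newer is rejected so a signed but old, vulnerable build
// cannot be rolled back onto the device. Returns the accepted version.
func VerifyUpdate(rootKey ed25519.PublicKey, installedVersion uint32, u Update) (uint32, error) {
	if len(u.Image) < 4 {
		return 0, errors.New("image too short")
	}
	if !ed25519.Verify(rootKey, u.Image, u.Signature) {
		return 0, errors.New("signature invalid: image rejected")
	}
	v := binary.BigEndian.Uint32(u.Image[:4])
	if v <= installedVersion {
		return 0, fmt.Errorf("rollback rejected: version %d is not newer than installed %d", v, installedVersion)
	}
	return v, nil
}

func main() {
	// Constructed keys for the demonstration; a real device has the public key
	// provisioned at manufacture and the private key never leaves the vendor.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	good := BuildSignedUpdate(priv, 2, []byte("constructed firmware payload v2"))
	if v, err := VerifyUpdate(pub, 1, good); err == nil {
		fmt.Println("installed version", v)
	}

	// A single flipped byte in the payload invalidates the signature.
	tampered := Update{Image: append([]byte(nil), good.Image...), Signature: good.Signature}
	tampered.Image[len(tampered.Image)-1] ^= 0xff
	_, err = VerifyUpdate(pub, 1, tampered)
	fmt.Println("tampered image:", err)

	// A correctly signed but older image is refused by the version check.
	old := BuildSignedUpdate(priv, 1, []byte("constructed firmware payload v1"))
	_, err = VerifyUpdate(pub, 1, old)
	fmt.Println("old image:", err)
}
```

The ordering matters: the version field is read only after the signature verifies, so an attacker who cannot sign cannot influence any decision the device makes, and the pinned key means a valid signature from anyone but the vendor is rejected as well.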

Domain 7.0: Enhancing physical security

Domain 7 tests two core competencies covering the physical security aspects of an IoT ecosystem.

Objective 7.1: Identify common threats used to exploit poor physical security

This objective explores physical access to ports, access to removable media and threats to devices that are easy to disassemble.

Objective 7.2: Implement countermeasures used to ensure physical security

This objective covers countermeasures such as encryption and protection of physical ports.

CIoTSP exam details

The CIoTSP exam is a multiple-choice exam comprising 100 questions. The examinee is given 120 minutes to complete the exam, and a passing score is 60%. 

Once you pass the exam, your certification status is valid for three years. To maintain certification, you will need to retake the most current version of the CIoTSP exam before the end of the three-year period.

How to prepare for the CIoTSP exam

The CIoTSP exam covers a wide range of security threats against IoT ecosystems. As such, preparation is key to exam success. The following methods are useful when preparing for the CIoTSP exam as they help to build up a wide knowledge base:

  • Read up on the core threats and countermeasures used to secure an IoT ecosystem
  • Take practice exams to build your knowledge through sample questions
  • Try hands-on labs to experience real or simulated IoT environments
  • Get feedback from professional tutors on your exam readiness

Training courses like Infosec’s CIoTSP learning path are another option to help prepare for your exam.


Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure. Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.
