CertNexus Certified IoT Security Practitioner: Certification, exam and training details
The Internet of Things (IoT) has exploded in the last few years. Manufacturing, medicine, consumer devices, automotive and more all benefit from connectivity and data. There are expected to be around 31 billion connected devices in the world by 2025.
With increased connectivity and massive amounts of data come security challenges. According to the Nokia Threat Intelligence Report, this proliferation of IoT devices now accounts for almost 33% of infections across mobile networks.
To help develop the skills needed to deal with the security aspects of IoT devices, CertNexus has created the CertNexus Certified IoT Security Practitioner (CIoTSP). Anyone attaining this certification will be able to demonstrate to employers a deep understanding of the types of threats made against an IoT ecosystem and how to prevent them from happening.
Overview of CertNexus CIoTSP certification
Holding CIoTSP certification is great for building a career as an IoT practitioner. A CIoTSP certification demonstrates knowledge of IoT security issues and how to resolve them. Individuals who successfully pass the CIoTSP exam demonstrate to current or future employers that they have the skills needed to use security by design in the implementation and deployment of an IoT ecosystem.
The current exam version, ITS-110, tests your level of understanding of common IoT threats and security measures for IoT devices across seven domains (the % weight of each domain is shown in parentheses):
- Domain 1.0: Securing IoT portals (29%)
- Domain 2.0: Implementing authentication, authorization and accounting (14%)
- Domain 3.0: Securing network services (14%)
- Domain 4.0: Securing data (14%)
- Domain 5.0: Addressing privacy concerns (12%)
- Domain 6.0: Securing software/firmware (10%)
- Domain 7.0: Enhancing physical security (7%)
Whilst CertNexus specifies that no prerequisites are needed to take the exam, they do set out a list of criteria that will help you to successfully pass the exam:
- Understanding of the fundamental benefits and challenges of securing IoT systems
- Understanding of an IoT ecosystem, including the physical elements, edge or fog computing elements, network and connectivity elements, cloud and cloud platform elements, and the applications and “Things” within various market sectors
- Understanding of common IoT security and privacy threats and countermeasures
- Understanding of common IoT safety and risk management approaches
- Understanding of the IoT system/software development life cycle
Who should take the CIoTSP exam?
Because IoT is now a ubiquitous part of most organizations, employees working across various roles should consider taking the CertNexus Certified IoT Security Practitioner exam. Some examples of roles or areas of work that can benefit from holding CIoTSP certification include:
- IT security
- IoT security
- IoT device management
- Solution architect
- Platform engineer
- IoT designer
- Product manager
- Cloud engineer
- Production or manufacturing engineer
CIoTSP exam objectives
The CIoTSP exam is designed for people who wish to demonstrate a vendor-neutral, cross-industry skill set that validates their ability to design, implement, operate and manage a secure IoT ecosystem. The CIoTSP exam comprises seven domains:
Domain 1.0: Securing IoT portals
Domain 1 tests two core competencies that cover the IoT attack surface and the application of security by design.
Objective 1.1: Identify common threats used to compromise unsecure web, cloud, or mobile interfaces
This objective covers typical IoT security threats such as weak default credentials, sensitive data exposure and misconfiguration.
Objective 1.2: Implement countermeasures used to secure web, cloud or mobile interfaces
This objective tests the examinee’s knowledge of countermeasures that mitigate the threats discussed in objective 1.1 — for example, the importance of changing default passwords.
Domain 2.0: Implementing authentication, authorization and accounting
Domain 2 tests two core competencies that cover identity and access management (IAM).
Objective 2.1: Identify common threats used to exploit weak authentication/authorization schemes
This objective explores the exploitation of poorly implemented credential policies.
Objective 2.2: Implement countermeasures used to provide secure authentication, authorization and accounting
This objective looks at countermeasures to ensure that robust IAM is applied across an IoT ecosystem.
Domain 3.0: Securing network services
Domain 3 tests two core competencies that specifically cover common threats against network services.
Objective 3.1: Identify common threats used to exploit unsecure network services
This objective tests the examinee’s knowledge of network services including TP, DNS, SNMP and Telnet, as well as exploitation through open ports. It also covers DDoS threats and other threats typically used to attack IoT network services.
Objective 3.2: Implement countermeasures used to provide secure network services
This objective tests the understanding of countermeasures to the exploits in objective 3.1 — for example, port control.
Domain 4.0: Securing data
Domain 4 tests two core competencies that explore how insecure data is exploited.
Objective 4.1: Identify common threats used to exploit unsecured data
This objective examines your knowledge of securing data at rest, in motion and in use.
Objective 4.2: Implement countermeasures used to secure data
This objective addresses the types of encryption used to secure data throughout its lifecycle.
Domain 5.0: Addressing privacy concerns
Domain 5 tests two core competencies around the use of cyber threats to compromise data privacy.
Objective 5.1: Identify common threats used to compromise privacy
This objective tests your knowledge of common issues around ensuring the privacy of data handled by an IoT device and its associated system. It includes the principles of data minimization and anonymization techniques.
Objective 5.2: Implement countermeasures used to ensure data privacy
This objective tests the use of available countermeasures and includes questions on privacy regulations and laws as well as the practical implementation of privacy by design.
Domain 6.0: Securing software/firmware
Domain 6 tests two core competencies that look specifically at securing firmware.
Objective 6.1: Identify common threats used to exploit unsecure software/firmware
This objective covers the general area of firmware updates, testing and end-to-end solution threats.
Objective 6.2 Implement countermeasures used to provide secure software/firmware
This objective tests your knowledge of mitigating firmware threats such as digitally signing updates and using a root of trust.
Domain 7.0: Enhancing physical security
Domain 7 tests two core competencies covering the physical security aspects of an IoT ecosystem.
Objective 7.1: Identify common threats used to exploit poor physical security
This objective explores physical access to ports, access to removable media and threats to devices that are easy to disassemble.
Objective 7.2: Implement countermeasures used to ensure physical security
This objective covers countermeasures such as encryption and protection of physical ports.
CIoTSP exam details
The CIoTSP exam is a multiple-choice exam comprising 100 questions. The examinee is given 120 minutes to complete the exam, and a passing score is 60%.
Once you pass the exam, your certification status is valid for three years. To maintain certification, you will need to retake the most current version of the CIoTSP exam before the end of the three-year period.
How to prepare for the CIoTSP exam
The CIoTSP exam covers a wide range of security threats against IoT ecosystems. As such, preparation is key to exam success. The following methods are useful when preparing for the CIoTSP exam as they help to build up a wide knowledge base:
- Read up on the core threats and countermeasures used to secure an IoT ecosystem
- Take practice exams to build your knowledge through sample questions
- Try hands-on labs to experience real or simulated IoT environments
- Get feedback from professional tutors on your exam readiness
Training courses like Infosec’s CIoTSP learning path are another option to help prepare for your exam.
Sources
- Internet of Things (IoT) and non-IoT active device connections, Statista
- Nokia Threat Intelligence Report 2020, Nokia
- CertNexus CIoTSP Exam ITS-110, CertNexus