Good morning to all the participants. It is a great pleasure to be here. I will be delivering lectures on Monday and Tuesday, the 14th and 15th, and Professor Bernard will also be doing most of the lectures and talking to you about the real subject matter, computer network security. So I will take these five minutes now to pick up on a theme: Professor Phatak used a particular word several times, empowerment, empowerment of teachers. I wish I could quote fluently the original two Sanskrit subhashitas which are very relevant to this, but since I cannot, I will give you the essence in English.

The first one compares two different ways to empower, or two different articles that give you power. One is, you might have heard the story about King Midas: he got a magic wand with which, if it touches any object, it will become gold. The other is a magnet, and if you use a magnet to magnetize another piece of iron, that also becomes a magnet. So which one is more valuable? So, the traditional difference between wealth and the power of knowledge, or the power of... The subhashita goes on to say that the distinct property of the magnet, as opposed to the magic wand that changes something else into gold, is that the new magnet that is formed further has the power to magnetize other objects, whereas the gold that is formed is limited; it stops there, and only the one magic wand has all the power; the gold it creates cannot empower.

So why am I saying this? Because the audience today is teachers, and it is a particular pleasure for us to talk to teachers, because teachers are like magnets. They have the power to empower; they can pass on knowledge. Wealth is a perishable commodity; of course all of us want wealth and all that, so do not mistake me, but again, as you know, they say "Swadeshe pujyate raja, vidvan sarvatra pujyate": a king is honoured in his own country, but a learned man is honoured everywhere.
Knowledge is something that increases with sharing; you can develop it, it cannot be stolen, it does not have to be inherited. That is yet another classical subhashita. So this workshop, where the goal is to make teachers pass on knowledge in a, what shall I say, appropriate way, is the goal of this workshop, and 6000 people at a time is the type of scale that we need in our country, and I hope that that will happen at the end of ten days.

But having said all these good things about teachers, there is also another verse that reminds us that only a quarter of a person's learning, a student's learning, comes from teachers. So everything that you will hear in the next ten days, and all the lab material, everything that you do which is coming from a teacher, even if you understand and absorb all of that, will only contribute 25 percent. Some of you may have heard this. So how does the student get the remaining 75 percent of the knowledge? 25 percent is all we can do, even you as a teacher, however good you are, because the next 25 percent according to the poem comes from interaction with classmates, with colleagues, discussion with friends, with peers who are also learning the same subject, and this stimulates thought, it stimulates understanding. So that is still only 50 percent. The third 25 percent comes from practice, what they call it: you have to sit and study, you have to think on your own; spoon feeding is never a solution. So what a teacher can do is only inspire and motivate and show the path, and if you do not apply on your own, when you are in solitude, when you are alone, when you are not disturbed, if you are not able to mull over the problem and make it your own, then passing it on to others will be a lot more difficult. Still, it is only 75 percent. So what is the last 25 percent?
It will only come with time. You cannot become instantly knowledgeable or empowered; the first time you teach the course you are bound to make missteps, I would not call them mistakes, missteps, and as you go along and as time passes your knowledge will become better, the way of doing things will become better. Although the first part was trying to say why we as teachers are so special and so on, we should realize what our role is, but at least that 25 percent we should do extremely well. So I hope that this workshop will assist you in the first 25 percent, at least in making a good start, and, as Professor Phatak pointed out, we are very indebted to a lot of very bright students who have helped us to design the experiments, who have been the guinea pigs, who have tried out the labs, who have given us feedback, and of course the 200 coordinators who came earlier to our campus and went through this program also gave us very valuable inputs and feedback. I hope all that will be passed on to you in the next 10 days, and I hope you have a very enjoyable time going through this workshop. Professor Bernard will now take over.

So, good morning to everybody across the 200 plus centers. I hope the coordinators have learned something from the previous workshop and are now ready to possibly hand-hold some of the participants in these different centers. I just wanted to mention a couple of things. Number one is, of course, the first workshop was just five days and this is 10 days. So we have a little bit of breathing space over here; we are going to make things a little bit more detailed. For example, there was one session on cryptography, now there will be two; there was one session on security protocols, now there are two; on web security there was one and there are two, etcetera.
So hopefully things will be a little bit eased out. The other thing is there are plenty of lab sessions, and to make it a little bit more comfortable for the coordinators at the remote sites, what we have done is we are introducing some demos as part of the regular lecture. So the lab will actually very closely parallel the demos that we are going to show you as part of the lecture. As you very well know, the lectures are in the first half of the day before lunch and the lab sessions are after lunch, but as part of the lectures we will also have the demos, and what you will be doing in the lab is pretty much what is done in the demo. So, for example, 70 percent of what is done in the lab will actually be done in the demo, another 20 percent will be minor extensions, and another 10 percent hopefully will be something slightly more challenging. So even if you do not get the challenging thing in the three hour lab session, do not panic, do not worry, you can still try it, and our team of TAs is over here to help you. So can we just again flash it on the TAs to see who these people are; we can just briefly introduce some of them, or they can introduce themselves.

Hello everyone, this is Vibhor Agrawal.
So Vibhor is mainly handling Metasploit for us. Let us go on.
Hello everybody, my name is Swapnil.
Swapnil will be talking today, and he is going to be speaking about basic Linux and also about OpenSSL.
Hello everybody, my name is Ramesh Gaikwad.
Ramesh is going to be talking about Nmap and Nessus.
Good morning everyone, I am Samson Kess.
Samson is going to be talking about Snort.
Hi everyone, my name is Lucky Agrawal.
Lucky will be talking about DVWA together with, who is the other guy, Swapnil Bari.
Hello everyone, I am Someshwar.
Someshwar, what are you talking about?
About log analysis tools.
Log analysis tools.
Good morning everyone, I am Abhishek.
Abhishek will be introducing you to Firebug, which is an extension to the Firefox browser.
So there are some of the TAs who are going to be with us a little bit later, because their sessions, their involvement, come a little bit later. So this is what we are going to do, a couple of things. As Professor Phatak has already mentioned, a very important part of this course, a very important component, are the lab sessions, and there are very many tools which you can get a handle on. We had looked last time at Wireshark in some level of detail; we had looked at Nmap, Nessus, Metasploit and Snort primarily as demos rather than hands-on experience for all the participants. I assume that will continue, because some of these tools like Nmap are involved in port scans, and port scans, for example, generate a tremendous amount of traffic. So the server that you are using might actually go down. So we did not want to take that risk. However, if you have a small number of people, say about 10 or 15, you can actually use Nmap live rather than just as a demo.

Another important thing for web security is this application that somebody has designed called DVWA, which stands for Damn Vulnerable Web Application, and it has got several exploits that you can try and also several levels of security. So we will look specifically at SQL injection and cross-site scripting, both persistent cross-site scripting and non-persistent. And in addition to that, as I said, there is Firebug, which is an extension to Firefox. What motivated us to look at this was some questions during the five day workshop. We were talking about cookies, but there were quite a few questions on it. So we wanted to enlighten the participants about the different types of cookies, how you could inspect the cookies, what is the difference between persistent and non-persistent cookies, how you could use cookies for session tracking, and so on and so forth. You could look at different HTTP headers, the authorization header and much of that stuff, which will be done through Firebug.
So, those of you who have got the schedule in front of you, I can also tell you which demos come when. So can the participants kindly look at the schedule. Today, Thursday the 10th of July, in the second session on cryptography basics, we will have a demo on basic Linux commands and OpenSSL. So I am talking about this session over here: as part of the lecture there will be a demo on basic Linux commands and OpenSSL APIs, where you will get a chance to look and see how an encryption key is created, say an RSA encryption key, what they look like, for example, how you can encrypt a message, what the contents of the ciphertext look like, and so on and so forth. Then on the next day, during the morning session, the first half, you will have a demo on Wireshark, basic Wireshark, and the day after that extended Wireshark, which looks at SSL and so on. So exactly the thing that we will demo over here you will actually be doing in the lab, plus, as I said, a little bit more. So here we have an SSL demo, we have a Wireshark demo and the Wireshark with SSL; over here we will have the Firebug demo, so that you can be prepared for the lab on web security; over here we will demo DVWA, primarily SQL injection, which will be done in the lab either on the same day or on a subsequent day. Then we will have DVWA again, but the XSS demo, on this day, and Professor Shiva's two lectures will also have a corresponding lecture on logging, system logging, and so on. Then on this day we will have a buffer overflow demo; then going to the 16th, which is a Wednesday, we will have the Nmap and Nessus demo, and on the next day the Metasploit demo, and then these are all exploits. Now, how do we defend against them? We will have the Snort demo in the next session on Thursday, and then we will repeat the demos, but they will be one after the other, so that you can see the linkage between each of these different tools, Nmap, Metasploit, Nessus and finally Snort.
So this will be just a demo, not a hands-on thing, held in the afternoon on the 17th, which is the Thursday. So that is basically the schedule and the differences that we have. The main difference is that we will have a demo as part of the lecture, and the second main difference is that we will have some small quizzes, just to test the ability of people to absorb the material and so on and so forth. There has to be some kind of a quiz. So we will have quizzes; most probably we will have one the day after tomorrow on Saturday, another one on Tuesday and probably another one on Thursday. These quizzes will be very small, fill in the blanks or objective type questions, which will take around 15 minutes, and we will tell you how to grade them in an efficient manner. So I guess with that we could get started.

So I will start with this quotation, which is very interesting. If you read it carefully you will see why security is so different from many of the other fields that you encounter. "Security engineering, especially in this third wave, requires you to think differently. You need to figure out not how something works, but how something can be made not to work. You need to imagine an intelligent and malicious adversary inside your system, remember Satan's computer, constantly trying new ways to subvert it." So in many other disciplines you figure out how something works, how you can make something work; over here you try to figure out how you can make something not work, how to subvert the system, for example. "You have to consider all the ways your system can fail, most of them having nothing to do with the design itself. You have to look at everything backwards, upside down and sideways. You have to think like an alien." This is a saying by a well known security analyst by the name of Bruce Schneier. So as you can see security is a very different field and probably requires a very different set of skills.
So this is the introductory lecture, the first session of this morning, and we are just going to talk about some basics, like what are the different types of attacks that you have heard of; we are going to amplify on these attacks in the days to come; what are the vulnerabilities behind these attacks, what are some of the defenses, and then we will conclude with something called security principles. So before we talk about the attacks, it is nice to know what could be the motives behind some of these attacks. What is the motive of a hacker, for example? Theft of sensitive information, for example credit card information, that is one possibility. As mentioned before, denial of service, for example: you want to disrupt a service, rendering it unavailable or inaccessible, or you want to illegally use certain resources, like for example supercomputing time, and so on and so forth. So these are all different kinds of goals that an attacker might have. They can also be national security goals, where you might want to attack the computing resources of an adversary of yours, for example. So this is also getting to be an issue recently; as was mentioned by Professor Phatak, the computing systems of the Republic of Estonia were attacked. So we could easily see such things happening even to our country in the days to come or in the years to come.

I do not know how visible this slide is over here, but I will just try to put together and taxonomize the different kinds of attacks. So we have, for example, the different motives over here: identity theft, information theft, disruption of service and the new kind of thing, which is information warfare, which is launched between countries. The different kinds of attacks, if I might try to classify them: phishing attacks, skimming attacks, pharming attacks, session hijacking, eavesdropping.
So you have heard of these terms. The attacks on the top that you will see are pretty much terms that a layman hears of; you will see them in the newspapers, for example: intrusions, denial of service, malware, worms, viruses and so on. And then as we go to the next level we try to make more technical sense of what these things are. So, things like for example side channel attacks, or dictionary attacks, or DNS cache poisoning or ARP cache poisoning, replay attacks in security protocols, etcetera, etcetera. And then finally, we always would like to know why these attacks were possible in the first place. So what is behind those attacks? Well, various bugs in different protocols, like say DNS or ARP, or different software vulnerabilities, like application based software vulnerabilities: SQL injection, buffer overflow, cross-site scripting and so on. So basically what we have over here is the different goals, the different attacks, attacks with two kinds of names if you will, names that are well known to people in general who read newspapers, I mean these are things that do not require any technical sense, and then you drill down into these attacks and you find the more technical names for some of these attacks. And then finally, the vulnerabilities behind these attacks, which get to be very technical.

So just to mention a few of these attacks in the time that we have: phishing attacks. In phishing, typically a victim is lured to a fake website, an online bank for example. The fake website looks like the real site, but it is not really authentic. The victim is then induced to reveal sensitive information like a password and so on, which then gets passed on to the actual attacker's site. So phishing, in its many manifestations, is an example of a social engineering technique. So the problem, the vulnerability, is in the human being's gullibility. Another kind of attack, again a high level term: information leakage. So there is this thing called pharming, which is discussed in chapter 17 of the text.
It is similar to phishing, but the former is more sophisticated and makes use of vulnerabilities in DNS. So phishing is more social engineering, while pharming is more of a technical attack that exploits vulnerabilities in the DNS service. Information leakage may also take place through eavesdropping or snooping on the link between two communicating parties.

Identity theft. You hear of this term very often, but what exactly do we mean by identity theft? Is it stealing my identity, and is that something that I am very particular about keeping to myself? What exactly is identity? So one form of identity is your name, nationality, language, religion and so on and so forth. This might be something that comprises identity, but then you might ask the question, is it such a big deal if somebody steals my identity? And the answer is, we are not really talking about these kinds of attributes of an individual. We are talking about things that are more sensitive, like credit card numbers, passwords, PINs and so on and so forth. So when we talk about identity theft, we are talking about some means of getting this kind of sensitive information, which of course can then be abused.

Attacks on credit cards, ATM cards. We have seen so much of this; many of you, or most of you, have credit cards, debit cards, etcetera. And many of you have heard, at least of some friend or someone somewhere, through the newspapers or just hearing from friends, about attacks on credit cards where somebody's credit card has been stolen, the password or the PIN has been stolen, etcetera, etcetera. So one way of doing this is through skimming attacks. Personal information may be leaked out from credit cards, smart cards, ATM cards, electronic passports through a variety of skimming attacks. There is a rich set of attacks to enable these, ranging from fake terminals at supermarkets, for example, to sophisticated side channel attacks, so leakage through things like power and timing.
I take a smart card, that is a credit card which is enabled with a little processor on chip, and I perform power and timing attacks to be able to cull out information like the private key from the smart card. So these are very dangerous attacks that could possibly happen. You give your smart card to somebody, your credit card which is lying on a desk; somebody takes it and launches these side channel attacks, which are of different flavors, power and timing being two examples.

Impersonation. One means of intruding into a computer system is through password guessing attacks, and a special case of this are dictionary attacks. So you might have heard of dictionary attacks; again, chapter 11 of the text talks about this in some detail. The ultimate goal of the attacker is to impersonate his victim. He can then make online purchases, request banking transactions, perform unauthorized logins, etcetera, all under the assumed identity of his victim. So impersonation attacks are where you get things like the password or the PIN of somebody and then you misuse it.

Denial of service attack. The common name employed for an attacker's interruption or disruption of the computing services of his victim is denial of service, DoS, and its cousin the DDoS, distributed denial of service attack. There are different kinds of these attacks and different reasons why these might occur. There are application based and there are protocol based. A good example of a protocol based DoS attack is the SYN flood attack, where you simply send out a lot of SYN packets to establish a TCP connection and you exhaust the resources of the victim, either its computing resources or memory resources or communication resources. One version of this attack, for example, which was very popular a few years ago, caused defacing of different websites, including several government sites around the world. So these are denial of service attacks.
Now, everybody has heard of malware attacks. There are different types of malware, and the number of different species of malware is increasing all the time. So to start with we have got worms and viruses, dealt with in chapter 19, for example. Typically what characterizes worms and viruses is their ability to replicate. A virus typically infects a file and then spreads from one file to another, while a worm is typically a standalone program that infects a computer. So a worm typically spreads from one machine to another machine. Worms and viruses use spreading techniques like email. So they spread through different media like email, internet messages, web pages, Bluetooth, MMS and so on. Besides worms and viruses we have Trojans, that do not typically replicate, a kind of malware that masquerades as a utility but has other insidious goals, such as the modification of files, data theft and so on. In addition you have got also spyware and bots. So this is probably becoming one of the most serious problems today: you have got bots which are remotely controlled, and the bot master controls not tens of these things but hundreds of them, thousands of them, even hundreds of thousands of bots. So these bots are basically lying latent in different machines. There could be bots in your own machine that could be lying hidden over there; you do not know they exist because they do not really make a big noise. They only communicate with their bot master maybe once a day, once a week or something. So there is not much traffic and you do not get suspicious; your intrusion detection system does not detect them, but still they are there and they are listening to the bot master and they are following the instructions of the bot master. So the bot master might instruct his 100,000 bots under his control, which are spread over different machines around the world, perhaps to attack a particular website, to deface a website, on the first of August 2014.
So these bots all listen to their master, and at any time they could be activated depending on the master's command. So talking about attacks, now these are some more technical things: attacks on networking protocols. Some examples of these are address spoofing, session hijacking, ARP cache poisoning and DNS cache poisoning, man in the middle attacks, replay attacks, etcetera. In the days to come we will throw more light on many of these.

So, now that we have talked about attacks, the next thing is vulnerabilities: what is it that is behind the attack? A vulnerability is a weakness or a lacuna in a policy, in a procedure, in a protocol, in hardware or software within an organization that has the potential to cause loss or damage. So it would be a good thing for you to think about this: what are the weaknesses? For example, can you think of weaknesses in a policy, a policy within an organization, a policy for what? A policy for, for example, carrying laptops into the organization, carrying iPads into the organization, carrying pen drives into the organization. For all these things there should be policies, and if you have a slight fault, a slight weakness, a slight lacuna in one of the policies, that opens the door for various kinds of attacks. So it is not just policy or procedure; it could be in a protocol, it could be in hardware, it could be in software. So when I say networking protocols, it could be in the design of the protocol, it can be in the implementation of the protocol. So there are different kinds of vulnerabilities that we will be exposed to in the next 10 days. There are many different types of vulnerabilities, as I mentioned before. One type is human vulnerabilities, induced by careless or unthinking human behavior: clicking on a link in an email message from a questionable source.
So the vulnerability is a human weakness. You got an email which says click on this link to claim a prize of 1 crore, and you feel, ok, if I click on this link probably somehow I am going to get this prize. Of course, this is kind of, maybe, greed or some other reason on the part of the human being, maybe fear. There is an email that says log into this thing and check your password, because if you do not in the next 2 hours then your account will be invalid. So now there is fear. So it could be greed, it could be fear, it could be some other kind of human feeling, and that is why these are human vulnerabilities, because they are caused due to certain human feelings, and these are related to phishing attacks, for example, and at least some kinds of cross-site scripting attacks. So that is one category of vulnerabilities, human vulnerabilities.

The next are protocol vulnerabilities. So, attacks on commonly used protocols; you can think of almost any protocol, TCP, IP, DNS, the wireless protocols, the MAC protocols, etcetera. Think of almost any of them and you will be able to detect some kind of vulnerability. So, connection hijacking caused by ARP spoofing, for example. On a local area network you can do ARP spoofing, you can poison the ARP cache of the victim and you can redirect all the traffic to pass through you. It is a very serious problem and there are tools that exist to actually implement this attack. There are denial of service attacks which exploit the 3-way handshake; as I mentioned before, there is something called the SYN flood, a special kind of denial of service attack which exploits the way in which TCP sets up a connection. There are also pharming attacks; besides phishing there is pharming, which exploits vulnerabilities in the DNS service. And then a very interesting set of vulnerabilities are software vulnerabilities, which are dealt with in detail in chapter 18 of the text; these are caused by sloppy software.
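The ARP cache poisoning mentioned above is usually countered on the defender's side by watching for IP-to-MAC bindings that change. As an added example, not part of the lecture, here is a small detector in Python run over a constructed log of ARP replies; the line format (timestamp, "arp reply", IP, "is-at", MAC) and the sample addresses are assumptions made for the demo.

```python
"""Detect ARP cache poisoning from a log of ARP replies (added example).

Assumption (not from the lecture): every ARP reply seen on the LAN is
available as one text line in the constructed format
    "<timestamp> arp reply <ip> is-at <mac>"
The detector remembers the first IP -> MAC binding it sees and raises an
alert when a later reply claims a different MAC for the same IP (the
symptom every host whose cache accepted that reply would now carry), or
when one MAC answers for more IPs than a single host normally would.
"""
import re
from collections import defaultdict

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+arp reply\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*$",
    re.IGNORECASE,
)

# Constructed sample: the gateway 10.0.0.1 and two hosts announce
# themselves normally, then a third interface starts answering for the
# gateway's and a victim's IP at the same time.
SAMPLE_LOG = """\
09:00:01.000 arp reply 10.0.0.1 is-at aa:bb:cc:00:00:01
09:00:02.000 arp reply 10.0.0.7 is-at aa:bb:cc:00:00:07
09:00:03.000 arp reply 10.0.0.9 is-at aa:bb:cc:00:00:09
09:00:30.000 arp reply 10.0.0.1 is-at de:ad:be:ef:00:09
09:00:31.000 arp reply 10.0.0.7 is-at de:ad:be:ef:00:09
09:00:32.000 arp reply 10.0.0.1 is-at aa:bb:cc:00:00:01
"""


def parse_arp_reply(line):
    """Return (timestamp, ip, mac) for a reply line, or None if it is not one."""
    m = ARP_REPLY.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(log_text, max_ips_per_mac=1):
    """Scan ARP replies and return a list of human-readable alert strings.

    max_ips_per_mac is a tuning knob: a host that legitimately owns several
    addresses on one interface would otherwise trigger the second rule.
    """
    bindings = {}                   # ip -> MAC first seen for that ip
    ips_by_mac = defaultdict(set)   # mac -> set of IPs it has claimed
    alerts = []
    for line in log_text.splitlines():
        rec = parse_arp_reply(line)
        if rec is None:
            continue                # skip lines that are not ARP replies
        ts, ip, mac = rec
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"{ts} {ip} changed from {known} to {mac}")
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) == max_ips_per_mac + 1:
            alerts.append(
                f"{ts} {mac} now claims {len(ips_by_mac[mac])} IPs: "
                + ", ".join(sorted(ips_by_mac[mac]))
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_LOG):
        print("ALERT", alert)
```

On the sample log the detector reports the gateway and the host 10.0.0.7 changing MAC, and the one MAC claiming both addresses; the last line, a genuine reply from the real gateway, matches the first-seen binding and raises nothing.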
So what is the problem exactly? It is a very interesting problem. When we talk about software, the first thing when you write software, the first consideration is: is the software correct, is it doing what it is supposed to do? The next thing is probably: is it efficient, does it perform with acceptable performance? The next question: is it reliable, does it perform reliably depending on the kind of inputs I give it? Say, for example, I am sorting integers; if I give it negative integers will it do the correct thing; if I give it floating point instead, what will happen in that case; and so on and so forth. So, is it reliable software. But now there is another thing when we talk about security, and that is: is the software secure, in addition? So what exactly do we mean by secure software? What is the difference between secure software and reliable software? Is it in some way analogous to the difference between secure communication and reliable communication? So think about these things. When we talk about secure software: software may perform as expected under normal conditions, but when provided with specific input, specific input by a very intelligent adversary, malicious input, it becomes malicious. So I can change the input in a very strange way, not just arbitrary input but in a very strange way, maybe adding some JavaScript to it, for example, and then strangely enough it becomes malicious and it starts doing things that it should not do, like for example getting your credentials and so on. So examples of such software based attacks are buffer overflow, cross-site scripting, SQL injection, cross-site request forgery, clickjacking and so on and so forth. So now that we have talked about attacks, we have talked about attack goals, we have talked about vulnerabilities, the next obvious topic is defense strategies.
How do we defend against all these attacks? Once again there are different categories of defenses: prevention, detection, recovery and forensics. So just look at all the defenses that you have seen before, that you have taught your class, and ask yourself which category that defense belongs to. Say, for example, we talk about encryption: what does encryption defend against? It defends against eavesdropping. Is it a preventive kind of mechanism, is it a detective kind of mechanism, is it recovery, is it forensics, what is it? We talk about firewalls that hopefully filter traffic: is that a preventive mechanism, is it a detective mechanism, or what? We talk about intrusion detection systems: where does that thing lie? And so on and so forth. So let us take some examples. Code auditing and testing. You have written a web application and the next thing you need to do is to make sure it is secure. So you pass it through certain tools which audit the code, which test the code, and there are of course, as you know, two types of testing, black box testing and white box testing. So it tests against software flaws; what we are really doing by auditing the code and testing the code is we are preventing any possible attacks which exploit sloppy code. So this is an example of a preventive mechanism. Access control, two aspects of it, authentication and authorization. So what kind of mechanism is this? It is a preventive strategy because it prevents unauthorized access. So there is a whole field of access control, access control at different levels: in the operating system, for example, in databases, within the program, and so on and so forth, and of course within the network through firewalls.
So, access control at different levels. You might again want to think about it: how do you implement access control in the network, through a firewall; how do you implement access control in the operating system, by using permissions, by using mandatory access control, by using discretionary access control and so on and so forth. And this topic is sufficiently important that there are two chapters in the book dedicated to this, one chapter to firewalls and one chapter to operating system based access control. Another preventive mechanism is encryption, once again against eavesdropping.

What about detection? Some examples of this are integrity checking on messages and files, to see whether these files have been tampered with. So you might use something like a message authentication code, something like a cryptographic hash, which we will talk about in some detail later today and tomorrow. Something like a CRC may be very weak; if you are trying to protect the integrity of messages in transit, you need to use something stronger than that, and that thing typically is the message authentication code or MAC. Chapters five and seven contain details of this. Another example of detection is a full blown security product, which is the intrusion detection system. Again there are many varieties of this: there are intrusion detection systems that work by detecting anomalies and those that work based on signatures. So you have a database of signatures and you check a particular set of circumstances; you may check the payload of a packet to determine whether it contains a certain known malware. So, anomaly detection, signature detection; also there is another differentiation of IDSs, basically a host based IDS and a network based IDS. So these are examples of detection. So we have seen examples of prevention, now examples of detection. Before we move further, it is important to talk about some terms that are used very often in the security literature.
So, one such term is security policy, another term is security mechanism. So, what is the difference between policy and mechanism? So, this looks like some sort of a high level thing, this looks like some implementation. So, a security policy is a set of rules and practices that regulate how an organization manages and protects its computing and communication resources from unauthorized use or misuse. So, this would typically be a high level document. For example, users or employees within the organization are not allowed to access the following web pages. They can only access this white list of web pages, this list of 20 websites, and nothing else during office hours. That would be the security policy as laid down by the organization, typically from the CISO's desk. The CISO is the Chief Information Security Officer. So, somebody like him and his team would draft the security policy for a particular organization, and then a team of technical people, technical experts, would then go and see how best to implement that policy, what sort of tools are required to implement that policy. So, that is implemented via what is called a security mechanism, a technique or a device used to implement a security policy. For example, a firewall would be some such thing. Some more terms: access control and authorization. Access control is the process of preventing unauthorized access to a computing or communication resource, while authorization involves granting special permissions to different users or to different entities or to different principals to perform a restricted operation: reading a file, writing a file, accessing a printer and so on and so forth. So, there are various kinds of operations and associated with them would be permissions. So, this is a key word over here when we talk about authorization: permissions or rights. Now, you might have heard of these terms, but I will just repeat them.
Entity authentication is the process of verifying that the entity being communicated with is indeed the entity it claims to be. So, there are two types of authentication. The first is entity authentication. When two parties that are remote are trying to establish communication, the first thing is they need to know for sure that they are talking to the right person. So, for example, if you are interacting, you are one entity, your bank is another entity. You are doing internet banking; you want to make sure that you are really talking to State Bank of India and not somebody posing as State Bank of India. Likewise, State Bank of India wants to make sure that at the other end it is you and not somebody posing as you. So, that is entity authentication, and then a more fine-grained thing is message authentication. Once both parties have established that they are talking to the right entity, then every single message needs to be integrity protected and authenticated. So, we refer to that process as message authentication, the process of verifying the source or the origin of the message. In addition to authentication, there are some other terms, confidentiality and integrity. Confidentiality is the protection of data from disclosure to an unauthorized party or process, and then integrity is the assurance that the data has not been modified, tampered with or made inconsistent in any way. So, when the information is flowing from you to your bank, I want to make sure that everything in that message is the way you wanted it to be. It has not been tampered with in the middle and, secondly, it has actually been sent by you, and not that your message which was supposed to go to the other side has been hijacked and somebody else has now replaced your message by his message. So, this is the aspect of integrity that needs to be protected. And finally, non-repudiation offers a guarantee against repudiation or denial by a party of the fact that it created or it sent a particular message.
So, this is a rather strong kind of requirement, and for this, as you might be aware, to guarantee this you use something called a digital signature, while to guarantee the previous thing, just integrity and authentication, you use something called a MAC, a message authentication code. So, the digital signature guarantees integrity, authentication and, in addition, non-repudiation. If I send the message, I cannot tomorrow deny that I sent this message. If I signed the message, I cannot deny that it is my signature. So, how do you guarantee this in a digital sort of way? So, to conclude this particular session, I would like to just mention something about these different principles. Security is an area that has gone through, you know, much evolution over the last 10 years, over the last 20 years. If you think about it, most universities did not even have a security course 10 years ago. So, it was more like an art; there were different things on a plate. There were encryption technologies, there were, you know, system attacks, authentication methods, biometrics and so on and so forth. All these little pieces together, and security was just a bunch of all of these things on a big plate. One of the questions that I wanted to ask myself, or I asked myself over time, is: can we create a science out of all of this? It seems more like an art: this is my problem, I use this solution. But in order to create a science we need something like principles, we need something like laws, like theorems. So, there are certain subjects in mathematics, for example, say cryptography itself or number theory, where you have very nicely laid out theorems and proofs and everything follows very nicely and logically, but in security can we have something that is also similarly logical, something that makes much more sense? If you go back to software design, for example, there is a whole area in object oriented software design called design patterns.
You must have heard of the wrapper pattern and the observer pattern and the singleton pattern and the bridge pattern and so on and so forth. These are all patterns based on the experience of experts over years and years and years, and they put it all together and then they tell the software designer, the software programmer: if this is your problem then use the singleton pattern; if this is your problem I think you will need to use the observer pattern or the publisher subscriber pattern, and so on and so forth. So, these are all very well documented today and there are full books on design patterns. In much the same way I wanted to ask myself the question: are there any principles that are pretty much sacred? I will not say completely sacred, but more or less sacred, that guide the designer. Say, for example, you are a consultant, you are a security consultant; are there principles that can guide you in designing the security infrastructure in a particular organization? So, I came up with this little list. I am sure this list can be expanded, can be modified, etcetera, etcetera, but here are some of the principles. The first principle is: security is as much or more a human problem rather than a technological problem and must be addressed at different levels. So, security is not just about installing a firewall and putting some rules over there, or installing an IDS, or, you know, SIEM, security incident and event management. This is a new tool, by the way, which is a much more glorified version of the IDS. It is called the SIEM, security incident and event management tool. It is actually a suite of tools which are now being procured by many banks, by many companies worldwide, to ensure security within the organization and within their different branches. So, it is not just getting the SIEM, getting the IDS, getting a firewall, getting a VPN, virtual private network, etcetera, etcetera.
It is also a human problem; a human being is very, very important over there to guarantee the right level of security. So, it is as much a human problem as it is a technological problem, and must be addressed at different levels. So, besides technology it is also processes, it is also humans. Security is also a people problem and should involve a security team headed by a chief information security officer, almost at the level of a CEO or CTO (CTO is chief technology officer, CEO is chief executive officer, etcetera) in an organization. So, a CISO should have a very high rank; it should not be some small guy who is much below; a CISO should have executive powers also. So, a security team headed by a CISO, system administrators, all members of an organization should be involved in security through awareness programs. So, do not forget this: it is not just technology, it is not just processes, it is also people. So, many companies will tell you this; when you go and meet the security team they will say that it is not just technology, it is not just processes, but also people. So, that is the first security principle that we should note, and always remember that when you have to actually deploy security and make it work, people must also be involved, through awareness programs and such. Security should be factored in at inception, not as an afterthought. So, security is always the last guy in this role; we think of functionality, we think of performance, we think of reliability. Those are the traditional things that we have been talking about for the last 30 years or 40 years. Whenever we talk about anything that we design, a new product, a new protocol, etcetera, new software, we think in terms of functionality, we think in terms of performance, reliability, but what about security? Very often that is not considered at inception and then there is a big problem because of that.
Notice how many times you have got so many different versions of a protocol because security was not properly factored in. So, security should be factored in early on, during the design phase of a new product, and then carried forward right through implementation and testing, rather than just as a stop gap thing, an ad hoc kind of thing that has just been put in after the product is designed. So, there are many products that failed precisely because of this reason: security was not factored in at inception. A nice saying by Mark Tobias: you cannot make something secure if you do not know how to break it. So, make sure you try to break it; make sure you have got enough effort spent in trying to break it, ask other people to try to break this product that you have created, and if nobody can break it after months and months of trying, then maybe you can convince yourself that your product is secure. So, security practice principle 3: security by obscurity or by complexity is often bogus. So, just trying to make something complex so that nobody can understand what is inside it does not make it secure at all; you are fooling yourself. So, let the security community scrutinize it; actually, make it as transparent as possible. If I am designing a new cryptographic algorithm, give the code for the algorithm, give the actual algorithm to the entire world and say: now you hack into this. And if nobody can hack into it, if the best experts cannot hack into this after months and months of hacking, after years and years of hacking, then you could be pretty much sure that it is actually secure. So, let the security community scrutinize a crypto algorithm or a protocol before standardizing it. Let us get all the feedback we can, even if it is negative; this will help us identify and eliminate bugs prior to actual deployment. In this context openness and transparency, rather than obscurity, wins.
Another principle, security practice principle 4: always consider the default deny policy for adoption in access control. I am not saying 100 percent you should adopt default deny, but think about this seriously before you make any alternative choice. The default deny policy is the conservative approach in which the subject's request is denied unless it is on a white list. So, will I allow you to enter this particular room? Now there are two ways of answering that question. Is your name on this particular list? I have got a list of 50 people; if you are on this list I will allow you to enter. So, by default you will be denied permission to enter; you will only enter if your name is on a white list. So, this is the default deny policy; I have a very strict policy, only if your name is on the white list will you be allowed to enter. The other policy, which is the opposite, is default permit. So, I have got a black list of people; if your name is this, this, this, this or this, or if you look like this, this, this, you cannot enter this room; otherwise you can enter it. So, in the default permit policy I allow almost anybody to enter unless that person has got these attributes. So, the default deny policy is better than the default permit policy in general. I am not saying 100 percent, every time, but mostly it is default deny that is better. So, try to implement this in general. The next principle: an entity should be given the least amount or level of permissions or privileges needed to accomplish a given task. So, if there is a task to be performed you do not have to give that person supervisory privileges, because he might abuse them; it is pretty obvious, give him just the right level of permissions so that he can complete his task successfully. So, conferring higher privilege on an individual than what is warranted by his current role:
so, it is the role; what is the role of this person, what is this person doing or what is this person asked to do? Based on that you should give him that level of permissions and privileges. So, giving him a higher role or giving him a higher set of permissions could compromise the system through various kinds of privilege escalation attacks. So, these are another set of attacks that are due to misconfiguration of the system or of user rights and user privileges. Another very interesting principle is that of defense in depth; this is borrowed from the military. Defense in depth could help frustrate carefully laid out attack plans, and a good example of this principle is the use of at least two packet filtering appliances, such as firewalls from different vendors, and possibly configured by two different system administrators. So, here you have your input or ingress into the system, and what I do is I place one firewall. So, this is the internet over here and packets are getting ready to enter my organization from the internet; I place one firewall here, but I do not trust that firewall completely, so I place another firewall in another zone, so that whatever this firewall misses is captured and filtered out by the second firewall. So, this is very often used in organizations, two levels of firewalls; what escapes firewall one will hopefully be caught by firewall two and vice versa. So, this is defense in depth, security practice principle 7. Now, how much security to deploy, what should be my security budget? So, the thing that I need to estimate is what is called the risk; the risk is proportional to the assets, the vulnerabilities and the threat. So, what are the assets that you are trying to protect in your organization? If the assets do not count for much, if the assets do not have any value, what is the sense in providing security? I am talking typically about assets that are digital assets.
So, if this information that I have on all my disks is not worth too much, I do not care who steals that information. If that is the case, then what is the sense in actually deploying too much of a security budget? What is the point in spending too much on security if the assets to be protected are not worth very much? So, please understand what the assets are that you are trying to protect in an organization. The next thing is: what are the vulnerabilities? Study the vulnerabilities carefully. If there are no vulnerabilities, then there is again no need of spending too much on security. So, study what the vulnerabilities are, and the third thing is the threat: is there anybody that you see who is trying to threaten the organization? If there is a perceptible threat then of course you can enhance your security budget; otherwise you will have to carefully think about all of these three issues before you decide what security to deploy in your organization. You can have a security budget that is a few lakhs; you can have a security budget that is tens of crores. How much exactly to spend depends on your estimate of the assets, the vulnerabilities and the threat. And the final security practice principle is: carefully study the tradeoffs involving security before making any of these decisions. So, for example, you might have seen in other subjects that you have a tradeoff between cost and performance. If I am willing to deploy more servers I will get higher throughput, for example. So, that is one of the tradeoffs, performance versus cost, but in the context of security there are tradeoffs like security versus performance. So, once again I invite you to think about where these tradeoffs are made; where is a tradeoff between security and performance made? One particular example: if I want higher security in encryption I will use larger key sizes.
So, that gives me higher security, but on the other hand my performance goes down, because with a larger key size I need more computation power. So, there is a tradeoff between security and performance. Security versus cost: so, for example, I might get more security by buying an IDS that has got many more signatures; it has got a larger database of signatures, updates those signatures much more frequently, etcetera, but to do all the updating more frequently, etcetera, I might incur a greater cost. So, I have more security, but at a price which comes with greater cost. The vendor who is supplying me the security product says that I should pay much more if I want these signatures to be updated, say, every hour, for example, because I am paranoid about security. Another is security versus convenience or flexibility. So, as you know, it is a hassle to change your password every two months. It is a hassle to have a password that is at least 8 characters long and is not just alphanumeric, but also has punctuation marks and what not. So, there is a tradeoff between security and convenience. I would like not to have a password at all; it is such a pain every time typing this password. So, there is a tradeoff between security and convenience. The more security that I want, the more convenience I may have to sacrifice, just as you might have seen at airports. You want more security when you are flying and there is more frisking at the airports, there is more checking of your baggage and so on and so forth. As a result there are more delays and there is more of an irritation every time you enter the airport. So, these are some of the different principles in terms of security and I think you should think about each one of them and see how best to deploy them, see different examples of these things. So, with that I have finished the introductory session.
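The lecture above says that a CRC is too weak to protect messages in transit and that a MAC is what you need. The following block is an added example (editor's code, not part of the lecture or of the textbook it refers to) that makes the difference concrete: it takes a tampered message and appends four bytes chosen so that its CRC-32 equals the CRC-32 of the original, then shows that an HMAC-SHA256 tag over the original cannot be matched by the forgery without the shared key. The message text and the key are constructed for the demonstration; the CRC-32 table is the standard reflected one that `zlib.crc32` computes.

```python
# Added example (editor's code, not from the lecture): why a CRC is a weak
# integrity check for messages in transit while a keyed MAC is not.
import hashlib
import hmac
import zlib

# Reflected CRC-32 table (the polynomial zlib.crc32 uses), built from scratch
# so the forging routine below can walk one update step backwards.
_POLY = 0xEDB88320
_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ _POLY if c & 1 else c >> 1
    _TABLE.append(c)
# The high byte of each table entry is unique, so it identifies the index
# that produced it; that is what makes a single CRC update step invertible.
_REV = {t >> 24: i for i, t in enumerate(_TABLE)}
assert len(_REV) == 256


def crc32_forge(tampered: bytes, target_crc: int) -> bytes:
    """Return tampered + 4 bytes such that zlib.crc32(result) == target_crc.

    No secret is involved: CRC is a public, linear function, so anyone who can
    see the checksum can fix it up after editing the message.
    """
    # Walk four update steps backwards from the target register to learn
    # which table indices the last four input bytes must select.
    reg = target_crc ^ 0xFFFFFFFF            # undo the final XOR
    idx = []
    for _ in range(4):
        i = _REV[reg >> 24]
        idx.append(i)
        reg = ((reg ^ _TABLE[i]) << 8) & 0xFFFFFFFF
    idx.reverse()
    # Now run forwards from the tampered message's register, choosing each
    # patch byte so that the update hits the required index.
    reg = zlib.crc32(tampered) ^ 0xFFFFFFFF
    patch = bytearray()
    for i in idx:
        patch.append((reg ^ i) & 0xFF)
        reg = _TABLE[i] ^ (reg >> 8)
    return tampered + bytes(patch)


def forgery_matches(tampered: bytes, target_crc: int) -> bool:
    """True if the forged message really carries the target CRC-32."""
    return zlib.crc32(crc32_forge(tampered, target_crc)) == target_crc


def mac_tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 tag; cannot be recomputed without the shared key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(mac_tag(key, msg), tag)


def demo() -> dict:
    """Constructed sample: a bank instruction protected by CRC vs. by HMAC."""
    key = b"shared-secret-between-client-and-bank"   # assumed, for the demo only
    original = b"PAY 100 TO ALICE"
    crc = zlib.crc32(original)
    tag = mac_tag(key, original)

    tampered = b"PAY 9999 TO MALLORY"
    forged = crc32_forge(tampered, crc)

    return {
        "crc_accepts_forgery": zlib.crc32(forged) == crc,        # True
        "mac_accepts_forgery": mac_verify(key, forged, tag),     # False
        "mac_accepts_original": mac_verify(key, original, tag),  # True
        "forged_suffix_len": len(forged) - len(tampered),        # 4
    }


if __name__ == "__main__":
    print(demo())
```

The four appended bytes are arbitrary binary, so in practice an attacker hides them in a padding, comment or trailer field the receiver ignores; the receiver's CRC check still passes. The HMAC check fails because the tag depends on the key, which is exactly the property the lecture's "message authentication code" provides and a plain hash or CRC does not.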
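Principles 4 and 7 above (default deny, and two independently configured firewalls for defense in depth) can be shown on a toy packet filter. The block below is an added example (editor's code, not from the lecture). The rule sets, addresses and packets are constructed for illustration, and the evaluator is a first-match model rather than any real firewall's semantics. It evaluates the same packets under an allow list with default deny and under a block list with default permit, so that a port nobody wrote a rule for shows the difference, and then chains a second administrator's filter behind the first.

```python
# Added example (editor's code, not from the lecture): default deny versus
# default permit, and two filters in series for defense in depth.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv4Network
    proto: str                    # "tcp" or "udp"
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    proto: str
    dport: int


def rule(action: str, src: str, proto: str, dport: Optional[int] = None) -> Rule:
    return Rule(action, ipaddress.ip_network(src), proto, dport)


def pkt(src: str, proto: str, dport: int) -> Packet:
    return Packet(ipaddress.ip_address(src), proto, dport)


def evaluate(rules: Sequence[Rule], p: Packet, default: str) -> str:
    """First matching rule wins; `default` decides anything no rule covers."""
    for r in rules:
        if p.src in r.src and r.proto == p.proto and r.dport in (None, p.dport):
            return r.action
    return default


# Constructed rule sets (illustrative, not a real deployment).
# Default deny: list only what is needed; everything else is dropped.
ALLOW_LIST = [
    rule(ALLOW, "0.0.0.0/0", "tcp", 443),     # public HTTPS front end
    rule(ALLOW, "10.0.0.0/8", "tcp", 22),     # SSH only from the corporate LAN
]
# Default permit: list only what is known to be bad; everything else passes.
BLOCK_LIST = [
    rule(ALLOW, "10.0.0.0/8", "tcp", 22),     # LAN admins may SSH...
    rule(DENY, "0.0.0.0/0", "tcp", 22),       # ...nobody else
    rule(DENY, "0.0.0.0/0", "tcp", 23),       # telnet is never acceptable
]


def compare(p: Packet) -> Tuple[str, str]:
    """(decision under default deny, decision under default permit)."""
    return evaluate(ALLOW_LIST, p, DENY), evaluate(BLOCK_LIST, p, ALLOW)


# Defense in depth: a second filter, written by a different administrator,
# sits behind the first; a packet must be allowed by every stage.
INTERNAL_LIST = [
    rule(DENY, "10.200.0.0/16", "tcp"),       # guest VLAN gets no server access
    rule(ALLOW, "10.0.0.0/8", "tcp", 22),
    rule(ALLOW, "0.0.0.0/0", "tcp", 443),
]
STAGES = [(ALLOW_LIST, DENY), (INTERNAL_LIST, DENY)]


def layered(p: Packet, stages=STAGES) -> str:
    return ALLOW if all(evaluate(r, p, d) == ALLOW for r, d in stages) else DENY


if __name__ == "__main__":
    for p in (pkt("198.51.100.7", "tcp", 443),   # internet -> HTTPS
              pkt("198.51.100.7", "tcp", 22),    # internet -> SSH
              pkt("198.51.100.7", "tcp", 3306),  # internet -> MySQL, no rule exists
              pkt("10.200.5.5", "tcp", 22)):     # guest VLAN -> SSH
        print(p.src, p.proto, p.dport,
              "default-deny/default-permit:", compare(p),
              "layered:", layered(p))
```

The packet to port 3306 is the point of the exercise: neither administrator thought about it, and under default permit it sails through while under default deny it is dropped. The guest-VLAN SSH packet shows the second principle: the edge filter's broad 10.0.0.0/8 rule lets it in, and the independently written internal filter catches it.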