So, let us go for questions now. Sitaram Bhai in Patel Institute of Technology. Good morning sir. Yeah. So, my question is related to SIM, Security Information Management. Yes. There is one point of long time storage. Yes. Can anybody break the security of long time storage?

Yes, it is very interesting, and let me just take you to a domain which is slightly different: take hospital records, medical records. Now, they also have to be stored for a long time even though they are not computer networks, and it is similar. So, what they do is two things. One, of course, you want to store it for the long term and therefore you need a lot of data, and you need replication, duplication and so on. So, the cloud services and all, you know, to store it outside your organization is again risky because of privacy; that is why I went to the hospital and medical example. So, you do not want the service provider, whoever he is, to rely on or to read the data. So, what do you do? This is a very interesting concept in security. It is called splitting your data. It is like the treasure island map; you might have seen it in the movies, that there is a map where the treasure is buried. You tear that map into 10 pieces and give it to 10 different people, and only when all 10 of them come together and put their pieces together can they really understand the data. Likewise, each one is seeing only a piece of it. Very similarly, when you store your data long term in some other storage, you have to divide it into different parts, and each part alone will not reveal the full information, but if you assemble it back it will. So, this is a very interesting concept. I will just leave it at that, and those who want should read this further. This is called m of n: that if m out of n people, if 10 out of 15 people, combine, only then can the data be recreated.
So, this gives you some advantage of storing in a secure way in untrusted places: store different pieces in different places, and as long as all of them do not get together to cheat you, you will be able to preserve the data and also get your privacy. Next question.

One is, my question is where open proxy is used, and the advantage of open proxy?

Open proxy is usually used really by bad guys. So, a good guy, a good service provider, will never allow his proxy to be used by unknown people. But open proxy, let me qualify that statement a bit. There are societies which are open in the sense they are free; they do not want to disallow their citizens from doing things. So, in such societies open proxies are usually used by the bad guys. But there are other societies where the government is taking very strict action against citizens who try to read or learn or think beyond what is prescribed as the correct way to live. So, for such societies, providing open proxies is something that helps their citizens to, in some sense, overcome some of the restrictions. So, these answers are more in the nature of political. From a technical point of view, an open proxy is not a profit-making model, and it is to be provided only if you have some reason for allowing unknown people to benefit by hiding their identity. I gave you some examples of why people would want to do things like that, but in general, like Someshwar said, it is a misconfiguration. You have tried to configure a proxy only for students in your campus, and because you did not configure it properly, others are also able to use it to hide their identity.

In the morning we asked the same question. What is meant by birthday attack? Birthday attack. Birthday attack, now I understood. Tell me please about the Chinese Remainder Theorem.

The second one I will pass; you can read by Googling Chinese Remainder Theorem. Birthday attack, I will just give you a simple answer, which of course you can again read on Wikipedia and Google and so on.
See, there is a very interesting puzzle. In your room, how many people are sitting now? Maybe about 30 people. So, can you guess what is the chance that two people have the same birthday, just the date, day and month, not the year? So, these 30 are random people. Actually, it is not random; you are all teachers, you are all having a particular degree, but assume 30 random people are sitting in a room. What is the chance that two of them share? What do you think, is it a very low chance or a very high chance? So, let me continue the explanation. Surprisingly, if the number of people in the room exceeds 23 or so, there is a very high probability, more than 0.5, 0.6, that two people in the room have the same birthday, even though there are 365 different days on which they could have been born. Once the number of people exceeds 21 or 22, a clash is possible. Now, this principle is used when you do this integrity of files, when you hash files. Many different files, if they are hashing to a smaller domain, that is why it is called SHA-128, SHA-256: how many bits you are using to represent the hash, and the smaller your hash, the more chance of collision, that a wrong file can be mistaken for a right file because the probability of clashing is quite high. So, this is called the birthday paradox, and it is used in some scenarios to attack protocols which try to do sort of integrity checking, where you modify the message and you can still make the hash come out right and cheat the person into thinking that the message is authentic; you can compromise the integrity of the message. Chinese Remainder Theorem is a little more complicated; you can read that later on. Next question.

Good morning sir. Yeah. My question is related to OSSIM. Yeah. In the morning class we have seen OSSIM architecture, so many modules. Yeah. And one of the modules which is particularly interesting to us is vulnerability attack. Yes.
So, we would like to know something about what kinds of vulnerability attacks it is presently checking.

Okay. So, many of you will be aware that ethical hacking is the thing where a lot of professionals get together to go and check out whether a system or an organization is actually secure. So, many financial organizations, banks, or even stock exchanges and clearing corporations and so on, have a compulsory rule that once in three or four months they have to get an independent third party to come and do a security audit. And those people use tools which check for vulnerabilities, as there are many known vulnerabilities that keep getting published, and that is what Ashok was trying to tell you: that for software, for instance Apache server or SSL or Windows software, as people find out faults they keep reporting these, and the manufacturer or the software writer releases patches and bugs. Now most organizations find it very difficult to keep up with all this. So, they do have a system which is supposed to do all this; there is supposed to be information coming in and so on, but you can never trust that you have done everything perfectly. So, vulnerability assessment tools are tools that are used by these auditors to go to a client's network, plug in their PC or laptop, and it starts probing whether all the services available on that network have any known vulnerabilities. So, this is the OpenVAS that he talked about; he gave the website, you can go and see. And this sort of information is made available on a cooperative, crowd-sourcing basis for anybody to use, just like for email, where sites which are known to send spam have their IP addresses listed. For viruses, sites, web pages where viruses are concealed, are written down, and therefore, like a parental guidance, most proxy servers or mail servers can use such information, or OSSIM can use information like this, available in a trusted forum developed for this purpose, to block, deny or prevent bad things from happening.
So, this is what is meant by open vulnerability assessment with the help of only using port scanning? Please, louder. And when we identify the victim system, we will need to consult the iptables stored in a firewall? We will need to consult, or we will need to modify? Ok.

So, I think let me explain the second part, what Ashok was trying to say, and you should also see this is a slightly more advanced usage: that the firewall has rules which you have configured to the best of your knowledge and ability, but OSSIM is revealing to you that an address, let us say from China, is suddenly starting to send a lot of data to you, and your iptables, the way you had configured it originally, was allowing that particular IP address to kind of contact your web server. So, what you need to do is react. React means go and add a new rule in iptables. Now manually we can do it, but that is a very slow process, and what if it happens in the night when nobody is watching? So, this is called an intrusion prevention system, not an intrusion detection system. An intrusion detection system will simply find out something bad is happening and alert it. An intrusion prevention system will take the next step. Once it has found out that some IPs are causing trouble to me, it will go and add a new rule automatically in the firewall. So, the firewall will have an agent, an OSSIM agent, which will then be able to reconfigure the iptables, add one more rule, block this IP, drop the packet, so that when it restarts the service this particular IP will no longer be able to attack you. So, this is an example of trying to prevent the intrusion automatically. Now, this could lead to false positives. It is slightly troublesome, risky. You have to analyze the effect of this, that a genuine customer may get blocked. He may then go away. So, depending on the nature of your business and depending on the nature of this, the policies are set: when to block, what is a false positive, how long to tolerate.
And these are judgment calls that, as you become a security professional and start helping organizations, you have to use and configure the tool so that you strike the right balance between keeping your organization safe... So, one way to keep your organization safe, of course, is do not allow anybody to talk to you. Now, that is a very bad policy for most organizations. Therefore, you have to do this balancing, and that you will learn with experience. Yes.

Hello. Yes. Morning, sir. Good morning. I am sure once again, and here my question is like, if there are a number of requests coming from the same IP, what will happen? The first part, I think that it will block, the OSSIM system. And what if I try to virtualize multiple IPs and generate multiple requests, like DDoS or something like that? How much amount of traffic will it let pass at all at a particular time and then raise a threat alert?

Okay. So, the first one you answered yourself, but actually I just want to point out the converse: that you cannot simply block an IP because it is generating a lot of traffic, because it could be a proxy server. For instance, IIT Bombay: when 5000 students are surfing the internet, almost all of the requests are served by 2 or 3 IP addresses, which are the addresses of our proxy servers, the Squid servers. So, a lot of requests keep going out from those few IP addresses only from IIT Bombay, and therefore if Gmail or Google blocks it, then most of us will not be able to access the service, and it is not a good, healthy situation. Therefore, we have to be careful, and you cannot block only based on number of requests. So, therefore, the analysis has to be a little more sophisticated. Now, the second question relates to that. Answering that, maybe I should just give an analogy: it is a spy versus spy. Okay.
There is every scenario where what you can think of as a bad use or a DDoS could also be a legitimate use, based on how other users, whom you really want, access it. For instance, if you are Flipkart: if you just block, then you are going to lose sales, and if you do not block, then you are going to get denial of service. So, I was saying this in the previous question also: there is no easy answer to what you are asking. There is no "this is good, this is bad"; there is no black and white, and therefore many times you have to make judgment calls, and these judgment calls, with experience, the software can be trained on, and sometimes it makes better calls. This is the same situation in much information reasoning with uncertainty. When you apply for credit cards to banks, banks do not give everybody credit cards; they do a risk evaluation. If you are a young man driving a red car, a red color car, and so on, then you are more likely to cause damage, so they will deny it. If you are an old man and your children are married and so on, then you are less likely to be a risk. So, like that, they use some guidelines and rules. So, similarly, people use this; he said about IP reputation, right? All IP addresses are not equal. IP addresses used by a university like IIT or used by some Government of India agency are probably more trustworthy. IP addresses used in a private subnet of a network of a commercial service provider are less trustworthy, and this is not only based on the owner; it is also based on the history: if attacks have been reported in the last two months from these addresses or this range, it is more risky. So, I do not want to elongate this answer any more. All I want to tell you is this is what is called multi-factor uncertain reasoning. There is no clear 100 percent guaranteed correct answer, and these calls are taken by different... this is called security posture.
Some organizations take a very strict posture: if you are CIA or military or FBI, then yes; if you are a university, you take a different posture. So, please look for this; it is called security posture, and such a policy is made by the CISO. So, if you happen to become the CISO of a commercial organization, you have to face all these tough challenges. So, I will stop this here, and I hope you will enjoy the labs. We will come back during the labs and answer questions when you have questions in the need center. Thank you.