DAY 1: 04/9/2018
Session 1: Scenario based problems for Security Plan, Security Analysis and Security Design
Speaker: Cmdr. L.R. Parkash
Commander L.R. Parkash, Director of CDAC Chennai, began the session with a brief introduction to the activities at CDAC Chennai, which include developing open source software and security products and conducting training programmes. The lecture started with the definition of the word 'security', and he stressed that security is fully dependent on context. He then emphasised the Enterprise View, which can be described as the combination of Business Continuity Management, Information Security and IT Disaster Recovery. A Security Plan is a formal plan of action to secure a computer or information system. He used the example of a college network to explain how security planning is implemented. The speaker also focused on Risk Assessment and Analysis in terms of threat, asset and vulnerability, and supplemented it with the example of a Java exploit. The different phases of the Security System Development Life Cycle were discussed. The session summed up by listing international security standards and frameworks such as MOF, COBIT, SABSA, NIST and ISO/IEC 27000 for generating security plans, and by highlighting the importance of a Security Education, Training and Awareness programme.
Session 2: Security Review through Security Audit
Speaker: Cmdr. L.R. Parkash
Cmdr. L.R. Parkash started the session by explaining how to write an information security plan for a particular system. A security plan document mainly specifies purpose and scope, mission and vision, organisational structure, outputs and information assets. An information asset need not be limited to IT systems. The information asset summary plays a crucial role in determining the scope of the system. Workflows and other processes that are important to the administration of the organisation also need to be secured. While writing an information security plan one must be specific, but a plan that is too specific leaves gaps that become backdoors or vulnerabilities in the system, so a balance must be struck. He interacted with the audience on what personal data is and why critical sensitive data should be kept private. All students were grouped to draft a sample information security plan document for PEC. Risk assessment, a list of accepted risks, privacy controls and security initiatives are the other factors to be considered while preparing an information security plan. The session ended with the list of 20 Critical Security Controls (CSC), which are decisive for any information security plan; the CSC list is kept in the appendix of the plan document.
DAY 2: 05/9/2018
Session 1: Cryptography
Speaker: Cmdr. L. R. Parkash
Commander L. R. Parkash began the session on cryptographic protocols by interacting with the students and sharing real-life examples of encryption and decryption. He talked about symmetric versus asymmetric key encryption and the issues with each. With symmetric keys the number of keys to be shared grows quadratically: n parties need n(n-1)/2 pairwise keys, and each of those keys must somehow be shared securely. Asymmetric encryption removes the need to pre-share a secret, but it has its own problems: distributing public keys in a way that lets the recipient trust who owns them, and revoking keys that have been compromised. Although asymmetric encryption provides confidentiality, authentication, integrity and non-repudiation, in practice it does not scale on its own and is computationally much costlier, so hybrid encryption, which uses asymmetric encryption only to exchange a symmetric session key, is used. He had the students generate a keypair and send encrypted messages to each other. The speaker also discussed Public Key Infrastructure and how certificates are signed and shared: a certificate authority binds a public key to an identity by issuing a certificate, and publishes revocation information so that a compromised key can be withdrawn. At the end, the students were grouped and asked to set up a Certificate Authority server, generate certificates, and set up GPG. This added a dimension of practical implementation to the session and intrigued everyone in attendance.
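The hybrid approach described above, as an added worked example in Go (editor's code, not code from the session or from CDAC): a fresh AES-256-GCM key encrypts the message and RSA-OAEP wraps only that key under the recipient's public key, so the expensive asymmetric operation touches 32 bytes regardless of message size. The message, key sizes and helper names are the editor's assumptions. Tampering with the ciphertext or unwrapping with the wrong private key both fail, and KeysNeeded gives the n(n-1)/2 symmetric-key count against n keypairs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels on the wire: the AES session key wrapped under the
// recipient's RSA public key, plus the GCM nonce and the ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-GCM AEAD from a raw key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// HybridEncrypt encrypts msg under a fresh random 256-bit AES key and wraps
// that key with RSA-OAEP, so only the holder of the private key can unwrap it.
func HybridEncrypt(pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, msg, nil),
	}, nil
}

// HybridDecrypt unwraps the session key and opens the ciphertext; GCM's
// authentication tag makes any change to nonce or ciphertext fail loudly.
func HybridDecrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong private key or tampered envelope")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext or nonce modified")
	}
	return pt, nil
}

// KeysNeeded gives the number of secrets to manage for n parties: one per
// pair with symmetric keys only, versus one keypair per party.
func KeysNeeded(n int) (symmetric, asymmetric int) {
	return n * (n - 1) / 2, n
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed message for the demonstration.
	env, err := HybridEncrypt(&priv.PublicKey, []byte("meet at the usual place"))
	if err != nil {
		panic(err)
	}
	pt, err := HybridDecrypt(priv, env)
	fmt.Printf("decrypted: %q, err: %v\n", pt, err)
	env.Ciphertext[0] ^= 0x01 // flip one bit in transit
	_, err = HybridDecrypt(priv, env)
	fmt.Println("after tampering:", err)
	s, a := KeysNeeded(100)
	fmt.Printf("100 parties: %d pairwise symmetric keys vs %d keypairs\n", s, a)
}
```

The envelope carries no signature, so it gives confidentiality and integrity but not sender authentication; signing the envelope with the sender's private key is the piece the PKI session adds.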
Session 2: Blockchain Technology
Speaker: Mr. Arshdeep Bagha
Mr. Arshdeep Bagha, Director, Cloudemy Technology Labs LLP, Chandigarh, started the session by discussing the four industrial revolutions, the fourth being Cyber Physical Systems. He explained the concept of blockchain technology along with its evolution, and discussed web 1.0, web 2.0 and web 3.0, placing blockchain under web 3.0. He then covered the basic concepts of blockchains: the definition, the block structure, the Merkle tree and so on. He explained the difference between blockchain and Bitcoin and talked about Satoshi Nakamoto and the paper "Bitcoin: A Peer-to-Peer Electronic Cash System". The characteristics of a blockchain were discussed, e.g. immutable, secure and transparent, no central authority, privacy, scalable and many more. He described various types of smart contracts, such as crowdfunding contracts, escrow contracts and voting contracts, then elaborated on the blockchain stack and the differences between a web app and a decentralised app. He also outlined applications of blockchain in banking, insurance, solar charging stations, shipment tracking and others, and gave a demonstration of a solar charging app. He discussed the double spending problem, which refers to spending the same money more than once, and wrapped up the session with the challenges and future prospects of blockchain technology.
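An added example (editor's code, not from the session or any blockchain project) of the Merkle tree mentioned above: the transactions are constructed strings, the root commits to all of them, a short inclusion proof lets a light client check that one transaction is in the block without downloading the whole block, and altering any transaction changes the root, which is what chaining block headers by hash turns into immutability. Leaves and internal nodes are hashed with different prefixes so an internal node cannot be passed off as a leaf; the duplication of an odd last element follows Bitcoin's convention.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// leafHash hashes a transaction under a 0x00 prefix; internal nodes use 0x01,
// so the two kinds of node live in separate domains.
func leafHash(tx []byte) []byte {
	h := sha256.Sum256(append([]byte{0x00}, tx...))
	return h[:]
}

func nodeHash(left, right []byte) []byte {
	buf := append([]byte{0x01}, left...)
	h := sha256.Sum256(append(buf, right...))
	return h[:]
}

func leaves(txs [][]byte) [][]byte {
	out := make([][]byte, len(txs))
	for i, tx := range txs {
		out[i] = leafHash(tx)
	}
	return out
}

// pad duplicates the last hash when a level has an odd number of nodes.
func pad(level [][]byte) [][]byte {
	if len(level)%2 == 1 {
		level = append(level, level[len(level)-1])
	}
	return level
}

// nextLevel pairs up an (already even) level into its parents.
func nextLevel(level [][]byte) [][]byte {
	next := make([][]byte, 0, len(level)/2)
	for i := 0; i < len(level); i += 2 {
		next = append(next, nodeHash(level[i], level[i+1]))
	}
	return next
}

// MerkleRoot returns the root committing to every transaction (nil for an empty block).
func MerkleRoot(txs [][]byte) []byte {
	if len(txs) == 0 {
		return nil
	}
	level := leaves(txs)
	for len(level) > 1 {
		level = nextLevel(pad(level))
	}
	return level[0]
}

// ProofStep is one sibling hash on the path from a leaf up to the root.
type ProofStep struct {
	Sibling []byte
	Left    bool // true when the sibling sits to the left of the node being proven
}

// MerkleProof builds the inclusion proof for txs[idx]: log2(n) sibling hashes.
func MerkleProof(txs [][]byte, idx int) []ProofStep {
	var proof []ProofStep
	level := leaves(txs)
	for len(level) > 1 {
		level = pad(level)
		sib := idx ^ 1
		proof = append(proof, ProofStep{Sibling: level[sib], Left: sib < idx})
		level = nextLevel(level)
		idx /= 2
	}
	return proof
}

// VerifyProof recomputes the root from one transaction and its proof; a light
// client needs only the trusted root, not the other transactions.
func VerifyProof(root, tx []byte, proof []ProofStep) bool {
	h := leafHash(tx)
	for _, s := range proof {
		if s.Left {
			h = nodeHash(s.Sibling, h)
		} else {
			h = nodeHash(h, s.Sibling)
		}
	}
	return bytes.Equal(h, root)
}

func main() {
	// Constructed transactions for the demonstration.
	txs := [][]byte{
		[]byte("alice->bob:5"), []byte("bob->carol:2"), []byte("carol->dave:1"),
		[]byte("dave->erin:7"), []byte("erin->alice:3"),
	}
	root := MerkleRoot(txs)
	fmt.Println("root:", hex.EncodeToString(root))
	proof := MerkleProof(txs, 2)
	fmt.Println("tx 2 included:", VerifyProof(root, txs[2], proof))
	txs[2] = []byte("carol->dave:100") // rewrite history
	fmt.Println("altered block keeps root:", bytes.Equal(MerkleRoot(txs), root))
}
```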
Session 3: Cryptography Public Key Infrastructure (PKI) and Digital Signatures
Speaker: Cmdr. L.R. Parkash
Cmdr. L.R. Parkash began by talking about Public Key Infrastructure (PKI) and digital signatures. The speaker explained how different types of websites are certified by Certifying Authorities (CAs). Financial websites require many more checks than other websites, so they obtain Extended Validation certificates, for which the CA verifies the legal identity of the organisation. He also spoke about secure communication using symmetric and asymmetric encryption and explained the concept of a domain by defining it as a boundary of control. A brief explanation of the root CA was given, and where a root CA is present (in the trust stores shipped with operating systems and browsers). Taking DigiCert as an example, he mentioned that a root CA has many intermediate CAs which share its workload, which also lets the root key stay offline. There are different types of certificates, such as personal certificates, commercial certificates and certificates of other people (contacts). The contents of a certificate were discussed in detail. CDAC has developed a digital signing system known as e-Hastakshar, CDAC's eSign service, which lets citizens sign documents online instantly in a legally acceptable form. He ended the talk with a discussion of the eSign architecture and motivated the students to work in the area of digital signatures and the other spheres of technological advancement that modern society needs.
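Both the CA-setup exercise from the morning cryptography session and the root and intermediate CA structure described here can be seen in one added Go example (editor's code, not CDAC's and not from the session): a self-signed root issues an intermediate, the intermediate issues a leaf certificate for a constructed site name, and a client verifies the chain the way a browser does, trusting only the root and taking the intermediate from the server. The CA names, serial numbers and validity periods are assumptions; a missing intermediate, a wrong host name or a leaf from an unrelated CA all fail verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds what a browser sees: the root (in its trust store), the
// intermediate that does day-to-day issuance, and the site's leaf certificate.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func validity() (time.Time, time.Time) {
	now := time.Now()
	return now.Add(-time.Hour), now.Add(24 * time.Hour)
}

// caTemplate describes a CA; pathLen limits how many further CAs may hang below it.
func caTemplate(cn string, serial int64, pathLen int) *x509.Certificate {
	nb, na := validity()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example PKI"}},
		NotBefore:             nb,
		NotAfter:              na,
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate describes an end-entity certificate for one host name.
func leafTemplate(site string, serial int64) *x509.Certificate {
	nb, na := validity()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: site},
		DNSNames:     []string{site},
		NotBefore:    nb,
		NotAfter:     na,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue generates a fresh P-256 key for tmpl and has parentKey sign it;
// with parent == nil the certificate is self-signed, i.e. a root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain sets up root -> intermediate -> leaf for one site.
func BuildChain(site string) (*Chain, error) {
	root, rootKey, err := issue(caTemplate("Example Root CA", 1, 1), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate("Example Intermediate CA", 2, 0), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(leafTemplate(site, 3), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyLeaf does what a TLS client does: trust only the given roots, take
// intermediates from the server, and check host name and key usage.
func VerifyLeaf(leaf *x509.Certificate, intermediates, trustedRoots []*x509.Certificate, site string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustedRoots {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       site,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	c, err := BuildChain("bank.example") // constructed host name
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf issued by:", c.Leaf.Issuer.CommonName)
	fmt.Println("full chain:", VerifyLeaf(c.Leaf, []*x509.Certificate{c.Intermediate}, []*x509.Certificate{c.Root}, "bank.example"))
	fmt.Println("no intermediate:", VerifyLeaf(c.Leaf, nil, []*x509.Certificate{c.Root}, "bank.example"))
	fmt.Println("wrong name:", VerifyLeaf(c.Leaf, []*x509.Certificate{c.Intermediate}, []*x509.Certificate{c.Root}, "evil.example"))
}
```

Revocation is the one part of the session this does not cover: Go's verifier checks signatures, validity dates, name constraints and path length, but CRL or OCSP lookups are the application's responsibility.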
Session 4: Hands-on Workshop on Competitive Programming
Speaker: Mr. Sandeep Jain, Mr. Ayushman Bansal
The founders of the extremely popular learning platform GeeksforGeeks started the session with the story of their website's inception and how their aim was to motivate students to prepare for placement interviews. They described their humble beginnings: they used to contact students from IITs to learn about interview questions and patterns, and then prepared for the same questions in order to crack placement interviews. While learning through this process, the team came up with the idea of building their own group to share interview experiences and questions, which grew into a large platform. Data Structures and Design of Algorithms are the two key subjects a computer science student must master, according to the speakers; these core subjects play a vital role in every job profile. They spoke about fair pay and disclosed that they pay students for their contributions to GeeksforGeeks. The key categories of the GeeksforGeeks website were also presented to help students start their preparation, and internship programmes offered by GeeksforGeeks were mentioned as a way for students to improve their skill set. The talk ended with an interactive question and answer session with the enthusiastic students.
DAY 3: 06/9/2018
Session 1: Key-length Management
Speaker: Cmdr. L. R. Parkash
Commander L. R. Parkash began the session by discussing key length management for symmetric and asymmetric keys. A brute force attack on a key involves a large amount of computation, and parallel processing is usually needed to make it effective; he used the example of the Chinese Lottery (every participant's device tries a share of the key space) to explain this. Key length management has practical and mandatory safeguards which need to be followed. The concepts behind the dictionary attack, the length extension attack and the rainbow table attack were discussed in detail. A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes; such tables recover passwords (or credit card numbers, etc.) up to a certain length drawn from a limited character set. A rainbow table does not work against Linux password hashes, however, because each stored hash is computed over a random per-user salt as well as the password, so no single precomputed table matches; salting is the standard defence against rainbow table attacks. A commonly used cryptosystem for GSM communications is the A5 ciphering algorithm. He advised keeping up to date with legal and regulatory requirements on key lengths. A case study of the recent cyber-attack on Pune-based Cosmos Bank, described as an 'ATM jackpotting' attack, was discussed. ATM jackpotting is the exploitation of both physical and software vulnerabilities in banking kiosks or cash dispensing machines such as ATMs. At the end of the session, the speaker motivated the students to read such real-life case studies, analyse the security lapses and relate them to their theoretical knowledge.
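The point about salting, as an added example in Go (editor's code, not from the session): with unsalted SHA-256 one precomputed table (here a constructed four-word list standing in for a rainbow table) cracks any user by a single lookup; with a random per-user salt the table misses, and the attacker must re-hash the whole wordlist for every salt, multiplied by the iteration count. The iterated SHA-256 loop is a stand-in for a proper password hash such as bcrypt, scrypt or Argon2, and the wordlist and passwords are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// UnsaltedHash is what a naive system stores: identical passwords give
// identical hashes, so one precomputed table cracks every user at once.
func UnsaltedHash(pw string) string {
	h := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(h[:])
}

// SaltedHash mixes a per-user salt into every round. The iteration loop is a
// constructed stand-in for a real password KDF (bcrypt, scrypt, Argon2).
func SaltedHash(salt []byte, pw string, iters int) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	for i := 1; i < iters; i++ {
		h = sha256.Sum256(append(h[:], salt...))
	}
	return h[:]
}

// Record is the stored verifier. Salt and iteration count are not secret;
// their job is to make precomputation useless and guessing slow.
type Record struct {
	Salt  []byte
	Hash  []byte
	Iters int
}

func NewRecord(pw string, iters int) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	return Record{Salt: salt, Hash: SaltedHash(salt, pw, iters), Iters: iters}, nil
}

// VerifyPassword recomputes the hash and compares in constant time.
func VerifyPassword(rec Record, pw string) bool {
	return subtle.ConstantTimeCompare(SaltedHash(rec.Salt, pw, rec.Iters), rec.Hash) == 1
}

// BuildTable precomputes hash -> password for a wordlist: a tiny stand-in
// for a rainbow table, built once and reused against every victim.
func BuildTable(words []string) map[string]string {
	t := make(map[string]string, len(words))
	for _, w := range words {
		t[UnsaltedHash(w)] = w
	}
	return t
}

// CrackUnsalted needs one lookup per stolen hash and no hashing at all.
func CrackUnsalted(table map[string]string, stolen string) (string, bool) {
	pw, ok := table[stolen]
	return pw, ok
}

// CrackSalted cannot use the table: the attacker re-hashes the wordlist under
// this user's salt. It returns the password found and the hash computations spent.
func CrackSalted(rec Record, words []string) (string, int) {
	work := 0
	for _, w := range words {
		work += rec.Iters
		if subtle.ConstantTimeCompare(SaltedHash(rec.Salt, w, rec.Iters), rec.Hash) == 1 {
			return w, work
		}
	}
	return "", work
}

func main() {
	words := []string{"123456", "password", "letmein", "welcome"} // constructed wordlist
	table := BuildTable(words)
	pw, ok := CrackUnsalted(table, UnsaltedHash("letmein"))
	fmt.Println("unsalted: found", pw, ok)
	rec, err := NewRecord("letmein", 10000)
	if err != nil {
		panic(err)
	}
	_, ok = CrackUnsalted(table, hex.EncodeToString(rec.Hash))
	fmt.Println("table hit on salted hash:", ok)
	pw, work := CrackSalted(rec, words)
	fmt.Println("salted: found", pw, "after", work, "hash computations")
}
```

A weak password is still found once the attacker targets that one user; the salt only removes the one-table-cracks-everyone economy, and the iteration count (or a memory-hard KDF) is what makes each guess expensive.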
Session 2: Virtual Private Networks
Speaker: Cmdr. L. R. Parkash
Commander L. R. Parkash introduced the concepts of port addresses and NAT. NAT maps private IP addresses to a public IP address; its main use is to limit the number of public IP addresses an organisation needs, for both economy and security. Port numbers direct packets to a particular application on a system. Some services have conventionally assigned permanent port numbers, the well-known ports; in other cases a port number is assigned temporarily, for the duration of a request and its completion, from a range of ephemeral ports. Security features and attacks in this model were elaborated with examples. For instance, a DoS or DDoS attack on a web server sends large numbers of bogus requests to exhaust the server's connection capacity so that legitimate clients cannot be served. NAT as commonly deployed drops unsolicited packets from outside, since there is no translation entry for them, so a host on the private network is reachable only through a connection it initiated or an explicit port forwarding rule; this is a side effect, not a substitute for a firewall. The concept and implications of net neutrality were discussed with the students: an ISP can inspect users' traffic and route or prioritise it differently for different users. The speaker then introduced Virtual Private Networks. VPN technology was developed to allow remote users and branch offices to securely access corporate applications and other resources. Data travels through secure (encrypted and authenticated) tunnels, and VPN users must authenticate, with passwords, tokens or other unique identification methods, to gain access to the VPN. The session ended with Cmdr. Parkash motivating the students to thoroughly study the basic and advanced communication infrastructure of the internet and to create solutions to day-to-day problems.
DAY 4: 07/9/2018
Session 1: Applied Cryptographic Applications
Speaker: Cmdr. L. R. Parkash
Cmdr. L. R. Parkash started the session by discussing VPN tunnelling. A VPN tunnel has three components: the carrier protocol (the network the tunnel runs over), the passenger protocol (the traffic being carried) and the encapsulating protocol that wraps one in the other. A thorough explanation of how data is encapsulated and transmitted over a VPN was given. Tunnelling can be site-to-site or remote access. The advantages of VPNs include scalability, mobility, security and cost effectiveness; the main disadvantages are unpredictable internet traffic and the need to understand the security issues involved. A brief presentation was given on the Address Resolution Protocol (ARP), which is used to obtain the MAC address for a given IP address. ARP is a stateless protocol with two jobs: answering queries and announcing ownership of an address (gratuitous ARP). Hosts maintain ARP cache tables mapping IP addresses to MAC addresses. The major weakness of ARP is ARP spoofing: announcements are not authenticated and requests are not tracked, so a host's ARP table can easily be poisoned with false entries, which lets an attacker on the same network segment mount a man-in-the-middle attack. Defences against ARP spoofing include software detection tools such as XArp, Arpwatch and Anti-arpspoof, and static MAC binding. The speaker ended the lecture with a short discussion of TCP session hijacking, droppers and botnets.
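Arpwatch-style detection over constructed capture lines, as an added Go example (editor's code, not the tools named above): the monitor learns the first MAC announced for each IP, keeps static bindings for addresses that must never move (the gateway here), and raises an alert when a later reply contradicts either, which is exactly the trace an ARP poisoning attack leaves. The capture line format, IP addresses and MACs are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Alert records an IP whose announced MAC changed or contradicts a static binding.
type Alert struct {
	Line   int
	IP     string
	OldMAC string
	NewMAC string
	Reason string
}

// ParseReply extracts IP and MAC from a constructed capture line of the form
// "<epoch> ARP reply <ip> is-at <mac>"; requests and other lines are ignored.
func ParseReply(line string) (ip, mac string, ok bool) {
	f := strings.Fields(line)
	if len(f) != 6 || f[1] != "ARP" || f[2] != "reply" || f[4] != "is-at" {
		return "", "", false
	}
	return f[3], strings.ToLower(f[5]), true
}

// DetectSpoof plays an Arpwatch-style monitor over capture lines. bindings
// holds static IP->MAC pairs that must never change (e.g. the gateway); every
// other IP is learned on first sight and flagged when its MAC later changes.
// It returns the alerts and the final IP->MAC table.
func DetectSpoof(lines []string, bindings map[string]string) ([]Alert, map[string]string) {
	seen := make(map[string]string)
	for ip, mac := range bindings {
		seen[ip] = strings.ToLower(mac)
	}
	var alerts []Alert
	for i, line := range lines {
		ip, mac, ok := ParseReply(line)
		if !ok {
			continue
		}
		prev, known := seen[ip]
		if !known {
			seen[ip] = mac // first announcement: learn it
			continue
		}
		if prev == mac {
			continue
		}
		_, static := bindings[ip]
		reason := "MAC changed for learned IP"
		if static {
			reason = "reply contradicts static binding"
		} else {
			seen[ip] = mac // learned entries follow the change; static ones do not
		}
		alerts = append(alerts, Alert{Line: i + 1, IP: ip, OldMAC: prev, NewMAC: mac, Reason: reason})
	}
	return alerts, seen
}

// sampleCapture is a constructed trace: the gateway 10.0.0.1 is impersonated
// by de:ad:be:ef:00:99 at line 4, and 10.0.0.9 flips MAC at line 7.
var sampleCapture = []string{
	"1536300000 ARP reply 10.0.0.1 is-at aa:bb:cc:00:00:01",
	"1536300001 ARP reply 10.0.0.7 is-at aa:bb:cc:00:00:07",
	"1536300002 ARP request who-has 10.0.0.9 tell 10.0.0.7",
	"1536300030 ARP reply 10.0.0.1 is-at de:ad:be:ef:00:99",
	"1536300031 ARP reply 10.0.0.7 is-at aa:bb:cc:00:00:07",
	"1536300032 ARP reply 10.0.0.9 is-at de:ad:be:ef:00:99",
	"1536300040 ARP reply 10.0.0.9 is-at aa:bb:cc:00:00:09",
}

func main() {
	gateway := map[string]string{"10.0.0.1": "aa:bb:cc:00:00:01"} // assumed static binding
	alerts, table := DetectSpoof(sampleCapture, gateway)
	for _, a := range alerts {
		fmt.Printf("line %d: %s %s -> %s (%s)\n", a.Line, a.IP, a.OldMAC, a.NewMAC, a.Reason)
	}
	fmt.Println("final table:", table)
}
```

A real deployment would read replies from a packet capture rather than text lines and would also watch for one MAC claiming several IPs at once, which is the other common signature of a poisoning tool.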
Session 2: Digital Business Transformations
Speaker: Mr. Prashant Mehta, Sapient
Mr. Prashant Mehta, VP of Sapient, started the session by describing the growth of the marketing technology landscape over the past seven years. We are moving from a mobile-first to an AI-first world, and it is hard to overstate how big an impact AI is going to have on society in the next 20 years. He quoted Andrew Ng's remark that AI is the new electricity, and the prediction that robots will have an IQ of 10,000 in 30 years. The average lifespan of an S&P 500 company was about 65 years in the 1960s; now it is closer to 15 years and is projected to get even shorter. Four out of ten companies that are top ranked in their industry will not survive the next five years. The pace of change we see today will be a pale shadow of the unfolding future: the future happens very slowly and then all at once, and we are at the beginning of the most transformative revolution ever. Although many of the techniques and algorithms of machine learning and AI have been around since the 1950s, only recently have three factors coincided to make scalable and replicable solutions available: the cost of compute and storage has fallen, data is abundant, and the algorithms are smarter. He also outlined the five pillars of transformation: data and AI, cloud, sensors, ways of working, and culture. The talk ended by motivating the students to keep learning and improving themselves with time.
Session 3: Information Security Threats
Time: 02.00 PM - 04.00 PM
Date: 07/09/2018
Speaker: Cmdr. L.R. Parkash
Cmdr. L.R. Parkash, Head of CDAC Chennai, discussed security auditing, social engineering and proxy servers in this session. He defined security auditing as a systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. He then explained the concept of a proxy with a simple example: a proxy server is a dedicated computer or a software system that acts as an intermediary between an endpoint device and the servers it requests resources from. A proxy can speed up operations through caching, and is used mainly for control, security and convenience; he briefly mentioned the Squid proxy. Moving on, he explained social engineering with real-life examples, defining it as the psychological manipulation of people into performing actions or divulging confidential information. He gave the example of the Royal Bank of Scotland, and the example of a Jharkhand gang that used fake Aadhaar verification calls to target pension accounts. User awareness, he suggested, is the only way forward against social engineering. He further outlined some famous attacks such as Petya and WannaCry. The speaker then presented the concept of the Dark Net and its characteristics: it is not searchable, not resolvable and not routable from the ordinary internet. He listed some security firms such as Vupen Security, Hacking Team and Cellebrite. The talk ended by encouraging the students to keep pace with the growing technology.