Wednesday, February 19, 2014

India still vulnerable to Information Security Threats

EC-Council Foundation, a not-for-profit initiative by EC-Council (The International Council of Electronic Commerce Consultants), world leaders in cyber security certification, today unveiled the second phase of their report Talent Crisis in Indian Information Security, at a roundtable held in New Delhi. Identifying major gaps in the present day skill situation, the report clearly showcased talent levels in nine crucial segments of information security, the implications of which could impact handling of cyber threats in industries such as Banking and Economy, Defence, Healthcare, Information, Energy and more.

The methodology involved studying data assembled during EC-Council’s Code-Uncode contest, in which over 10,000 students from various colleges across India participated. The entire group was assessed across various skill categories, including Application Architecture, Authentication and Authorisation, Code Review, Cryptography, Error Handling, File Handling, Fundamentals, Input Validation and Session Management. Each question in the preliminary round was categorized by skill. Based on the responses to the questions in each category, an analysis of expertise in the respective skill was drawn.

Close to an alarming 75% of participants showed low levels or a lack of skill in Error Handling, thereby displaying a vulnerability known to lead to the disclosure of sensitive information and denial-of-service attacks. An example of such a threat is the instance from May 2012, when a hackers’ group called Anonymous India brought down government websites, including those belonging to the IT and Telecom Departments. The tool used was, not surprisingly, DDoS attacks. A parallel is a recent case in the United States in which three US banks were subject to DDoS-related thefts, with hackers using ‘low powered’ DDoS attacks as a decoy.

A startling 73% of participants were not adequately equipped with skills in File Handling, leaving only 27% trained in the skill. Experts have recognised that Malicious File Inclusions, Malware Distribution and DDoS attacks are known threats that can arise out of improper file handling, and such threats are often used to synchronise attacks on websites or large networks.

The report also revealed that a meagre 28% of participants understood the process of Authentication and Authorisation, a skill crucial to data protection and essential for programmers. Prospective threats include credential theft, eavesdropping, brute-force and dictionary attacks, data tampering, account hijacking and disclosure of confidential data, among others.

Only approximately 29% of participants were adept in the area of Input Validation. While 66% displayed poor handling skills in Session Management, only around 36% were equipped with sound Fundamentals of secure coding knowledge. 28% of participants displayed the ability to be good cryptographers and a lukewarm 39% proved eligible to efficiently handle prospective Application Architecture risks. Only 30% were well prepared to take on roles in Code Reviewing.

Akash Agarwal, Country Head, India at EC-Council, said, “The first phase of our report was an analysis of the secure programming skills of students across India, but with this second phase, we have come across a serious talent crisis and skill gap in vital areas of programming. We cannot afford to lag behind the rest of the world. It is fair to say that there are only proven ways of continuously managing the risks and getting the younger lot trained with the right skills and knowledge is our best preparation for the future.”

Sanjay Bavisi, President, EC-Council Foundation, addressing the gathering, said, “India is the software capital of the world and a lot of progress has been made technology wise. However, it is disheartening that there are risks posed by vulnerabilities and information security threats to the nation’s IT infrastructure across industries. Whereas, what we need in an ever-evolving cyber security landscape is talent that responds to sophisticated threats in a timely manner. To enable a task force set up, we need a talent pipeline that is trained to confidently fix the weak spots. Our initiatives in India are towards providing an identification and sustained development of talent in the field of Information Security.”

The findings of EC-Council Foundation’s report were announced along with the launch of iLabs, a virtualized cyber security training platform. More details of the report can be viewed at www.eccouncil.org.

 About EC-Council Foundation:

EC-Council Foundation is a not-for-profit initiative by EC-Council to raise awareness of online safety issues for the global community while unifying global cyber defense. EC-Council Foundation’s mission is to unify global cyber defense by fostering collaboration and participation of online computer users to become advocates for safe on-line activities for youth and adults alike through education, and training programs. Cyber security statistics show that the majority of security breaches are: low in difficulty, take a long time to discover, are discovered by outside parties, and are perpetrated by outsiders. Through our programs we aim to stop malicious hacking at its core cause, while creating an opportunity for ethical hacking to be accepted and practiced without any discrimination, across all geographical boundaries for the purpose of understanding what it takes to protect and secure critical information and assets.

We foster child online protection and cyber security awareness through our programs. These include:


· Global Cyberympics
· The Cyber Post
· Code Uncode
· Live. Learn. Secure.

EC-Council Foundation’s parent company, The International Council of E-Commerce Consultants, also known as EC-Council, is a member-based organization that certifies individuals in e-business and information security skills. It is the owner and creator of the world-famous Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI), EC-Council Certified Security Analyst (ECSA), Licensed Penetration Tester (LPT), and numerous others that are offered in over 92 countries through more than 600 training partners globally. EC-Council has trained over 120,000 individuals and certified more than 60,000 security professionals.

Individuals who have achieved EC-Council certifications include those from some of the finest organizations around the world such as the US Army, the FBI, Microsoft, IBM and the United Nations.