We always should take multi-dimensional proactive and if possible, a holistic approach to protect our system when it comes to security. The online CAT examination is probably a lesson for all of us to learn the basic thing.

We claim our nation as the future hub or destination of information technology in near future. We project our nation as one of the most advanced digital nations in the 21st century. We claim our nation as one of the nations, who holds vast resource of talented IT students, professionals and experts. All claims stand absolutely small; when news like online CAT exam failure comes up as headline ones.

Are we really fit enough to be called as one of the most progressive IT nations? Are we really serious and skilled enough to handle such incidents proactively? Are we really prepared enough to create a flawless digital educational environment? Do we have ability to identify right vendor for execution of a serious project? I understand security never can be 100% proof. It never can create fully protected environment. But despite all these excuses, we can adopt a proactive and holistic approach to prevent all these unwanted incidents at least. Thousands students’ career are at stake. Who should take the responsibility of such irresponsible act?

The Blame Game

The first-ever experiment of the IIMs to conduct its CAT using computers ran into trouble in many centres across the country. The computer-based Common Admission Test (CAT) in around 50 centres across the country was on Sunday rescheduled to allow necessary repairs to be completed at the labs where technical glitches disrupted the exams on the first day. Prometric, the American firm has been entrusted with the task of conducting the tests. The American firm has been awarded a USD 40 million contract by the IIMs to computerize the prestigious CAT. According to sources from IIM-A, this contract is meant for conduct of the exam by the agency for about 20 years.

While almost 20,000 candidates completed their exams on Day One, computer viruses at a number of testing centers prevented over 2,000 candidates from taking the exams. Due to "virus attack" in the computers, nearly 4,000 students could not appear in the test during the first two days of the 10-day long staggered entrance that started on 28th Nov.
Scores of students were unable to appear in the test at several centres on 30th Nov also as technical glitches continued to disrupt the exam. Candidates could not appear in the test at a few centres in Mumbai, Bangalore and Ghaziabad owing to malfunctioning of computers at these places.

Due to the vast system glitches, candidates were blocked to access first online version and as a result anxiety swept scores of examination centres for the CAT. From Bangalore to Delhi, there was massive confusion as students were either refused entry or simply forced to walk out because the system appeared to have collapsed and would not open up for them to answer the questions. In several New Delhi centres, the first session, which was scheduled to start at 10 am, was delayed by roughly half-an-hour. When students tried to log in, computers took ages to boot up and, in many cases, rejected the password. The scene was not very different in the evening session.
Samir Barua, director, IIM Ahmedabad, told Hindustan Times: “We have failed in delivering an error-free system… We feel responsible and will move forward (in correcting those errors).”  Prometric Chief Operating Officer Charles Kernan said: “We were not able to detect some viruses that intruded the systems.”

"All efforts would be made to accommodate all the candidates within the testing period. The spare facility at the test centre would used. If there is need, the exam could be extended beyond the test period as required," IIM Ahmedabad Director Samir Barua said. The IIM authorities have told the Prometric that they should provide enough support system at the examination centre if there is something wrong with the computer and strengthen the quarantine system to check any virus attack in future.

The IIMs issued a statement saying a decision to conduct computerized CAT was taken unanimously by all IIMs. "IIMs were responsible for generating questions for the tests and Prometric was responsible for conducting the test. The delivery could not be executed flawlessly because of virus attack at several test sites. Prometric is working to address the issues arising from the attacks," it said.

Even this unwanted incident found government in a very embarrassing situation. Government sought a report from the convener of Common Admission Test (CAT) Satish Deodhar on the ongoing disruption of the computer-based entrance test for admission into IIMs. The HRD Ministry shot off a letter to Deodhar, asking him to submit a factual report on the whole issue of disruption in the test, which is being conducted by an American firm Prometric, according to a ministry official.

The press note, out after more than 24 hours after the test began does little to explain the thousands of glitches that took place in the online CAT and attributes it flimsily to a ‘virus’. For example, the untrained staff, Prometric personnel not reaching the faulty testing centers on time, delays in registration and the likes cannot be assigned to a virus but to the lack of testing of the process and the software before putting it out in the open.

Is only ‘Virus’ Responsible?

A press note released by Prometric and IIMs says that ‘Vital Information Resource Under Siege’ in the CAT 2009 exam, due to a virus attack. And saying this only IIMs and Prometric washed their hands.

“Exhaustive plans were developed and put in place well in advance of the start of the testing window. Unfortunately, particular viruses and malware that attacked the test delivery system were not detected by the anti-virus software at the testing centres,'' stated Ramesh Nava, vice president and general manager, Asia Pacific, Japan & Africa, Prometric.

According to IANS report, Gautam Puri, vice chairman of Career Launcher, a CAT coaching institute, says that students reached their centres early in the morning and then learnt that the exam was rescheduled. But there was no official who told them so, or gave them any reason for the change in date. According to him, this is a case of mismanagement, lack of planning and implementation. There are approximately 150-200 students taking CAT in each centre and that is not such a heavy number- local servers can take that load easily. There was no proper testing of the online version of the exam.

Complaints of log in, booting and system crashing mid-way came from across centres and according to coaching centres. And there are unique complaints as well such as unavailability of images that are supposed to come with the questions. The IIM officials have asked Prometric to engage competent people to deal with such situation. The IIMs and Prometic will institute a thorough probe into the disruption to find out what went wrong. IIMs want to have robust system in place.

Even it is virus, which disrupted the entire examination, why there was no proactive approach to prevent such incident? IIMs should recheck the technical capability of prometric employees and service engineers regarding the strength to tackle such situation. Are there enough security experts to combat such security emergency? Have they enough experience to handle such security issues in past? Are they intelligent enough to face technically advanced cunning hackers?

What we understand, it’s not only virus. This situation would not appear, if prometric’s so called intelligent team would take a proactive holistic security approach for the entire examination system. But, never the less, we hope it is enough for them to make them understand the basic sense of security.

Conclusion

We really don’t know whether it was a deliberate effort from an insider or outsider to infect the entire system. We really don’t want to know the quantity of benefit, the attacker has achieved from here. We really don’t want to know also the intensity and intention of the attack. What we understand, a clear major failure of so called prometric experts’ to understand the security parameter of the system. Our suggestion to all Indian companies to check and recheck on the strength and more precisely quality of strength of the organization, before you select him to serve you, especially when it’s about ‘Security’.

—By: Tanu Srivastava, ‘InfoSecurity’ Bureau.