The lines between good guys and bad guys when it comes to enterprise security have always been blurred. Although usually described as White Hats and Black Hats, the reality of identifying people is far more grey.
A culture of offering “bug bounties” – paying people who find holes in your security – is controversial and not universally accepted.
The most recent victim of this confusion was an 18-year-old Hungarian who noted a glaring mistake in the online ticketing system for Budapest’s public transport system. The vulnerability allowed you to change the price of any ticket you bought through the website just before payment was taken.
The young man emailed the developer of the system pointing out the security hole. He had no wish to make money or be paid for his advice.
The company concerned immediately informed the police and sought his arrest.
A storm quickly erupted on social media and hundreds of people flooded networks with outrage at the company’s actions.
The row forced the company to apologise and promise to work with the youngster in future, if he was willing.
The firm’s chief executive said there was no wide acceptance of “ethical hacking” in Hungary, nor was it supported by local law or regulation.
Dealing with this sort of issue is difficult and needs careful consideration. It is an issue for the wider business, not just the IT department.
Every large company will have received dozens of claims from people who are little more than blackmailers or simple scammers with no useful information to offer.
But within this group there will be some genuine attempts at improving your firm’s security. Separating one from the other is difficult and the good guys won’t take kindly to being treated as blackmailers. And even the good guys might want payment.
Simply ignoring all such tip-offs might seem tempting, but it is dangerous in at least two ways.
Firstly, it leaves potential holes in systems.
Secondly, and more dangerously, it leaves open the possibility of a huge public row, which will leave the world with the distinct impression that your organisation is choosing to ignore security concerns that might damage both customers and partners.
The first strategy is to make sure the need to deal with such people is minimised.
That means putting in place detailed and repeated security testing procedures. It is vital that this is seen as an ongoing process – as your systems change so do your vulnerabilities.
This might include processes of ethical hacking – hiring people to do their best to get onto networks in order to highlight weaknesses.
Budapest’s transport operator seems to have missed these steps in the rush to get a new system released in time to hit a deadline. Its system provider has now publicly promised to create a new system at its own expense.
But a different, more open strategy for dealing with the information provided could have created a very different outcome.
Very often security holes are simple mistakes, not hugely complex technical issues. But in the speed required to get systems running or updated these are all too easy to miss. This means they’re just as likely to be spotted by a member of the public as the security team.
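The kind of simple mistake the article describes, as an added example that is not code from the article or from the Budapest ticketing system: a checkout that charges whatever price the browser submits, beside one that looks the price up server-side and treats a mismatching client price as a tampering signal. The ticket catalogue, prices and request below are constructed.

```python
# Added example: client-trusted price (vulnerable) beside a server-side
# price lookup (hardened). Catalogue, prices and requests are constructed.
from decimal import Decimal

# Constructed server-side price list, keyed by ticket type.
TICKET_PRICES = {
    "single": Decimal("350"),
    "monthly": Decimal("9500"),
}

# Constructed audit trail: every client price that disagreed with the catalogue.
TAMPER_EVENTS = []


class CheckoutError(ValueError):
    """Raised when a checkout request cannot be honoured."""


def charge_vulnerable(form: dict) -> Decimal:
    """Vulnerable pattern: the amount charged is read from the submitted form.

    The server validates the ticket type but never checks the price against
    its own catalogue, so whatever value arrives in the request is charged.
    """
    if form.get("ticket") not in TICKET_PRICES:
        raise CheckoutError("unknown ticket type")
    return Decimal(str(form["price"]))


def charge_hardened(form: dict) -> Decimal:
    """Hardened pattern: the client only chooses *what* to buy.

    The price comes from the server-side catalogue. A price field sent by the
    client is ignored for charging and, if it disagrees, recorded for alerting.
    """
    ticket = form.get("ticket")
    if ticket not in TICKET_PRICES:
        raise CheckoutError("unknown ticket type")
    price = TICKET_PRICES[ticket]
    if "price" in form and Decimal(str(form["price"])) != price:
        # Detection hook: a disagreeing client price is worth an alert,
        # not silent acceptance.
        TAMPER_EVENTS.append({"ticket": ticket, "client_price": str(form["price"])})
    return price


if __name__ == "__main__":
    # Constructed request whose price field was lowered before payment.
    tampered = {"ticket": "monthly", "price": "1"}
    print("vulnerable charges:", charge_vulnerable(tampered))  # 1
    print("hardened charges:", charge_hardened(tampered))      # 9500
```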
So make sure you have a strategy and procedure in place to listen to and deal with such warnings – the alternative is risking an expensive and very public lesson in enterprise security.