50 shades of grey hat: When is it right to go public about a security breach?

The ethics of IT security are still evolving: one in five security professionals say they have worked for a company that covered up a data breach.

Black hat, white hat, grey hat - all part of the hacker community. Image: iStock

If somebody hacks into your customer database but nobody ever finds out, did it ever really happen?

This variation on the 'if a tree falls in a forest' conundrum is one that IT security staff have to deal with on a regular basis, and there is little consensus on what the right answer should be.

One in five security professionals surveyed said they had worked for a company which had suffered a breach and hidden it, while a similar number said they weren't sure if this had happened at their place of work.

"On the surface, covering up a breach appears to be an inexcusable act. After all, customers, shareholders, and partners are put at risk whenever a breach occurs," said AlienVault, the security company which carried out the survey.

The company also notes that not all security staff see it that way: "But on the other hand, under certain circumstances, people can tend to make decisions that are not always right - or maybe without fully understanding the impact of their actions. After all, if a breach occurs in a forest and no-one is around to see it - did it really happen?"


The history of IT security may be behind this level of ambiguity: in many ways, information security as a profession is an outgrowth of the hacking scene, which recognises the varying intents of members - some good, some bad, and some in between - through the labels black, white, and grey hat hackers.

Black hats use their skills to break into systems, while white hat hackers use theirs to test and improve the security of those same systems, with permission, and grey hats fall somewhere in between. For all three, the tools remain mostly the same: what separates them is intent and permission, not technique.

In the IT security world, a relatively immature industry that has emerged from that kind of environment, a number of ethical questions remain to be resolved. "Do the ends justify the means? When a professional's job and reputation is on the line - that question can become quite difficult to answer without including a long list of caveats," said the report.

The research also found that just over half of those surveyed said they had visited hacker forums or hung out with black hat hackers to learn about security. "Anecdotal conversations and evidence supports the fact that many professionals believe that until one understands the enemy and objectives, adequate defences cannot be constructed," it noted. The company interviewed 1,107 attendees at the RSA security conference.

Nearly two-thirds said that if they found a major vulnerability in a company's website, they would privately disclose it to the firm. Meanwhile full public disclosure was chosen by 12 percent, limited public disclosure by 10 percent, and 'do nothing' by a similar proportion.

When faced with a breach of their own systems, nine percent said they would just keep quiet if nobody noticed, while a quarter said they would tell the regulator, pay the fine, and move on. But perhaps a more canny two-thirds would use the breach as an opportunity to convince the boss to boost the security budget.
