But in the interest of full disclosure, I confess that I've been that guy. Two decades ago when I was first starting out in computer security, I too was looking to drum up business. I think nearly every independent hacker considers the same simple plan: Scan lots of businesses, find weaknesses, and offer fix-it or find-it services. Every website and computer network on the Internet has existing, publicly accessible weaknesses and flaws. Hey, we're just highlighting them to the owners. It's a proactive service for the good of the community.
Except it stinks from an ethics standpoint. Thankfully, although I considered it, I didn't follow my urges. I realized that the only way to build a good reputation was to do white-hat hacking when invited by the owners or custodians.
It's like driving by a business or home at night and checking to see if the doors are locked and the alarms are engaged -- then notifying the owner that they aren't and offering your services to make sure the locks are automatically secured from now on. I think I know how most people would respond to that offer, and I doubt the local constabulary would hesitate to oblige.
A measured response
With the online equivalent, it's a little trickier. If you respond harshly, you risk offending the hacker; the next time they explore your network you might not know about it. The Internet is full of stories of spurned, previously "good guy" hackers who move over to the dark side because someone (or a bunch of someones) pissed them off. Or because they decide there's easier, faster money to be made.
On the other hand, I would never hire hackers making such a solicitation. While a big part of me would want to pay them for services my company obviously needed, paying them anything is somewhat like paying hostage takers. It would only encourage them to engage in future unethical behavior.
Instead, I would graciously thank them for their notification and let them know I'm already working on rectifying the found issues (hopefully, you're really doing this). Second, I would let them know that while I appreciated being notified about weaknesses, such unrequested probes are unethical, at the very least. I'd recommend the hackers read their certification bodies' (if they have certifications) ethical statements. Most likely they signed one of these when they obtained their skills and/or certification.
If the hacker responded in a hostile manner, I would kick it up a notch and report the violation to law enforcement authorities -- if only to start a legal paper trail. I would notify the hacker and the certification body (if applicable) about the ethical violations. I would then make darn sure I'm monitoring my network better and have fixed all the weaknesses the hacker found and the ones they may be likely to uncover in the future.
If it were me, I'd be gentle at first. After all, the intentions are not necessarily evil. Your reply should be the same: businesslike, but denying services or employment and pointing out the ethical problem.
Had I ventured into gray-hat areas, I would have been lucky if someone had firmly, but nicely, helped me get on the straight and narrow. Think of it as a rare opportunity to make the world a better place.
This story, "How to fend off aggressive white-hat hackers," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.