In what is now an important annual event, the municipality of The Hague in The Netherlands and cybersecurity company Cybersprint organised the internationally renowned hacking competition: Hack The Hague.
Reflecting the growing threat from cyber criminals to organisations of all sizes, regardless of the sector in which they operate, the competition invites international professional and student hackers to attempt to hack the live IT systems, applications and websites of the municipality of The Hague.
For the first time, the scope of the systems under scrutiny included those of many of the organisations that supply goods and services to The Hague, putting their digital security to the test too. This expansion of the scope is undoubtedly in response to the changing attack vector adopted by criminals, with many seeking a way into target organisations through vulnerable supply chains.
All those taking part agree in advance to report the vulnerabilities they find in a dedicated portal, along with evidence of what they found and how they found it. Importantly, the successful hackers are encouraged to suggest ways to resolve the problems they find, without releasing any details publicly.
It is an interesting and courageous response to the threats faced by organisations and suggests that no single cyber security service can address every likely issue. Ensuring a service provider is not checking their own homework and reporting a clean bill of health when vulnerabilities exist is a sensible approach that strengthens the defensive posture of any organisation.
Whilst the honour for many is in taking part and pitting your wits against other professional cyber security experts, including those who manage and monitor The Hague’s systems, there were also cash prizes on offer, ranging from €500 to €2,000.
Do the results validate the event?
It is the second year the talented individuals from illume have been involved. Our team were amongst the professionals displaying their skills, who reported 125 vulnerabilities, including unsafe access to accounts, outdated software, the ability to inject malicious code into a website and an account that could be entirely taken over.
Whilst little is reported in terms of these identified vulnerabilities, or their seriousness, anecdotally the number found is increasing each year. This is perhaps the best evidence of the benefits of regularly stress-testing systems and networks to identify the weak points, before malicious hackers do.
The Hack The Hague event organisers explain that it not only helps to map and assess the municipality’s attack surface, a necessary step in strengthening cyber-resilience, but also raises awareness about digital security and its importance for organisations, businesses and individuals.
Why do more organisations not do this?
There are a number of platforms, such as ‘HackerOne’, that allow companies to sign up and put their systems in scope in much the same way The Hague does in this annual event. If a vulnerability is identified by an ethical hacker, they can report it and potentially get paid a bounty for their work.
Typically those adopting this approach are larger organisations with big systems and big cyber security budgets, mostly confident they have everything covered. It is probably a bit daunting to put all your systems in scope publicly, ready to be hacked.
It is recommended that every organisation undertakes regular penetration testing and vulnerability scanning to ensure any holes in their defences are identified and resolved.
How often this is done depends on the unique circumstances of each organisation, but those operating in regulated sectors, handling client funds and valuable data, such as law firms, should consider vulnerability scanning a constant process, backed by penetration testing at least once a year, but ideally twice.
We have explained the difference between penetration testing and vulnerability scanning, along with the benefits of the services we provide to keep organisations safe, but if you would like to discuss your situation in more detail, please get in touch today – there’s no time to waste.