Getting inside the minds of ethical hackers
Dan Hatch gets to know some ethical hackers, learning what makes them tick and how they can help businesses by attacking them.

It was Wood's team of hackers who, from his unassuming office in Shoreham-by-Sea, were responsible for penetrating security in the aforementioned hack. The attack was not difficult for Wood and Co to perpetrate though. Busting through the company's defences was startlingly simple.
"We found an internet portal for a client which led to an extranet login, which was defended only by a username and password," he told IT Pro.
"The username test' and the password testing' gave us access, over a straight SSL connection, through a Citrix gateway, which was poorly configured, so we got a command line on the Citrix server, which was in turn poorly configured so that we could enumerate all the computers on their network worldwide.
"Then a Windows account called backup', with a password of backup', allowed us to see every file on every computer in a worldwide organisation."
Disturbing to see such lax login procedures being used by large businesses, is it not? For the company's IT director, the news wasn't so good. He was given the boot.
"There were a few people who experienced the new pleasures of gardening leave," Wood said. "We don't like being the cause of that but in the end, if you are the IT director, you are the IT director, and it's your job to get it right."
For the organisation, however, the benefits were tangible and immediate. "The result of presenting those findings to the senior people at that organisation was that they changed all of those things, both tactically and systemically, so that it wouldn't occur again. We massively secured that system," Wood said.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Generally, it takes Wood or one of his team between half an hour and half a day to hack into a system. It just depends how long it takes them to find their way around the network. If you were an insider it could literally take just 10 minutes.
There were a few people who experienced the new pleasures of gardening leave.
The trouble is, IT staff setting up systems think like people who are setting up systems, not like people who are going to break into them, Wood said.
"So the same mistakes happen again and again because so many organisations have extraordinarily competent IT staff, but they don't think like attackers," he said.
In some cases, Wood has seen trivial passwords which have not changed in 12 years, often despite multiple changes in staff.
"Pretty much every time we go on site, we find an account like that say an account called backup has a password called backup," he said.
"I don't want to be unkind to the people running these businesses, in most cases it is something they've inherited from their predecessors and they've never been asked to check it. The chasm between people who think business and people who think IT is really quite wide and I don't think businesses really take on board the fact that anyone managing a network for them can access anything on that network they don't even ask the question."
-
RSAC Conference day two: A focus on what attackers are doing
From quantum to AI, experts discussed how new and experimental technologies could be used by hackers to access and decrypt sensitive data
-
The IT industry’s shift to circular, low-carbon solutions
Maximize your hardware investment and reach your sustainability goals with HP’s Renew Solutions
-
RSAC Conference day two: A focus on what attackers are doing
From quantum to AI, experts discussed how new and experimental technologies could be used by hackers to access and decrypt sensitive data
-
RSAC Conference Day One: Vibe Is 'All In' on AI for Security
News Artificial intelligence took center stage as RSAC Conference looks at how the discussion has moved from generative AI to agentic AI
-
RSAC Conference 2025 live: All the day-two news and updates
Live blog It's day two at RSAC Conference 2025 – keep track of everything that's announced live through our coverage
-
Cisco takes aim at AI security at RSAC with ServiceNow partnership
News The companies claim Cisco AI Defense and ServiceNow SecOps will help address new challenges raised by AI
-
What to look out for at RSAC Conference 2025
Analysis Convincing attendees that AI can revolutionize security will be the first point of order at next week’s RSA Conference – but traditional threats will be a constant undercurrent
-
'You need your own bots' to wage war against rogue AI, warns Varonis VP
News Infosec pros are urged to get serious about data access control and automation to thwart AI breaches
-
CrowdStrike CEO: Embrace AI or be crushed by cyber crooks
News Exec urges infosec bods to adopt next-gen SIEM driven by AI – or risk being outpaced by criminals
-
Microsoft security boss warns AI insecurity 'unprecedented' as tech goes mainstream
News RSA keynote paints a terrifying picture of billion-plus GenAI users facing innovative criminal tactics