Getting inside the minds of ethical hackers
Dan Hatch gets to know some ethical hackers, learning what makes them tick and how they can help businesses by attacking them.

It was Wood's team of hackers who, from his unassuming office in Shoreham-by-Sea, were responsible for penetrating security in the aforementioned hack. The attack was not difficult for Wood and Co to perpetrate, though. Busting through the company's defences was startlingly simple.
"We found an internet portal for a client which led to an extranet login, which was defended only by a username and password," he told IT Pro.
"The username 'test' and the password 'testing' gave us access, over a straight SSL connection, through a Citrix gateway, which was poorly configured, so we got a command line on the Citrix server, which was in turn poorly configured so that we could enumerate all the computers on their network worldwide.
"Then a Windows account called 'backup', with a password of 'backup', allowed us to see every file on every computer in a worldwide organisation."
Disturbing to see such lax login procedures being used by large businesses, is it not? For the company's IT director, the news wasn't so good. He was given the boot.
"There were a few people who experienced the new pleasures of gardening leave," Wood said. "We don't like being the cause of that but in the end, if you are the IT director, you are the IT director, and it's your job to get it right."
For the organisation, however, the benefits were tangible and immediate. "The result of presenting those findings to the senior people at that organisation was that they changed all of those things, both tactically and systemically, so that it wouldn't occur again. We massively secured that system," Wood said.
Generally, it takes Wood or one of his team between half an hour and half a day to hack into a system. It just depends how long it takes them to find their way around the network. If you were an insider it could literally take just 10 minutes.
The trouble is, IT staff setting up systems think like people who are setting up systems, not like people who are going to break into them, Wood said.
"So the same mistakes happen again and again because so many organisations have extraordinarily competent IT staff, but they don't think like attackers," he said.
In some cases, Wood has seen trivial passwords which have not changed in 12 years, often despite multiple changes in staff.
"Pretty much every time we go on site, we find an account like that: say an account called backup has a password called backup," he said.
"I don't want to be unkind to the people running these businesses, in most cases it is something they've inherited from their predecessors and they've never been asked to check it. The chasm between people who think business and people who think IT is really quite wide and I don't think businesses really take on board the fact that anyone managing a network for them can access anything on that network; they don't even ask the question."