Getting inside the minds of ethical hackers

Dan Hatch gets to know some ethical hackers, learning what makes them tick and how they can help businesses by attacking them.

It was Wood's team of hackers who, from his unassuming office in Shoreham-by-Sea, were responsible for penetrating security in the aforementioned hack. The attack was not difficult for Wood and Co to perpetrate though. Busting through the company's defences was startlingly simple.

"We found an internet portal for a client which led to an extranet login, which was defended only by a username and password," he told IT Pro.

"The username test' and the password testing' gave us access, over a straight SSL connection, through a Citrix gateway, which was poorly configured, so we got a command line on the Citrix server, which was in turn poorly configured so that we could enumerate all the computers on their network worldwide.

"Then a Windows account called backup', with a password of backup', allowed us to see every file on every computer in a worldwide organisation."

Disturbing to see such lax login procedures being used by large businesses, is it not? For the company's IT director, the news wasn't so good. He was given the boot.

"There were a few people who experienced the new pleasures of gardening leave," Wood said. "We don't like being the cause of that but in the end, if you are the IT director, you are the IT director, and it's your job to get it right."

For the organisation, however, the benefits were tangible and immediate. "The result of presenting those findings to the senior people at that organisation was that they changed all of those things, both tactically and systemically, so that it wouldn't occur again. We massively secured that system," Wood said.

Generally, it takes Wood or one of his team between half an hour and half a day to hack into a system. It just depends how long it takes them to find their way around the network. If you were an insider it could literally take just 10 minutes.

There were a few people who experienced the new pleasures of gardening leave.

The trouble is, IT staff setting up systems think like people who are setting up systems, not like people who are going to break into them, Wood said.

"So the same mistakes happen again and again because so many organisations have extraordinarily competent IT staff, but they don't think like attackers," he said.

In some cases, Wood has seen trivial passwords which have not changed in 12 years, often despite multiple changes in staff.

"Pretty much every time we go on site, we find an account like that say an account called backup has a password called backup," he said.

"I don't want to be unkind to the people running these businesses, in most cases it is something they've inherited from their predecessors and they've never been asked to check it. The chasm between people who think business and people who think IT is really quite wide and I don't think businesses really take on board the fact that anyone managing a network for them can access anything on that network they don't even ask the question."

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Most Popular

Do smart devices make us less intelligent?
artificial intelligence (AI)

Do smart devices make us less intelligent?

19 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
What is Neuralink?

What is Neuralink?

24 Oct 2020