Pen testing vs security assessment.

Sep 29 2019

A couple of weeks back while traveling I had an opportunity to spend some time with an old colleague from my penetration testing days.  Once upon a time we used to spend much of our time on the road, living out of suitcases, probably giving the TSA fits and generally living la vida Sneakers.  I'm out of that particular game these days because it's just not my bag anymore.  The colleague in question is more or less on the management side of things at that particular company.  Contrary to what one might reasonably assume, however, we didn't spend a whole lot of time reminiscing about the good old days, nor did we complain about all those kids on our respective lawns.  What we did do was have a conversation that I've been ruminating on since I got home.

A lot of business entities ask and pay for penetration tests - a team of relatively tame hackers goes to town on their infrastructure with little to no insider knowledge to see what they can get into (within certain limits, usually) and the client uses the results as their roadmap to figure out what they need to fix.  To a certain extent, this makes sense - sometimes the stuff that's broken doesn't make its presence known until somebody stumbles across it and gives it the business.  But... the way these things usually go is, the client fixes everything the red team tore through like a thermite lance through a baby's crib and that's about it.  They usually don't touch anything else, even to see how it stood up to second- and third-order effects.  And this is a pretty serious problem, as evidenced by the overall state of information security in the last quarter century.

Neologism: DC AC

Jul 28 2019

DC AC - noun phrase (humorous) - The primary mechanism of air conditioning inside the DC Beltway.  Notionally, the movement of air due to revolving doors caused by the never-ending cycle of contractors becoming civil servants, civil servants becoming lobbyists, and lobbyists forming startups and becoming government contractors once more.

Neologism: Profit harvesting

Jul 28 2019

profit harvesting - noun phrase - A polite name for the act of finding each and every little remaining way to gouge money from someone or out of some thing.  Called nickel-and-diming when hard currency was more common.

Neologism: Proper channels excise tax

Apr 16 2019

Proper channels excise tax - noun phrase - The markup paid on commonplace things when you go through proper channels at work to do something rather than going rogue, buying it yourself and filing an expense report.  For example, a flight from Chicago to Boston might cost $176us if you paid for it yourself, but by using your employer's internal processes and vendors the cost of the same flight is closer to $630us.