A couple of weeks back while traveling I had an opportunity to spend some time with an old colleague from my penetration testing days. Once upon a time we used to spend much of our time on the road, living out of suitcases, probably giving the TSA fits and generally living la vida Sneakers. I'm out of that particular game these days because it's just not my bag anymore. The colleague in question is more or less on the management side of things at that particular company. Contrary to what one might reasonably assume, however, we didn't spend a whole lot of time reminiscing about the good old days, nor did we complain about all those kids on our respective lawns. What we did do was have a conversation that I've been ruminating on since I got home.
A lot of business entities ask and pay for penetration tests - a team of relatively tame hackers goes to town on their infrastructure with little to no insider knowledge to see what they can get into (within certain limits, usually) and the client uses the results as their roadmap to figure out what they need to fix. To a certain extent, this makes sense - sometimes the stuff that's broken doesn't make its presence known until somebody stumbles across it and gives it the business. But... the way these things usually go is, the client fixes everything the red team tore through like a thermite lance through a baby's crib and that's about it. They usually don't touch anything else, even to see how it stood up to second- and third- order effects. And this is a pretty serious problem, as evidenced by the overall state of information security in the last quarter century.