
“Perfect” security

August 23rd, 2008

Filed under: General — donwalrus @ 4:01 pm

There’s been an interesting theme of late on many of the infosec mailing lists (including WASC) that mirrors my own experience in this field: “perfect” security versus acceptable risk mitigation, or “operational” security.

It makes an interesting point, since “perfect” security is simply not possible unless you want to throw away your business model and cut yourself off from the world (unless that IS your business model, in which case, awesome for you!).

As security testers or auditors (or whatever you want to call us) we are often called on to assess the target environment in terms of perfect security. This is good practice and we, as professionals, should never compromise on it, but too often this ideal of “perfect security” is what gets relayed to the client in the final report, which is not good practice.

This is one of the issues that, over my career, I have had to come to terms with: assess the environment in terms of perfect security, but relay the findings in operational terms that work for the client. Of course this is second nature to me now, but it’s interesting the line that has to be walked here: if you know the end result is a less-than-perfect security evaluation, are you not tempted to cut corners?

I certainly hope that if you are a professional security consultant/auditor/tester you DON’T CUT CORNERS, or your customers will ultimately suffer. Perfect security is still the prize, but “perfect” is only relevant to the real business risk, the operational reality and often many, many other factors. All of the risks should be evaluated with a perfect-security mentality, and then translated into good (not perfect) operational reality.

Years ago the common analogy was that the only secure computer was one that was disconnected from the ’Net, powered off and buried 6 feet below a nuclear blast site. I don’t know many companies operating 6 feet below a nuclear blast site that would find much use for a powered-off PC, but I may be wrong…

P0aned

August 2nd, 2008

Filed under: General — donwalrus @ 10:28 pm

This post is a tribute to how fast Google works. I posted this and was immediately the first hit for the word P0aned in less than 5 minutes.


This post has little bearing on anything. Just a little fun with those l33t sp3@k3rz out there who like to carry the torch, plus a little jab at one of our friends in the security community who couldn’t spell owned or pwned (thanks for the laughs, Kemo).

A colleague of mine and I recently had some fun with l33t sp3@king in regard to auditing a client environment, and those who like to audit environments with the goal of proving they can hack into a client’s network after receiving a pass to do so. The whole running joke got me thinking about the mentality of the traditional “hacker” as opposed to that of a security consultant.

There’s a surprisingly thick line between the two, and at my firm we try and look for those treading nearer the middle. Regardless, this post is more about poking fun at the lingo.

According to Wikipedia: “In hacker jargon, to ‘pwn’ means ‘to compromise’ or ‘to control,’ specifically another computer (server or PC), web site, gateway device, or application. It is synonymous with one of the definitions of hacking or cracking. An outside party who has ‘owned’ or ‘pwned’ a system has obtained unauthorized administrative control of the system.” (don’t forget P0aned :)

So, as security consultants, if our customers contract us to audit their security, are they inevitably hiring us to own, pwn, or P0an (pronounced “po-anne”, as we like to joke in our circle) their networks?

I don’t think so, but that’s my +w0 c3nt$

© 2008-2010 hackyourself.net
Part of the InfoSec Island™ Network