A Pen Test Gone Wrong: How Iowa Wronged a Security Firm They Hired
It’s common practice for companies to hire security firms to carry out pen tests, but this one in Iowa went south, quickly. Learn why.
Most jobs don’t come with even the remote possibility of being arrested during the course of duties. For penetration testing and cybersecurity professionals, this possibility exists but is almost always accounted for by contracts.
Almost always is the operative phrase here. In September, two members of the Coalfire security firm out of Colorado learned that every rule has its exceptions.
The incident brings up several troubling concerns over the purpose and procedures for carrying out pen testing. To their benefit, Coalfire released a statement condemning the arrest. They are standing with their employees.
Read on for a detailed breakdown of the situation and why it’s a cause of concern for security professionals country-wide.
In the late evening on September 9, 2019, two employees of Coalfire conducted a physical penetration test of the Dallas County courthouse in Iowa.
The two had been in the area conducting similar tests on other courthouses and multiple buildings in the past week. Each had been conducted without incident.
On this occasion, the pair found a door that was propped open and shut it to attempt a breach. The door set off an alarm and the security professionals waited for law enforcement to arrive, per policy.
When sheriff’s deputies arrived, they showed their authorization and explained their reason for being in the building. Everything was fine at that moment. Soon after, the sheriff arrived and had the Coalfire employees arrested.
The company posted bail for them the next day, but the charges were only reduced, not dropped.
Testing isn’t exactly standardized as not all buildings have the same systems or vulnerabilities. That said, pen tests are common and have been performed throughout the country. Tests are conducted on public and private buildings to look for security vulnerabilities.
Before engaging in a test, security personnel receive authorization. This comes from an authority within the business or state.
The test can take several forms and be conducted during or after business hours. Testing looks at physical security setups such as holes in surveillance and the quality of locks. They also look at human elements such as difficulty accessing secure areas and police response time.
Security measures are more important now than ever. Municipal buildings need to be tested in the runup to the election season of 2020. Voting areas and facilities are targets and often underprepared for attacks.
Shortly before this incident, municipal buildings in Baltimore and Atlanta had been dealing with ransomware attacks. We’ve covered security breaches involving the implantation of several of these trojans here.
Security Firm vs Legal Jurisdictions
In the aftermath of the initial September 9 incident, many details have come out from the Iowa state legislature.
First, the state court administration offered the explanation that they did not expect the pen test to involve attempts to force entry into the building. This has some validity, as passive methods of entry can be tested.
The most common of these is ‘tailgating’, in which a breacher follows an authorized person into a secure area.
One document indicates that Coalfire was under contract to attempt unauthorized access through various means. This indicated a carte blanche approach to entry. However, the judicial branch released documents saying they didn’t anticipate the types of efforts used.
Further complicating this is the response from the deputies and the sheriff. One group accepted the authorization without a problem while the sheriff did not.
The Polk County sheriff condemned the action from the state legislature. Another officer, Lt. Steve Larence of the Iowa State Patrol, also reported that he was informed of the tests only after the fact.
With both of these law enforcement officials, a question of jurisdiction over the building is raised. While it should be obvious that the state’s approval of the test would prevail, that is not always the case. Local law enforcement is keen to assume it has ultimate authority in some cases.
This isn’t a far-fetched assumption. In most counties, the sheriff’s department is tasked with supplying security and bailiffs to the courthouse. This would, in some readings, place authorization for a test with the sheriff rather than the state.
Looking at even a quick primer on law enforcement agencies’ purviews only complicates the matter.
In this incident, members of the state legislature have come forward complaining about the test. They cite not being aware of the scope of the methods that would be used.
This could be a problem with communication within the legislature when the testing was being assigned. It could be politicians redirecting conversation that paints them unfavorably.
This incident has a detrimental effect on other security testers. It calls into question the validity of authorization agreements. It also poses a risk for security professionals and law enforcement alike.
While this incident was not violent, it very well could have been. When law enforcement has not been notified of a test, officers are obligated to respond as if it were a normal incident.
Officers must respond to a breach according to policy. They can’t assume it is a test. Security professionals also need to work cautiously to avoid raising the risk.
At the same time, forewarned building security and local police may act out of the ordinary, invalidating any testing.
With growing security pressures nationwide from both physical and remote breaches, limiting the efficacy of tests is bad for business.
Ego and pride are factors to look out for in the aftermath of a test as well. Various security professionals have faced some form of legal action after a test. Sometimes this comes from legitimate questions of jurisdiction or legal standing.
Other times, the reaction comes down to upset alarm installations or security workers. They become embarrassed when they see their efforts curtailed.
Some security testing companies are looking into creating guidelines for reporting vulnerabilities without exposing workers to direct redress. This will safeguard against this kind of issue.
Time will tell if the two men are sentenced for a reduced charge or if the charges are dropped. For anyone working in a security firm, the incident itself paints a dangerous precedent.