It's a small post by the Iowa Judicial Council, with the potential for significant debate in cybersecurity circles.
Two pentesters are now wearing orange jumpsuits after police arrested them inside a county courthouse just after midnight local time.
The pair had set off an alarm on their way in.
Justin Wynn, of Naples, Florida, and Gary Demercurio, of Seattle, Washington, are charged with third-degree burglary and possession of burglary tools. They are being held on $50,000 bond.
Court statement on pentest arrests
This happened in the Dallas County, Iowa, courthouse. Here is the complete statement from the Iowa Judicial Branch:
"State Court Administration (SCA) is aware of the arrests made at the Dallas County Courthouse early in the morning on September 11, 2019. The two men arrested work for a company hired by SCA to test the security of the court’s electronic records.
The company was asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities. SCA did not intend, or anticipate, those efforts to include the forced entry into a building.
SCA apologizes to the Dallas County Board of Supervisors and law enforcement and will fully cooperate with the Dallas County Sheriff’s Office and Dallas County Attorney as they pursue this investigation.
Protecting the personal information contained in court documents is of paramount importance to SCA and the penetration test is one of many measures used to ensure electronic court documents are secure."
According to the Des Moines Register, the pentesters work for Coalfire Cyber Risk Management Advisors.
The company's website does list pentesting among its technical security services, and couches its technical services overview like this:
"Security today requires you to think—and act—like an attacker. By applying knowledge gained through industry-recognized vulnerability research, tool and exploit development, and technical testing experience, Coalfire Labs simulates an adversarial attack against your product or business."
We did not see physical pentests listed, although some companies do advertise them. So maybe Coalfire offers that service, maybe it doesn't.
Regardless, there are lingering questions here.
Unanswered questions about pentester arrests
First of all, what was the scope of the pentest project? And did the men go outside the scope of the agreement?
This is a question we're pretty sure #cybersecurity people will be discussing on social media.
We like what pentester Adrien de Beaupré posted in a pentesting Q&A article about mistakes pentesters can make:
Q: What is the single biggest mistake that a pen tester can make?
A: "Violating the rules of engagement or going out of scope. The rules of engagement include the laws and ethical guidelines as well as those types of tests that are allowed to be performed in that engagement. The scope is those things that you are allowed to test in that engagement. Going out of bounds on either of these can not only be career limiting, but also freedom limiting. When in doubt always go back to the written rules of engagement and scope. Ask for clarification or modification if required. There is no cheating in penetration testing. Only those things that are illegal, immoral, unethical, or illogical."
Did this situation cross the line into any of these things? Or was it some sort of misunderstanding that the scope of a pentest included physical penetration testing? Was proper communication all that went wrong?
According to the Des Moines Register, the men claimed they were working on physical security:
"... to test out the courthouse alarm system's viability and to gauge law enforcement's response time."
And there is something else that adds to the mystery here.
It is a cryptic follow-up statement by the Iowa courts:
"SCA was recently made aware of a break-in at the Polk County Historic Courthouse that is similar in nature to the break-in that occurred at the Dallas County Courthouse. SCA is investigating what transpired and has no other information to share at this time. State court administration does not condone forcible entry into any building as a part of cyber-security or any other type of testing."
Based on what we know and your experience in cybersecurity, what are your thoughts on this case?
And do you have any concerns about a "chilling effect" on penetration testers?
Please let us know, below.