by Steve Brady
Two Iowa men learned the hard way how important it is to always agree on a clear scope before conducting a penetration (pen) test. Iowa state court officials had Coalfire conduct a pen test to determine “how vulnerable county court records were” and had authorized the Coalfire employees to use “various means” to conduct the test.
One way the two men chose to test the court system was to “measure law enforcement’s response to a break-in.” As it turns out, law enforcement’s response to a break-in was to arrest the two men, charge them with “third degree burglary and possession of burglary tools” and hold them in jail overnight until they were able to make bail.
Of all the failures in this test, the two that jump out are:
When asked about this incident, Iowa state court officials said, in part, “State Court Administration (SCA) is aware of the arrests made at the Dallas County Courthouse early in the morning on September 11, 2019. The two men arrested work for a company hired by SCA to test the security of the court’s electronic records. The company was asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities. SCA did not intend, or anticipate, those efforts to include the forced entry into a building.”
This is just one case that highlights that the difference between a legal pen test and an illegal intrusion or burglary is an agreement among all relevant stakeholders that defines the specific scope of the test and the methods that will be used. Some organizations may not want to share all of this information with their teams during unannounced tests, but it is still important that someone at the customer agency agrees to the test that will be conducted.