December 4, 2019

Pen(intentiary) Testers

Anonymous

One of the hottest jobs in the cybersecurity field is penetration testing. Whether or not one wants to make it an actual career, penetration testing is a huge part of information security. For those who want to make it a full-time job, it can be a very exciting proposition. The basic job duties sound more like those of a spy than of a normal information technology position. Gathering information from dumpsters, wearing disguises, gaining access to secure buildings, and many more normally nefarious acts are all a part of the job. Although these actions may seem borderline illegal to outsiders, pen testers operate in a completely legal area. These individuals are contracted by companies to point out vulnerabilities within their systems and facilities. Once a scope is defined and a contract is signed, the pen testers are free to go about their business. Sounds exciting, doesn’t it? Getting to break into areas, steal information, and potentially wear disguises is a job that many people dreamed about as children. As a pen tester, all of this can be done legally and without consequence. At least, that was true until recently.

Two pen testers in Iowa recently ran into some problems while conducting a penetration test. The state of Iowa hired a cybersecurity company to conduct penetration tests of its facilities. A scope was set to investigate and test certain municipal buildings, most of which were courthouses. The two pen testers had already tested two other buildings and interacted with authorities positively. It is not uncommon for testers to interact with authorities during these tests, and if anything goes wrong, a plan is usually in place to handle the situation. For example, when the scope is set and the pen testers go out, they usually carry documentation to legitimize the test: a document that provides the scope and at least one contact at the business being tested. That way, if any security staff or police get involved, the testers can provide the documentation to get things straightened out. Unfortunately, that did not help these testers.

While investigating a third building, the pen testers found a door that had been left propped open. As anyone in the security industry knows, this is an obvious issue to investigate. The two testers closed the door and reopened it, which set off an alarm. They followed their company’s protocol and waited for the authorities to arrive. Once the authorities arrived, they produced their documentation and credentials. Usually this is where things would clear up and everything would be fine, but the two ended up being arrested on burglary charges. They spent a night in jail, and their company had to bail them out. One would think that would have been the end of it and everything would have been cleared up, but the two are still facing charges.

Why did this happen? Did the two pen testers break their code of ethics, exceed the scope of the test, or disrespect the officers? The answer is no to all of these. The problem occurred because there was a miscommunication between the state and the county. The county, not the state, was responsible for security monitoring at that courthouse. Although the error appears to have been made by the state, the two pen testers are still facing charges. They were told that the charges are being reduced, but not dropped. This is highly unusual in the field of pen testing.

Pen testing companies should be paying attention to this story. Although it is a rare occurrence, those who do this work for a living should be prepared to mitigate situations like this. The two-man team did everything correctly, as far as the industry is concerned. The issue arose because the client did not recognize its own jurisdictional boundaries. This can be avoided in the future by learning from this mistake and mitigating the risk as much as possible. Going forward, as more pen tests are needed, the scope of these tests is extremely critical. Whether one is working with a government agency or a private business, make sure the client knows exactly where its jurisdiction begins and ends.


Reference(s)
Fazzini, K. (2019, November 11). Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded. Retrieved from http://www.msn.com/en-us/news/us/iowa-paid-a-security-firm-to-break-into-a-courthouse-then-arrested-employees-when-they-succeeded/ar-BBWEQ5M?ocid=ientp