Communication, communication – and politics: Iowa saga of cuffed infosec pros reveals pentest pitfalls
Tales from the coal face as experts reflect on what can possibly go wrong on the job
Analysis It has been six weeks since Coalfire's Gary Demercurio and Justin Wynn were arrested in Dallas County, Iowa, while performing a paid-for security penetration test at a courthouse. Despite everyone acknowledging there was no foul play, the pair still face criminal charges. They deny any wrongdoing.
The Des Moines Register (no relation) reports Wynn and Demercurio were charged with misdemeanor trespassing, reduced from felony burglary, after their physical pentest went south.
Coalfire CEO Tom McAndrew has pledged to continue to back his testers until they are exonerated.
"If what is happening in Iowa begins to happen elsewhere, who will keep those who are supposed to protect citizens honest?" McAndrew writes. "This is setting a horrible precedent for the millions of information security professionals who are now wondering if they too may find themselves in jail as criminals simply for doing their job."
So what went wrong, and how can other security professionals avoid a similar fate when they are onsite?
Dan Tentler is CEO of the Phobos Group and has been performing red-team pentests for companies for nearly a decade. He says that while he has never been arrested and charged like Wynn and Demercurio were, he has had some close calls.
"One time I had to hide from armed police in a closet because the people who arranged the engagement left one person off the email," Tentler told The Register this month. "That one person was the connection between the people who did the computer side of things and the physical security side of things."
Such is the nature of enterprise pentests, where a security company is hired by a business to test and verify aspects of its security – both digital and physical – in an effort to get a clear picture of where that client may be vulnerable. Professionals are, basically, paid to break into systems and locations, within agreed-upon boundaries of the project, in an attempt to outwit corporate defenses and employees. The testers have to think and act like hackers and criminals. This means they may be caught seemingly being up to no good by employees who are none the wiser to the project.
Tentler said virtually every pentest will include written agreements and documentation that clearly spell out who is allowed to be where, and when they are allowed to be there, and what systems can be probed. Typically, this is done by the security company and the customer sitting down and conducting a "tabletop" session where they lay out possible scenarios and how to handle them.
The end result is an agreed-on scope and set of parameters of the test, and a short document granting the pentesters permission to access a facility as well as contact numbers for clued-in members of the customer's company, should any trouble kick off.
"You have a handful of people who are there to mitigate any potential pear-shapedness that might happen," Tentler explained. "You would have a letter to hand over and say 'Before you call the police, call these numbers'."
The problem, Tentler says, is that pentests are, by nature, secretive. In order to best assess the security of a facility, staff onsite should not have any idea that a test is happening, and the red team should be able to act just as a real attacker would.
Get your excuses lined up first
The key, said Tentler, is making sure there is a clear chain of people to connect the on-site operation with those who arranged for the test to be carried out. When there is a break in that chain, the test can go off the rails.
Such appears to be the case with Coalfire. Reports indicate that while the US state of Iowa had requested the pentest of its court system's IT infrastructure and facilities, and agreed to the parameters with Coalfire, the cops in Dallas County were not notified. Thus, when an intruder alarm tripped at a courthouse after Demercurio and Wynn managed to slip in at night, the police arrived and believed an illegal break-in had occurred.
Politics appear to have played a significant role. The Des Moines Register notes the Iowa state judiciary and the county sheriffs are in a power struggle unrelated to the test, and the bitterness seems to have contributed to the decision to cuff and charge the pair.
Essentially, even though Demercurio and Wynn had documentation on them at the time that showed they were carrying out an official pentest, and the cops were able to verify this was the case with a phone call, the county sheriff went ahead and booked them anyway.
"I advised [Demercurio and Wynn] that this [courthouse] belonged to the taxpayers of Dallas county and the state had no authority to authorize a break-in of this building," sheriff Chad Leonard explained after the kerfuffle in an email obtained by journalists.
Former pentester Casey Ellis – now founder of bug-bounty organizer Bugcrowd and co-founder of infosec research standardization effort Disclose.io – noted that in many ways the situation Demercurio and Wynn find themselves in mirrors that of white hat researchers who run into trouble when trying to report software vulnerabilities to companies.
"We have seen analogues in vulnerability disclosures and bug bounties. It has sometimes been researchers going out of scope and program, other times it is people on the receiving end getting scared by what was found," Ellis told The Register.
"There were probably people in the mix who did not get what was going on that took it as a threat and acted as they should."
In any case, communication is vital for keeping pentesters safe and out of jail, particularly as getting caught is a major part of any penetration test.
Tentler said that, ideally, on-site staff should be able to collar the red team at some point. When things go right, the situation is quickly deescalated and, more often than not, everyone goes home on good terms with lessons learned.
"Every time I have gotten caught I have never once left in cuffs, I have never been arrested," Tentler said. "You have them show up and shake hands with the guys, you show them the tools. If it is handled appropriately you end up making friends with the cops at the end."
Ultimately, Coalfire's crisis was seemingly caused by a breakdown in communication between Iowa state officials and county authorities, resulting in two infosec pros being treated as political hot potatoes. Red teams and their clients would be wise to remember this when setting up their own tests.
Both Tentler and Ellis agree that the key to avoiding these situations is to have clear communication, clear guidelines, and clear plans for what to do in any scenario.
This, it seems, is the key to keeping everyone safe.