What’s supposed to happen when penetration testers get caught? Not this. It was a normal Wednesday night at the Dallas County Courthouse in Adel, Iowa on Sept. 11, 2019. Nothing seemed to be amiss. Except, of course, for the two men who had broken into the courthouse and were now walking around the building.
The two men, penetration testers working for Colorado-based cybersecurity firm Coalfire, had apparently tripped an alarm system in the building. Police showed up at around 12:30 a.m. and found them on the third floor, according to local media reports.
The men told authorities that they were contracted by Iowa’s Judicial Branch to test the security of the courthouse. The pen-testers also physically entered the Polk County Courthouse just a few days earlier. But the most interesting part about this story is undoubtedly what transpired in the month after the two pen-testers were caught.
Confusion over pen-tests
When Dallas County Sheriff Chad Leonard was investigating the break-in, he was contacted by a state official who told him to release the pen-testers. He refused. He also claimed that he had no prior knowledge of the pen-test.
Subsequent investigations by third parties also questioned whether the state even had the authority to contract physical tests of county courthouses.
Questions about whether the pen-testers were within their scope also remain. While state officials claim that they didn’t know after-hours assessments were included in the contract, a judicial branch information security officer did agree to after-hours testing.
The state court administration had also contracted Coalfire in the past — and “welcomed the opportunity to work with them again.”
Copies of the contract were also released by the Judicial Branch. It appeared to authorize physical access attempts, but was vague on whether or not after-hours break-ins were within scope. The contract didn’t specifically mention or forbid it.
Throughout the entire process, there also appeared to be a distinct lack of knowledge about information security — and even the existence of physical penetration tests — among local and state authorities.
What the Judicial Branch is doing
Suffice it to say, it’s a jurisdictional mess. But, arguably, it’s the way the state has apparently chosen to deal with the fallout that may end up being the real problem.
After an independent investigation carried out by an international law firm, Faegre Baker Daniels, the Iowa Supreme Court has issued new policies regarding security testing for courthouses.
The new rules state that all information security contracts, and presumably all pen-tests, will now be subject to legal review. They also stipulate that local law enforcement and security personnel be consulted before any tests are actually carried out.
Notably, it also bans entry into courthouses outside of business hours and completely bars testers from performing any sort of physical break-in.
All of this is, apparently, a move to patch up an incident that Iowa Supreme Court Justice Mark Cady said damaged “public trust and confidence in the court system.”
A tricky precedent
Here’s the problem: Iowa’s new policies regarding information security contracts are likely going to make the state’s court system less secure, not more.
Penetration tests and Red Team assessments are essential parts of analyzing and securing a system. The entire point of a Red Team assessment is to simulate a real-world attacker. If testers are barred from the basic methods and tools an attacker might use, future tests may be less effective.
To put it another way, bad guys are not going to stop at the front door because it’s locked and the courthouse is closed.
Pen-tests and Red Team assessments should be carried out responsibly, of course. There are some real questions about jurisdiction and scope in this story. It’s the responsibility of both the contracting entity and contractor to figure out these questions ahead of time.
But snarling a Red Team’s ability to thoroughly test a security system is not going to make anyone’s court records safer. Not only that, but it’s safe to assume that many pen-testers and security firms will think twice about carrying out assessments in Iowa now.
And if other government bodies and private companies follow Iowa’s lead, it may lead to a dangerous precedent that’ll make a lot of systems less secure going forward.
There's also another issue here: ignorance about information security strategies in general. It seems that various authorities and government bodies throughout this story were actually completely unaware of penetration testers and what they do.
Part of the responsibility of contracting these tests is to understand what you're getting into. Education about information security, penetration tests, and the scope of what a Red Team assessment might entail is absolutely essential. The same goes for anyone investigating the crimes.
If lawmakers and other officials actually had some background knowledge about pen-testers, they wouldn't liken the work of security personnel to people who "commit crimes."
Don’t punish the pen-testers
The two pen-testers remain charged with third-degree burglary and possession of burglary tools, but no date is set for their next court appearance.
While there were certainly questions of scope and confusion over physical break-ins, Coalfire’s pen-testers should not be punished for mistakes made by the Judicial Branch in understanding the contract they had agreed on.
The pen-testers are being charged with burglary, but they aren’t burglars. By Iowa state law, burglary is entering a building with the intention to commit crimes.
These pen-testers were clearly employees of a cybersecurity company contracted by the state. They weren’t there to do anything other than to test the security of the system and find vulnerabilities. In other words, they were not burglars.
The burden of responsibility shouldn’t fall solely on them — and it’s up to both the state and the Dallas County Sheriff’s Department to make this right.