GuidePoint stands with Coalfire
Posted by: Bryan Orme
A Message of Support
As you’ve likely heard by now, on September 11th, two Coalfire penetration testers were arrested and charged with felony burglary while performing a physical penetration test against the Dallas County Courthouse in Iowa. The two penetration testers were conducting the assessment at the request of, and under contract from, the Iowa State Judicial Branch. In fact, the reason they were arrested is that they purposely triggered an alarm in order to test law enforcement’s response after they had successfully evaded detection during the test. Now, these two professionals, who were doing exactly what they were hired and authorized to do, are embroiled in a legal chest-thumping battle between the state and county governments.
Penetration testing of all varieties is commonly performed by organizations to identify weaknesses and vulnerabilities in systems and facilities so that the organization can mitigate the risk of these weaknesses being exploited by criminals. This type of assessment is widely considered industry best practice to validate that security controls are working as designed.
The nature of this work dictates that a minimal number of people be privy to the testing in order to maintain its objectivity. Because of this, it’s extremely common for those responsible for the security of these facilities to get personally offended, and sometimes vindictive, towards the consultants performing the testing when security controls are bypassed. It would be a dreadful shame if this sort of testing were ultimately crippled because someone’s feelings got hurt.
If charges are not dropped and records expunged, it sets an exceptionally dangerous precedent for professionals who do this legitimately. We have performed this sort of work in hundreds of different locations across the country, many places in consecutive years. Now, I lead teams who regularly perform these assessments with the utmost care and proactive communication. I can attest to its effectiveness in improving the security posture of many organizations. The assessments are critically important not only to the government, as in this scenario, but also to other industries that routinely handle arguably the most important data a human can have, such as financial and health care data, and that also routinely fail to have the appropriate safeguards in place to protect this data.
While this is obviously a nightmare for the two Coalfire team members, the implications are much farther-reaching. Even beyond the threat to my (our) career, this is one more area that is terrifyingly easy to exploit and that our global adversaries will use to their advantage. Without the ability to legitimately help people improve in this area, attacks against our critical infrastructure will only become that much more likely and damaging.
GuidePoint proudly stands by Coalfire and will be submitting a letter to both the state of Iowa and Dallas County to drop the charges against these professionals immediately. Additional information on the case can be found via Coalfire’s press release.
About GuidePoint
GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.
Contributing Authors
Bryan Orme, Principal and Partner – GuidePoint Security
Victor Wieczorek, Practice Director, Threat & Attack Simulation at GuidePoint Security
Ed Dunnahoe, Senior Managing Security Consultant, GuidePoint Security
Bryan Orme, Principal & Partner, GuidePoint Security
Bryan Orme leads the information assurance consulting organization, which includes application security, cloud security, governance, risk, and compliance services, threat and attack simulation, and incident response and forensics. Additionally, Bryan leads the internal IT and information security teams as well as the project management office and services operations. Bryan also serves on the Board of Directors of deepwatch, a next-generation managed security services provider. Since 2001, his primary focus has been on designing and implementing comprehensive information security programs and assisting clients with building business-aligned programs to mitigate risks associated with today’s increasingly sophisticated array of threats. Bryan has an extensive background in multiple disciplines within information security, including security program strategy, application security, penetration testing, PCI DSS, incident response and forensics, and vendor management.
Prior to joining GuidePoint, Bryan was the Director of Information Security for Capital One. His accomplishments there included building and leading the application security, third-party management and PCI DSS programs. He is a frequent speaker at industry conferences including OWASP, SecureWorld, HP Protect, ISSA, ISACA and HIMSS on a wide array of information security topics. Bryan also served as a member of multiple special interest groups of the PCI Security Standards Council.
He earned a bachelor’s degree from James Madison University and an MBA from the Robert H. Smith School of Business at the University of Maryland. Bryan holds QSA, CISSP and CISM certifications.