GuidePoint stands with Coalfire
A Message of Support
As you’ve likely heard by now, on September 11th, two Coalfire penetration testers were arrested and charged with felony burglary while performing a physical penetration test against the Dallas County Courthouse in Iowa. The two penetration testers were conducting the assessment at the request of, and under contract from, the Iowa State Judicial Branch. In fact, the reason that they were arrested is because they purposely triggered an alarm in order to test law enforcement’s response after they successfully evaded detection during the test. Now, these two professionals who were doing exactly what they were hired and authorized to do are embroiled in a legal chest-thumping battle between the state and county governments.
Penetration testing of all varieties is commonly performed by organizations to identify weaknesses and vulnerabilities in systems and facilities so that the organization can mitigate the risk of these weaknesses being exploited by criminals. This type of assessment is widely considered industry best practice to validate that security controls are working as designed.
The nature of this work dictates that there be a minimal amount of people privy to the testing in order to maintain its objectivity. Because of this, it’s extremely common for those responsible for the security of these facilities to get personally offended and sometimes vindictive towards the consultants performing the testing when security controls are bypassed. It would be a dreadful shame if this sort of testing is ultimately crippled because someone’s feelings got hurt.
If charges are not dropped and records expunged, it sets an exceptionally dangerous precedent for professionals that do this legitimately. We have performed this sort of work in hundreds of different locations across the country, many places in consecutive years. Now, I lead teams who regularly perform these assessments with the utmost care and pro-active communication. I can attest to its effectiveness in improving the security posture of many organizations. The assessments are critically important not only to the government as in this scenario, but also to other industries that routinely handle arguably the most important data a human can have, such as financial and health care data, and also routinely fail to have the appropriate safeguards in place to protect this data.
While this is obviously a nightmare for the two Coalfire team members, the implications are much farther reaching. Even beyond the threat to my (our) career, this is one more area that is terrifyingly easy to exploit that our global adversaries will use to their advantage. Without the ability to legitimately help people improve in this area, it’s only going to make attacks against our critical infrastructure that much more likely and damaging.
GuidePoint proudly stands by Coalfire and will be submitting a letter to both the state of Iowa and Dallas County to drop the charges against these professionals immediately. Additional information on the case can be found via CoalFire’s press release.
About GuidePoint
GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.
Contributing Authors
Bryan Orme, Principal and Partner – GuidePoint Security
Victor Wieczorek, Practice Director, Threat & Attack Simulation at GuidePoint Security
Ed Dunnahoe, Senior Managing Security Consultant, GuidePoint Security