Iowa officials claim confusion over scope led to arrest of pen-testers, Ars Technica

Land of intrusion
Rules of engagement covered courthouse and authorized lock picking.
The Dallas County, Iowa courthouse, the site of a penetration test gone wrong.

In a post to the Iowa Judicial Branch website today, a spokesperson for the state’s court administration released redacted images of the documents associated with the security tests that landed two penetration testers in jail earlier this month. The “rules of engagement” document for the contract shows that the state court administration did request a physical security assessment from the security firm Coalfire. State officials say that Coalfire’s employees interpreted the documents differently than they had. But it would appear that the real problem behind the arrest of Coalfire’s team is a turf war between state and county officials — and whether the state judicial administrators had cleared the security tests with local authorities.

In the post, the Iowa Judicial Branch spokesperson wrote:

Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work… yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement. Together, Coalfire and State Court Administration continue to navigate through this process.

State Court Administration has worked with Coalfire in the past to conduct security testing of its data and welcomed the opportunity to work with them again. Both organizations value the importance of protecting the safety and security of employees as well as the integrity of data.

State Court Administration apologizes to the sheriffs and boards of supervisors of Dallas County and Polk County for the confusion and impact these incidents have caused.

The document showed that the state authorized Coalfire’s team to “perform lock-picking activities to attempt to gain access to locked areas.” But the document also stated the testers should “talk your way into areas” and allowed for “limited physical bypass.”

The rules of engagement also stated that the state authorities would not notify law enforcement of the penetration test.

[Image: A section of the “Rules of Engagement” document for Coalfire’s engagement with the Iowa Judicial Branch.]

There are some areas where confusion may have arisen in the agreements signed to authorize the test. The “Social Engineering Authorization” signed by the Iowa Judicial Branch’s information security officer, chief information officer, and infrastructure manager stated that attempts to gain access to data:

… may include any of the following:

  • Impersonating staff, contractors, or other individuals
  • Providing false pretenses to gain physical access to facilities
  • “Tailgating” employees into facilities
  • Accessing restricted areas of facilities

Tasks that shall not be performed include:

  • Alarm subversion
  • Force-open doors
  • Accessing environments that require Personal Protective Equipment

At 12:30 am on the morning of September 11, penetration testers Justin Wynn and Gary Demercurio were caught with lock picks inside the Dallas County courthouse by Dallas County Sheriff’s Department officers. They presented documents showing they had authorization from the state; the officers contacted the state officials listed on the document, who verified that the test was authorized. But they arrested Wynn and Demercurio anyway and charged them with burglary.

Wynn and Demercurio are free on bail and have waived an initial hearing. They still face charges, despite state officials’ apology to county officials.
