Physical security testers play a unique role in the cybersecurity world. Also called “red teams,” their mission is to see how easy (or difficult) it is to physically penetrate a facility to gain access to computers, data, or footholds for remote access to a network. The overarching purpose of these physical penetration tests (pen tests or red teaming exercises) is to help organizations understand the physical security limitations of their facilities before bad actors demonstrate those limitations to them the hard way.
Pen testing can take the form of a contractor trailing a badged employee into an office due to lax security controls, or maneuvering through a visitor area into a closely protected section of an office. Part scavenger hunt, part escape room, part fire drill, an engagement of this nature stress tests an internal security team so that it can better understand its susceptibility to outside attacks and intrusions. Upon gaining access to physical facilities, operators will typically try to implant a leave-behind device to test the network and to qualify the security team’s ability to detect and deter the lateral movement of rogue devices attached to the client’s networking environment.
When performing pen tests, there is advance coordination between a testing company and internal stakeholders to determine the rules of engagement for such a test. The scope will often include the compromise of physical security assets such as badge-reading systems, CCTV, and even sensitive production environments. Upon completion of the entire exercise, the tester provides a thorough report detailing the access gained and vulnerabilities exploited, as well as recommendations for remediation of any deficiencies.
An Engagement Gone Wrong
Recently, two employees of Coalfire, a Colorado-based cybersecurity firm, were arrested while performing a routine pen test at a courthouse in Dallas County, Iowa, during an engagement with the State Court Administration (SCA). Notably, Coalfire had also performed a pen test of this nature for SCA in 2015. On September 11, 2019, the Coalfire testers were in the process of breaching the courthouse in the course of the engagement when they found a door left propped open. They purposefully closed the door and then attempted to open it again, tripping an alarm in the process. After waiting for local law enforcement to arrive, they were arrested on felony burglary charges and possession of burglary tools and spent the night in jail. The charges were later reduced to criminal trespass but have not yet been dropped. According to CNBC, “there appeared to be a miscommunication between the state, which contracted for the pen test, and the county, which had jurisdiction to monitor security at the courthouse.”
After reading numerous analyses of this event by news sources and talking to security and legal experts, the overwhelming sentiment in the security industry, perhaps best expressed by Coalfire, is that the legal system is taking aim at two security professionals who were just trying to do their jobs. The prosecution of the red teamers is creating a ripple effect of concern among operators, and among the testing firms responsible for insulating them from criminal prosecution in the course of performing their roles. According to Coalfire CEO Tom McAndrew, “This is setting a horrible precedent for the millions of information security professionals who are now wondering if they too may find themselves in jail as criminals simply for doing their job.” There are few in the industry who would contest that sentiment.
What Went Wrong?
The convergence of local law enforcement and state authority led to the arrests. But on the surface, there seemed to be nothing awry with how the project had been set up. After all, Coalfire had a valid contract with the SCA and a permission letter (also known as a “get out of jail free card”) to present to any questioning authorities, instructing them about the nature of the test and the points of contact who gave authorization. Yet the after-hours nature of the test could have contributed to the arrest, along with gaps in communications and contract language between the various parties.
Faegre Baker Daniels LLP, in a report conducted for the Iowa Supreme Court, came to the following conclusions:
- SCA’s lack of experience with and understanding of penetration testing contributed to a misunderstanding between the SCA and Coalfire about the after-hours nature of the testing.
- The contract language was ambiguous.
- SCA did not conduct a legal review of the agreement.
- Whether SCA had legal authority to grant Coalfire after-hours access to the courthouse was unclear.
Given the fact pattern presented in the Coalfire debacle and the understanding that governments and businesses still require pen testing of physical infrastructures, how can cybersecurity firms continue to perform these tests without putting their workers at undue risk? While lessons from the Coalfire case remain unsettled as the legal battle continues, testing companies can take steps to prevent a similar outcome.
- Double down on counsel. If the testing firm does not have in-house legal counsel, find experienced outside counsel to mitigate risk by drafting solid contracts, obtaining clear permissions, and ensuring 24/7 access to company points of contact.
- Transfer risk when possible. Counsel should consider using concepts or actual templates shared by information security consulting firm TrustedSec to build a solid legal foundation for physical security engagements, including a master services agreement, statement of work, and permissions letter that impose penalties and ensure protections in case the engagement goes sideways. Transfer the risk associated with the test by including damages when engagements go south. That will incentivize clients to clear a path for a safe and smooth engagement. In addition, agreements should include clear information on the scope of the test, including what activities are allowed and which are not — such as lock picking, physical damage, social engineering — and how the test may be conducted. The agreement should describe the time period in which the testing will occur, including the hours of the day in which the tests can be conducted. Ensure that whoever signs the agreement has the proper authority to do so, as IT and security officers may not have that authority. Make sure that phone numbers are listed for internal stakeholders who can be contacted to verify the information within the letter.
- Issue thorough notifications. If the building owner is not the party ordering the penetration test, it’s imperative to notify the owner about the nature and reason for the test, the proposed dates, and what actions the testers will undertake to gain entry. Notifications should be in writing. “Paperwork needs to be very clear about what you are doing,” says Tyler Robinson, Managing Director of Network Operations at Nisos (disclosure: I work there). This is a tricky balance, since too much notification can diminish the validity of the test. Robinson suggests requesting that internal stakeholders refrain from notifying the security staff of the actual test date, so as to gain a deeper understanding of the actual response time and reactions of building personnel.
- Communicate clearly with local law enforcement and building security. Prepare local law enforcement and building security staff for the security testing. This may prevent an adverse outcome such as an arrest and may also assist in the case of tests that occur in potentially unsafe neighborhoods at night. Testers have shared stories in which they were informed that building security guards were unarmed, when the opposite was true.
- Collaborate and educate. Err on the side of overcommunicating. Ensure that everyone understands the reasons for the test, the different scenarios that can take place during a physical test, and the end benefits: better protection of the organization, its data, its stakeholders, and its reputation.
The Coalfire case, while gravely concerning and very unfortunate for the parties involved, serves as a valuable wake-up call for pen testers, the security firms that employ them, and the organizations hiring them. Best practices call for retooling the rules of engagement and improving communication among all parties, including law enforcement. With proper preparation, legal assistance, coordination with local law enforcement, and detailed contracts and notifications, pen testers should be able to safely execute their missions of improving companies’ security measures without fear of legal consequences.
Jennifer DeTrani is General Counsel and EVP of Nisos, a technology-enabled cybersecurity firm. She co-founded a secure messaging platform, Wickr, where she served as General Counsel for five years. You can connect with Jennifer on Wickr (dtrain), LinkedIn or by email at dtrain@nisos.com.