Iowa drops charges against security pros arrested for courthouse penetration testing

Polycount

Posts: 3,017   +590
Staff
In context: Security professionals, particularly penetration experts, have a pretty tough job. Government organizations and corporations will hire these individuals to look for physical vulnerabilities and security loopholes in their operations. Much like the disclosure of serious software flaws, the end goal of this process is to improve security overall. To perform this task, security pros often need to think like a savvy criminal, which is easier said than done.

However, in November of last year, two employees working for security company Coalfire might have done their job a little too well. They were hired by Iowa state officials to conduct penetration tests at the Dallas County Courthouse. After they arrived on the scene, they entered the building and intentionally set off the alarm to see how fast law enforcement officers would come -- standard practice for security experts.

Things went smoothly at first. Deputy sheriffs pulled up to the courthouse and quickly understood the situation. They reportedly checked the Coalfire employees' contract papers, and said they were "good to go." However, once the local sheriff arrived, things took a turn for the worst.

He arrested the workers and charged them with felony burglary, stating that Coalfire's original client (the Iowa State Court Administration) did not have the legal right to authorize penetration testing at the Dallas County Courthouse.

Fortunately, Dallas County's prosecuting attorney has decided to drop the charges, effectively wiping the slate clean for the two Coalfire employees involved in the debacle: Gary DeMercurio and Justin Wynn.

"We are pleased that all charges are dropped in the Iowa incident," Coalfire CEO Tom McAndrew said in a statement. "With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement."

It's unfortunate that this situation occurred in the first place -- innocent security pros shouldn't be punished for merely doing their job -- but we're glad to see that the matter has been resolved now.

Permalink to story.

 
Took them long enough. Looks like an apparent pissing contest between the sheriff and the state. Perhaps they need to inform next time prior to testing to be sure everyone's on the same page.
 
That is like saying you are going to rob a bank. But before you do, you are obligated in telling the security guards.
 
You don't have to notify the deputies, but it would have helped to notify the sheriff. Still doesn't make the test invalid.
 
Hot shot like that sheriff, would have certainly told his deputies.
Probably, which is why I called it a pissing contest. At least beforehand they would know what they're dealing with before involving innocents. Or at least notify the attorney office prior which is probably more important anyway.
 
"However, once the local sheriff arrived, things took a turn for the worst." Journalism is a lost art. Why in the world did the person who wrote this article refuse to name the ***** local sheriff? Name them and shame them.
 
Back