Iowa drops charges against security pros arrested for courthouse penetration testing
A win for the security industry
By Cohen Coberly
In context: Security professionals, particularly penetration experts, have a pretty tough job. Government organizations and corporations will hire these individuals to look for physical vulnerabilities and security loopholes in their operations. Much like the disclosure of serious software flaws, the end goal of this process is to improve security overall. To perform this task, security pros often need to think like a savvy criminal, which is easier said than done.
However, in November of last year, two employees working for security company Coalfire might have done their job a little too well. They were hired by Iowa state officials to conduct penetration tests at the Dallas County Courthouse. After they arrived on the scene, they entered the building and intentionally set off the alarm to see how fast law enforcement officers would come -- standard practice for security experts.
Things went smoothly at first. Deputy sheriffs pulled up to the courthouse and quickly understood the situation. They reportedly checked the Coalfire employees' contract papers and said they were "good to go." However, once the local sheriff arrived, things took a turn for the worse.
He arrested the workers and charged them with felony burglary, stating that Coalfire's original client (the Iowa State Court Administration) did not have the legal right to authorize penetration testing at the Dallas County Courthouse.
Fortunately, Dallas County's prosecuting attorney has decided to drop the charges, effectively wiping the slate clean for the two Coalfire employees involved in the debacle: Gary DeMercurio and Justin Wynn.
"We are pleased that all charges are dropped in the Iowa incident," Coalfire CEO Tom McAndrew said in a statement. "With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement."
It's unfortunate that this situation occurred in the first place -- innocent security pros shouldn't be punished for merely doing their job -- but we're glad to see that the matter has been resolved now.