Two security specialists who performed a physical break-in on the US courthouse that hired their company for a penetration test have claimed that their break-in was part of their assessment of security.
Dallas’ State Court Administration (SCA) is reported to have hired security company Coalfire Labs to conduct testing of the security of the court’s electronic records at the Dallas County Courthouse in the town of Adel, around 20 miles west of Des Moines.
The police were called to the courthouse just after midnight on the 11 September where two men, who had been seen walking around on the third floor, came to the door to meet the police. When the two men, named as Justin Wynn and Gary Demercurio came to the door they were allegedly carrying multiple burglary tools, and allegedly claimed that they had been ‘contracted’ to break into the building and to check courthouse alarm system, and how responsive the police were. The two men were promptly arrested, jailed and released on a $50,000 bond.
It has been reported that, at the time, Dallas County claimed to have no knowledge of the security company or their plans, but Iowa’s State Court Administration did later release a statement confirming that it hired the company Coalfire Labs to test the security of the court’s electronic records.
The State Court Administration did, however say that, although it has asked the company to attempt unauthorised access to court records through various means to learn of any potential vulnerabilities, it didn’t intend or expect those means to include forced entry to the building, an act that it couldn’t not condone (certainly for cyber testing!).
Would A Physical Break-In Be Part of a Pen Test?
Some tech commentators have speculated that some cybercrimes require the criminal to be physically close to target devices, which would, therefore, require companies and organisations to perhaps consider investing in physical defences as well as cyber defences.
Coalfire Labs, the global company that was hired to carry out pen testing assessment, and is reported to have carried out hundreds of assessments for government agencies in the past, has been unable to comment on this particular case due to the confidential nature of its work, security and privacy laws, and the fact that a legal case is active.
One thing that may not be good news for the two penetration testers is that there have been reports that a break-in at the Polk County Historic Courthouse in nearby Polk County on 9 Sept was apparently similar in nature to the Dallas County Courthouse break-in.
What Does This Mean For Your Business?
Physical security is, of course, an important part of protecting the whole business, but under GDPR data security should not involve leaving personal data anywhere that it could easily be accessed by unauthorised persons, whether its in a physical or virtual location.
Penetration testing is a legitimate and valuable way for companies and organisations to assess where more work needs to be done to ensure the safety of all digital data and information that they hold, but it is unlikely that many UK businesses would consider a physical break-in to be a legitimate part of what is usually and electronic-based assessment. It remains to be seen what happens in the US court case.