It was around 12:30 a.m. on Watch Fast & Furious 8 OnlineWednesday morning, and Justin Wynn and Gary Demercurio were in a bit of a tight spot. Specifically, the two were being arrested on the third floor of Iowa's Dallas County courthouse.
But Wynn and Demercurio weren't there to steal the only evidence linking them to some unnamed crime. Rather, reports the Des Moines Register, the two had been hired by the state court administration to attempt to obtain "unauthorized access" to court documents using "various means."
The two men work as physical penetration testers, or pentesters, for the cybersecurity company Coalfire and were simply doing their job. Unfortunately, that message somehow got lost in translation.
You May Also Like
Specifically, the Registerreports that the state court administration now claims it "did not intend, or anticipate, those [security testing] efforts to include the forced entry into a building."
What is and is not off limits — something typically referred to as in or out of scope — during both digital and physical pentests is often a hot-button issue. That the scope of an engagement is often carefully negotiated ahead of time makes sense. After all, you wouldn't want the security company you hired to test your payroll system kidnapping your CEO and demanding he hand over the digital keys.
Coalfire's website includes a detailed penetration testing section, enumerating the various services offered by the company and detailing what a pentest entails.
"Throughout the engagement, we provide ongoing status reports, immediate identification of critical risks, and knowledge transfer to your technical team," reads the company's site. "At the end of the process, we ensure you have a complete understanding of the exploitable vulnerabilities in your environment and recommended remediation strategies."
Physical penetration is a common practice, and is not outside of the industry norm. One such pentester, who goes by Jek Hyde on Twitter, often details her various escapades online with the permission of the targeted client (her Twitter account is worth a follow).
SEE ALSO: The hackers getting paid to keep the internet safe
All of this seemed to be lost on the local law enforcement, however. Both Wynn and Demercurio have been charged with possession of burglary tools and third-degree burglary. A $50,000 bond adds injury to the insult of being caught on the job.
But hey, at least the Dallas County courthouse now knows that its alarm system works.
Topics Cybersecurity
