When I am speaking or training, and the subject turns to penetration testing, I make certain to explain to the class or audience that nearly everything a pen-tester does violates federal laws. For starters, there is the Computer Fraud and Abuse Act. There are many other computer laws at both the federal and state levels.
Penetration testing takes a vulnerability assessment to the next level, from merely identifying a vulnerability to actually using that vulnerability to break into a computer or network. Often in a pen-test there is a physical security test, as well. This involves physically gaining access to a locked, alarmed, or guarded facility. A pen-tester may use lock picks or other entry bypass devices. The police know this as breaking and entering.
A pair of pen-testers were arrested on September 11 2019. Justin Wynn, of Naples, Florida, and Gary Demercurio, of Seattle, Washington, were charged with third-degree burglary and possession of burglary tools. They were held on $50,000 bond. Their disposition is still up in the air, but the likelihood is they will eventually be released.
What happened? Initially, they triggered an alarm that summoned the police. As the case unfolded, it seemed that the pair may have exceeded the scope of work, which specifically forbade alarm subversion or forcing open doors.
The two documents that a pen-tester should have on their person when performing physical intrusions (break-ins) is the scope of work authorizing the activity, signed by someone at the client (target) organization, and something I call a “get-out-of-jail-free-card,” a letter, again signed by someone in authority at the client, that explains this is in the nature of a contracted security test, and provides some after midnight phone numbers that the police can call to verify the Scope and GOOJFC.
In this specific case, it appears that these two had neither, but a subsequent call to the client, the Iowa Judicial Branch, did not resolve the case. As of this writing (9-20-2019) the two remain in jail.
This story stands as a warning to the rest of us who perform these types of tests. Nearly everything that we do is illegal. Just because it is authorized by the client, it is still illegal activity in the eyes of the police. The exception may be open-source intelligence gathering, which is at the start of a pen-test. I have done tests that were done without advising the IT staff, to better see how well they would deal with a real threat. Of course there was panic, and actions were taken that caused impacts to the business. I have phished using health care enrollment emails that caused the HR department to freak out. Sometimes these sorts of tests can be messy. That is why it is important to write a detailed scope of work and stick to it. Anything else invites lawsuits or worse.
More information:
Share
OCT
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com