United We Stand: Support for Coalfire Consultants and the Information Security Community
Recent events have broad implications for penetration testing, and they risk leaving organizations more exposed to real criminals.
By: Jake Dorval
As we often say, the information security field is small, scary small. Every time you go to a trade show, conference, or a similar event, you are likely to run into someone you know. It is one of the things we information security professionals love: reuniting with friends, colleagues, mentors, notable personnel, unicorns, whoever, and catching up on the security topics we are all passionate about.
Recent news regarding our peer, Coalfire, and two of its consultants, Justin Wynn and Gary DeMercurio, should raise concerns across the security industry. Justin and Gary are part of a penetration testing team contracted by the Iowa State Judicial Branch. They were authorized to perform a physical penetration testing engagement and unfortunately were caught in the middle of what appears to be a political dispute between the state and the county. Despite their authorization to conduct the test, both consultants were arrested and charged with felony burglary in the third degree and possession of burglary tools. This week those charges were reduced to criminal trespass, but as security consultants ourselves, we believe the charges should be dropped altogether. These two security professionals were hired to perform this specific job and regularly conduct such tests for clients around the world. They are not criminals; on the contrary, by performing this function they help organizations secure their operations against real security threats. Coalfire's CEO, Tom McAndrew, released a public statement on the topic that embodies our thoughts, and it was important for us as peers to reiterate the importance of penetration testing in thwarting criminals. You can read his statement here.
Here at the Secureworks® Adversary Group (SwAG), this is personal for us. Not only does our team perform similar engagements for clients worldwide, but in this very small security community our team personally knows these two consultants and their pristine reputation as law-abiding security professionals. Penetration testers following this story cannot help but be concerned about their next engagement. If we can be arrested for conducting a sanctioned job, how can this function continue?
As a security community, we need to speak up and show our support for these consultants and for the value security testing provides. That value depends on the authorization agreed with the client being honored, so that it never puts the security professionals performing the work in legal jeopardy. Engaging organizations like Secureworks, Coalfire, TrustedSec, and others for exactly this kind of engagement is critical to helping organizations understand their security posture and address any weaknesses they may have. The Secureworks Adversary Group performs these engagements, and many others, every week for thousands of clients to help them understand their weaknesses and give them visibility into what is needed to protect themselves from a true adversary.
These events concern all of us at Secureworks, and we would like to stand proudly next to Tom McAndrew and Dave Kennedy as they both demonstrated their passion and support for having the charges against Justin and Gary dropped. This is something that could have happened to any one of us, and if any of us are to conduct these tests comfortably moving forward, we must stand together and support dropping all charges against these two practitioners performing the job they were hired to do.