Two months after employees of the cybersecurity firm Coalfire were arrested during penetration testing of state and county courthouses, the security community in Iowa gathered in an Adel Public Library community room — just blocks from the Dallas County Courthouse where they were caught.
Awareness Con, organized by Black Hills Information Security, went to the front door of the state’s penetration testing (also known as “pentesting”) conflict, which broke open in September. About three hours into Wednesday’s gathering, organizers, Dallas County community members and security experts received a brief visit from Dallas County Sheriff Chad Leonard himself.
“Without question, that was the highlight,” said organizer and Black Hills Information Security owner John Strand. “He said there were a lot of mistakes that were made both on the state side and the pentesting firm side, but based on the information that he had at the time, with him and his deputies, he felt like he did the right thing by the state, by the county. He was even willing to take some questions from the audience.”
It was about as positive a turn as could be had for the community, after the incident prompted the late Chief Justice Mark Cady to publicly apologize for the Iowa court system’s authorization of pentesting in county courthouses. The charges against Coalfire employees had brought blistering criticism from CEO Tom McAndrew, who called the situation “completely ridiculous.”
“I know that this seems counterintuitive, but [the goal] was to try to de-escalate as much as we could,” Strand said. “[The presenters] are leaders in computer security, and by bringing them in and having them speak, I’m hoping it was actually a calming effect for the security community. This needs to be a nuanced conversation of how we communicate effectively.”
Organizers, 13 presenters and attendees had a lot to cover during the daylong live event and webinar: The Sept. 11 incident was examined in depth by a Faegre Baker Daniels investigative report released Oct. 9, which identified multiple breakdowns in communication, including inconsistent legal agreement documentation.
Notably, the documents were inconsistent in the timing of when Coalfire employees could test: One document specified normal business hours between 6 a.m. and 6 p.m. Mountain time, instead of Iowa’s Central time zone; one document designated “day and evening hours”; and a third did not specify hour limits at all.
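One way to catch the kind of inconsistency described above before anyone goes on site is to encode each document's authorized hours, in the time zone it actually names, and check a planned activity time against all of them at once. The Python below is an added example, not code from Coalfire, the court administration or the investigative report; the document names, the reading of "day and evening hours" as 6 a.m. to 10 p.m. Central, and the timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional
from zoneinfo import ZoneInfo


@dataclass(frozen=True)
class AuthWindow:
    """Hours during which one engagement document authorizes on-site testing."""
    source: str
    tz: Optional[str] = None      # IANA zone the document's hours are written in
    start: Optional[time] = None  # None: the document sets no hour limits at all
    end: Optional[time] = None

    def permits(self, moment: datetime) -> Optional[bool]:
        """True/False if this document speaks to the hour; None if it is silent."""
        if self.start is None or self.end is None or self.tz is None:
            return None
        local = moment.astimezone(ZoneInfo(self.tz)).time()
        if self.start <= self.end:
            return self.start <= local < self.end
        return local >= self.start or local < self.end  # window crosses midnight


def evaluate(windows, moment: datetime) -> dict:
    """Compare every document's verdict for one timestamped activity.
    'authorized' is True only when every document that sets hours permits it;
    'conflict' flags documents that disagree; 'silent' lists those with no limits.
    """
    verdicts = {w.source: w.permits(moment) for w in windows}
    decided = {s: v for s, v in verdicts.items() if v is not None}
    return {
        "authorized": bool(decided) and all(decided.values()),
        "conflict": len(set(decided.values())) > 1,
        "silent": [s for s, v in verdicts.items() if v is None],
        "verdicts": verdicts,
    }


# Constructed documents modelled on the three inconsistencies the report describes.
DOCS = [
    AuthWindow("document A", "America/Denver", time(6), time(18)),   # 6 a.m.-6 p.m. Mountain
    AuthWindow("document B", "America/Chicago", time(6), time(22)),  # assumed reading of "day and evening hours"
    AuthWindow("document C"),                                        # no hour limits specified
]
# Constructed timestamps (the article gives no time for the actual entry).
EARLY_ENTRY = datetime(2019, 9, 11, 6, 30, tzinfo=ZoneInfo("America/Chicago"))
MIDDAY_ENTRY = datetime(2019, 9, 11, 14, 0, tzinfo=ZoneInfo("America/Chicago"))

if __name__ == "__main__":
    for label, when in (("06:30 Central", EARLY_ENTRY), ("14:00 Central", MIDDAY_ENTRY)):
        print(label, evaluate(DOCS, when))
```

At 6:30 a.m. Central the Mountain-time document says no while the Central-time document says yes, so the check reports a conflict rather than a quiet go-ahead; a silent document is always surfaced so someone can get it amended before testing starts.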
The arrest of two security employees by a branch of government separate from the one that hired Coalfire for testing demonstrated inconsistent communication among stakeholders, said presenter Benjamin Wright, a private attorney specializing in data compliance and data security and an instructor at SANS Institute.
“The people who were leading this from the state court administration were technical people, they weren’t legal review. It was not a political review,” Wright said. “Technical people are not often as highly attuned to legal concerns, they’re not as highly attuned to political concerns as other people might be.”
Charges for the two Coalfire pentesters were recently downgraded from third-degree burglary to trespassing; a trial is pending in April 2020.
“Because the fact that people were arrested, the fact that it’s in the media the way it is, there was fundamentally a breakdown of communication. The only way we improve communication for penetration testing is if we have outreach and communication with each other,” Strand said. “This is truly one of those situations where there’s enough blame to go around for various parties, and I don’t think it sets up a situation where anybody wins.”
The “worst possible situation” for Iowa following the arrests is that pentesting firms may refuse to do business in the state, Strand said.
“When we’re talking about firms that do this type of work, there was an extensive conversation about setting up proper scoping, making sure that the targets you’re going to are owned by the organizations that you’re doing testing for,” he added. “I think the way a lot of firms did physical pentesting and set up contacts is very fragile, and I think what happened here is we saw breakage.”
Outside of the community room, Awareness Con had more than 500 viewers log in for the event’s livestream; the full webinar will be hosted at www.awarenesscon.com in about a week.
For Strand, meeting with Leonard briefly convinced him that bringing Awareness Con to Adel was the right decision.
“I asked, ‘How do you want me to introduce you?’ He laughed and he goes, ‘You could just tell people in that room that I’m the bad guy,’” Strand said. “It was all joking, but he knew that he was coming into what could be perceived as hostile territory, and he was still willing to show up. I want to stress that it wasn’t hostile territory, but the fact that he was willing to do that was incredibly impressive to me.
“For me as a firm, I’d still be willing to do business in the state of Iowa. I absolutely would,” he added.