And it only took, er, four and a half months for people to see sense
Criminal charges have been dropped against two infosec professionals who were arrested during a sanctioned physical penetration test gone wrong.
On Thursday, the Des Moines Register – no relation – reported that a judge in Dallas County, Iowa, formally dismissed the third-degree burglary and possession of burglary tools allegations against Coalfire employees Gary DeMercurio and Justin Wynn.
Back in September, Coalfire had been hired by the judicial branch of the US state of Iowa to put its IT systems and physical security to the test. As such, DeMercurio and Wynn were tasked with sneaking into one of the state’s courthouses – in Dallas County – at night and accessing the building’s PCs to infiltrate its computer network.
During the attempted break-in, an alarm was tripped, county deputies arrived, and the men were detained. After the Coalfire pair – and Iowa officials in a phone call – explained the situation to the plod, Wynn and DeMercurio were about to be let go and sent on their way.
And that’s when things got stupid.
The Dallas County sheriff rolled up, and in a stunning display of state-versus-county pettiness, overruled the Iowa officials who said the test was allowed, and booked the pair on burglary charges despite it being clear there was no criminal activity. The sheriff was furious that a courthouse in his jurisdiction had been broken into by two guys authorized by the Mid West state’s bureaucrats. The charges were later reduced, and the men were released on bond.
The case, understandably, created a stir among security professionals, and led to a re-examination of security testing contracts and procedures.
Now, with the prosecution agreeing to drop the charges, and the legal red tape and bureaucratic posturing finally wrapped up, Coalfire is trying to be diplomatic about a situation it has every right to be furious over.
“We are pleased that all charges are dropped in the Iowa incident,” CEO Tom McAndrew said in a statement.
“With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement. We’re grateful to the global security community for their support throughout this experience.” ®