Originally published at: https://boingboing.net/2019/09/13/omission-commission.html
…
This is at the heart of my consulting work - physical and operational security, and how it’s breached. I make sure that my fee proposals state what I’ll be covering and what’s specifically excluded.
People are always amazed at how vulnerable their facilities are. I don’t need to breach their networks; I’ll just take the servers.
First, pick a better day to schedule the “Physical Penetration…” part of the test…(and if you can’t, definitely don’t use anything in flight to “breach the perimeter”)
Ok, a little light B&E, but just how loosely are we defining “what it takes?”
Obviously the state officials fucked up by not informing the county and law enforcement, BUT how on earth does Coalfire not have as part of its standard procedures a requirement that the actual building operators and security have notice and give sign-off? Seems to be asking for one of their employees to be shot, doesn’t it?
Isn’t it exactly these unanticipated efforts that pen testing is supposed to exploit?
My guess in this is that this sort of work is in very high demand right now and that in order to stay on top of it they probably did not cross the i’s and dot the T’s. There is also a reticence on the part of these contractors to discuss methods and/or results outside the need-to-know crowd.
You are welcome to attempt that with Boing Boing, but you will be disappointed.
Seems to me you’re not going to get an accurate assessment if you’ve tipped off security that you’re doing a test.
I’d imagine that would be relatively cold comfort if/when a jumpy security guard or deputy pulls a gun and things escalate faster than the tester can explain. I’d be curious if Coalfire’s insurer would have something to say about updating their best practices.
I was thinking the same thing. Seems like you could notify upper management (that hired the tests) and local law enforcement but not the actual onsite security as a happy middle ground.
Are they being paid overtime while in prison?
They should have been reading BB. Then they’d know how this goes:
Is this where you reveal that you’re a wereorenwolf who defends the BBS servers in a secret dungeon under a mountain?
“But it’s airgapped. It’s fully secure!”
“Except for the fact that you used a high-school locker level padlock on the back door. The literal back door.”
People always underestimate the importance of physical security. More breaches come from stolen laptops than remote hax0rs.
I hope this company has a good contract and these guys get out of jail, soon. Good on the arrest (security worked there), not so much on the “Yes, we’ve confirmed they were employed by us for this purpose, so we’re still going to hold them.”
There’s so much to unpack here. Being one of the first companies in infosec to offer these types of full-scope services, there are a ton of learning lessons along the way. I assume there are multiple factors that led to this response. A combination of sales and hand-over issues, project scoping requirements, the point of contact likely biting off more than they were actually able to be responsible for, the testers not being as prepared as they should be, the communication paths not being in place to understand what should happen when things go wrong, and a number of training or eagerness issues on the identifying officer’s or guards’ case. Like anything, that says a lot of levels, but one of the things that concerns me the most is that these engineers sat in a jail cell. I would think that Coalfire would treat their engineers with more respect than that. Needless to say the fingers of blame point in many directions, but it’s unfortunate to see events like this go down. I am quite glad that they did not go down other ways, as many of these areas have armed guards and could have caused a lot more trouble than a few nights in jail. Moral of the story is to always be prepared; that starts at the beginning of the process when talking and scoping with a client, all the way to the execution of the job. Any lack of planning, preparing, or communication in between can land you in a jail cell or sometimes with a hole in you.
Back in the late 90’s when I worked at a cable company, we had a ‘Manager of Digital Penetration’ and it took a few months for the head sales office to come to their senses and change the job title.
There are conflicting accounts, but supposedly Richard Marcinko hijacked a nuclear submarine while testing the readiness of the US military.
That is a silly title for such an important job. It should have some military bearing…something like Rear Admiral of Digital Penetration would be a lot better.
My first dev job after college was for a company owned by a couple that ended up being grifters of a sort. Every promise of money to one person was backed by a promise of money to another person. It was a house of cards where the cards are all lies. I quit the obvious shit show after my first month.
One day we were all working away when the network went down. I walked to the main hallway to the server room to see what the issue was when an older guy walked by followed by 3 linebacker-sized guys, each carrying one of our infrastructure servers. I stepped aside before they plowed through me.
It ended up they were from the company that leased the servers to the couple and they were sick of not being paid and decided the best course was to just walk in and take them back. They would have gotten away with it (because no one was telling those big dudes to stop) except they had called the police ahead of time and the police said they had to follow the laws about how to repossess unpaid-for leased equipment.
After that day all the doors had to remain locked.
Fun fact:
The lock on the server room door of a company that I used to work for remained broken for two years straight.
It always blew my mind how very nonchalant HR/admin was about it.