Penetration Testers Arrested During Authorized Security Assessment



In a recent incident in Malta, two cybersecurity professionals from Threat Spike Labs were arrested by armed police during an authorized physical penetration test at a corporate office. Despite possessing authorization documents signed by the client's general manager, the testers were detained, highlighting significant issues in communication and coordination during security assessments.

The Incident: Authorized Test Leads to Arrest

The penetration testers, Curt Hems and his colleague, were engaged in a "black team" operation aimed at evaluating the physical and operational security of the client's premises. Over a two-hour period, they successfully bypassed security controls, accessed restricted areas, and gathered sensitive information, including passwords. However, their activities prompted the general manager to panic and contact law enforcement, mistakenly believing a real attack was in progress. Despite presenting their authorization letter, the testers were detained by armed police officers.

Lessons Learned: Importance of Clear Communication

This incident underscores the critical need for clear communication and coordination between all parties involved in penetration testing engagements. Organizations should ensure that management, security teams, and local authorities are fully informed about scheduled tests to prevent misunderstandings. Comprehensive authorization protocols and incident response procedures must be established and communicated to all relevant stakeholders to avoid such situations.

Industry Implications: Reevaluating Penetration Testing Practices

The arrest of authorized penetration testers is not unprecedented. Similar incidents have occurred, such as the 2019 arrest of Coalfire's Gary De Mercurio and Justin Wynn during a courthouse penetration test in Iowa. These events highlight the necessity for the cybersecurity industry to reevaluate and strengthen protocols surrounding penetration testing, particularly in terms of legal authorizations and communications with law enforcement.

In conclusion, while penetration testing is essential for identifying security vulnerabilities, this incident emphasizes the importance of meticulous planning, clear communication, and comprehensive authorization to ensure the safety and effectiveness of such operations.
