Risky business
Physical penetration testing is a worthwhile extension to classical IT network pentests, since most technological controls can be negated by physical access to the IT equipment and storage media. In Iowa, a pentest incident that led to two professional pentesters being jailed and taken to court illustrates the importance of the legalities for such work.
A badly-drafted pentest contract and 'get out of jail free' authorization letter led to genuine differences of opinion about whether the pentesters were or were not acting with due authority when they broke into a court building and were arrested.
With the court case now pending against the pentesters, little errors and omissions, conflicts and doubts in the contract have taken on greater significance than either the pentest firm or its client appreciated, despite both parties appreciating the need for the contract. They thought they were doing the right thing by completing the formalities. Turns out maybe they hadn't.
I hope common sense will prevail and all parties will learn the lessons here, and so should other pentesters and clients. The contract must be air-tight (which includes, by the way, being certain that the client has the legal authority to authorize the testing as stated), and the pentesters must act entirely within the scope and terms as agreed (in doubt, stay out!). Communications around the contract, the scope and nature of work, and the tests themselves, are all crucial, and I will just mention the little matter of ethics, trust and competence.
PS An article about the alleged shortage of pentesters casually mentions:
"The ideal pen tester also exhibits a healthy dose of deviancy. Some people are so bound by the rules of a system that they can’t think beyond it. They can’t fathom the failure modes of a system. Future penetration testers should have a natural inclination toward pushing the boundaries – especially when they are told, in no uncertain terms, not to do so."
Hmm. So pentesters are supposed to go beyond the boundaries in their testing, but remain strictly within the formally contracted scope, terms and conditions. 'Nuff said.
PPS Charges against the duo were dropped ~4 months after the incident.