The Beans, Shall We Say, Have Been Spilt: State of Iowa Executes Partial Spillage

Dallas County Iowa Courthouse

Dallas County Iowa Courthouse

This suprisingly frank initial statement regarding the work Coalfire was contracted to perform and regarding the actions to be taken, thereto, follows after the next paragraph split.

Perhaps this entire scenario is indicative of governmental malfeascenace rather than profit-driven overreach by the corporate entity contracted to perform the labor and analysis… You be the judge…

September 18, 2019

State of Iowa State Court Administration Statement on the Coalfire Debacle:

Malicious cyber criminals use all techniques at their disposal—fair or foul—to access valuable data from private and public organizations. Global cybersecurity firms (such as Coalfire) involved in technical testing are professionally contracted to simulate real-world attacks using the same techniques any attacker may use to test the company’s defenses so that they can remedy their vulnerabilities before a real-world attack occurs.

Recently, two penetration testers employed by Coalfire were arrested in the Dallas County Courthouse during a security testing exercise to help the Iowa Judicial Branch ensure the court’s highly sensitive data was secured against attack. Coalfire was working to provide quality client service and a stronger security posture. Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work. Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement. Together, Coalfire and State Court Administration continue to navigate through this process. To that end, the Iowa Judicial Branch and Coalfire will each be conducting independent reviews and releasing the contractual documents executed between both parties.

State Court Administration has worked with Coalfire in the past to conduct security testing of its data and welcomed the opportunity to work with them again. Both organizations value the importance of protecting the safety and security of employees as well as the integrity of data.

State Court Administration apologizes to the sheriffs and boards of supervisors of Dallas County and Polk County for the confusion and impact these incidents have caused.

Links below are to the contract documents with allowable redactions

Requirements and Assumptions
Service Order—Redacted
Rules of Engagement—Redacted
Social Engineering Authorization—Redacted
Master Agreement—Redacted


*** This is a Security Bloggers Network syndicated blog from Infosecurity.US authored by Marc Handelman. Read the original post at: