Module: 01w — Physical Penetration Testing and Red Team Operations: Exact Statute + Case Analysis for Security Researchers
Difficulty: intermediate
Questions
Q1. A penetration test scope-of-work authorizes "physical testing" of a client's headquarters but does not enumerate specific rooms. A tester enters an unlocked server room in an adjacent building the client also owns. Which legal conclusion best applies?
- A) The entry is authorized because the client owns both buildings.
- B) The entry is unauthorized and may constitute criminal trespass and CFAA § 1030(a)(3) exposure because the SOW did not name that location.
- C) The entry is authorized under the spirit of the engagement even without explicit listing.
- D) Verbal confirmation from the client's CISO immediately before entry cures the scope deficiency.
Correct answer: B
Explanation: Courts evaluate whether the specific act at the specific location was authorized, not whether the general category of testing was authorized. Verbal authorization has no legal force, and "physical testing" without a specific location list is legally insufficient to cover entry into unnamed facilities.
Q2. Under 18 U.S.C. § 1030(a)(3), what is the maximum sentence for a second offense involving unauthorized access to a federal government computer?
- A) 1 year
- B) 5 years
- C) 10 years
- D) 20 years
Correct answer: C
Explanation: Section 1030(a)(3) carries a maximum of 1 year for a first offense and 10 years for a second offense. The statute requires no damage and no intent to harm — unauthorized access alone is sufficient.
Q3. 18 U.S.C. § 1036 is most directly relevant to which red team scenario?
- A) A tester who deploys a hardware keylogger on a corporate network.
- B) A tester who impersonates a federal vendor or GSA contractor to gain physical access to U.S. government property.
- C) A tester who tailgates through a private company's lobby using a cloned badge.
- D) A tester who conducts drone reconnaissance over a private data center.
Correct answer: B
Explanation: Section 1036 prohibits entry into "any real property" belonging to the United States by false pretense, fraud, or deceit. It carries up to 10 years for entry into a secure government facility and applies to anyone impersonating a federal vendor or GSA contractor to gain access to government property.
Q4. During an authorized physical engagement, a red team operator deploys a LAN tap. The tap captures VoIP calls between two employees, neither of whom has individually consented to recording. Which statute is most directly implicated for the captured employee-to-employee calls?
- A) 18 U.S.C. § 1030(a)(5) — intentional damage to a protected computer
- B) 18 U.S.C. § 2511 — wiretapping of wire, oral, or electronic communications
- C) 18 U.S.C. § 1343 — wire fraud
- D) 18 U.S.C. § 2701 — Stored Communications Act
Correct answer: B
Explanation: The Wiretap Act (18 U.S.C. § 2511) covers communications intercepted in transit. The consent exception under § 2511(2)(d) does not extend to third-party communications where neither the client nor the tester is a party. Client CTO consent covers company-to-company traffic but not personal employee calls where individual consent was not obtained.
Q5. Under California Penal Code, a red teamer who enters a commercial building intending to steal credentials from a workstation screen could be charged with which offense — more serious than simple trespass — if the intent is evaluated at the moment of entry?
- A) Criminal trespass under § 602(m) — a misdemeanor
- B) Burglary under § 459, which carries 16 months to 3 years for second-degree commercial burglary
- C) Possession of burglary tools under § 466
- D) Identity theft under § 530.5
Correct answer: B
Explanation: California Penal Code § 459 escalates trespass to burglary if the defendant entered a building with intent to commit theft or any felony inside, and the intent is evaluated at the moment of entry. Second-degree commercial burglary carries 16 months to 3 years; first-degree (residential) carries 2–6 years.
Q6. Texas Penal Code § 30.05 makes criminal trespass at a critical infrastructure facility a state jail felony. Which of the following is NOT included in Texas § 30.05(b)(2)(C)'s definition of critical infrastructure?
- A) Water treatment facilities
- B) Electrical utilities
- C) Telecommunications facilities
- D) Public libraries
Correct answer: D
Explanation: Texas § 30.05(b)(2)(C) specifically defines critical infrastructure to include water treatment, electrical utilities, gas, petroleum, and telecommunications. Public libraries are not enumerated. A red team against a utility company in Texas creates state jail felony exposure (180 days to 2 years) even for a first offense.
Q7. In New York, which statute is described as the most directly dangerous for physical pen testers and requires only that the possessor intend to use tools for breaking and entering — not that a specific crime have been planned?
- A) NY Penal Law § 140.10 — Criminal Trespass in the Third Degree
- B) NY Penal Law § 140.20 — Burglary in the Third Degree
- C) NY Penal Law § 140.35 — Possession of Burglar's Tools
- D) NY Penal Law § 140.17 — Criminal Trespass in the First Degree
Correct answer: C
Explanation: New York Penal Law § 140.35 (Class A misdemeanor, up to 1 year) covers possession of tools adapted, designed, or commonly used for breaking into buildings with intent to use. Unlike California, NY's intent standard requires only intent to use for breaking and entering — not a specifically planned crime — making it the most prosecution-friendly burglar's tools statute for pen testers.
Q8. What were the four documented failures that led to criminal charges against Coalfire consultants Gary De Mercurio and Justin Wynn in the 2019 Iowa courthouse arrests, despite their having a signed authorization letter?
- A) The letter was unsigned, they carried picks, they had no photo ID, and the building was federal property.
- B) The letter was signed by ISCA, but the local sheriff's office had not been pre-notified; the emergency contact was unreachable at 1 AM; a jurisdictional dispute arose between state and county; and possession of bypass tools triggered an independent burglary tools charge.
- C) The letter named the wrong tester, the engagement was after hours, they had no insurance, and they refused to show ID.
- D) The letter lacked physical addresses, it was signed by an IT director rather than C-level, they were not FAA certified, and the engagement window had expired.
Correct answer: B
Explanation: The Coalfire case revealed four specific failures: the Linn County Sheriff had not been pre-notified; the ISCA emergency contact was unreachable at 1 AM; the Linn County Attorney disputed whether ISCA had authority to authorize entry to county-operated buildings; and possession of picks and bypass cards triggered an independent burglary tools charge. Charges were eventually dropped after two months and significant legal expense.
Q9. Impersonating a federal officer (e.g., an FBI agent or OSHA inspector) to gain building access during a red team engagement violates 18 U.S.C. § 912 regardless of client authorization. What is the maximum sentence under § 912?
- A) 6 months
- B) 1 year
- C) 3 years
- D) 10 years
Correct answer: C
Explanation: 18 U.S.C. § 912 carries a maximum sentence of 3 years. Client authorization cannot cure § 912 exposure because the statute protects the integrity of federal authority — the target organization has no right to waive a federal officer's identity on behalf of the government. The statute applies regardless of who signed the engagement letter.
Q10. A commercial drone operation in support of a paid security engagement is conducted by an operator without an FAA Part 107 Remote Pilot Certificate. What is the maximum criminal penalty under 49 U.S.C. § 46306 for operating a commercial drone without certification?
- A) A civil warning only; no criminal penalties apply.
- B) $27,500 civil fine with no criminal exposure.
- C) Up to $250,000 in fines plus imprisonment under 49 U.S.C. § 46306.
- D) A misdemeanor with 90 days maximum imprisonment.
Correct answer: C
Explanation: Under 14 C.F.R. Part 107, any commercial use of a drone requires a Remote Pilot Certificate. Operating without Part 107 certification carries civil fines up to $27,500 per violation and criminal penalties of up to $250,000 plus imprisonment under 49 U.S.C. § 46306. Security engagement drone flights are commercial operations regardless of whether they are for a client.