Mergers and acquisitions: Building up security after an M&A

This tip is part of SearchSecurity.com's Corporate Mergers and Acquisitions Security Learning Guide.

Have you checked out recent business headlines? Mergers and acquisitions have been occurring frequently and often unexpectedly -- especially in the information security market -- and many infosec pros are faced with the daunting task of melding two disparate companies into one. But if the integration process isn't handled properly, it can have serious effects on an organization's security posture, even making the combined companies less secure than before.

When an organization finds itself in the headlines -- for any reason, including a merger or acquisition -- it often becomes a target for vulnerability scans, phishing attempts and other malicious activity. M&A activity can also encourage thr...

BROWSE BY TAG Threat Monitor,   Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions,   Information Security Management,   Information Security Policies, Procedures and Guidelines,   Security Awareness Training and Internal Threats,   Business Management: Security Support and Executive Communications,   VIEW ALL TAGS

RELATED CONTENT Threat Monitor Server Message Block Version 2 security in question: Disable or patch? Preparing for future security threats, evolving malware Best practices for (small) botnets Cut down on calls to help desk with cybersecurity awareness training How to detect software tampering How to prevent phishing attacks with social engineering tests An enterprise strategy for Web application security threats How SSL-encrypted Web connections are intercepted How a corporate Twitter policy can combat social network threats Cyberwarfare and the enterprise: Is the threat real? Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions Database activity monitoring lacks security lift IBM to acquire database security firm Guardium Cost of security, IT management add up at healthcare facilities, study finds Part 2: Marcus Ranum on the state of information security Part 4: Marcus Ranum on the state of information security M86 buys Web security gateway vendor Finjan McAfee survey finds faults in midmarket enterprise security Cisco acquires SaaS security vendor ScanSafe Email archiving vendor sues Gartner over Magic Quadrant Analyst calls Barracuda-Purewire deal proof of cloud dominance Information Security Policies, Procedures and Guidelines Schneier-Ranum face-off part 6: Audience questions Editor's Desk: Apathy and the Cybersecurity Coordinator Writing security policies using a taxonomy-based approach How to detect and respond to money laundering Health Net breach failure of security policy, technology How to protect distributed information flows Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary snake oil  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

eats from within, as nervous insiders may fear how a consolidation might affect their job security. As a result, some may start hording valuable information from the network. All this contributes to the challenge facing a security team as it figures out the politics of the merger and how to best protect the company.

Companies going through a merger should keep the following security issues in mind and plan accordingly.

Align information security policies -- Merging organizations almost always have serious disparities in their information security policies. During the merger planning process, these policies must be reviewed and combined. This process can be tricky if each side is wedded to its own guidelines. Work with upper management to pick a single leader who can ultimately decide the touchy political issues. It's likely that one organization will have a more thorough policy than the other, so when it's time to make the tough decisions, it's important to make choices that improve security.

Once policies are aligned, perform a gap analysis, assessing both organizations against the new policy. Generate a roadmap that states which procedural and technological changes will be needed for both companies to comply.

Tweaks to policies and technologies can take time. It's important to start the policy alignment and assessment work as early as possible, perhaps even before the merger announcement is made. Unfortunately, most infosec pros hear about their own company's merger by reading the press release, so pre-planning before an announcement is usually impossible.

During the policy-alignment process, there are some technical areas that must be addressed immediately to shore up an organization and prepare it for attacks because as soon as the merger process begins, an organization could be vulnerable.

Understand the network architecture -- For starters, try to get network architecture diagrams that show Internet and business partner connections for both organizations. Ensure both companies are capable of monitoring their DMZs and vital internal networks, specifically with intrusion detection system (IDS) sensors. While the merger occurs, deploy additional sensors in both companies to look for evidence of compromise. Tune them to look for the most likely attacks, focusing on Windows issues, Web application attacks or other types of threats common to a given environment. Assign information security personnel and system administrators from both companies to analyze the IDS alerts to determine if systems have been compromised.

Decide on wireless LAN deployment -- If one organization relies heavily on Wi-Fi but the other does not, there may be a significant difference in their vulnerability profiles. Rather than ripping wireless out of the organization whose culture may have grown accustomed to having it, check the security settings of their wireless infrastructure. If it lacks encryption or has weak authentication, consider strengthening it with improved technology, such as WPA2.

Make a decision on USBs -- To lower internal data security breaches and other insider threats, companies may choose to disable USB devices on laptops. Before choosing this route though, it's important to consider the political and functional ramifications of such a move.

Keep malware under control -- Make sure that both organizations have up-to-date antivirus and antispyware signatures deployed. Also, to minimize the chance of system compromise, make sure that both organizations' systems are up to date on critical patches.

Educate employees -- Consider employee information security awareness during this vital time. After information security policies are integrated, a full-blown awareness program should follow. Even before the policy is completed, merged companies should consider rolling out a short, focused awareness initiative on the dangers of targeted phishing. Desk-to-desk fliers, table tents in the cafeteria, along with some informative emails can all be used effectively to warn employees that they should not trust every link and that they should always verify the apparent source of email addresses. It's also important to tell workers that they should never run an executable email attachment, even if it is included in a ZIP file.

Monitor firewalls and IDS tools -- Once the merger is complete, members of the security team should watch for large amounts of data being transferred outbound across the Internet. Depending on employees' "normal" Internet usage patterns, companies may want to set up a scan for any FTP or HTTP transfer of a file greater than a certain amount, such as 100 MB or 1 GB. Any violation could be a sign of big-time data exfiltration. Monitor Web proxy logs as well to determine if attack tools are being downloaded and used inside either company.

So, in the end, to avoid information security threats during a merger, companies should have two main goals:

1. A long-term alignment of policies, procedures and technology
2. An augmented policy supported by a series of quick-hit technical defenses.

Successful execution of this two-pronged strategy can help merging companies significantly lower their risk exposure.

About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.