This tip is part of SearchSecurity.com's Corporate Mergers and Acquisitions Security Learning Guide.
Have you checked out recent business headlines? Mergers
Companies going through a merger should keep the following security issues in mind and plan accordingly.
Align information security policies -- Merging organizations almost always have serious disparities in their information security policies. During the merger planning process, these policies must be reviewed and combined. This process can be tricky if each side is wedded to its own guidelines. Work with upper management to pick a single leader who can ultimately decide the touchy political issues. It's likely that one organization will have a more thorough policy than the other, so when it's time to make the tough decisions, it's important to make choices that improve security.
Once policies are aligned, perform a gap analysis, assessing both organizations against the new policy. Generate a roadmap that states which procedural and technological changes will be needed for both companies to comply.
Tweaks to policies and technologies can take time. It's important to start the policy alignment and assessment work as early as possible, perhaps even before the merger announcement is made. Unfortunately, most infosec pros hear about their own company's merger by reading the press release, so pre-planning before an announcement is usually impossible.
During the policy-alignment process, some technical areas must be addressed immediately to shore up each organization and prepare it for attacks, because an organization could be vulnerable as soon as the merger process begins.
Understand the network architecture -- For starters, try to get network architecture diagrams that show Internet and business partner connections for both organizations. Ensure both companies are capable of monitoring their DMZs and vital internal networks, specifically with intrusion detection system (IDS) sensors. While the merger occurs, deploy additional sensors in both companies to look for evidence of compromise. Tune them to look for the most likely attacks, focusing on Windows issues, Web application attacks or other types of threats common to a given environment. Assign information security personnel and system administrators from both companies to analyze the IDS alerts to determine if systems have been compromised.
Decide on wireless LAN deployment -- If one organization relies heavily on Wi-Fi but the other does not, there may be a significant difference in their vulnerability profiles. Rather than ripping wireless out of the organization whose culture may have grown accustomed to having it, check the security settings of their wireless infrastructure. If it lacks encryption or has weak authentication, consider strengthening it with improved technology, such as WPA2.
Make a decision on USBs -- To reduce internal data security breaches and other insider threats, companies may choose to disable USB devices on laptops. Before choosing this route, though, it's important to consider the political and functional ramifications of such a move.
Educate employees -- Consider employee information security awareness during this vital time. After information security policies are integrated, a full-blown awareness program should follow. Even before the policy is completed, merged companies should consider rolling out a short, focused awareness initiative on the dangers of targeted phishing. Desk-to-desk fliers, table tents in the cafeteria, along with some informative emails can all be used effectively to warn employees that they should not trust every link and that they should always verify the apparent source of email addresses. It's also important to tell workers that they should never run an executable email attachment, even if it is included in a ZIP file.
Monitor firewalls and IDS tools -- Once the merger is complete, members of the security team should watch for large amounts of data being transferred outbound across the Internet. Depending on employees' "normal" Internet usage patterns, companies may want to set up a scan for any FTP or HTTP transfer of a file greater than a certain amount, such as 100 MB or 1 GB. Any violation could be a sign of big-time data exfiltration. Monitor Web proxy logs as well to determine if attack tools are being downloaded and used inside either company.
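The outbound-transfer scan described above, as an added example that is not part of the original article: it flags any single FTP or HTTP transfer over 100 MB and, going one step beyond the text, also totals outbound bytes per internal host so that a large upload split into smaller pieces still crosses the 1 GB mark. The log layout, field names and sample records are constructed for illustration and do not match any particular proxy or firewall product.

```python
from collections import defaultdict

MB = 1024 * 1024
# Thresholds from the article's examples; tune to normal usage patterns.
PER_TRANSFER_LIMIT = 100 * MB   # single FTP/HTTP transfer
PER_HOST_LIMIT = 1024 * MB      # total outbound per internal host (1 GB)

# Constructed sample records in a hypothetical whitespace-separated format:
# epoch  internal_src  protocol  method  destination  bytes_sent_outbound
SAMPLE_LOG = [
    "1181000000 10.1.4.22 HTTP GET www.example.com 1832",
    "1181000100 10.2.9.7 FTP STOR ftp.example.org 209715200",
    "this malformed line is skipped",
    "1181000150 10.1.4.22 SMTP DATA mail.example.com 999999999",
] + [
    # Twelve 90 MB uploads: each under the per-transfer limit, 1080 MB total.
    f"{1181000200 + i} 10.3.1.5 HTTP POST files.example.net {90 * MB}"
    for i in range(12)
]


def find_exfil_candidates(lines, per_transfer=PER_TRANSFER_LIMIT,
                          per_host=PER_HOST_LIMIT):
    """Return (large_transfers, heavy_hosts) for FTP/HTTP outbound traffic."""
    large, totals = [], defaultdict(int)
    for line in lines:
        fields = line.split()
        if len(fields) != 6 or not fields[5].isdigit():
            continue  # skip records that do not match the expected layout
        _, src, proto, _, dest, sent = fields
        if proto not in ("FTP", "HTTP"):
            continue  # the article's scan covers FTP and HTTP only
        sent = int(sent)
        totals[src] += sent
        if sent > per_transfer:
            large.append((src, dest, sent))
    heavy = {src: total for src, total in totals.items() if total > per_host}
    return large, heavy


if __name__ == "__main__":
    large, heavy = find_exfil_candidates(SAMPLE_LOG)
    for src, dest, sent in large:
        print(f"large transfer: {src} -> {dest} {sent // MB} MB")
    for src, total in heavy.items():
        print(f"heavy host: {src} sent {total // MB} MB in total")
```

On the constructed sample, the 200 MB FTP upload is reported as a single large transfer, while the host sending twelve 90 MB uploads is caught only by the per-host total.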
So, in the end, to avoid information security threats during a merger, companies should have two main goals:
- A long-term alignment of policies, procedures and technology
- An augmented policy supported by a series of quick-hit technical defenses.
Successful execution of this two-pronged strategy can help merging companies significantly lower their risk exposure.
About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.
This was first published in June 2007