
Mergers and acquisitions: Building up security after an M&A

Mergers and acquisitions are common headlines in today's information security world, and that's great news for malicious hackers and data thieves. When companies join forces, they often leave themselves open to attack. In this tip, contributor Ed Skoudis reviews the top merger-related threats and how to avoid them.

This tip is part of the Corporate Mergers and Acquisitions Security Learning Guide.

Have you checked out recent business headlines? Mergers and acquisitions have been occurring frequently and often unexpectedly -- especially in the information security market -- and many infosec pros are faced with the daunting task of melding two disparate companies into one. But if the integration process isn't handled properly, it can have serious effects on an organization's security posture, even making the combined companies less secure than before.

When an organization finds itself in the headlines -- for any reason, including a merger or acquisition -- it often becomes a target for vulnerability scans, phishing attempts and other malicious activity. M&A activity can also encourage threats from within, as nervous insiders may fear how a consolidation might affect their job security. As a result, some may start hoarding valuable information from the network. All this contributes to the challenge facing a security team as it figures out the politics of the merger and how to best protect the company.

Companies going through a merger should keep the following security issues in mind and plan accordingly.

Align information security policies -- Merging organizations almost always have serious disparities in their information security policies. During the merger planning process, these policies must be reviewed and combined. This process can be tricky if each side is wedded to its own guidelines. Work with upper management to pick a single leader who can ultimately decide the touchy political issues. It's likely that one organization will have a more thorough policy than the other, so when it's time to make the tough decisions, it's important to make choices that improve security.

Once policies are aligned, perform a gap analysis, assessing both organizations against the new policy. Generate a roadmap that states which procedural and technological changes will be needed for both companies to comply.

Tweaks to policies and technologies can take time. It's important to start the policy alignment and assessment work as early as possible, perhaps even before the merger announcement is made. Unfortunately, most infosec pros hear about their own company's merger by reading the press release, so pre-planning before an announcement is usually impossible.

During the policy-alignment process, some technical areas must be addressed immediately to shore up an organization and prepare it for attacks, because an organization could be vulnerable as soon as the merger process begins.

Understand the network architecture -- For starters, try to get network architecture diagrams that show Internet and business partner connections for both organizations. Ensure both companies are capable of monitoring their DMZs and vital internal networks, specifically with intrusion detection system (IDS) sensors. While the merger occurs, deploy additional sensors in both companies to look for evidence of compromise. Tune them to look for the most likely attacks, focusing on Windows issues, Web application attacks or other types of threats common to a given environment. Assign information security personnel and system administrators from both companies to analyze the IDS alerts to determine if systems have been compromised.

Decide on wireless LAN deployment -- If one organization relies heavily on Wi-Fi but the other does not, there may be a significant difference in their vulnerability profiles. Rather than ripping wireless out of the organization whose culture may have grown accustomed to having it, check the security settings of their wireless infrastructure. If it lacks encryption or has weak authentication, consider strengthening it with improved technology, such as WPA2.

Make a decision on USBs -- To reduce internal data security breaches and other insider threats, companies may choose to disable USB devices on laptops. Before choosing this route, though, it's important to consider the political and functional ramifications of such a move.

Keep malware under control -- Make sure that both organizations have up-to-date antivirus and antispyware signatures deployed. Also, to minimize the chance of system compromise, make sure that both organizations' systems are up to date on critical patches.

Educate employees -- Consider employee information security awareness during this vital time. After information security policies are integrated, a full-blown awareness program should follow. Even before the policy is completed, merged companies should consider rolling out a short, focused awareness initiative on the dangers of targeted phishing. Desk-to-desk fliers, table tents in the cafeteria, along with some informative emails can all be used effectively to warn employees that they should not trust every link and that they should always verify the apparent source of email addresses. It's also important to tell workers that they should never run an executable email attachment, even if it is included in a ZIP file.

Monitor firewalls and IDS tools -- Once the merger is complete, members of the security team should watch for large amounts of data being transferred outbound across the Internet. Depending on employees' "normal" Internet usage patterns, companies may want to set up a scan for any FTP or HTTP transfer of a file greater than a certain amount, such as 100 MB or 1 GB. Any violation could be a sign of big-time data exfiltration. Monitor Web proxy logs as well to determine if attack tools are being downloaded and used inside either company.
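The outbound-volume check described above, as an added example that is not part of the original article. The log layout, the `INTERNAL_SUFFIXES` list and the function names are assumptions, the sample lines are constructed, and the per-day total per client and destination goes beyond the single-transfer check in the text so that an upload split into smaller pieces is still flagged.

```python
from collections import defaultdict
from urllib.parse import urlsplit

THRESHOLD = 100 * 1024 * 1024  # 100 MB, the lower figure suggested in the text
INTERNAL_SUFFIXES = (".corp.example",)  # assumption: internal hosts to ignore

# Constructed sample records; assumed fields:
# timestamp client_ip method url status bytes_out bytes_in
SAMPLE_LOG = """\
2007-06-04T09:12:01 10.1.4.22 GET http://www.example.org/index.html 200 412 18230
2007-06-04T09:40:17 10.1.4.57 PUT ftp://files.example.net/backup.zip 226 157286400 0
2007-06-04T10:02:33 10.1.7.90 POST http://upload.example.com/a 200 62914560 310
2007-06-04T10:05:48 10.1.7.90 POST http://upload.example.com/b 200 62914560 305
2007-06-04T10:30:00 10.1.2.11 POST http://share.corp.example/doc 200 209715200 120
malformed line
"""

def parse(line):
    """Return (day, client, dest_host, bytes_out) or None if unparseable."""
    parts = line.split()
    if len(parts) != 7 or not parts[5].isdigit():
        return None
    ts, client, _method, url, _status, sent, _recv = parts
    host = urlsplit(url).hostname
    if host is None:
        return None
    return ts[:10], client, host, int(sent)

def find_large_outbound(log_text, threshold=THRESHOLD):
    """Flag single transfers and per-day (client, host) totals >= threshold."""
    totals = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[2].endswith(INTERNAL_SUFFIXES):
            continue  # skip unparseable lines and internal destinations
        day, client, host, sent = rec
        if sent >= threshold:
            alerts.append(("single", day, client, host, sent))
        totals[(day, client, host)] += sent
    for (day, client, host), total in sorted(totals.items()):
        # Report an aggregate only if no single transfer already flagged it.
        single = any(a[1:4] == (day, client, host) for a in alerts)
        if total >= threshold and not single:
            alerts.append(("aggregate", day, client, host, total))
    return alerts

if __name__ == "__main__":
    for alert in find_large_outbound(SAMPLE_LOG):
        print(alert)
```

The threshold should be set against each company's normal usage, as the text notes; the two merging networks may need different values until their baselines converge.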

So, in the end, to avoid information security threats during a merger, companies should have two main goals:

  1. A long-term alignment of policies, procedures and technology
  2. An augmented policy supported by a series of quick-hit technical defenses.

Successful execution of this two-pronged strategy can help merging companies significantly lower their risk exposure.


About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on, Ed answers your questions related to information security threats.


This was last published in June 2007
