The importance of security assessments and penetration testing is well established. But just when an information security department thinks it has a handle on the security of its company’s operations, a merger or acquisition arrives. Mergers and acquisitions (M&As) can be, and often are, a monkey wrench thrown into a company’s information security works: they introduce a foreign entity into the network and information infrastructure, usually on aggressive timelines.
The chaos and confusion of these events make it difficult to keep track of systems and data, and they add the task of integrating new web applications, both internal and external-facing, into the organization’s infrastructure.
Given the additional complexities of an M&A event, performing security assessments both before and after a merger is crucial to understanding the new overall security footprint.
The critical nature of regular security assessments during M&A was on public display when, in 2016, Marriott International acquired Starwood Hotels. Unbeknownst to Marriott, attackers had exploited a flaw in Starwood’s reservation system two years earlier.
Over the next couple of years, they:
In 2017, Verizon’s acquisition of Yahoo! highlighted two significant data breach nightmares, undisclosed to Verizon by Yahoo!, that also put on public display the critical nature of penetration testing during M&A events.
In the first breach, an attacker stole the personal data of at least 500 million users, including some unencrypted passwords and answers to security questions. In the second breach, 1 billion accounts were compromised, and users’ personal information and login credentials were once again stolen.
Yahoo! tried to defend itself from liability by saying the passwords were hashed with MD5 (a message-digest algorithm), but by 2017 MD5 had long been deemed obsolete for password storage: it is fast enough that hashed passwords could be cracked with the off-the-shelf computer technology of the time.
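To make the MD5 point concrete, here is an added example (not code from the original post or from any of the companies it names) that contrasts a legacy unsalted-MD5 credential store with a salted, deliberately slow PBKDF2-HMAC-SHA256 store. The sample users and passwords are constructed, and the 600,000-iteration count follows OWASP's published guidance for PBKDF2-HMAC-SHA256 (an assumption about what "current" means, not a figure from the page). The throughput function shows why the algorithm choice matters: the ratio between how many guesses per second each scheme allows a defender, or an attacker, to check is the whole story.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional

# Constructed sample credential store: three users, two of whom chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "password123",
    "carol": "password123",
}

# OWASP's recommended minimum for PBKDF2-HMAC-SHA256 (assumed current guidance).
PBKDF2_ITERATIONS = 600_000


def md5_hex(password: str) -> str:
    """Legacy scheme: one unsalted MD5 digest of the password, nothing else."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_md5_hashes(users: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users by their unsalted MD5 digest.

    Any group with more than one member illustrates the first weakness of the
    legacy scheme: identical passwords are visible as identical hashes before a
    single guess has been made, so one cracked hash unlocks every account in the group.
    """
    groups: Dict[str, List[str]] = {}
    for user, pw in users.items():
        groups.setdefault(md5_hex(pw), []).append(user)
    return {digest: names for digest, names in groups.items() if len(names) > 1}


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened scheme: per-user random salt plus a deliberately slow KDF.

    The result is self-describing ("algorithm$iterations$salt$digest") so the
    iteration count can be raised later without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def hashes_per_second(fn: Callable[[], object], seconds: float = 0.25) -> float:
    """Rough single-core throughput of a hashing scheme.

    Absolute numbers depend on the machine; the ratio between the two schemes
    is what shows why MD5 is unfit for password storage.
    """
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn()
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    print("Users sharing an MD5 hash:", duplicate_md5_hashes(SAMPLE_USERS))
    fixed_salt = b"\x00" * 16  # fixed only so the timing loop measures the KDF, not urandom
    md5_rate = hashes_per_second(lambda: md5_hex("password123"))
    kdf_rate = hashes_per_second(lambda: pbkdf2_hash("password123", fixed_salt))
    print(f"MD5: {md5_rate:,.0f} guesses/s  PBKDF2: {kdf_rate:,.1f} guesses/s")
    record = pbkdf2_hash("password123")
    print("verify correct:", pbkdf2_verify("password123", record))
    print("verify wrong:  ", pbkdf2_verify("password124", record))
```

Run it and the MD5 line will show several orders of magnitude more guesses per second than the PBKDF2 line; that gap, multiplied across a GPU cluster, is what "easily cracked with off-the-shelf technology" means in practice, and it is why a breached store of unsalted MD5 hashes offers its users little protection.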
In the wake of the Verizon-Yahoo! M&A landmine, the Securities and Exchange Commission (SEC) was prompted to issue new guidelines for cybersecurity disclosures so neither shareholders, customers, nor acquiring companies are kept in the dark about a data breach.
The unfortunate part about these M&A disasters is that they were unforced errors that could have easily been prevented with security assessments and penetration testing. These two vital services would have revealed the critical vulnerabilities attackers were exploiting and created a high likelihood that a security consultant would have discovered evidence of the previous breaches and leakage of data before the M&A activity began.
A security assessment can evaluate a security architecture, a security program, or both.
Assessing a security architecture involves measuring an organization’s infrastructure and practices using well-established security best-practice standards, such as the CIS Critical Security Controls.
Security program assessments measure an organization’s security policy and risk using a well-established security framework, such as the NIST Cybersecurity Framework. Both the CIS and NIST assessments are mainly interview-based, meaning the assessor interviews the organization’s information security team, and each of the controls in the framework is answered and discussed.
The result of these interviews is a findings report that the customer can use to understand how they compare to their peers in the same industry. In addition, the security architecture assessment has another component: a hands-on test of an assessor tool against the organization’s “gold” workstation and server deployment images.
The results of this assessor tool’s run are integrated into the final report. The report will identify areas where the company’s architecture is sound and where they have gaps with standing best practices.
Penetration testing can be time-boxed or continuous. Time-boxed penetration testing has a start and stop date, resulting in a report that signals the end of the activity. While time-boxed penetration testing offers significant value and could have easily prevented the aforementioned M&A disasters, it is no longer considered best practice given how quickly new vulnerabilities are exploited.
It is, in essence, a snapshot in time. Continuous penetration testing is, as the name implies, the process of continuous scanning and attempted exploitation of systems, resulting in periodic reports that can be compared to each other to show the delta between runs.
Today, continuous penetration testing is considered best practice. The periodicity of the continuous testing will quickly reveal vulnerabilities that are inadvertently introduced during the M&A process, whether through the phased integration of the acquired party’s systems and applications, or through attempted remediation of vulnerabilities identified in a previous penetration test run. These efforts can be implemented either in-house or through a managed service.
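The value of continuous testing lies in comparing one run's findings against the last, so here is an added example (not code from the original post or from CBTS) of that comparison. It takes three constructed finding sets, a pre-merger baseline and two runs taken during integration, and reports what is new, what was fixed and what persists between consecutive runs. It also flags "reopened" findings: issues that disappeared in one run and came back in the next, which is exactly the regression the text describes when remediation or phased integration undoes an earlier fix. Hostnames, finding titles and severities are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

Key = Tuple[str, str]  # (host, finding title) identifies a finding across runs


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: str  # "critical", "high", "medium" or "low"

    def key(self) -> Key:
        return (self.host, self.title)


def load_run(rows: Sequence[Tuple[str, str, str]]) -> Dict[Key, Finding]:
    """Index one run's findings by (host, title) so runs can be set-compared."""
    findings = [Finding(*row) for row in rows]
    return {f.key(): f for f in findings}


def delta(previous: Dict[Key, Finding], current: Dict[Key, Finding]) -> Dict[str, List[Key]]:
    """Compare two consecutive runs and classify every finding."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "new": sorted(cur_keys - prev_keys),          # introduced since the last run
        "fixed": sorted(prev_keys - cur_keys),        # no longer observed
        "persisting": sorted(prev_keys & cur_keys),   # still open; age these for escalation
    }


def reopened(runs: Sequence[Dict[Key, Finding]]) -> List[Key]:
    """Findings present in the latest run, absent from the run before it,
    but seen in some earlier run: a fix that did not hold, or a config rollback."""
    if len(runs) < 3:
        return []
    latest, previous = runs[-1], runs[-2]
    earlier = set().union(*(set(r) for r in runs[:-2]))
    return sorted(k for k in latest if k not in previous and k in earlier)


def severity_counts(run: Dict[Key, Finding]) -> Dict[str, int]:
    """Per-severity totals, the headline numbers a periodic report trends over time."""
    counts: Dict[str, int] = {}
    for f in run.values():
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample data: a pre-merger baseline and two integration-phase runs.
RUN_1 = load_run([
    ("app01.acquired.example", "TLS 1.0 enabled", "medium"),
    ("app01.acquired.example", "Outdated OpenSSH version", "high"),
    ("vpn.acquirer.example", "Weak IKE cipher suites", "medium"),
])
RUN_2 = load_run([
    ("app01.acquired.example", "Outdated OpenSSH version", "high"),
    ("vpn.acquirer.example", "Weak IKE cipher suites", "medium"),
    # Appeared when the acquired network was joined to the acquirer's LAN.
    ("app01.acquired.example", "Admin interface reachable from acquirer LAN", "critical"),
])
RUN_3 = load_run([
    # TLS 1.0 was fixed in run 2 and has come back, e.g. after a config rollback.
    ("app01.acquired.example", "TLS 1.0 enabled", "medium"),
    ("vpn.acquirer.example", "Weak IKE cipher suites", "medium"),
])


if __name__ == "__main__":
    runs = [RUN_1, RUN_2, RUN_3]
    for i in range(1, len(runs)):
        print(f"Run {i} -> Run {i + 1}:")
        for bucket, keys in delta(runs[i - 1], runs[i]).items():
            print(f"  {bucket:10s} {keys}")
        print("  severity  ", severity_counts(runs[i]))
    print("Reopened in latest run:", reopened(runs))
```

In practice the finding key would come from the scanner's stable plugin or rule identifier rather than a free-text title, and "persisting" findings would carry a first-seen date so that anything open across several runs escalates automatically; both are straightforward additions to the structure above.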
If your company is about to embark on a merger or acquisition, it is crucial to conduct security assessments and penetration tests on both your own infrastructure and the M&A target’s infrastructure.
It is the only way both entities will know what they are getting into and the work needed to shore up network infrastructure before the M&A happens. CBTS is a trusted third party that has not only an industrial-strength information security practice, but also a dedicated penetration testing team that offers services ranging from security architecture and security program assessments to time-boxed penetration testing, and managed continuous penetration testing. If you have questions about how a security assessment can benefit you, contact us.