When Their Attack Surface Becomes Your Attack Surface
I formerly ran M&A for Compuware, a public company and serial acquirer. I can tell you from the experience of managing many transactions that, when it comes to cybersecurity, mergers and acquisitions are like a marriage. When two companies walk down the aisle together, one’s cybersecurity problems become the other’s baggage — whether they disclose it or not.
The first half of 2018 saw $2.5 trillion in mergers in the US. Companies are struggling to understand what this boom means for their online presence.
Today’s brands are no longer responsible for just their own network. They are also responsible for what falls outside their firewall, and outside the firewall of any company they acquire. All of the company’s assets, from inside the corporate perimeter all the way out to the open internet, make up its attack surface: a collection of far-flung, public-facing assets that attackers can discover while researching a target for their campaigns.
Many of these assets are valuable to attackers purely because they are valuable to customers. Digital channels are the predominant method of customer engagement for many organizations, bringing an explosion of publicly facing websites, mobile apps, third-party code, servers, and social media accounts. Consumers spent $517 billion online with U.S. merchants in 2018, up 15 percent from the $449 billion spent the year prior, according to Internet Retailer’s analysis of the U.S. Commerce Department’s total retail sales figures.
Meanwhile, cyber gangs like Magecart pummeled global e-commerce retailers like British Airways and Ticketmaster, as well as smaller brands, breaching over 319,000 online stores last year.
But there are many reasons why organizations do not get the full picture of their cyber vulnerabilities in the pre-acquisition (due diligence) process. The first is the sheer scale of a company’s digital presence. It is not uncommon for a large organization to have thousands (or tens of thousands) of active websites and other public-facing assets. While the IT and security teams of a to-be-acquired company will have an asset register of websites, we have found that it is almost always a partial view of what actually exists. The more decentralized an organization’s IT activities are, the larger the gap we see between the register and reality.
A recent report by West Monroe Partners found that businesses lack qualified cybersecurity talent during an M&A: “80 percent of companies said cybersecurity issues have become highly important in the M&A due diligence process. But 40 percent of acquiring businesses said they discovered a cybersecurity problem at an acquisition after a deal went through, indicating that standards for due diligence remain low.”
One of the highest-profile examples of the lack of visibility in the due diligence phase was Verizon’s discovery of Yahoo!’s breach-riddled past. Yahoo had two data breaches: one in mid-2013, in which hackers stole data on three billion users, and one in 2014 that saw 500 million accounts breached. Verizon only discovered this after executing the agreement to acquire Yahoo!. Once it understood the scope of the breaches, Verizon dropped its offer price by some $350 million.
Know the risks
When evaluating a target company from an M&A standpoint, failing to understand the cybersecurity risks inherent in its digital channels exposes the acquiring company to risk. It could lead to:
- A potential misrepresentation of the company’s overall valuation, due to lack of clarity regarding the internet-facing assets
- A lack of planning to address ongoing security risks as the two organizations integrate
Such cybersecurity risk assessments all too often get overlooked or marginalized in the pre- and post-acquisition process. Here is what security teams need to know when merging with or acquiring their next company.
Know what you’re responsible for
The first step is to understand that when you acquire a company, you are responsible for every digital asset it owns, whether disclosed or not. This includes rogue social media pages from ten years ago. It includes the WordPress site that was ditched before the company formally launched. It even includes the old landing page for a product launch from five years ago.
When acquiring only part of an organization, like a line of business, it is essential to identify and document the transferred assets. This would also include digital properties like brand assets, domains, and social accounts. Without a thorough understanding of what currently exists, companies can miss critical digital assets that later result in ownership and security issues.
It is imperative to understand where these rogue assets are so you can fix them. The cyber risks associated with the target company’s digital footprint represent a potential threat to the acquirer’s operations and brand reputation alike.
Know how to take a cyber CAT scan
A merger and acquisition process usually involves a due diligence exercise focused on all aspects of a company’s business, including IT. In the past, IT due diligence engagements focused on identifying assets and security issues material to the valuation process, such as business processing and reporting systems and the hardware and networks that supported them.
As businesses and consumers have both moved outside the perimeter and onto the open internet, it is now vital that assets outside the firewall are reviewed and accounted for in order to get a full understanding of the company’s digital attack surface.
Here’s what your attack surface includes:
- Known assets: inventoried and managed assets such as your corporate website and servers and the dependencies running on them.
- Unknown assets (such as Shadow IT or Orphaned IT): infrastructure stood up outside the purview of your security team, like forgotten websites.
- Rogue assets: malicious infrastructure spun up by threat actors, like malware or a website that impersonates your brand.
Know what questions to ask
We have found that cybersecurity teams often struggle to cut through the noise and figure out what is most important to look for when entering an M&A. Here is a simplified checklist:
- What assets exist and where are they located?
- Are they compliant with corporate standards?
- Are there health and hygiene issues that could present easy opportunities for a hacker?
- Are there insecure forms collecting personally identifiable information (PII)?
- Have any assets been compromised and therefore represent immediate exposure?
- Are you able to identify indicators of compromise (IOCs) in the acquired digital footprint?
- Did you buy a Trojan horse that you are about to plug into your network?
- What official mobile applications exist, and what app stores do they live in? Is this in line with corporate policy?
- Are there back-level (outdated) or re-engineered corporate mobile apps in any of the official or third-party app stores?
- What corporate social media accounts exist, and on which social media platforms? Is this in line with the current corporate policy?
Answers to these questions can help direct resources to the areas needing immediate attention. They also help security teams quantify the scope of work required to bring acquired digital assets under management from a security perspective.
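The first checklist question ("what assets exist and where are they located?") and the known/unknown/rogue split above come down to reconciling the target's declared asset register against what external discovery actually finds. The following is an added illustration, not code from the original article or from any product it describes; the brand.example domain, the host list and the edit-distance lookalike heuristic are all constructed for the example.

```python
# Constructed sample data: hypothetical brand.example, not a real company.
DECLARED = {"www.brand.example", "shop.brand.example", "api.brand.example"}
BRAND_DOMAINS = {"brand.example"}
DISCOVERED = [
    "www.brand.example",
    "shop.brand.example",
    "launch2014.brand.example",   # forgotten product landing page
    "legacy-blog.brand.example",  # abandoned WordPress site
    "brand-login.example",        # lookalike domain impersonating the brand
    "brannd.example",             # typosquat one edit away from the brand
    "cdn.unrelated.example",      # third party, not in scope
]

def edit_distance(a, b):
    """Levenshtein distance, used for the typosquat heuristic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def owned_by_brand(host, brand_domains):
    return any(host == d or host.endswith("." + d) for d in brand_domains)

def impersonates_brand(host, brand_domains):
    """Crude lookalike check on the registrable label (assumed heuristic, not a full detector)."""
    label = host.split(".")[-2] if "." in host else host
    for d in brand_domains:
        brand = d.split(".")[0]
        if brand in label or edit_distance(label, brand) <= 1:
            return True
    return False

def reconcile(discovered, declared, brand_domains):
    """Classify discovered hosts; also list declared hosts that discovery never saw."""
    report = {"known": [], "unknown": [], "rogue": [], "missing": []}
    for host in discovered:
        if host in declared:
            report["known"].append(host)
        elif owned_by_brand(host, brand_domains):
            report["unknown"].append(host)   # shadow / orphaned IT
        elif impersonates_brand(host, brand_domains):
            report["rogue"].append(host)     # impersonating or malicious
    report["missing"] = sorted(declared - set(discovered))
    return report
```

The "unknown" bucket is the register delta the article describes, and the "missing" bucket flags register entries that may be stale; both need a human decision before the assets are brought under management.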
We no longer need to accept unannounced baggage as just another set of network vulnerabilities. I have decades of expertise in this field. If you want to discuss where you and your team may be at risk on a transaction, please drop me a line. With the right approach and methodology, and the tools and technologies needed to scan the internet and manage a vast attack surface, you can make more informed decisions promptly and understand what true attack surface management looks like.