A security-conscious organization stands a good chance of expanding its market share sustainably in a highly competitive environment, while corporations on the opposite side of that spectrum will, sooner or later and at great cost, experience the opposite. That hackers will attempt to breach your infrastructure, expose your data, or sell your product designs and trade secrets is not a question of 'if', but of 'when'.
Do not suffer unjustly or act ignorantly! There are a number of things you can do to prevent a successful attack, starting with recognizing the impact of acquired vulnerabilities and taking the necessary actions (recommended below) to mitigate a pending security incident.
How often have organizations paid close attention to the existing vulnerabilities in the IT infrastructure of their acquisitions? Most of the time, the dollar value takes the front seat (which makes sense, but not without consideration for security), while security is left in the back seat. Unfortunately, this attitude towards security must change if the profitability and long-term viability of your firm are to be preserved.
Generally, acquisitions are attractive when current assets exceed current liabilities; acquired vulnerabilities, however, can wreak havoc on an organization, which justifies my classification of AV as perpetual liabilities.
What are Acquired Vulnerabilities? I define Acquired Vulnerabilities (AV) as inherited security gaps (loopholes), known or unknown to the original owner, that are transferred to a new owner through the acquisition of a business or a merger.
How often have we seen one company buy another, and how often have we then heard of a security incident hitting the buyer like a tsunami, shortly or long after the change of ownership? The recent, apparently years-in-the-making attack on Marriott's security infrastructure would probably pass as, or even 'lead the class' of, Acquired Vulnerabilities.
Let me use an analogy to drive home my point. A firm has recently acquired another business, and everything looked great from every financial analysis (current ratio, profitability analysis, liquidity, ROI, EPS, etc.) and from its legal standing (regulatory compliance audit, pending lawsuits).
Shortly after the books were reviewed, IT initiated the data migration of business partners (customers and vendors) and the adoption of all code, including the programs used to develop some of the custom applications resident at the acquired firm. However, the buying company failed to pay attention to those little 'grey' areas called vulnerabilities, which could badly spoil the 'show' and reduce all those nice financial details to nothing in a jiffy!
Back to my illustration: the firm had gone too deep into the process, and too late into the game of security, when it realized that all the vulnerabilities which had long existed in some of the applications used by its new business partner had been copied and pasted onto its own infrastructure, exposing its environment to acquired vulnerabilities. While the firm scrambled to close the loop, hackers were already celebrating, cutting through customer data and vendor master records at will.
Recently, Facebook was hacked, affecting 30 million users. Think about that for a second! Those are real people whose personal details were exposed to the rest of the world or used for various purposes with personal gain or profit in mind. A close study of the events that led to the hack might show us some of the dangers of AV.
The birthday picture upload application recently bought by Facebook was said to have opened the floodgates for hackers to come in and dine on your personal information. Perhaps Marriott's recent acquisitions contributed to its sad security incident, which exposed the personal details, including passport and credit card information, of over 500 million users to 'men in the dark'.
While the analogy above presents the concept of Acquired Vulnerabilities from the technical security perspective, there are other elements of AV that can unleash terror on an organization, namely the human side of acquired vulnerabilities. For the purposes of this article, however, I will stay on task and provide some recommendations which I believe can insulate your organization against the danger of acquired vulnerabilities.
- Identify all custom applications and off-the-shelf products currently implemented or installed by the company you are acquiring or merging with.
- Critically analyze their system architecture.
- Engage their IT management by asking questions about any security incidents, and what the organization has done to fix them.
- Interview the key members of the business units about the general security operations (if you can).
- Ensure your legal expert considers the impact of acquired vulnerabilities and, where possible, includes clauses to protect you.
- Spend time reviewing any code or application you intend to migrate to your infrastructure.
- Most importantly, involve your CISO or CSSO in your acquisition plan.
Acquiring a business is often a good sign that your organization is thriving and meeting its objectives, but acquiring security vulnerabilities can quickly turn all the excitement into unbelievable regret. You can eliminate this by focusing on what is important. Remember! Today's urgent problem most often arises because you failed to acknowledge and act on what was important yesterday.
Yomi Olalere, LLM, CISM, CISA, CRISC
Abaster Consulting Inc.
Member, 2019 International Cybersecurity and Intelligence Conference