Cyber Security Assessments for Mergers and Acquisitions

Cyber security assessments, or more formally "cyber risk assessments", have recently become a critical tool in any M&A activity.  According to Forbes, 40% of acquiring companies engaged in a merger and acquisition transaction said they discovered a cybersecurity problem during the post-acquisition integration of the acquired company.

We all remember Verizon's discovery of a prior data breach at Yahoo! after having executed an agreement to acquire the company.

This discovery resulted in a $350 million reduction in the purchase price paid by Verizon, and almost scuttled the deal. Yahoo! was also required to pay a $35 million penalty to settle securities fraud charges brought by the U.S. Securities and Exchange Commission (SEC), and a further $80 million to settle securities lawsuits brought by unhappy shareholders.

Factors for M&A Due Diligence

In 2019, the cyber security company Forescout published a comprehensive report entitled "The Role of Cybersecurity in Mergers and Acquisitions Diligence."  The global study surveyed 2,779 IT decision makers (ITDMs) and business decision makers (BDMs) across all industry verticals, in order to understand how cyber risk is valued during an M&A transaction.

Key Findings from the report:

  • Cybersecurity issues are prevalent and can put a deal into jeopardy:

Over half of respondents (53%) report that their organization has encountered a critical cybersecurity issue or incident during an M&A deal that put the deal into jeopardy.

  • Organizations are placing more focus on a target’s cybersecurity posture than they did previously: 

81% of ITDMs and BDMs agree that they are putting more focus on a target's cybersecurity posture than in the past, highlighting that cyber is a top priority for both IT and business decision makers.

  • An undisclosed data breach is a deal breaker for most companies:

73% of respondents agreed that a company with an undisclosed data breach is an immediate deal breaker in their company’s M&A strategy.

  • Decision makers sometimes feel they don’t get enough time to perform a cyber evaluation:

Only 36% of respondents strongly agree that their IT team is given time to review the target company's cybersecurity standards, processes and protocols before their company acquires it.

  • Internal IT teams may lack the skills to conduct cybersecurity assessments:

Among ITDMs, only 37% strongly agree that their IT team has the skills necessary to conduct a cybersecurity assessment for an acquisition.

  • Organizations allocate third party resources to their cybersecurity assessments:

Nearly all respondents (97%) reported that their organizations spend money on outside contractors for IT audits or cybersecurity risk assessments.

  • Connected devices and human error put organizations at risk:

When asked what puts organizations most at risk during the IT integration process, two answers stood out: human error and configuration weakness (51%) and connected devices (50%).

  • Devices often get overlooked and missed during integration:

Over half (53%) of ITDMs say they find unaccounted-for devices after completing the integration of a new acquisition.

  • Failure to address cyber risk can lead to major acquisition regrets:

Nearly two-thirds of respondents (65%) said their companies experienced regrets in making an M&A deal due to cybersecurity concerns.

Typical Cyber Risk Assessment for Mergers and Acquisitions

An organization's ability to protect against, detect, and respond to cyber threats is only as good as its documented and implemented information security controls.  Having a mature cyber security program built around an established information security policy framework is key.

During a Cyber Maturity Assessment, we conduct interviews with your staff across HR, Compliance, Audit, Legal, Corporate Communications, Information Security, Privacy, Development, and IT Operations. We assess the current level of understanding, documentation, and implementation of the standard information security controls.

The type and size of company determines which information security framework we assess maturity against.  Small to medium sized unregulated companies may be assessed against ISO/IEC 27002, while larger or regulated companies (government, healthcare, utilities, etc.) will usually require the rigor of an assessment against NIST standards.

Your corporate infrastructure is typically connected to the Internet at one or more controlled access points. A firewall with specific access rules allows daily business functions like email, file transfer, and web browsing to be conducted easily, but that level of access also brings risks that must be evaluated.  Every day there are reports of attackers gaining access to corporate networks and stealing data, holding it for ransom, or deleting or modifying it with malicious intent.

An External Penetration Test consists of a review of vulnerabilities that could be exploited by external users who have no credentials or legitimate rights to access a system.

The assessment shows how well existing security controls, such as firewalls and intrusion detection and prevention systems, are functioning. It also validates whether your Internet-facing applications are appropriately protected from external threats such as breaches, denial of service, and ransomware.

In this engagement, analysts take on the role of an external attacker and attempt to exploit vulnerable systems to obtain confidential information. They do this in two phases.  The first phase uses automated tools to fingerprint your application infrastructure and configuration; known vulnerabilities are tested automatically against your Internet-facing systems to determine whether patches have been missed or the environment has been mis-configured.  Once the automated phase has generated its reports, our team verifies the results by hand (scanners report false positives and miss logic flaws) and manually attempts exploits that leverage the information learned to compromise the network perimeter security controls.

The analyst then builds scenarios that use a compromised system as a pivot point to penetrate further into the network infrastructure, demonstrating the potential impact of a successful compromise. Our methodology follows best practice standards and incorporates guidelines from OSSTMM, NIST and OWASP. TeamCISO draws on extensive experience in penetration testing and security research to uncover previously undisclosed vulnerabilities, providing an unparalleled level of security assurance.

A corporate website or client portal is your face on the Internet.  It is the first place people go when they want to engage with you, and it is also one of the first places an attacker will go during their reconnaissance phase. A corporate website or client portal can be attacked, breached, or defaced to cause reputational damage, or to steal clients' personal data (PII).

Similar to the infrastructure penetration test, a Website Application Assessment consists of a review of vulnerabilities that could be exploited by external users who have no credentials or legitimate rights to access the system.

The assessment shows not only how well existing security controls, such as firewalls and intrusion detection and prevention systems, are functioning, but also whether the application development team has implemented appropriate application security controls within the code and functions of the website or portal.

As with the infrastructure test, the engagement runs in two phases.  The first phase uses automated tools to fingerprint the web server, frameworks and components behind the site and to test them for known vulnerabilities and mis-configurations.  In the second phase our team manually tests the application itself, following the OWASP guidelines, for the weaknesses automated scanners cannot reliably find, such as flaws in authentication, session handling, access control and input validation.

Where a weakness is confirmed, the analyst builds scenarios that use it as a pivot point to demonstrate the potential impact of a successful compromise, for example access to other clients' data or to the network behind the portal. Our methodology follows best practice standards and incorporates guidelines from OSSTMM, NIST and OWASP.

A network vulnerability assessment is a process and toolset we use to identify vulnerable computer and network assets connected to the corporate network.  We place one or more network scanning devices on the client network with routable access to all corporate subnets.

The scan identifies all devices that are logically connected to the network.  Through a series of tests it determines, as far as possible, the operating system and applications installed on each device, and documents any known vulnerabilities or mis-configurations found.

Any software (applications, operating systems, or firmware) that is at or beyond its end-of-life is flagged.  End-of-life software no longer receives vendor patches, and so becomes an unmanageable risk to the company.

A network vulnerability assessment also produces a list of all network-attached assets, which can be used to validate your asset management strategy.

A cloud based network vulnerability assessment is identical to the one run on the corporate network, but instead of placing a scanning appliance on the physical network we provide a virtual appliance to be deployed within the client's cloud infrastructure. As on premises, it needs routable access to all of the client's cloud based network assets.

SaaS (Software as a Service), or "The Other Cloud"

Most companies, large and small, have adopted cloud based services, whether they realise it or not.  Services such as Office 365, Salesforce, Workday, Concur, SAP, DocuSign, Dropbox and Slack, and even communications services such as Zoom, Microsoft Teams, and Cisco WebEx, are cloud based SaaS apps.

All of these services are simply software applications running on someone else's computers.  Each vendor does its own due diligence to protect your data; however, each also publishes best practice guidance for ensuring that *you* remain in control of that data and have your tenant configured appropriately.

To assess your SaaS cloud security posture, we must first identify and enumerate all of the SaaS applications used within the corporation.  Some of this can be discovered through the procurement team and billing records, but a more complete and accurate enumeration comes from the firewall and proxy logs, which show who in the company is accessing which SaaS apps.  Each app is then assessed for the corporate risk it carries and its importance to the business.

Once the SaaS apps and their corporate owner/admin have been identified, we work with those owners to review the security controls in place for each app against both the vendor's recommended security best practices and any industry guidance available.
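The enumeration step above, as an added worked example written for this page (it is not TeamCISO tooling). It parses outbound firewall/proxy log lines, maps each destination host to a SaaS product by walking up its domain suffixes, and separates allowed use, blocked attempts, and hosts outside the catalogue (the shadow-IT candidates). The key=value log format, the SaaS domain catalogue and the sample log lines are all constructed for the example; adapt LOG_RE to your own firewall's export format.

```python
"""Enumerate SaaS usage from outbound firewall/proxy logs (added example).

Illustrative code written for this page, not TeamCISO tooling. The log
line format, the SaaS domain catalogue and the sample lines are all
constructed; adapt LOG_RE to your firewall's export.
"""
import re
from collections import defaultdict

# Constructed catalogue: registered domain -> SaaS product it belongs to.
SAAS_CATALOGUE = {
    "office.com": "Microsoft 365",
    "sharepoint.com": "Microsoft 365",
    "salesforce.com": "Salesforce",
    "myworkday.com": "Workday",
    "dropbox.com": "Dropbox",
    "slack.com": "Slack",
    "zoom.us": "Zoom",
    "docusign.net": "DocuSign",
}

# Constructed key=value log format; real firewalls differ, but most can export
# timestamp, authenticated user, source IP, destination host and verdict.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+action=(?P<action>\S+)"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = """\
2024-03-01T08:01:12Z user=alice src=10.1.2.3 dst=login.salesforce.com action=allow
2024-03-01T08:02:40Z user=bob src=10.1.2.9 dst=acme.sharepoint.com action=allow
2024-03-01T08:03:01Z user=alice src=10.1.2.3 dst=app.slack.com action=allow
2024-03-01T08:05:55Z user=carol src=10.1.4.7 dst=www.dropbox.com action=allow
2024-03-01T08:06:10Z user=carol src=10.1.4.7 dst=share.unknown-filehost.example action=allow
2024-03-01T08:07:33Z user=dave src=10.1.5.1 dst=zoom.us action=deny
2024-03-01T08:09:00Z user=bob src=10.1.2.9 dst=na3.docusign.net action=allow
2024-03-01T08:09:30Z user=alice src=10.1.2.3 dst=outlook.office.com action=allow
this line is malformed and is skipped
"""


def catalogue_match(host):
    """Return the SaaS product for host by walking up its domain suffixes.

    'login.salesforce.com' tries 'login.salesforce.com', then 'salesforce.com'
    (hit). Returns None for hosts not in the catalogue.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        product = SAAS_CATALOGUE.get(".".join(labels[i:]))
        if product:
            return product
    return None


def enumerate_saas(log_text):
    """Map SaaS products to the users seen using them.

    Returns (usage, blocked, unknown):
      usage   product -> users with allowed connections
      blocked product -> users whose connections were denied
      unknown host    -> users, for hosts outside the catalogue (shadow-IT review)
    """
    usage, blocked, unknown = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        product = catalogue_match(m["dst"])
        if product is None:
            unknown[m["dst"]].add(m["user"])
        elif m["action"] == "allow":
            usage[product].add(m["user"])
        else:
            blocked[product].add(m["user"])
    return usage, blocked, unknown


def rank_by_adoption(usage):
    """Products ordered by distinct user count, most used first."""
    return sorted(((p, len(u)) for p, u in usage.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    usage, blocked, unknown = enumerate_saas(SAMPLE_LOGS)
    for product, n in rank_by_adoption(usage):
        print(f"{product:<14} {n} user(s): {', '.join(sorted(usage[product]))}")
    for product, users in blocked.items():
        print(f"blocked: {product} attempted by {', '.join(sorted(users))}")
    for host, users in unknown.items():
        print(f"review:  {host} used by {', '.join(sorted(users))}")
```

Matching on the registered-domain suffix rather than the full host is what makes the catalogue maintainable: tenant-specific hosts such as acme.sharepoint.com or na3.docusign.net still resolve to the right product. The "unknown" bucket is the part worth reading most carefully during due diligence, since that is where unsanctioned file-sharing and personal cloud storage show up.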

Industrial Control Systems are typically segregated onto their own network and protected from the corporate IT network.  They are the devices, sensors, controllers, and monitors that manage and maintain industrial processes in sectors such as manufacturing, public utilities, and healthcare.

Our team has a specific set of tools and scanning devices to assess the vulnerabilities and mis-configurations in these IoT, IIoT, SCADA, and ICS networks.

The assessment follows the same process as the corporate network vulnerability assessment: one or more scanning devices are placed on the control network with routable access to its subnets, every logically connected device is identified, its operating system, firmware and applications are determined as far as possible, and known vulnerabilities, mis-configurations and end-of-life software are documented.  The resulting inventory of network-attached assets can be used to validate your asset management strategy.

Because many PLCs, RTUs and embedded controllers can crash or behave unpredictably when probed aggressively, scanning on these networks is kept low-impact (passive discovery and vendor-safe checks wherever possible) and scheduled in agreement with the operations team, rather than run as a standard active scan.

Remote access systems such as VPN, Citrix, and Microsoft Remote Desktop present unique cyber security challenges, not the least of which is user role management.

Our remote access assessment identifies *all* users of the remote access systems, and compares each user's corporate role with the remote access role granted to them.

We assess how you manage authentication, authorization, and privileged access, both for employees and contractors and for third party access.

We evaluate the amount and type of access provided to each role in the remote access technology stack.

We review the configuration and security controls in place within the remote access infrastructure against both the vendor's best practices and general industry guidance.
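The role comparison described above, as an added worked example written for this page (not TeamCISO tooling). It joins a directory export (role, account type, contract end date) with the group membership exported from the remote access gateway and a role-to-group entitlement policy, and reports accounts with access beyond their role, orphaned gateway accounts with no directory record, and third party or contractor accounts that have expired or carry no expiry at all. Every data set, name, group and date in it is constructed for illustration.

```python
"""Reconcile remote-access entitlements with corporate roles (added example).

Illustrative code written for this page, not TeamCISO tooling. The
directory export, role policy, gateway group membership and dates are all
constructed; a real review loads them from the IdP/HR system and from the
VPN, Citrix or RDP gateway's own user and group export.
"""
from datetime import date

# Constructed HR/IdP export: account -> role, account type, contract end date.
DIRECTORY = {
    "alice":       {"role": "finance",        "type": "employee",    "end": None},
    "bob":         {"role": "developer",      "type": "employee",    "end": None},
    "carol":       {"role": "helpdesk",       "type": "contractor",  "end": date(2024, 6, 30)},
    "vendor-acme": {"role": "vendor-support", "type": "third_party", "end": date(2023, 12, 31)},
    "vendor-beta": {"role": "vendor-support", "type": "third_party", "end": None},
}

# Constructed policy: the remote-access groups each corporate role is entitled to.
ROLE_POLICY = {
    "finance":        {"vpn-users", "rdp-finance"},
    "developer":      {"vpn-users", "rdp-dev"},
    "helpdesk":       {"vpn-users", "rdp-helpdesk"},
    "vendor-support": {"vpn-b2b-acme"},
}

# Groups whose misuse hurts most; excess membership here is rated high.
PRIVILEGED_GROUPS = {"rdp-domain-admins", "vpn-admins"}

# Constructed export of group membership from the remote-access gateway.
REMOTE_GROUPS = {
    "alice":       {"vpn-users", "rdp-finance"},
    "bob":         {"vpn-users", "rdp-dev", "rdp-domain-admins"},
    "carol":       {"vpn-users", "rdp-helpdesk"},
    "vendor-acme": {"vpn-b2b-acme", "vpn-users"},
    "vendor-beta": {"vpn-b2b-acme"},
    "svc-legacy":  {"vpn-users"},
}


def review_remote_access(directory, policy, remote_groups, today):
    """Return a list of findings, one dict per issue.

    Issues raised:
      orphaned  - gateway account with no directory record (leaver, old service account)
      excess    - groups beyond what the account's corporate role entitles it to
      expired   - non-employee account still enabled after its contract end date
      no-expiry - non-employee account with no end date at all
    """
    findings = []
    for user in sorted(remote_groups):
        groups = remote_groups[user]
        entry = directory.get(user)
        if entry is None:
            findings.append({"user": user, "issue": "orphaned", "severity": "high",
                             "detail": sorted(groups)})
            continue
        excess = groups - policy.get(entry["role"], set())
        if excess:
            severity = "high" if excess & PRIVILEGED_GROUPS else "medium"
            findings.append({"user": user, "issue": "excess", "severity": severity,
                             "detail": sorted(excess)})
        if entry["type"] != "employee":
            if entry["end"] is None:
                findings.append({"user": user, "issue": "no-expiry", "severity": "medium",
                                 "detail": entry["type"]})
            elif entry["end"] < today:
                findings.append({"user": user, "issue": "expired", "severity": "high",
                                 "detail": entry["end"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in review_remote_access(DIRECTORY, ROLE_POLICY, REMOTE_GROUPS, date(2024, 3, 1)):
        print(f"[{f['severity']:<6}] {f['user']:<12} {f['issue']:<9} {f['detail']}")
```

The join is deliberately driven from the gateway's side, not the directory's: accounts that exist only on the VPN or RDP gateway are exactly the leavers and forgotten service accounts that a directory-first review never sees.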

With the Bronze package, we provide a detailed list of all the network-attached assets, and any operating systems and applications identified on them:

  • Workstations / laptops
  • Servers
  • Network switches, routers, and Wireless Access points.
  • Printers/Scanners
  • VoIP phones
  • IoT devices

In the Silver and Gold packages, we also work with your procurement team to review the asset procurement process from beginning to end, looking for procedural deficiencies. We compare the assets known to procurement with those discovered through the network scans and provide a delta map.

In the Gold package, we also review any other available sources of asset information, such as firewall logs, Active Directory records, and endpoint protection consoles, to provide a holistic map of those logical assets.
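The delta map and the end-of-life flagging described in the network vulnerability assessment and asset management sections above, as one added worked example written for this page (not TeamCISO tooling). It reconciles scan-discovered hosts against a procurement register by MAC address, flags operating system and application versions that are past or approaching end of support, and merges Active Directory and endpoint-console exports into a single per-host view. The scan results, procurement register, AD and EDR exports are constructed; the end-of-support dates are illustrative and must be checked against the vendors' lifecycle pages before use.

```python
"""Reconcile scanned assets with procurement and other inventories, and flag
end-of-life software (added example).

Illustrative code written for this page, not TeamCISO tooling. The scan
results, procurement register, Active Directory and endpoint-console exports
are constructed; the end-of-support dates are illustrative and must be
checked against the vendors' lifecycle pages before use.
"""
from datetime import date

# Constructed: what the network scanner found (host, MAC, OS, installed software).
SCAN = [
    {"host": "fin-ws01",    "mac": "00:11:22:33:44:01", "os": ("Windows", "10"),
     "apps": [("OpenSSL", "1.0.2")]},
    {"host": "srv-erp",     "mac": "00:11:22:33:44:02", "os": ("Windows Server", "2012"),
     "apps": [("SQL Server", "2014")]},
    {"host": "prn-3f",      "mac": "00:11:22:33:44:03", "os": ("Printer firmware", "4.1"),
     "apps": []},
    {"host": "unknown-iot", "mac": "00:11:22:33:44:04", "os": ("Linux", "3.10"),
     "apps": []},
]

# Constructed procurement register: asset tag -> MAC address recorded at purchase.
PROCUREMENT = {
    "A-1001": "00:11:22:33:44:01",
    "A-1002": "00:11:22:33:44:02",
    "A-1003": "00:11:22:33:44:03",
    "A-1004": "00:11:22:33:44:09",   # bought, never seen on the wire
}

# Constructed exports from two other inventories (the Gold package sources).
AD_COMPUTERS = {"fin-ws01", "srv-erp", "hr-ws07"}
EDR_AGENTS = {"fin-ws01"}

# Illustrative end-of-support dates keyed by (product, version); verify with the vendor.
EOL = {
    ("Windows Server", "2012"): date(2023, 10, 10),
    ("OpenSSL", "1.0.2"):       date(2019, 12, 31),
    ("SQL Server", "2014"):     date(2024, 7, 9),
}


def reconcile(scan, procurement):
    """Delta between the wire and the books.

    Returns (unaccounted, missing): hosts seen on the network with no
    procurement record, and asset tags in procurement never seen on the network.
    """
    seen = {d["mac"] for d in scan}
    registered = set(procurement.values())
    unaccounted = sorted(d["host"] for d in scan if d["mac"] not in registered)
    missing = sorted(tag for tag, mac in procurement.items() if mac not in seen)
    return unaccounted, missing


def eol_findings(scan, eol_table, today, warn_days=180):
    """Flag OS and application versions past, or within warn_days of, end of support."""
    findings = []
    for d in scan:
        for product, version in [d["os"], *d["apps"]]:
            end = eol_table.get((product, version))
            if end is None:
                continue  # not a tracked product/version
            days_left = (end - today).days
            if days_left < 0:
                status = "past-eol"
            elif days_left <= warn_days:
                status = "approaching-eol"
            else:
                continue
            findings.append({"host": d["host"], "product": f"{product} {version}",
                             "eol": end.isoformat(), "status": status})
    return findings


def holistic_map(scan, ad_computers, edr_agents):
    """Every host known to any source, with which sources know it.

    A host in AD but not in the scan or EDR is stale or off-network; a host in
    the scan only is unmanaged and has no endpoint protection.
    """
    scanned = {d["host"] for d in scan}
    return {h: {"scan": h in scanned, "ad": h in ad_computers, "edr": h in edr_agents}
            for h in sorted(scanned | ad_computers | edr_agents)}


if __name__ == "__main__":
    today = date(2024, 3, 1)
    unaccounted, missing = reconcile(SCAN, PROCUREMENT)
    print("on network, not in procurement:", unaccounted)
    print("in procurement, not on network:", missing)
    for f in eol_findings(SCAN, EOL, today):
        print(f"{f['status']:<16} {f['host']:<12} {f['product']} (EOL {f['eol']})")
    for host, sources in holistic_map(SCAN, AD_COMPUTERS, EDR_AGENTS).items():
        print(host, sources)
```

MAC addresses are used as the join key because hostnames are routinely renamed after purchase, while the MAC recorded on the delivery note usually survives; virtual machines and devices with randomized MACs will still need a second key such as serial number or agent ID.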

Our Breach Readiness Assessment reviews your organization's current cyber security practices in and around incident and breach management.  We help you establish a specific plan that addresses the requirements of board members, technology stakeholders, staff, and your technical implementations.

In a study of security breaches in 2015, hacking incidents reached a nine-year high of 37.9% of reported breaches, up 8.4 percentage points on the 2014 figure. This was followed by employee error/negligence at 14.9%, more than double the 7.2% first reported in 2012.

Accidental e-mail/Internet exposure was the third most common source of compromised data at 13.7%, followed by insider theft (10.6%), physical theft (10.5%) and subcontractor/third party (9.0%). Data on the move accounted for the remaining 7.3% of reported breaches, down from a record high of 27.6% in 2007.

Each Breach Readiness Plan is organized in audience-oriented sections with specific pre- and post-breach response activities, goals, logic and values. Plans are reviewed and, where practical, tested by our security professionals. We take into consideration:

  • Methods to enhance a forensic investigation, including awareness of attackers' anti-forensic methods and tactics.
  • Understanding your critical assets and recognizing the tangible value of digital assets.
  • Review and validation of business continuity plans.
  • Management of supplier access to your systems and services.
  • Validation of your e-mail policies.
  • Review of your breach communications templates.
  • The facts, pros and cons of cyber insurance for your organization.
  • Strategic plans, timelines and milestones for a cyber breach incident.

A dark web assessment is a comprehensive approach to detecting information, such as corporate intellectual property or personally identifiable information (PII), on the dark and open web that could be leveraged to launch a cyber attack against your organization.

Digital credentials, such as usernames and passwords, connect you and your employees to critical business applications and online services. Unfortunately, those same credentials are prized by criminals, and are among the most valuable assets traded on the dark web, where it is estimated that over 50% of all sites are used for criminal activity.

We use a number of different resources to search for any information available on the dark web about your company, its executives, and its board of directors.

M&A Cyber Assessment

TeamCISO has been conducting cyber security risk assessments across all business verticals, public and private, since 2015, and can help you understand the qualitative and quantitative cyber risks involved in your impending M&A activities.

All of our assessments provide both executive and technical reports on any deficiencies found, with a risk rating and the affected systems for each deficiency, as well as remediation advice and links to corrective measures where possible.

We have prepared three packages to help you with your assessment:

Bronze

  • Information Security Program Maturity Assessment
  • Infrastructure Security Controls from the Internet
  • Infrastructure Security Controls from Internal Access
  • Discovered Network Attached Assets List

Silver

  • Information Security Program Maturity Assessment
  • Infrastructure Security Controls from the Internet
  • Corporate Website / Client Portal Security Controls
  • Infrastructure Security Controls from Internal Access
  • Remote Access / 3rd Party Access Controls (VPN & B2B)
  • Asset Management Assessment

Gold

  • Information Security Program Maturity Assessment
  • Infrastructure Security Controls from the Internet
  • Corporate Website / Client Portal Security Controls
  • Infrastructure Security Controls from Internal Access
  • Cloud Based Services Infrastructure Controls (IaaS, PaaS)
  • Cloud Based Services Security Controls (SaaS)
  • Industrial Controls Security - IoT/IIoT/SCADA/ICS
  • Remote Access / 3rd Party Access Controls (VPN & B2B)
  • Asset Management Assessment
  • Breach Readiness Assessment
  • Dark Web Assessment