Don’t Ignore Attack Surface during M&A
William Klusovsky
Cybersecurity Sage | I help elevate your cybersecurity business, no matter the size of your team. Advisor, Speaker, Business <-> Tech Translator, Product, Services (PS, MSS), GTM.
Due diligence in mergers and acquisitions (M&A) is a staple of the process; however, too often that due diligence is not extended to the state of cybersecurity. Most often the CISO is informed when the deal is already done or close to complete. The standard approach is to conduct some kind of assessment “quickly” so the security and IT teams can get some idea of what they are inheriting and will have to integrate.
Many will take a NIST- or ISO-based security assessment approach: conduct interviews with staff, maybe do some scanning, or review current risk registers. This gives a limited view of the risks posed to the business. You are relying on the answers obtained during the interviews, plus whatever testing or validation you may have done. Did you validate the answers and conduct any testing? Or did you take the words given to you as facts in an effort to move quickly?
I certainly recommend that some level of validation take place. This is different from managing the GRC of an ongoing program within the business. This first assessment is not just about building a baseline for long-term growth. The goal is to identify, with a high degree of certainty, the risks you are about to absorb or introduce into your well-managed program. This is where the case for an attack surface assessment is made.
When you conduct a comprehensive attack surface assessment, you are doing more than simply running an ASM tool and taking the results. The ideal engagement will leverage multiple technologies to identify what the business looks like to a would-be hacker. This includes conducting the same reconnaissance a threat actor would across the internet and dark web. A targeted assessment will also look into potentially exposed data, systems from prior acquisitions, divestitures, former SaaS solutions, and third parties. All of these could be housing potential risk to your acquisition, and once you integrate, that risk not only becomes your risk but could be used to gain access to your business.
The key here is that the assessment doesn’t just take the findings at face value. Actual testing and validation are conducted on the findings. This validation means an accurate mapping of the true attack surface: the risks identified are real and exploitable. You are not simply accepting a “Critical” because of a CVE number. We have found data for clients that they owned residing in easily accessible areas, often due to misconfigurations and forgotten systems long believed to be offline. These kinds of things are not something you will discover with an interview-based assessment, nor will internal scanning or a standard pentest find them. The mapping of the attack surface and prioritization of vulnerabilities also delivers attack paths. This is extremely helpful when you consider integration. Ideally you want to remediate any attack paths; knowing where they are and how they can be used gives you the data to put compensating controls in place while remediation is planned or worked.
If you can engage your M&A team early, these kinds of assessments can be conducted prior to final negotiations. This means the findings can be leveraged in those negotiations, or you may require remediation. At the very least you have a much more realistic view of your acquisition’s risk. When the time comes to integrate, you won’t have to start with the assessment, meaning you can move faster: integrate faster and start reaping the benefits of your new business unit.
This is a repost of an article originally posted on stratascale.com