At issue: It's time to evaluate the security posture of a small company that's being acquired.
Action plan: Years of experience with such tasks will pay off.
Computerworld - I've been through several mergers and acquisitions, so with my company preparing to acquire a small business, I pretty much know what I have to do. That means I don't have any crises to report this time, but I hope the lack of difficulties will reassure the security managers who read this column that things don't always have to be difficult.
My M&A assessment typically starts with an interview with the CIO of the acquisition target. In this case, though, the company is so small that there is no CIO, and the IT function is completely outsourced, so I met with the CEO instead. He could give me only a few minutes, so my questions were brief. I wanted to know what company data he considered sensitive, where this data resided and whether there had ever been any security breaches.
In a small company, the CEO is also likely to know of any employees who might react negatively to the news of an acquisition. It's good to find out about people like that, because employees who feel threatened by an acquisition can do some damaging things. In one case in my experience, an employee altered the source code algorithms he was working on. He was found out and fired, whereupon he told us that he took the action as "job security." Didn't quite work out. Neither did the action of an employee at another company who decided to take home some gold electronic connectors to help tide him over in the event of a layoff. He explained that he was planning on returning the property after he was sure he wouldn't be fired.
I also met with the consultants who manage the IT infrastructure. They were very courteous and had already prepared an abundance of information to make my job easier: network diagrams, lists of servers and IT assets, contracts with service providers, points of contact, etc.
I always carry a USB device containing tools such as Microsoft Baseline Security Analyzer, Sysinternals' RootkitRevealer, and Wireshark, an open-source analyzer for reviewing network traffic. With those, I could get a feel for the security posture of the PCs and servers in regard to patches, baseline configuration and antivirus software and determine whether there was any suspicious network traffic that would indicate a compromise or abuse of the network. I know it's not a 100% indication, but since I had only a limited amount of time, it had to do. Lack of time also means my recommendations will be based on some assumptions, since I can run my tools on only a few PCs.
This case seemed pretty typical of most M&As I've done, with many of the PCs not up to date with security patches, and the antivirus software not from a leading vendor. I didn't spot any suspicious network activity, but the company does have a weak firewall policy, insecure wireless access points and unsecured remote access. It also pays no attention to intellectual property protection and has a fairly open and shared directory structure.
In my company's M&A life cycle, Day 1 is when the acquired company legally becomes ours. As we work toward Day 1, employees at our target will need to access various apps and services such as e-mail, benefits and payroll. I've allowed the use of Citrix XenApp to give them access to our company's resources via two-factor authentication. The only restriction is that they can't upload any data from their current PCs to the Citrix environment and vice versa. This is a small inconvenience that will last only a short period of time, until we mitigate the security findings and then connect the networks. At that point, our new office will become an extension of our current corporate environment through a dedicated VPN or MPLS circuit.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

