Computerworld - Our company is frequently involved in mergers and acquisitions, and we typically don't know the security posture and integrity of the IT resources in the company we're acquiring.
In the past, rather than conducting an upfront security audit, we simply opened the floodgates to allow network traffic to flow from the acquired company into our trusted environment. In one case, that allowed a virus to propagate through several parts of our network, requiring many hours of cleanup.
A security audit could have prevented that. But unless an upfront audit is written into the acquisition agreement, it can't be started until after the merger or acquisition is completed. Many target companies resist such upfront agreements, however, fearing the loss of sensitive information if the deal doesn't go through.
But that's not the worst of it. Once the acquisition deal is signed, the executive staff is in such a rush to integrate the companies that security assessments typically take a back seat to bottom-line profitability concerns.
Fear of the Unknown
It's difficult to determine the integrity of another company's infrastructure prior to establishing a trust environment between our environment and theirs. Here's what usually happens: The network team configures a dedicated circuit to the acquired company, throws up a firewall and asks the acquired company to configure its servers to set up trust relationships with ours. The most important goals are to give new employees access to our e-mail, human resources applications, company intranet and a few other critical applications. If the company we are acquiring sells a software product, its engineering team also needs access to our source code - our company's bread and butter.
What we fear most is that the newly introduced resources may be infected with a virus. It's also possible that the other company's servers don't meet our security configuration requirements and are vulnerable to an attack, or have already been compromised.
I've seen incidents where the e-mail server at the acquired company had been fully compromised when someone added a packet-sniffing device to the network. The company had contracted out the installation and configuration of its e-mail server, and no one on staff was capable of managing the resource. The server was never maintained properly, so the packet sniffer went unnoticed for more than three months.
We need a security gateway product that can act as an interim measure until a full assessment can be completed, mitigating the most common problems we might encounter during an acquisition. We want something that offers good protection at a
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
