Protecting Acquired Network and Information Assets
The period following a merger or corporate acquisition can be chaotic and fraught with feelings of apprehension among the acquired company's employees, vendors and the interested public. Rumors or an announcement of a transaction can raise a company's public profile. Such conditions increase the possibilities of an attack on the company's network and digital resources. Potential intruders can range from harmless snoops to malicious saboteurs. A digital assault can come from outside the company or from within its facility.
The security of a company's network is the only guarantee that confidential information and proprietary systems are safe. Confidential information can be wide in scope and potential impact. Sensitive personnel information, employee medical information, financial information, and credit card numbers are among the many types of data that can be found on some computer networks. Intruders could steal and misuse research and development information, customer information and engage in reconnaissance of the company's on-line processes. In today's digital environment, companies of all sizes depend upon their internal and external network systems to communicate and conduct business.
A sensible, well-planned acquisition can quickly become a disaster if the company's digital resources are rendered inoperable or if sensitive data falls into the wrong hands. For that reason, the security of the company's digital and network resources should be among management's top priorities during due-diligence and after the transaction closes.
Intruders with the right skills acting from the comfort of their homes can have their way with any information stored on an inadequately protected network. Once an intruder gets access to the system, information can be downloaded, changed or erased; web pages can be defaced; or servers crashed. Purloined information can find its way to competitors or wind up posted on the Internet.
Former employees, disgruntled customers, malicious competitors, or hackers and crackers testing their skills can initiate an outside attack. For example, say a former employee with moderate computer knowledge knew that a co-worker always checked e-mail through the company's Internet e-mail access service. That employee could send an HTML document as an e-mail attachment. An HTML document ("HTML document" is the technical name for a web page) wouldn't register with most users as a potential carrier of a virus. Unfortunately, one particular e-mail product is known to have a hole whereby any program embedded in the HTML document will run if the document is opened. The intruder could then manipulate files and read mail, among other malicious acts. As is usually the case, the manufacturer has recently released an update that patches this hole (but the patch needs to be installed).
In a lax security environment (which most environments are, frankly) many users use their first name, a child's name, a pet's name, etc., as their password because it's easy to remember. A would-be intruder could make educated guesses as to what a co-worker's password might be; in some cases success can be achieved in one or two tries. What if an employee's friend is holding a grudge?
Combined with the fact that most networks now allow, as in the aforementioned scenario, employees to access their company e-mail from remote locations, it's easy to see that getting into another employee's mailbox might not be so hard. If reconnaissance doesn't work, there's always the seemingly endless supply of password "cracking" utilities available for free on the Internet. These utilities send randomly generated or pre-selected passwords to a machine at blazing speed. With a four-number password for protection, you can expect an intruder to be in within minutes.
In environments where physical access to the company's network is unmonitored, a malicious user has free rein to engage in any phase of an attack. Reconnaissance can be executed from within the company walls. Hard drives can be examined for content, files can be saved to a portable media format or e-mailed to another user, and viruses can be loaded directly onto machines from a disk.
Most of the tools an intruder needs will fit on a floppy disk. A "password-recovery utility" can be loaded onto a machine, allowing every password stored locally to be viewed in plain text. A "Trojan horse" program can be loaded onto a machine from a disk, thereby laying the groundwork for an efficient and potentially devastating attack on the system from a remote location.
Anti-virus software does little good in this scenario as the intruder can simply shut it down at the local machine.
For all of the advances in digital technology, physical access is most easily controlled by locks and keys. The network room should be locked when it's unattended and the disbursement of keys restricted. While the bulk of network security concerns are best addressed by your IT department, some are best served by the services of a locksmith. Some network rooms are monitored and videotaped for additional security.
The role of a good network administrator
If a network is poorly maintained, if the latest updates from the manufacturer haven't been loaded or if the network administrator had little support staff and was constantly involved in tasks outside the scope of their regular position, then you can be almost certain that security on the system hasn't been maintained as well as it should have been.
Everyone knows about viruses, everyone knows about passwords, but good network administrators know that security involves being aware of what's transpiring on their systems, what potential openings exist for would-be intruders and how much of the company's information is available to those who know how to look for it.
Let's take, for example, an Internet-based attack. One morning, an employee turns on his computer and surfs to the company web site only to find that the page has been defaced. No one knows where it came from, no one knows who did it.
But a good administrator with the time to do their job right would have seen it coming.
In this example case, two days before the attack occurred intruder-detection software would have detected a port scan being done on the company's network. This act isn't malicious in itself, but it's akin to having someone pull on your window to see if it's locked.
Using the right software, the network administrator could've traced the scan back to its source and possibly averted the attack. If a trace didn't succeed (and there's a good possibility that the intruder would have taken measures to ensure that it didn't), the administrator would've at least known to be ready.
One day before the attack, several system files were changed on the network. Again, there are programs that would have notified the administrator of this, but many networks don't make use of them. If this had been detected, the intruder could've been found out or, at the very least, the hole in the network's security the intruder used to get in could have been plugged.
The night of the attack, the intruder sat at their computer in complete control of the network hundreds of miles away. The web page was altered; files were erased off the network. All of this could have been avoided with simple security precautions and a security assessment that would've plugged the holes the intruder used.
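The "programs that would have notified the administrator" of changed system files are file-integrity checkers: hash every file once, then re-hash and compare. The following is an added example, not code from the article, of that baseline-and-compare check; the directory tree, file names and contents are constructed for the demonstration.

```python
# Added example (not from the article): hash-based file-integrity baseline and
# comparison, the kind of check that would have flagged the changed system files
# a day before the defacement described above. Paths and contents are constructed.
import hashlib
import os
import tempfile


def build_baseline(root):
    """Record the SHA-256 of every regular file under `root`, keyed by
    relative path (with forward slashes so results are portable)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return baseline


def compare_baseline(root, baseline):
    """Re-hash `root` and report paths that were modified, added or removed
    relative to `baseline`, each as a sorted list."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a small tree, then simulate an intruder
    defacing the web page, dropping a new file and deleting a log."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "www"))
    for rel, text in [("www/index.html", "<html>Welcome</html>"), ("access.log", "ok\n")]:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    baseline = build_baseline(root)
    # Simulated tampering after the baseline was taken.
    with open(os.path.join(root, "www", "index.html"), "w") as fh:
        fh.write("<html>defaced</html>")
    with open(os.path.join(root, "unexpected.exe"), "w") as fh:
        fh.write("x")
    os.remove(os.path.join(root, "access.log"))
    return compare_baseline(root, baseline)
```

In practice the baseline is stored off the monitored machine (an intruder with control of the host can otherwise rewrite it) and the comparison runs on a schedule, alerting the administrator on any non-empty result.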
While there are countermeasures that can be taken to prevent or trace the source of an attack, these countermeasures themselves can be countered. For example, it is possible to trace the IP address of an attacker, as the network administrator might have attempted in the example above. However, attackers will often route their attack through one or a series of different servers. This tactic serves as a sort of network camouflage that effectively hides the IP address from where the attack actually originated. Tracing the attack will only lead to a series of machines that, like the victim's, have been invaded by the attacker. Or, the trace may lead to a "proxy" server that has no means of revealing the intruder's IP address.
Network Security Diligence
Part of any due-diligence process should involve personnel from the buyer's IT department. IT professionals should be brought in early to assess the security of the company's network. Given the time and resources, most holes can be patched quickly and efficiently. You may have to negotiate with the seller for access to their network. Because information on a computer network is proprietary, the seller has an obvious vested interest in keeping the buyer away before the deal is closed. However, even a cursory look by an IT professional reveals a great deal about the company's awareness and level of network security.
Before you do anything, find out who has access to what information and why. It's a very simple-sounding bit of advice, but probably the most important advice there is.
Any good IT person will first look at the operating system and determine if the updates have been kept current. Many manufacturer updates are patches for security holes, and this simple auditing of the computer equipment can give a good picture of how important network security was to the prior owners of the system.
Don't overlook the human factor. Get information about the seller's network administrator. Are they experienced? Are they both a top-notch IT professional and a top-notch leader? All of the security software and protocols in the world are worthless if they're not implemented and overseen by a diligent and conscientious professional.
Hiring a security consultant can also be a good move for those who have recently acquired a company. Good security consultants will perform a series of tests, in-house and from a remote location, that will let you know how easy it is for an intruder or unauthorized person within the company to access confidential information.
Below is a list of questions that should be asked as part of any due-diligence process:
- Is there a written network security policy in place?
- How qualified is the network administrator?
- Are programs kept updated as a matter of policy or is it just assumed to be done on a regular basis?
- Are logs of any past intrusions/attacks kept?
- How strictly controlled are employee rights and privileges to the network server?
- Is there a written policy regarding the complexity of passwords and how frequently they are to be changed?
- Do employees with remote access have written security guidelines regarding that access?
Remember, when you're asking these questions and others like them, listen for specific, detailed answers. Incomplete and overly general answers probably indicate an incomplete and ineffective security policy.
No Time Like the Present
When the merger or acquisition is complete there should be an immediate and efficient plan put into action to ensure the smooth takeover of the seller's network assets.
The buyer's IT department should move in with a sense of urgency. An intruder's dream is to simply have a password that gives them access to their target network. The easiest way to avoid that unfortunate situation is to change passwords immediately. The first step should be that high-level passwords are changed in accordance with the buyer's protocols. Employee passwords should be changed as quickly as possible as well, again in accordance with the buyer's policies. Simple, one-word passwords should be replaced with strong passwords (more than 8 characters that combine letters of varying case, numbers, and symbols).
While it may cause some toes to be stepped on, user rights and privileges should be examined immediately. Any access that looks to be beyond the normal scope of an employee's job should be revoked. If it's important that a particular employee have that access, it will become readily apparent and giving those rights back to the employee is a simple task.
Operating systems should be given a thorough review and the latest updates should be installed. Remember, someone in the IT department could deliberately skip loading a security patch in the interest of keeping a door into the system open for later use.
And, as always, anti-virus software should be among the first priorities. The latest definitions should be loaded immediately.
The Right Tools For the Job
One thing that should be kept in mind when checking for programs that are a potential security threat is that the tools intruders use are, for the most part, legitimate networking applications. For instance, a "packet sniffer" potentially allows an intruder to intercept e-mails or any other transmission originating from their target. A network administrator, however, will use a packet sniffer to troubleshoot problems on the company network. Think of it like this: if someone uses a slim-jim to break into your car, you may view the tool itself as malicious. But if a locksmith opens your door for you with the same tool, you'll be glad slim-jims exist. People are sometimes malicious in their intentions; the tools they use are simply tools. If your network administrator has a collection of "password recovery" tools, chances are he or she is keeping them around for the inevitable day when one of your employees designs a strong password for themselves and subsequently forgets it. Of course, this should make it clear what sort of integrity a network administrator should have.
Helpful and Informative Links
Fortunately, the Internet is a treasure-trove of information regarding network security. Commercial and non-commercial sites offer reviews of products, tutorials and frequently asked question lists about security issues. Here are some links to explore, in ascending order of detail and complexity:
- C-net at www.cnet.com. C-net is a wealth of information used by pros and amateurs alike. A search of their site will yield up to date and well-researched information regarding security and viruses.
- Symantec at www.symantec.com. Symantec manufactures the popular Norton Anti-Virus and Norton Firewall programs. Their site has extensive information regarding viruses, worms and Trojan horses. Their products are among the most respected available.
- Sygate at www.sygate.com. Sygate produces a very aggressive firewall that is free to home users. Business prices are reasonable. Their site contains information on security-related issues and even allows you to give your computer a security check for free.
- ZD-net at www.zdnet.com. ZD-net is a tech site that features tight, plain-English writing. Good information on networking, security and viruses.
- Cisco Systems, Inc. at www.cisco.com. Cisco has a wealth of information regarding Internet and network security. The materials are well written and detailed.
- CERT at www.cert.org. CERT is an authority among authorities where Internet and network security are involved. The site is geared toward professionals and the information tends to be quite technical.
A company may appear to be "low tech," but still have digital resources that need to be protected. Security starts with an awareness of the threat. Include a review of network security as part of due-diligence and if the transaction closes, be prepared to immediately step in and secure the network and related resources. Audit security and be prepared to plug any holes. Develop a security plan, implement it and keep it current. Finally, if your team lacks competence in this area, consider the services of a network security consultant.
Copyright © 2000 - 2002 MoneySoft, Inc. All Rights Reserved Worldwide.