
Warning: M&A needs more IT security!


Everyone is aware of the legal requirements for public companies to restrict knowledge of a pending merger or acquisition. In this article, I want to focus on the information security requirements, from the first hint of a deal up to the actual marrying of the two organizations. The issues identified in this article are based on the network security and penetration results of recent audits done by Canaudit, my consulting firm. All but two networks failed our tests this year. It appears that American organizations have not successfully protected their information assets and that confidential communications are not confidential. To ensure that a corporate combination is successful, the initial communications and subsequent discussions must be private. The Internet, mail, and networks, as well as the servers and workstations within the network, must be secure from those seeking to gain financial advantage before the merger and from disgruntled employees and contractors after the merger.

CAPTURING “THE DEAL” INFORMATION

There are many ways that a person can gain access (from an IT perspective) to information on a pending deal. The greatest weakness in corporate communication is e-mail and Web mail. E-mails are often sent unencrypted through the Internet. With the right tools and techniques, it may be possible to intercept e-mails. The most effective control is to encrypt the e-mail using an encryption product such as PGP. PGP interfaces with Microsoft Outlook and Exchange, making it a simple matter to encrypt any outbound e-mail. It is also possible to encrypt e-mail transmissions using other techniques, such as creating an encrypted communication path using Secure Sockets Layer (SSL). The two are not equivalent: SSL protects one hop, between the mail client and its server or between two servers, while the message sits in clear text on every mail server it passes through. PGP protects the message itself, end to end, which is why it is the preferred control for deal correspondence.

Before reading an e-mail, it must be decrypted. Again, this is a simple click-of-a-button process. A common flaw with encrypted e-mail is failing to properly secure the decrypted version. E-mail is often decrypted and then saved in an unencrypted file. My solution for this is to use an encrypted file system. Confidential information can be stored in this protected section of a hard drive, with access only by individuals who are authorized to view or modify the data and who use security tokens or biometrics (fingerprint or iris scan) to confirm that they are who they claim to be.

Gordon Smith

Everyone is aware of the legal requirements for public companies to restrict knowledge of a pending merger or acquisition. But in this article, the author looks at information security requirements, from the first hint of a deal up to the actual merger. The author's real-life audit tests have shown that American organizations have not successfully protected their information assets, and that confidential communications are not confidential. © 2005 Canaudit Inc.

Feature article (p. 53). © 2005 Canaudit Inc. Printed with permission. Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/jcaf.20183

WEB MAIL SYSTEMS CAN BE COMPROMISED

Web mail also poses a significant threat. Many of our clients use Web mail but do not properly protect it. When a user wants to log in from home or a hotel room, he logs in with his normal network account and password, and that password can be easily compromised. On our audits, we use special tools to identify the poorly secured Windows machines within the network. In some cases, only one or two poorly secured machines will give us the information we need to gain control of the Windows domain or Active Directory. With this access, it is a simple matter to download and crack everyone's password. Once the password cracking is complete, "spies" can simply log into the Web mail application using the CFO's account and password. Now they can view his or her e-mail as easily as the CFO can. They can even send messages from the CFO to virtually anyone, anywhere. These appear to be authentic messages, as they are actually sent from the corporate e-mail application. The security-relevant point is that Web mail turns every domain password into an Internet-facing credential: the weakest workstation in the building sets the security level of the CFO's mailbox.
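The "download and crack everyone's password" step deserves a concrete look, because the speed of that attack comes from how Windows domains of the period stored passwords. The following Go program is an added example, not code from the article or from Canaudit. It computes the LAN Manager (LM) hash that those domains kept alongside the NT hash, and then recovers a password from it the way a cracker does, one half at a time. Everything in it is standard LM behaviour (upper-casing, the 14-byte limit, the fixed plaintext `KGS!@#$%`, no salt); the sample password and the candidate word list are constructed for the example.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext every LM hash encrypts ("KGS!@#$%").
var lmMagic = []byte("KGS!@#$%")

// sevenToEight expands a 7-byte half into an 8-byte DES key: each run of
// 7 bits becomes the top 7 bits of a key byte; the low (parity) bit is 0.
func sevenToEight(k7 []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0] & 0xFE
	for i := 1; i < 7; i++ {
		k[i] = (k7[i-1]<<(8-uint(i)) | k7[i]>>uint(i)) & 0xFE
	}
	k[7] = k7[6] << 1
	return k
}

// lmHalf DES-encrypts the magic constant under one NUL-padded 7-byte half.
func lmHalf(half []byte) [8]byte {
	block, err := des.NewCipher(sevenToEight(half))
	if err != nil {
		panic(err)
	}
	var out [8]byte
	block.Encrypt(out[:], lmMagic)
	return out
}

// lmHash computes the LAN Manager hash: upper-case the password, truncate or
// NUL-pad it to 14 bytes, split it into two 7-byte halves and hash each half
// on its own. There is no salt, so equal passwords give equal hashes.
func lmHash(password string) [16]byte {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		p = p[:14]
	}
	p = append(p, make([]byte, 14-len(p))...)
	first, second := lmHalf(p[:7]), lmHalf(p[7:])
	var h [16]byte
	copy(h[:8], first[:])
	copy(h[8:], second[:])
	return h
}

// lmHex renders the hash the way password dumps usually show it.
func lmHex(password string) string {
	h := lmHash(password)
	return strings.ToUpper(hex.EncodeToString(h[:]))
}

// crackLM shows why LM cracking is fast: each 8-byte half is looked up
// independently, so an 8-character password is really a 7-character word
// plus one character. It returns the upper-cased password; the original
// case is not recoverable from an LM hash.
func crackLM(target [16]byte, words []string) (string, bool) {
	halves := map[string]bool{"": true} // empty half: password of 7 chars or less
	for c := byte('A'); c <= 'Z'; c++ {
		halves[string(c)] = true
	}
	for c := byte('0'); c <= '9'; c++ {
		halves[string(c)] = true
	}
	for _, w := range words {
		w = strings.ToUpper(w)
		if len(w) > 14 {
			w = w[:14]
		}
		if len(w) > 7 {
			halves[w[:7]], halves[w[7:]] = true, true
		} else {
			halves[w] = true
		}
	}
	table := make(map[[8]byte]string, len(halves))
	for h := range halves {
		padded := make([]byte, 7)
		copy(padded, h)
		table[lmHalf(padded)] = h
	}
	var a, b [8]byte
	copy(a[:], target[:8])
	copy(b[:], target[8:])
	left, okL := table[a]
	right, okR := table[b]
	if !okL || !okR {
		return "", false
	}
	return left + right, true
}

func main() {
	fmt.Println("LM(\"password\") =", lmHex("password"))
	// Constructed candidate list: one real word is all the attack needs.
	got, ok := crackLM(lmHash("password"), []string{"merger", "password"})
	fmt.Println("recovered:", got, ok)
}
```

Because the two halves are hashed independently and there is no salt, one lookup table serves every account in the dump, and an eight-character password falls as a seven-character word plus a single guessable character. The NT hash stored next to it (an unsalted MD4 of the password) is slower to attack but has the same "one table fits all" weakness. The standard remedy for the LM half of the problem is to stop storing LM hashes (the NoLMHash policy) and to enforce passwords of 15 characters or more, which cannot be represented as an LM hash at all.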

SECURING THE VIRTUAL PRIVATE NETWORK IS A MUST

Some of our clients use a Virtual Private Network (VPN) to create a secure remote connection to the internal network. While this may seem acceptable, it is not necessarily a truly secure connection, as many VPN products (and Web mail front ends) use a software client on the user's machine. This software is freely available and can usually be downloaded from the software provider's Web site, so possession of the client proves nothing. If a simple account name and password is the primary means of authentication, anyone who gains access to the password files, as mentioned earlier, can get into the VPN: the tunnel may be strongly encrypted, but it is protecting a session that the intruder opened with stolen credentials. The control we suggest is two-factor authentication: a security token, an authentication certificate, or biometrics, in addition to the account and password. With this technology, it will be very difficult indeed for an intruder to successfully masquerade as a valid user. One caution on certificates: a certificate stored on the laptop without a PIN or a hardware token is only as safe as the laptop, and it should be revoked the moment the machine is reported lost.

REMOTE DESKTOP ACCESS CAN RESULT IN SECURITY BREACHES

Another way to glean information is to use existing poorly secured software to gain access. Virtual Network Computing (VNC) is often used by help-desk staff and administrators to provide remote support to clients. Most implementations of this product rely on a simple password. Software tools such as NBTEnum enable the capture of the encrypted VNC password. The "encryption" is very weak: the classic VNC servers do not hash the password but DES-encrypt its first eight bytes under a single fixed key that is published in the VNC source code, so anyone who reads the stored value can turn it back into the plaintext in an instant; no cracking is needed. Windows Terminal Services can also be used for remote support. In most implementations, any domain administrator, or any attacker who gains domain administrator rights, can view desktops running Windows Terminal Services. As long as your machine is powered on, VNC and Windows Terminal Services can be used to gain access to your machine or view your files. "Locking" the computer only stops a passerby from sitting down at your workstation. It does not stop a skilled hacker who gains domain access from compromising a machine that is powered on.
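To show what "very weak" means here, the following Go program is an added example, not from the article: it reproduces the password storage of the classic VNC servers (the original AT&T lineage and its RealVNC, TightVNC and UltraVNC descendants), which DES-encrypt the first eight bytes of the password under one key that every copy of the server shares. The key bytes below are that published key rewritten in standard DES bit order so that the standard library cipher accepts it; the sample password is constructed. Anyone holding the stored value (registry entry or password file) recovers the plaintext with one decryption.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// vncKey is the fixed key shared by every classic VNC server. The VNC
// sources write it as 23,82,107,6,35,78,88,7 for the d3des library, which
// reads key bits in reverse; these are the same bytes in standard DES bit
// order, which is what crypto/des expects.
var vncKey = []byte{0xE8, 0x4A, 0xD6, 0x60, 0xC4, 0x72, 0x1A, 0xE0}

// obfuscate produces the 8-byte value a classic VNC server stores: the
// password truncated to 8 bytes, NUL-padded, DES-encrypted under the fixed key.
func obfuscate(password string) [8]byte {
	block, err := des.NewCipher(vncKey)
	if err != nil {
		panic(err)
	}
	plain := make([]byte, 8)
	copy(plain, password) // longer passwords are silently cut to 8 bytes
	var out [8]byte
	block.Encrypt(out[:], plain)
	return out
}

// deobfuscate reverses it with the same public key; there is no secret
// anywhere in the process, so this is decoding rather than cracking.
func deobfuscate(stored [8]byte) string {
	block, err := des.NewCipher(vncKey)
	if err != nil {
		panic(err)
	}
	var out [8]byte
	block.Decrypt(out[:], stored[:])
	return strings.TrimRight(string(out[:]), "\x00")
}

func main() {
	stored := obfuscate("M&Adesk1") // constructed sample password
	fmt.Printf("stored value: %s\n", hex.EncodeToString(stored[:]))
	fmt.Printf("recovered:    %q\n", deobfuscate(stored))
}
```

Two properties follow directly from the code and are what an auditor should check for: the stored value is reversible by anyone, and only the first eight characters of the password matter, so a long VNC password buys nothing. The control is the one the article gives: remove VNC where it is poorly secured, or at least keep it off the general network and behind the segmented, two-factor access described below.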

In my opinion, poorly secured VNC should be eradicated from the network. To reduce the damage that can be done by an attacker, we strongly suggest that the executive network be segmented from the corporate network (using a firewall, router, or switch that is properly filtered). We also suggest that executives have their own Windows domain or Active Directory container that is administered by one or two trusted and bonded administrators. Note the difference between those two options: a container (organizational unit) inside the existing domain is still fully under the control of that domain's administrators, which is exactly the group an attacker joins by cracking the password file, so only a separate domain in its own forest gives a real administrative boundary. The executive PCs should have encrypted hard drives, or segments of the hard drive should be encrypted so that sensitive information can be stored in a protected manner. If information needs to be viewed by various executives, then an encrypted shared drive should be set up and access granted on a proven need-to-know basis. All machines that access the shared drive should be within the segmented executive network or should use a VPN with two-factor authentication to connect to the shared drive.

NETWORK SEGMENTATION IS A MUST

One of the questions that often arises in conjunction with a separate executive network is "Who should use the executive network?" There are two answers to this question. The first is for normal business operations, excluding mergers and acquisitions. I believe that the first group to be included should be the executives and their assistants. I also believe that the legal, internal audit, and some of the HR staff who have access to sensitive information should be included in the segmented executive network. The employees and contractors working in these areas have access to very sensitive information. Lawyers have access to confidential documents that are subject to attorney-client privilege. Auditors have documentation that identifies security flaws in the control structures, as well as documentation on the business applications themselves. These areas need separate encrypted shared drives within the executive VPN.

54 The Journal of Corporate Accounting & Finance / January/February 2006

DOI 10.1002/jcaf © 2006 Wiley Periodicals, Inc.

The second answer to the question relates to the mergers and acquisitions staff and consultants themselves. We believe that these people should have their own highly protected and secured network segment. Again, their e-mail should be encrypted, and they should have a separate encrypted shared drive. This group should be on their own VPN. To deter the chance of information leakage, file transfers and e-mails between this VPN and the outside world should be monitored, which in practice means the gateway must record who sent what, how much, and where, and someone must actually review that record. Any unusual activity should be investigated.
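One way to put the "monitor transfers between this VPN and the outside world" advice into practice is shown by the following Go program, an added example rather than anything from the article. It assumes a gateway that writes one line per transfer (timestamp, source IP, user, direction, byte count, destination), that the deal team sits in 10.99.0.0/24, and a short list of destinations the team legitimately uses; the addresses, domain names and log lines are all constructed for the example. It raises an alert for deal-segment traffic to any destination not on the list, and for bulk outbound transfers even to listed ones, and it reports malformed lines rather than skipping them, since a gap in the monitoring is itself a finding.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Assumptions for this example (not from the article): the deal team's
// segment, the destinations it is expected to use, and the size above which
// a single outbound transfer is worth a second look.
var dealSegment = mustCIDR("10.99.0.0/24")

var allowedDestinations = []string{
	".corp.example",              // constructed: internal services
	".dealroom-provider.example", // constructed: the virtual data room
}

const bulkThreshold = 1 << 20 // 1 MiB in one outbound transfer

// Transfer is one parsed gateway log line.
type Transfer struct {
	Time, SrcIP, User, Direction, Destination string
	Bytes                                     int64
}

// Alert is a transfer that needs a human to look at it, with the reason.
type Alert struct {
	Transfer
	Reason string
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// parseLine splits one line of the form
//   <timestamp> <src-ip> <user> <IN|OUT> <bytes> <destination>
func parseLine(line string) (Transfer, error) {
	f := strings.Fields(line)
	if len(f) != 6 {
		return Transfer{}, fmt.Errorf("malformed line: %q", line)
	}
	n, err := strconv.ParseInt(f[4], 10, 64)
	if err != nil {
		return Transfer{}, fmt.Errorf("bad byte count in %q: %v", line, err)
	}
	return Transfer{Time: f[0], SrcIP: f[1], User: f[2], Direction: f[3], Bytes: n, Destination: f[5]}, nil
}

// allowed matches the destination host against the allow list by suffix.
func allowed(dest string) bool {
	d := strings.ToLower(dest)
	for _, suffix := range allowedDestinations {
		if strings.HasSuffix(d, suffix) {
			return true
		}
	}
	return false
}

// review applies the article's rule to a whole log: traffic between the deal
// segment and the outside world is watched, and anything unusual is raised.
func review(log string) ([]Alert, []error) {
	var alerts []Alert
	var errs []error
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		tr, err := parseLine(line)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		ip := net.ParseIP(tr.SrcIP)
		if ip == nil || !dealSegment.Contains(ip) {
			continue // not the deal team; outside this rule's scope
		}
		switch {
		case !allowed(tr.Destination):
			alerts = append(alerts, Alert{tr, "deal-segment traffic to unlisted destination"})
		case tr.Direction == "OUT" && tr.Bytes >= bulkThreshold:
			alerts = append(alerts, Alert{tr, "bulk outbound transfer"})
		}
	}
	return alerts, errs
}

// sampleLog is constructed for this example; the last line is deliberately broken.
const sampleLog = `
2006-01-10T09:12:03 10.99.0.14 jdoe OUT 2400000 files.dealroom-provider.example
2006-01-10T09:15:44 10.99.0.21 asmith OUT 5120000 mail.freewebmail.example
2006-01-10T09:20:10 10.20.3.5 bob OUT 120000 www.news.example
2006-01-10T09:31:58 10.99.0.14 jdoe IN 8000 intranet.corp.example
2006-01-10T09:40:02 10.99.0.14 jdoe OUT 700 www.news.example
2006-01-10T09:41:11 10.99.0.30 mlee OUT notanumber share.corp.example
`

func main() {
	alerts, errs := review(sampleLog)
	for _, a := range alerts {
		fmt.Printf("ALERT %s %s -> %s (%d bytes): %s\n", a.Time, a.User, a.Destination, a.Bytes, a.Reason)
	}
	for _, e := range errs {
		fmt.Println("PARSE ERROR:", e)
	}
}
```

The allow list, not a block list, is the important design choice: during a deal the set of legitimate counterparties is small and known, so anything else from that segment is by definition unusual. The bulk rule fires even for listed destinations because a 2 MB upload to the data room is normal but still worth a line in the reviewer's report, and the parse errors go to the same report so that a log format change does not silently blind the control.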

WHO IS LOOKING OVER YOUR SHOULDER?

Another source of information leakage is the BlackBerry (a handheld device used to send and receive e-mail). Let's look first at the major security issue. Most BlackBerry users do not have a password on their BlackBerry. It is a simple matter to lift the device off a desk or even take it out of someone's pocket, purse, or briefcase. The perpetrator can now read all of the e-mail and send bogus e-mails from the executive's BlackBerry. These unauthorized e-mails from your executive's official e-mail address could irreparably damage the relationship between the dealing parties. Always ensure that there is a complex password on the BlackBerry and that the loss of a BlackBerry is reported immediately so that the appropriate security measures can be implemented.

Many of our clients have BlackBerry servers within their network. This by itself is not an issue. The security concern I have is with default accounts and passwords. On several occasions, we have identified an administrative account called bberry with a password of bberry. In most cases, this gave us administrative access to the BlackBerry server. By downloading and cracking the password file off this server, we were then able to glean an account that gave us domain administrator rights. The lesson is the usual one: change or remove every default account before a server goes live, and never reuse the password of a service account on any other system, because the first server that falls hands over whatever else that password opens.

I also observed another BlackBerry issue on airplanes. It is surprising the number of people who read their e-mails while they are flying. They do not understand that there are prying eyes sitting beside and behind them. The same holds true for those who do e-mail on their laptops or read briefs and other documents while flying or in Internet cafes, bars, or restaurants. Let's also not forget cell phone conversations in public places or prior to and after landing. Some people do not exercise common sense when using phones.

DON’T FORGET WIRELESS NETWORKS

Home networks can also be a good source of unauthorized information. The first issue is with wireless networks. Many executives like to be able to use their laptop anywhere in the house. They set up a simple wireless network, often without technical support and, hence, without proper security. Since they are using a "secure VPN," they think they are fine. That may be true for communications between their laptop and the corporate network, but it is not true for communications between other PCs and peripherals on the household network. Often, they transmit documents to the printer or transfer files through the network from the corporate laptop to their personal computer. If this is done using a wireless network, then a person with a wireless device and software may be able to pick up their transmissions. One of my senior staff members was once able to pick up a wireless signal more than a mile away using a special antenna. An open or WEP-protected home network offers little real protection; WPA2 with a long passphrase is the minimum, and the safer habit is to keep corporate documents off the household network entirely.

SURVEILLANCE DEVICES NEED TO BE IDENTIFIED AND NEUTRALIZED

Our clients are often surprised at the beginning of our audits when we perform a "bug" sweep of the room our team will use. Most organizations do not perform regular bug sweeps of the executive and the M&A team's facilities. A competitor or even a suitor would love to glean information about the deal and any potential roadblocks facing them, as well as determine who is on board and who is not. Often in M&A meetings, tempers flare and people get excited. What is better for a potential buyer or seller to know than what hot buttons exist and whom they have to entice to win the deal? Conversely, competitors will learn how to best squelch a deal if they gain access to this type of information.

Another similar concern is the widespread use of video conferencing. We are used to seeing this equipment in most conference rooms. Often, the microphones and cameras can be activated remotely from another site. If you are using a conference room with video conferencing facilities, ensure that the machines are unplugged from the electrical outlets. This is a simple yet very prudent precaution. Something less obvious is a team member who has his or her laptop on in the conference room. They could be transmitting the meeting to the competitor or simply recording the presentation for later use or sale using readily available software. For this reason, we suggest that the people in the room not be permitted to use the Internet. All laptops and devices in the meeting room and those used in the M&A process should have monitoring software installed on them (without the user's knowledge). If anyone is tempted to sell information or accept a bribe, then your security folks should be able to detect them early in the game. Covert monitoring of employee devices is governed by employment and privacy law that varies by jurisdiction, so clear the approach with counsel before deploying it.

DUMPSTER DIVING AND SOCIAL ENGINEERING STILL WORK

Let's not forget the paper records. "Dumpster diving" has been updated for the twenty-first century. One trick is to rent a truck and show up in the uniform of your document destruction or shredding firm. These people can then load your sensitive documents into the truck and drive away with them. Even if you have a shredder, it is now possible for many shredded documents, strip-cut shreds in particular, to be recovered. The FBI perfected these techniques years ago and uses document-recovery procedures in some of its corporate forensics investigations. If they can do it, so can "consultants" hired by your competitor. Cross-cut shredding, or supervised destruction on your own premises, raises the bar considerably.

Don't neglect couriers such as UPS, FedEx, and DHL. What procedures are in place to ensure that the person who picks up your confidential packages is really from the courier? Is it possible that it is an impostor who has the right uniform? Most people give packages to couriers without any thought. You might want to drive particularly confidential documents to a drop-off center or street drop box yourself. Make sure that you vary the time and the drop location every day to avoid someone monitoring your habits.

NETWORK SECURITY IS A MUST

The last major area I would like to cover is network security. Based on the results of our audits, most corporate networks are not secure. At the earliest indication that a deal is in the works, a full network penetration test or vulnerability assessment should be performed to identify security issues. Using our philosophy, a specially trained team, such as the Canaudit Security Squadron, should rigorously, yet safely, test the corporate Internet presence and dial-in and other external connections, as well as the internal network. They should also test for wireless both at company locations and near the homes of corporate executives and merger team members; since a home network is not company property, that part needs the executive's written consent. Needless to say, vulnerabilities will be discovered. These vulnerabilities should be corrected, and then the network should be retested. To ensure that the network remains secure, regular network security procedures should be implemented to scour the network, looking for vulnerabilities.

Once "the deal" is announced, some of your employees may be concerned about their future with the company. Network, database, and server administrators are known for putting back doors onto their systems. They are worried that someone will inadvertently change the environment or disable their account. Should this happen, they use a back door or a trust relationship from another machine to gain access. If any of these people will be leaving the company, then additional security measures are required. The back doors and trust relationships will have to be identified and removed. In practice that means, on the day of departure, disabling the person's accounts, rotating every shared, service and administrative password they knew, revoking their VPN tokens and certificates, and reviewing the systems they administered for extra accounts, scheduled jobs and remote-access entries that nobody else can explain. Strong change management will need to be in place to ensure that unauthorized modifications are not placed on the systems or in the databases. People may be physically removed from the premises, but they may still be able to remotely access the network for malicious purposes after they are terminated.

Normal users can also do a lot of damage to company records, or simply take copies of confidential formulae and customer or vendor records, or just insert erroneous data into the applications. Clearly, a strong IT security function is required. They will need to be constantly reviewing the systems to ensure that they remain secure, the applications to ensure that data is not needlessly altered or deleted, and the network traffic to ensure that copies of company records are not transmitted through the firewall to a home PC or a competitor.

SECURITY IS CRITICAL

I have just scratched the surface in this article. People can be very ingenious when there is money to be made or their jobs are at stake. IT security is a critical part of any merger or acquisition. It will require funding and possibly some additional staff or contractors. Keeping the pending deal private until it is publicly announced is essential. The risks of premature disclosure to even one or two people are serious enough; premature public disclosure can have serious legal and financial ramifications.


Gordon Smith, president of Canaudit Inc., a consulting firm in Simi Valley, California, has over a quarter-century of progressive audit experience. Specializing in high-tech auditing, Mr. Smith is a recognized expert on auditing complex networks, operating systems, databases, and forensic auditing. He pioneered the integrated audit concept. He is the published author of Network Auditing: A Control Assessment Approach and the recently released Control and Security of E-Commerce, both published by John Wiley & Sons. You can contact him at [email protected].