While strong policy and governance are vital to an enterprise’s security posture, adequate technical solutions that address security risks should be implemented. This is particularly important when sensitive or regulated data needs to be protected from a breach, or key products and services must be available to customers. To address the attack surface malicious actors will exploit, technical security solutions should be implemented throughout the entire IT stack, with additional specialized solutions in place to limit the scope of the breach.
Consider the following fictitious example of an acquisition gone wrong:
Ajax Software was a start-up rising star in the e-commerce world. They created a solution that took the internet payments world by storm. Recognizing their growth and the need to expand operations, the owners sought a strategic partner to help grow their business. Attracted by Ajax’s existing market share and recognizing the synergy with their current web-based business, MegaWeb Corporation presented Ajax an acquisition offer. Owners of both companies agreed on the terms.
Prior to the acquisition, the secret to Ajax Software’s success was their proprietary, home-grown software platform and its simple integration with customer websites. With the acquisition complete, MegaWeb Corporation realized integrating Ajax’s systems into theirs would be the most effective way to help both companies scale and beat competitors.
Due to management, investor, and market pressures, MegaWeb Corporation conducted a shortened due diligence process to speed the acquisition. The next release of Ajax’s platform would bring much-requested features and address a market on which they wanted to rapidly capitalize. The acquisition process was completed, and the “Mega-Ajax” platform was released to great fanfare and success.
A year after the acquisition, a national news site published a story with headlines identifying Mega-Ajax as a victim of EvilX, an international crime syndicate that compromised Mega-Ajax’s customer account database and corporate systems. In the days and weeks following the article, customers reported their identities and credit card information had been stolen. Worse still, as Mega-Ajax began to respond to these claims, their corporate systems were shut down by a devastating ransomware attack.
Our fictional company MegaWeb Corporation needed to spend time taking an in-depth look into the security configurations and solutions of the payment processing system, as well as the supporting infrastructure that Ajax had developed. As soon as MegaWeb completed the acquisition, the vulnerabilities that once belonged to Ajax now belonged to MegaWeb.
While limiting financial and other types of operational risk that often garner more attention from leadership, it is equally important to curb the potential security vulnerabilities to your organization. What could Mega Web have analyzed to ensure their risk acceptance was as low as possible?
Did Ajax require multi-factor authentication be deployed everywhere possible?
One of the easiest ways to prevent unauthorized access to customer applications and platforms, and supporting infrastructure on the backend, is to enforce multi-factor authentication (MFA). MFA requires a user to provide both something they know (e.g., a password or pin) with something they have (e.g., a smart card, SMS or email code, or biometric marker such as a fingerprint, retina scan, or voice analyzation).
Alexander Weinert, Director of Identity Security at Microsoft Corporation, revealed at the 2020 RSA Conference that 99.7 percent of compromised Azure (their cloud computing service created for building, testing, deploying, and managing applications and services through their data centers) accounts did not employ MFA, relying simply on password authentication.
Had Ajax employed MFA on its customer portal as well as the backend infrastructure and applications, the attackers likely would have been thwarted before the attack even began.
What if Mega Web had ensured Ajax employed encrypted data at rest and in transit?
Another key method to prevent unauthorized access to customer and organizational data is to ensure strong forms of encryption are used from the time it is generated to the time it reaches its storage location. When a customer supplies data to an application, it needs to be encrypted in transit, which prevents an attacker from capturing it en route, preventing man-in-the-middle attacks to your organization’s infrastructure.
Transport Layer Security (TLS) version 1.3 is the strongest form of transit encryption available (although most web applications currently use version 1.2, which is still considered secure). Websites that require users to enter credentials should use HTTPS (the secure version of HTTP), which ensures that credentials are encrypted prior to passage through the internet for user authentication; without it, an attacker can see your passwords in clear text.
Once data reaches its destination, it will be stored within a database. In the event an attacker can access the contents of a database server, it is vital they use AES-256 bit encryption, currently the strongest commercially available, to prevent them from viewing sensitive customer data. Because weaker encryption protocols such as RC4 and 3DES can be cracked, it is insufficient.
Had MegaWeb ensured Ajax employed encryption in transit and at rest, the attackers would have been prevented from obtaining the credentials that compromised the customer databases and corporate systems.
Did Ajax scan systems for vulnerabilities and patch them regularly?
Attackers are constantly searching for exploits to use on systems, as well as the software and services that run as part of those systems. Often, they are successful at their attempts once an exploit is discovered, which is why it is essential that organizations properly manage vulnerabilities and patch software and hardware. As a best practice, organizations should scan their internet-facing infrastructure on a weekly basis, and internal systems bi-weekly. Popular scanning tool brands such as Nexpose, Qualys, and Tenable will rate the urgency of the vulnerability and often provide a method for its remediation.
Critical vulnerabilities should be patched immediately, and high vulnerabilities within a week to limit the window an attacker will exploit it. Infrastructure should also undergo regular, third party-driven patching of firmware and software to ensure that systems are consistently running up-to-date versions that often remediate exploits or vulnerabilities. Microsoft’s “Patch Tuesday” is a good example of third party-driven patching.
Had MegaWeb validated the vulnerability management posture of Ajax prior to integrating Ajax’s systems into their infrastructure, the exploit likely would have been remediated before the attackers could take advantage.
Did they ensure that their logs were configured and analyzed for threats?
To properly respond to a potential attack, organizations must ensure they have information about what is occurring and acknowledge anomalies that appear in their normal activity. To do this, businesses should install Security Information and Event Management (SIEM) software (such as LogRhythm, Splunk, ArcSight, and QRadar) that has the capability to ingest and analyze the logs from the system stack, as well as monitor the infrastructure for indications of or attempts at compromise. To ensure a quick response and to contain any potential threats, your organization should have on-call staff, ideally 24/7, that monitors and analyzes alerts generated by the SIEM tool.
Had MegaWeb ensured that Ajax configured their infrastructure for monitoring via SIEM, the attack would have likely been detected and contained more quickly, minimizing the impact.
Did they attempt to penetrate their infrastructure and applications through tests?
It is critically important to gauge the effectiveness of your security controls and application development security practices. This can be accomplished through penetration testing, when a skilled tester is tasked with finding and validating vulnerabilities that would allow an attacker access to the application or associated infrastructure and the sensitive data contained within. Vulnerability scanning alone often results in false positives; penetration testing can validate which ones are exploitable and help prioritize the vulnerabilities for remediation.
As a best practice, organizations should employ an annual penetration test on all critical customer applications/ platforms, including the network. This will help organizations identify weaknesses in code, infrastructure misconfigurations, or security gaps that need addressing. These are better found by a skilled “good guy” versus a skilled attacker. Once discovered, the tester can work with your organization to remediate the findings.
MegaWeb should have ensured that the Ajax platform and network had received annual penetration tests before integrating it into their own infrastructure, enabling the “good guy” to find the exploit before the attackers could.
Some organizations see investments in security technology as an impediment and a delay in go-to-market for new products and features. This could not be further from the truth. Investing in security protects customers from the headaches associated with a breach and organizations from the negative financial and reputational impacts that cost more than the original investment. Leadership must stay on top of the latest threats within the cyber world and invest in technology to prevent those threats from occurring.
We see what happened when MegaWeb did not perform the proper due diligence on Ajax’s investments in security technology. It cost them more than if they had taken the time to properly evaluate and remediate any gaps. Slow down and make sure the proper security technology is implemented. Your customers and organization will thank you for it, and your merger or acquisition will be better positioned for success.
To learn more, click the image below to view our guidebook “Avoiding Cybersecurity Risk Through Enhanced Due Diligence”