The post-acquisition blues

The company calls in our manager to take a look around at a small software company it’s acquiring — after the deal has been signed

I have written before about the wisdom of involving security early in the process of acquiring another company. But given what happened at my company last week, it’s probably a good idea to say it all again.

The CFO broke the news that we were acquiring a smaller software company in a meeting with most of the executive staff and other department heads. It was greeted as a welcome development, since we had been struggling with the question of whether we should divert resources to develop a needed feature in our product or instead purchase a company that could fill that gap. The problem for me was that I was learning this news along with the other department heads, even though the deal was already signed. I would be given a couple of weeks to conduct due diligence, but it was too late for any discovery that I made to be used as leverage to reduce the acquisition price tag — or even to scuttle the deal entirely.

The risks that might be uncovered in such a review can have tremendous implications. For example, it isn’t unusual for a small software company to use someone else’s proprietary software code as a base platform to build upon (why re-create the wheel, right?). The acquisition target might infringe on copyrights in less significant ways, as well, requiring fees to be paid. Those are just two of the many land mines that can be hidden from view in an acquisition, and both of them carry potentially large financial burdens that could fall on the acquiring company.

Although there was no chance of backing out of the deal, it was still important that I conduct a review, so that we would at least know what sorts of problems were in store for us. I dusted off my M&A questionnaire and got to work. After several sessions with the company’s small IT team, engineering department and customer service folk, I had a decent handle on the security maturity of the company — or rather, its security immaturity. It fell short on several measures.

This didn’t surprise me, since the company doesn’t have anyone dedicated to overseeing security matters. In fact, it was obvious from my review that security wasn’t a priority. Nearly all of the company’s infrastructure was installed on virtual servers located in a small data center closet, with all the servers on the same network and several exposed to the public Internet. One of the servers was hosting Subversion (used for source code management) as well as a wiki to manage product ideas and changes. Another was being used for the open-source PBX phone system Asterisk. The company’s public-facing Web server was also acting as the corporate mail server.

The Asterisk server had Secure Shell (SSH) available to the Internet. I asked the IT guy why, and he said a contractor maintained the server and needed remote access. Remediation of those problems wouldn’t have been difficult for them; they just had to set up a “demilitarized zone” for all Internet-facing resources and configure a VPN to provide restricted and secure access to those resources. The problem in my mind was that, when you run into big security risks that can easily be fixed, it’s a red flag that alerts you to the extremely low priority that security considerations have been given.

Next, a quick Nessus scan turned up many vulnerabilities. The company was running outdated software for Apache, DNS, Asterisk and other things. No server had been patched in over a year. Some of the servers were even running Telnet, which is an unencrypted method for accessing a Unix server. Such servers should never be exposed to the public Internet; due to the lack of proper hygiene and network segmentation, I had to consider the entire network compromised. Although what I had already seen had prepared me for some real problems, I was still surprised that, in an age of breaches, a company could be so irresponsible about securing its infrastructure.

I then turned my attention to the cloud-based enterprise applications that the company was using, including Salesforce, Google Docs and QuickBooks. The big problem here was that the list of active users retained many people who had been terminated — and some of them were still actively logging in. In the case of Google Docs, many sensitive documents had been recently modified by a user who had been terminated more than a year earlier. On top of that, password policies hadn’t been implemented, and many users had weak passwords with no expiration.

Obviously, I had my hands full.

My first order of business was to secure the source code, which is our main interest in this company. I had the entire source code tree evaluated for any signs of manipulation; luckily, it was clean. I then had it moved to our own source code repository and decommissioned the old server.

I drafted a remediation plan to close the egregious security holes, the eventual plan being to decommission all of the acquired company’s internal infrastructure and migrate data and people to our own corporate servers. I felt it was too risky to even attempt to integrate its network with ours. And of course, with the enterprise cloud-based applications, we’ll be terminating accounts and securing data.

It’s a long list of problems, but it gives force to my message to the executive staff: Next time you think about acquiring another company, get security involved early.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
