NEW YORK -- Service Provider & Enterprise Security Strategies -- Merger and acquisition activity may be financially rewarding but it can actually create and contribute to enterprise security risks, Verizon Enterprise Solutions' Christopher Novak warned today.
The Risk Team director said many data breaches, including some that last for months, have targeted assets that are networked but not covered by company security solutions, often because the corporation is unaware of their existence.
"We call that 'known unknowns,' " he said. In a recent post-breach investigation of a large customer, for example, Verizon Enterprise Solutions 's managed security services team found 40,000 endpoints that weren't included in the company's asset inventory, and those unknown assets become major points of vulnerability because they can be left unprotected.
Often, Novak said, the post-acquisition environment brings unprotected systems under the umbrella of the new company, where no one is familiar with how they operate but there is reluctance to disrupt what seems to be working.
"The threat actor can move into that environment with relative ease and it becomes the hacker's playground," he commented. "Because the company doesn’t know these assets exist, they often aren't being protected or patched, and they may be exposed to the Internet without going through proxies."
Companies often don't know where their sensitive data -- the intellectual property or other information that is valuable to bad actors -- is stored or whether it is protected properly, Novak added. A lot of this seems like Security 101 but it continues to contribute to data breaches.
The urgency to see best practices implemented more universally grows as more things are networking and therefore risks increase. Novak cited industrial control systems such as automation of traffic lights and networked medical devices as the next generation of threat targets, with potentially devastating results.
"Imagine if someone decided to turn all the traffic lights in Manhattan red for the day," he said. "It would be a disaster."
But not all threats are new -- good old-fashioned phishing still reaps rewards, producing 900 data breaches in the most recent Verizon DBIR, Novak said. One third of enterprise workers opened phishing messages and 13% clicked on attachments -- human behavior that can undermine the best of networking protections.
— Carol Wilson, Editor-at-Large, Light Reading