When it comes to cybersecurity, mergers and acquisitions (M&As) are like a marriage. When two companies walk down the aisle together, one’s cybersecurity problems become the other’s baggage—whether they disclose it or not.
The first half of 2018 saw $2.5 trillion in mergers in the US. Companies are struggling to understand what this boom means for their online presence.
Today’s brands are no longer responsible for just their network. They’re also responsible for what falls outside their firewall, as well as the firewall of any companies they acquire. All of the company assets that extend from within the corporate perimeter all the way out to the entire internet are known as a digital attack surface. They are a collection of far-flung client-facing assets that hackers can discover in research for their threat campaigns.
Many of these assets are valuable to hackers purely because they’re valuable to customers. Digital channels are the predominant method of customer engagement for many organizations, bringing an explosion of publicly facing web sites, mobile apps, third-party code, servers, and social media accounts. Consumers spent $517 billion online with U.S. merchants in 2018, up 15 percent from $449 billion spent the year prior, according to Internet Retailer’s analysis of the U.S. Commerce Department’s total retail sales figures.
Meanwhile, cyber gangs like Magecart pummeled global e-commerce retailers like British Airways and Ticketmaster, as well as smaller brands, breaching over 319,000 online stores last year.
But there are many reasons why organizations don’t get the full picture of their cyber vulnerabilities in the pre-acquisition (due diligence) process. The first is the sheer scale of a company’s digital presence. It is not uncommon for a large organization to have thousands (or tens of thousands) of active websites and other public-facing assets. While IT and security teams in a to-be-acquired company will have an asset register of websites, we have found that it is almost always a partial view of what actually exists. The more decentralized an organization’s IT activities are, the larger the gap we see between the register and what actually exists.
A recent report by West Monroe Partners found that businesses lack qualified cybersecurity talent during an M&A: “80 percent of companies said cybersecurity issues have become highly important in the M&A due diligence process. But 40 percent of acquiring businesses said they discovered a cybersecurity problem at an acquisition after a deal went through, indicating that standards for due diligence remain low.”
One of the highest-profile examples of the lack of visibility in the due diligence phase was Verizon’s discovery of Yahoo!’s breach-riddled past. Yahoo! had two data breaches, one in mid-2013 in which hackers stole data on three billion users and one in 2014 that saw 500 million accounts breached. Verizon discovered this only after executing an agreement to acquire Yahoo!, and it dropped its offer price by some $350 million after it understood the scope of the breach.
When evaluating a target company from an M&A standpoint, failing to understand the cybersecurity risks inherent in their digital channels can be risky for the acquiring company. It could lead to:
Such cybersecurity risk assessments all too often get overlooked or marginalized in the pre- and post-acquisition process. What security teams need to know when merging with or acquiring their next company:
The first step is to understand that you are responsible for every digital asset a company owns when you acquire it, whether they disclose it or not. This includes rogue social media pages from ten years ago. It includes the WordPress site that got ditched before the company formally launched. It even includes the old landing page for a product launch from five years ago.
When acquiring only part of an organization, like a line of business, it is essential to identify and document the transferred assets. This would also include digital properties like brand assets, domains, and social accounts. Without a thorough understanding of what currently exists, companies can miss critical digital assets that later result in ownership and security issues.
It is imperative to understand where these rogue assets are so you can fix them! The cyber risks associated with the target company’s digital footprint represent a potential threat to a company’s operations and brand reputation alike.
A merger and acquisition process usually involves a due diligence exercise focused on all aspects of a company’s business, including IT. In the past, IT due diligence engagements focused on identifying assets and security issues material to the valuation process, like business processing and reporting systems and the hardware and networks that supported them.
As businesses and consumers have both moved outside the perimeter and onto the open internet, it’s now vital that assets outside the firewall are reviewed and accounted for to get a full understanding of the company’s digital attack surface.
Here’s what your digital attack surface includes:
We’ve found that cybersecurity teams often struggle to cut through the noise and figure out what’s most important to look for when entering an M&A. Here’s a simplified checklist:
Answers to these questions can help direct resources to the areas needing immediate attention. They also help security teams quantify the scope of work required to bring acquired digital assets under management from a security perspective.
No longer do we need to accept the unannounced baggage under the umbrella of network vulnerabilities. We have tools and technologies that can scan the internet to manage your vast digital attack surface, help you make more informed decisions promptly, and understand what true digital attack surface management looks like.