Page 35 - Cyber Defense Magazine RSA Edition for 2021
Modern IT infrastructure is a mélange of on-premises and cloud, hardware and software, owned and subscribed, in-house and third-party, fixed and ephemeral. And even if you have a handle on monitoring your IT estate, you've still got to pay attention to conditions affecting your direct and indirect partner relationships. The recent SolarWinds breach was a reminder of the ways criminal hackers can exploit weaknesses in the digital supply chain to work their way into target networks. But there is another threat that can take advantage of vulnerabilities in third-party systems and relationships that does not get the attention it deserves.

The high-tech industry changes quickly. Innovators come on the scene with new ways to solve old problems and, with the backing of venture capital, aggressively work to build market share. Mid-market players merge to create momentum. Large companies buy startups to add capabilities without incurring undue risk. Stockholders, founders, and venture capitalists, all eager to make money on their investments, push for deals that will turn them a profit, disrupting markets and often creating chaos for customers.

Wall Street tracks these mergers and acquisitions. When a public company is involved in the deal, it can affect stock prices, so it's important for portfolio managers to pay attention. Industry analysts track these moves in an effort to provide guidance to clients who want to know what it means for them. Hackers pay attention to these developments, too. M&A activity often affects the security posture of organizations that are users of the technology or applications involved.

After a company has been acquired, major changes to the product typically follow. That can mean products that are redundant with the acquirer's catalog are killed and the customers migrated to the incumbent, or customer service and support teams that had developed detailed institutional knowledge of their users are not retained and the responsibilities are shifted to new personnel or even outsourced. That can result in vulnerabilities that go undiscovered, unpatched, and exploitable.

When disruption affects products that organizations rely on to keep data safe, the implications can be serious. The managed file transfer (MFT) industry, where Coviant Software operates, is one such example. MFT products are a foundational element in data management and security programs, and their essential role is reflected in an annual growth rate of over 10% and a market value that will exceed $3 billion by 2026, according to Global Market Insights. That value has attracted M&A activity resulting in industry consolidation, with a number of key players getting purchased by larger organizations.

In one case, a twenty-year-old file transfer appliance in wide use got caught between the obsolescence of its operating system and the release of its newly designed replacement. Hackers took advantage of the lapse and breached a number of well-known companies, including the Kroger supermarket chain and Royal Dutch Shell, operator of Shell gas stations. According to TechRepublic, the appliance was left vulnerable to exploitation by a common SQL injection attack, and while it is hard for an outsider to know the details of any data breach, experts familiar with the situation suggest that resources and attention were shifted from the legacy product to the replacement. Meanwhile, the operating system's maker ended its support of the product, and so patches were not being written and distributed.

Poor communication and coordination seem to be the common thread in the breaches that resulted, prompting one security expert to recommend to TechRepublic that organizations "do a closer analysis of