Reviewing IT in Due Diligence: Are you buying an IT asset or liability by Christopher Wright & Brian Altimas


Author: Christopher Wright & Brian Altimas
Language: eng
Format: azw3
ISBN: 9781849287159
Publisher: IT Governance Publishing
Published: 2015-05-04T16:00:00+00:00


State-sponsored hacking

Organised crime

‘Hacktivist’

Internal to the organisation.

State-sponsored hacking is where certain countries acquire economic knowledge by hacking a company’s systems, usually with a complex Trojan horse, and extracting information in a constant feed back to the offending state. McAfee has a well-documented case study, Night Dragon, of state-sponsored hacking of five oil and gas companies.

How is state-sponsored hacking relevant to a due diligence project? It is much the same as if the doors to the research and development or design offices were left wide open. People would come in and steal the designs, see how our products were made and copy them, thus gaining intimate knowledge of the company’s intellectual property, and the company’s value would fall. State-sponsored hacking is exactly the same: it opens the systems of the company to the theft of intellectual capital or knowledge. Such hacks can often go undetected for years if an effective ISMS is not implemented. If such a hack is discovered during due diligence, the value of the company is significantly reduced.

Organised crime hacks systems for criminal gain. Several banks have suffered from key logging devices being fitted onto computers to enable criminals to bypass security features in the systems and steal millions of dollars, pounds and so on. In another case, drug smugglers hid drugs among legitimate cargo in shipping containers; they subcontracted the hacking of the port’s systems to enable them to remove the containers before the legitimate customer arrived.

Hacking by organised crime is the same as leaving the safe door open and allowing anyone to steal the money from it. The prime objective is to make financial gain. Again, if funds can be stolen relatively easily, it indicates that perimeter controls are weak, so it can have a detrimental effect on the value of the company.

‘Hacktivists’ are activists who hack systems to cause reputational damage to defence companies, drugs companies, construction firms and other high-profile targets. Normally the attack consists of defacing a website or conducting a distributed denial-of-service attack, rather than causing direct economic damage.

Reputational damage to a company can devalue it as much as the loss of data or funds. If the wider community believes the ‘hacktivist’, the company can be devalued. Sony paid a high price when its PlayStation network was taken down for weeks and millions of user accounts were accessed by a group known as LulzSec. It is estimated to have cost the company $100m. However, it is well documented that the highest risk for all organisations is the accidental hack caused by poor processes, or the disgruntled employee deliberately damaging the systems.

Due diligence projects are interested in the internal control systems because poor processes and weak controls can indicate that the environment is open to systemic errors. In performing IT due diligence, we have to consider the threat landscape that the organisation is exposed to.


