Preventing Breaches: 4 Ways to Test Your Company’s Security Controls

November 7, 2018 by Chris Stover

Nearly every week, we hear about another security breach where the user data of millions of people is exposed by malicious hackers. There have been several high-profile breaches this year, including Facebook, MyFitnessPal, and Panera Bread. All of these companies had security controls in place, but they weren’t able to prevent attackers from breaching their perimeters.

To ensure your security controls are effective and work as intended in the event of an attack, it's vital to put them to the test. Here are four tactics your company should consider, in-house or through a managed service provider, to test the effectiveness of its security controls:

  1. Vulnerability Assessment – Perform an automated scan of your IT environment to detect known vulnerabilities and missing patches on your network, and use the results to test the effectiveness of your system patching processes. A scan reports what it can fingerprint (versions, banners, configuration) rather than what is actually exploitable, so its findings are a starting point for the tests below, not a substitute for them.
  2. External Penetration Testing – Attempt to exploit vulnerabilities in your perimeter controls (e.g., firewalls, intrusion detection and prevention systems, and email systems) to identify weaknesses that could allow a remote attacker to gain access to your internal network. Additionally, assess your company's operational security (OPSEC) by reviewing what an attacker can learn about the company and its employees from public sources.
  3. Internal Penetration Testing – Starting from a foothold inside the network, determine how far an attacker could go after breaching your external perimeter. This assesses internal controls such as security information and event management (SIEM) systems, antivirus, and host-based intrusion detection system implementations.
  4. Red Team Assessment – Perform a targeted attack to test your company's detection and response capabilities. This assessment mimics a stealthy attacker in the manner of an advanced persistent threat: it typically involves hours of research on your company and often includes social engineering. It is the ultimate test of your company's security controls and of your security and incident response teams.
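
As an added example (not part of the original post and not ACA's tooling), the following Python script shows the kind of patch-level check an automated vulnerability assessment performs when it tests a patching process: it compares a host inventory against a list of first-fixed versions and reports every host still running a version below the fix, then summarizes the result as a compliance percentage. The host inventory, package names, fixed versions and the ADV-EXAMPLE advisory identifiers are all constructed for illustration; a real scanner collects the inventory from agents or network scans and takes fixed versions from vendor advisories.

```python
"""Patch-compliance check of the kind an automated vulnerability assessment performs.

Added example, not ACA's tooling. All inventory and advisory data below is
constructed for illustration; the advisory IDs are placeholders, not real CVEs.
"""
import re

# Constructed advisory feed: package -> (first fixed version, advisory id).
FIXED_VERSIONS = {
    "openssh-server": ("8.4p1", "ADV-EXAMPLE-0001"),
    "nginx": ("1.18.0", "ADV-EXAMPLE-0002"),
    "libssl1.1": ("1.1.1k", "ADV-EXAMPLE-0003"),
}

# Constructed host inventory, as a scanner agent might report it.
INVENTORY = {
    "web-01": {"nginx": "1.18.0", "libssl1.1": "1.1.1k"},
    "web-02": {"nginx": "1.16.1", "libssl1.1": "1.1.1k"},
    "bastion": {"openssh-server": "8.9p1"},
    "legacy-app": {"openssh-server": "7.9p1", "libssl1.1": "1.1.1d", "nginx": "1.9.0"},
}


def version_key(version):
    """Split a version string into comparable parts.

    Numeric runs compare as integers and alphabetic runs as strings, so
    "1.18.0" sorts after "1.9.0" and "1.1.1k" after "1.1.1d". A plain string
    comparison gets the first of those backwards. Pre-release tags such as
    "rc1" and distribution epochs/revisions are not modelled here.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_vulnerable(installed, fixed):
    """True when the installed version is strictly older than the fixed one."""
    return version_key(installed) < version_key(fixed)


def assess(inventory, advisories):
    """Return findings as (host, package, installed, fixed, advisory) tuples,
    ordered by host and then package so reports are stable between runs."""
    findings = []
    for host, packages in sorted(inventory.items()):
        for pkg, installed in sorted(packages.items()):
            if pkg not in advisories:
                continue
            fixed, advisory = advisories[pkg]
            if is_vulnerable(installed, fixed):
                findings.append((host, pkg, installed, fixed, advisory))
    return findings


def patch_compliance(inventory, advisories):
    """Fraction of advisory-covered (host, package) pairs at or above the fixed
    version: a crude but trackable metric for the patching process."""
    checked = vulnerable = 0
    for packages in inventory.values():
        for pkg, installed in packages.items():
            if pkg in advisories:
                checked += 1
                if is_vulnerable(installed, advisories[pkg][0]):
                    vulnerable += 1
    return (checked - vulnerable) / checked if checked else 1.0


if __name__ == "__main__":
    for host, pkg, installed, fixed, advisory in assess(INVENTORY, FIXED_VERSIONS):
        print(f"{host}: {pkg} {installed} < {fixed} ({advisory})")
    print(f"patch compliance: {patch_compliance(INVENTORY, FIXED_VERSIONS):.0%}")
```

Run against the constructed data, the script reports four unpatched host/package pairs (three on legacy-app, one on web-02) and 50% compliance. The version_key helper exists because the naive approach, comparing version strings directly, ranks "1.9.0" above "1.18.0" and would silently mark an unpatched host as compliant; a scanner that gets this wrong tests nothing.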

By employing these tactics, you'll identify vulnerabilities in your security controls and the deficiencies that need to be addressed. The findings are also valuable because they pinpoint the key risk areas that should be prioritized from a budgetary standpoint, and they help make the case for increased investment to improve your security posture and prevent breaches.

Preventing breaches is far more complicated than implementing security controls and hoping for the best. Controls need to be assessed regularly to identify changes and areas for improvement: malicious hackers are working around the clock to bypass them, so you have to keep testing and evolving your controls to stay a step ahead.

How ACA Can Help

We provide Penetration Testing and Vulnerability Assessments that are designed to help your company reduce the risk of financial, operational, and reputational losses that can result from a breach. Our team of certified cybersecurity professionals can help identify vulnerabilities in your network that could lead to a breach through techniques including:

  • Vulnerability scanning
  • External and internal penetration testing
  • Web application testing
  • Physical office security penetration
  • Wireless LAN testing
  • Social engineering
  • Microsoft® Office 365® external access testing

For more information, contact your ACA consultant.

About the Author

Chris Stover is a Consultant at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. Prior to joining ACA Aponix, Chris served as an Information Security Analyst for Securities America where he focused on web application security and continuous penetration testing. Before that, he was a Security Engineer for Infogressive, Inc.

Chris earned his Computer Science degree from the University of Nebraska. He holds several certifications including Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), and GIAC Web Application Penetration Tester (GWAPT).