Participé como expositor en el OWASP Latam Tour 2015 celebrado en Santa Cruz - Bolivia, con el tema "Análisis de riesgos aplicando la metodología OWASP".
Blockchain technology is being touted as the Next Big Thing, seemingly capable of great feats of strength and perhaps even curing the common cold. But what exactly is it and how could it contribute to a security program? This session will describe how blockchain works, define its value proposition, and identify specific use cases where blockchain makes sense and some where it doesn't. Along the way, we will discuss similar capabilities and technologies that accomplish the objectives.
NIST Cybersecurity Framework is voluntary framework to support the emerging needs for having robust and effective cyber security practices across an enterprise. This presentation recaps the Framework 6 months into implementation and along with changes. Also, discusses the capabilities of TrustedAgent GRC to accelerate and strengthen the implementation of an effective cybersecurity program by automating or addressing many of the practices required by the framework.
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
We are rapidly approaching the next era of security where we need to be focused on the ability to recover from irrecoverable attacks. This can also be defined as resiliency. The traditional view of resiliency attempts to quickly restore assets that support services that we care about. This new approach/paradigm looks at resilience in ways that promote design patterns (distributed, immutable, ephemeral) where we do not care about a given asset at all while still keeping the overall service functioning. This new approach allows us to avoid having to deal with security at all.
Threat modeling is a way of viewing the world, and so what's changing in threat modeling reflects that. There's a global pandemic. The ways we build software are changing. The threats are evolving, and attacks through systems are growing in importance.
Basic awareness in cybersecurity.After study people become aware in cyber security.The understand what is cyber security .They understand about some common threats. They also become aware that how to protect theirs data and devices from some common cyber attack.
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsShawn Tuma
Everyone should now understand that no bank or financial institution is immune from cyber risk. Many are now ready to move forward with improving their cyber risk posture but do not know what to do next or how to prioritize their resources. Recognizing that cybersecurity is an overall business risk issue that must be properly managed to comply with many laws and regulations governing banks and financial institutions, this presentation will provide a strategy for how to better understand and manage such risks by:
(1) Providing an overview of the legal and regulatory framework;
(2) Examining the most likely real-world risks; and
(3) Providing strategies for how to manage such risks, including cyber insurance and the development and implementation of an appropriate cyber risk management program (which is not as difficult as it sounds).
Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (and Attorneys Who Represent Them) at the Southwest Association of Bank Counsel 42nd Annual Convention on September 20, 2018 (formerly, Texas Association of Bank Counsel).
Blockchain technology is being touted as the Next Big Thing, seemingly capable of great feats of strength and perhaps even curing the common cold. But what exactly is it and how could it contribute to a security program? This session will describe how blockchain works, define its value proposition, and identify specific use cases where blockchain makes sense and some where it doesn't. Along the way, we will discuss similar capabilities and technologies that accomplish the objectives.
NIST Cybersecurity Framework is voluntary framework to support the emerging needs for having robust and effective cyber security practices across an enterprise. This presentation recaps the Framework 6 months into implementation and along with changes. Also, discusses the capabilities of TrustedAgent GRC to accelerate and strengthen the implementation of an effective cybersecurity program by automating or addressing many of the practices required by the framework.
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
We are rapidly approaching the next era of security where we need to be focused on the ability to recover from irrecoverable attacks. This can also be defined as resiliency. The traditional view of resiliency attempts to quickly restore assets that support services that we care about. This new approach/paradigm looks at resilience in ways that promote design patterns (distributed, immutable, ephemeral) where we do not care about a given asset at all while still keeping the overall service functioning. This new approach allows us to avoid having to deal with security at all.
Threat modeling is a way of viewing the world, and so what's changing in threat modeling reflects that. There's a global pandemic. The ways we build software are changing. The threats are evolving, and attacks through systems are growing in importance.
Basic awareness in cybersecurity.After study people become aware in cyber security.The understand what is cyber security .They understand about some common threats. They also become aware that how to protect theirs data and devices from some common cyber attack.
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsShawn Tuma
Everyone should now understand that no bank or financial institution is immune from cyber risk. Many are now ready to move forward with improving their cyber risk posture but do not know what to do next or how to prioritize their resources. Recognizing that cybersecurity is an overall business risk issue that must be properly managed to comply with many laws and regulations governing banks and financial institutions, this presentation will provide a strategy for how to better understand and manage such risks by:
(1) Providing an overview of the legal and regulatory framework;
(2) Examining the most likely real-world risks; and
(3) Providing strategies for how to manage such risks, including cyber insurance and the development and implementation of an appropriate cyber risk management program (which is not as difficult as it sounds).
Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (and Attorneys Who Represent Them) at the Southwest Association of Bank Counsel 42nd Annual Convention on September 20, 2018 (formerly, Texas Association of Bank Counsel).
Secure web programming plus end users' awareness are the last line of defense against attacks targeted at the corporate systems, particularly web applications, in the era of world-wide web.
Most web application attacks occur through Cross Site Scripting (XSS), and SQL Injection. On the other hand, most web application vulnerabilities arise from weak coding with failure to properly validate users' input, and failure to properly sanitize output while displaying the data to the visitors.
The literature also confirms the following web application weaknesses in 2010: 26% improper output handling, 22% improper input handling, and 15% insufficient authentication, and others.
Abdul Rahman Sherzad, lecturer at Computer Science Faculty of Herat University, and Ph.D. student at Technical University of Berlin gave a presentation at 12th IT conference on Higher Education for Afghanistan in MoHE, and then conducted a seminar at Hariwa Institute of Higher Education in Herat, Afghanistan introducing web application security threats by demonstrating the security problems that exist in corporate systems with a strong emphasis on secure development. Major security vulnerabilities, secure design and coding best practices when designing and developing web-based applications were covered.
The main objective of the presentation was raising awareness about the problems that might occur in web-application systems, as well as secure coding practices and principles. The presentation's aims were to build security awareness for web applications, to discuss the threat landscape and the controls users should use during the software development lifecycle, to introduce attack methods, to discuss approaches for discovering security vulnerabilities, and finally to discuss the basics of secure web development techniques and principles.
Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven't panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It's designed to help security pros, developers and systems managers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively.
La presentación contiene, a un alto nivel, diferencias claves entre implementar un SGSI y nivelar el área de SI a través de la definición de un Plan Director de SI #SGSI #seguridad #infosec #PlanDirectorSI
Threat Modeling as a structured activity for identifying and managing the objects (such as application) threats.
Threat Modeling – also called Architectural Risk Analysis is an essential step in the development of your application.
Without it, your protection is a shot in the dark
Operational Risk Management under BASEL eraTreat Risk
Operational risk have always ignored by Banks as they thought Credit and market risks can cause catastrophe. But history of misfortunes taught us different lessons. Controls and internal audit have long been construed as guard till BASEL II dictates forced banks to look with insight. Understand the dimension of ORM in this presentation.
Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application.
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and there experience in using it with real world clients.
Risk Analysis Of Banking Malware AttacksMarco Morana
Analysis of How Banking Malware Like Zeus Exploit Weakenesses In On-Line Banking Applications and Security Controls. This prezo is a walkthrough the attack scenarion, the attack vectors, the vulnerability exploits and the techniques to model the threats so that countermeasures can be identified
IBM AppScan - the total software security solution, Content:
- Introduction to security
- Best Practices for Application Security
- IBM AppScan security solution
- DEMO
As delusions of effective risk management for application environments continue to spread, companies continue to bleed large amounts of security spending without truly knowing if the amount is warranted, effective, or even elevating security at all. In parallel, hybrid, thought-provoking security strategies are moving beyond conceptual ideas to practical applications within ripe environments. Application Threat Modeling is one of those areas that, beyond the hype, provides practical and sensible security strategy that leverages already existing security efforts for an improved threat model of what is lurking in the shadows.
Tony UcedaVelez, Managing Director
An experienced security management professional, Tony has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a term that describes the design and development of secure processes and controls working symbiotically to create a unique business workflow. Tony currently serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S. on the topic of application security and security process engineering.
Falcon OverWatch Experts Hunt 24/7 To Stop Incidents Before They Become Breaches
Is your IT security team suffering from alert fatigue? For many organizations, chasing down every security alert can tax an already overburdened IT department, often resulting in a breach that might have been avoided. Adding to this challenge is an increase in sophisticated threats that strike so fast and frequently, traditional methods of investigation and response can’t offer adequate protection.
A new webcast from CrowdStrike, “Proactive Threat Hunting: Game-Changing Endpoint Protection Above and Beyond Alerting,” discusses why so many organizations are vulnerable to unseen threats and alert fatigue, and why having an approach that is both reactive and proactive is key. You’ll also learn about Falcon OverWatch™, CrowdStrike’s proactive threat hunting service that investigates and responds to threats immediately, dramatically increasing your ability to react before a damaging breach occurs.
Download the webcast slides to learn:
--How constantly reacting to alerts prevents you from getting ahead of the potentially damaging threats designed to bypass standard endpoint security
--Why an approach that includes proactive threat hunting, sometimes called Managed Detection and Response, is key to increasing protection against new and advanced threats
--How CrowdStrike Falcon OverWatch can provide 24/7 managed threat hunting, augmenting your security efforts with a team of cyber intrusion detection analysts and investigators who proactively identify and prioritize incidents before they become damaging breaches
The New Pentest? Rise of the Compromise AssessmentInfocyte
If an attacker had a foothold in your network today, would you know it?
If they made it past your real-time defense measures (EDR, EPP, AV, UEBA, firewalls, etc.) or an analyst misinterpreted a critical alert, chances are they've entrenched themselves for the long haul. Skilled and organized attackers know long-term persistence in your network is the most critical component to meeting their goal of stealing information, causing damage, or pivoting attacks on other organizations.
Threat hunting is the proactive practice of finding attackers in your environment before they can cause damage (or at least stop the bleeding from continued exposure). Unfortunately, effective threat hunting practices remain out-of-reach for most organizations due to lack of security infrastructure and qualified people to manage advanced endpoint security solutions.
One solution to this problem is to hire a third party to conduct a periodic assessment geared toward discovery of unauthorized access and compromised systems. This is called a "compromise assessment" and just recently compromise assessments have become one of the most requested services from top security service providers.
Customers don’t want to just know if they can be hacked (a good penetration tester will generally conclude “yes”) they want to know if they ARE hacked—right now—and if so, what endpoints/hosts/servers on their network are compromised.
In this presentation, which was originally prepared for Black Hat 2018, Chris Gerritz outlines the growing practice of compromise assessments and the best practices being utilized by some of the largest and most sophisticated managed security service providers (MSSPs) with this offering.
What approaches are most effective?
What data is being utilized?
What are some of the top challenges?
To request a free 100-node compromise assessment or to learn more about Infocyte HUNT — our comprehensive threat hunting platform — and start a free trial, please visit https://try.infocyte.com.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Secure web programming plus end users' awareness are the last line of defense against attacks targeted at the corporate systems, particularly web applications, in the era of world-wide web.
Most web application attacks occur through Cross Site Scripting (XSS), and SQL Injection. On the other hand, most web application vulnerabilities arise from weak coding with failure to properly validate users' input, and failure to properly sanitize output while displaying the data to the visitors.
The literature also confirms the following web application weaknesses in 2010: 26% improper output handling, 22% improper input handling, and 15% insufficient authentication, and others.
Abdul Rahman Sherzad, lecturer at Computer Science Faculty of Herat University, and Ph.D. student at Technical University of Berlin gave a presentation at 12th IT conference on Higher Education for Afghanistan in MoHE, and then conducted a seminar at Hariwa Institute of Higher Education in Herat, Afghanistan introducing web application security threats by demonstrating the security problems that exist in corporate systems with a strong emphasis on secure development. Major security vulnerabilities, secure design and coding best practices when designing and developing web-based applications were covered.
The main objective of the presentation was raising awareness about the problems that might occur in web-application systems, as well as secure coding practices and principles. The presentation's aims were to build security awareness for web applications, to discuss the threat landscape and the controls users should use during the software development lifecycle, to introduce attack methods, to discuss approaches for discovering security vulnerabilities, and finally to discuss the basics of secure web development techniques and principles.
Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven't panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It's designed to help security pros, developers and systems managers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively.
La presentación contiene, a un alto nivel, diferencias claves entre implementar un SGSI y nivelar el área de SI a través de la definición de un Plan Director de SI #SGSI #seguridad #infosec #PlanDirectorSI
Threat Modeling as a structured activity for identifying and managing the objects (such as application) threats.
Threat Modeling – also called Architectural Risk Analysis is an essential step in the development of your application.
Without it, your protection is a shot in the dark
Operational Risk Management under BASEL eraTreat Risk
Operational risk have always ignored by Banks as they thought Credit and market risks can cause catastrophe. But history of misfortunes taught us different lessons. Controls and internal audit have long been construed as guard till BASEL II dictates forced banks to look with insight. Understand the dimension of ORM in this presentation.
Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application.
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and there experience in using it with real world clients.
Risk Analysis Of Banking Malware AttacksMarco Morana
Analysis of How Banking Malware Like Zeus Exploit Weakenesses In On-Line Banking Applications and Security Controls. This prezo is a walkthrough the attack scenarion, the attack vectors, the vulnerability exploits and the techniques to model the threats so that countermeasures can be identified
IBM AppScan - the total software security solution, Content:
- Introduction to security
- Best Practices for Application Security
- IBM AppScan security solution
- DEMO
As delusions of effective risk management for application environments continue to spread, companies continue to bleed large amounts of security spending without truly knowing if the amount is warranted, effective, or even elevating security at all. In parallel, hybrid, thought-provoking security strategies are moving beyond conceptual ideas to practical applications within ripe environments. Application Threat Modeling is one of those areas that, beyond the hype, provides practical and sensible security strategy that leverages already existing security efforts for an improved threat model of what is lurking in the shadows.
Tony UcedaVelez, Managing Director
An experienced security management professional, Tony has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a term that describes the design and development of secure processes and controls working symbiotically to create a unique business workflow. Tony currently serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S. on the topic of application security and security process engineering.
Falcon OverWatch Experts Hunt 24/7 To Stop Incidents Before They Become Breaches
Is your IT security team suffering from alert fatigue? For many organizations, chasing down every security alert can tax an already overburdened IT department, often resulting in a breach that might have been avoided. Adding to this challenge is an increase in sophisticated threats that strike so fast and frequently, traditional methods of investigation and response can’t offer adequate protection.
A new webcast from CrowdStrike, “Proactive Threat Hunting: Game-Changing Endpoint Protection Above and Beyond Alerting,” discusses why so many organizations are vulnerable to unseen threats and alert fatigue, and why having an approach that is both reactive and proactive is key. You’ll also learn about Falcon OverWatch™, CrowdStrike’s proactive threat hunting service that investigates and responds to threats immediately, dramatically increasing your ability to react before a damaging breach occurs.
Download the webcast slides to learn:
--How constantly reacting to alerts prevents you from getting ahead of the potentially damaging threats designed to bypass standard endpoint security
--Why an approach that includes proactive threat hunting, sometimes called Managed Detection and Response, is key to increasing protection against new and advanced threats
--How CrowdStrike Falcon OverWatch can provide 24/7 managed threat hunting, augmenting your security efforts with a team of cyber intrusion detection analysts and investigators who proactively identify and prioritize incidents before they become damaging breaches
The New Pentest? Rise of the Compromise AssessmentInfocyte
If an attacker had a foothold in your network today, would you know it?
If they made it past your real-time defense measures (EDR, EPP, AV, UEBA, firewalls, etc.) or an analyst misinterpreted a critical alert, chances are they've entrenched themselves for the long haul. Skilled and organized attackers know long-term persistence in your network is the most critical component to meeting their goal of stealing information, causing damage, or pivoting attacks on other organizations.
Threat hunting is the proactive practice of finding attackers in your environment before they can cause damage (or at least stop the bleeding from continued exposure). Unfortunately, effective threat hunting practices remain out-of-reach for most organizations due to lack of security infrastructure and qualified people to manage advanced endpoint security solutions.
One solution to this problem is to hire a third party to conduct a periodic assessment geared toward discovery of unauthorized access and compromised systems. This is called a "compromise assessment" and just recently compromise assessments have become one of the most requested services from top security service providers.
Customers don’t want to just know if they can be hacked (a good penetration tester will generally conclude “yes”) they want to know if they ARE hacked—right now—and if so, what endpoints/hosts/servers on their network are compromised.
In this presentation, which was originally prepared for Black Hat 2018, Chris Gerritz outlines the growing practice of compromise assessments and the best practices being utilized by some of the largest and most sophisticated managed security service providers (MSSPs) with this offering.
What approaches are most effective?
What data is being utilized?
What are some of the top challenges?
To request a free 100-node compromise assessment or to learn more about Infocyte HUNT — our comprehensive threat hunting platform — and start a free trial, please visit https://try.infocyte.com.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Memorias webCast Introduccion al analisis y gestión de riesgosAranda Software
Conozca la metodología para que las organizaciones definan una estrategia de gestión del riesgo, basados en los resultados de las mediciones de su impacto y de su probabilidad de ocurrencia.
[WEBINAR] Construyendo el Nuevo Data Center.Grupo Smartekh
Este webinar tiene como objetivo principal dar a conocer como el concepto Cloud Computing es cada vez más conocido, se trata de un entorno en el que es posible almacenar diferentes tipos de contenidos o aplicaciones, sin tener que disponer de una infraestructura propia que lo mantenga.
Aunque es cierto que tiene beneficios asombrosos hay ciertas dudas en las organizaciones sobre su cambio a los ambientes virtuales. Es importante pensar en los riesgos que esto tiene y como puedes minimizarlos.
En este webinar expertos te ayudaran a conocer los beneficios que el Cloud Computing brinda a las organizaciones, así como los riesgos que representa y que debes considerar a la hora de migrar a la nube.
El temario que se engloba es el siguiente:
¿Qué es Cloud Computing?
¿Por qué las empresas y personas ven como opción Cloud Computing?
Beneficios en personas y empresas.
¿Qué desafíos enfrentan las instituciones durante la construcción del nuevo Centro de Datos?
Riesgos de seguridad.
Bring the cloud down to earth: Consideraciones Clave para tu viaje a la nube.
Webinar impartido por Jazmin Ortiz y Ana Risueño, el 26 de Abril de 2013 a las 12 hrs.
Congreso Europeo sobre Eficiencia Energética y Sostenibilidad en Arquitectura y Urbanismo (EESAP 9) y Congreso Internacional de Construcción Avanzada (CICA 2).
Lunes: 10 de Septiembre
Ponencia: Amenazas y medidas frente a ciberataques. ¿nos afecta realmente? ¿cómo protegernos? Juantxu Mateos. S21 SEC/NEXTEL
Ser pyme no es excusa, para no ocuparse de la ciberseguridadSantiago Cavanna
Las PyMEs también son blanco de ciber amenazas, La falta de recursos y conocimiento las hace más vulnerables. Es probable que una PyME no pueda darse el lujo de contratar un CISO para que atienda la gestión de la ciberseguridad. Es probable incluso que sea una sola persona la que esté a cargo de toda infraestructura tecnológica que soporta la empresa.
¿Qué hacer en estos casos? ¿Es posible enfrentar estos desafíos sin ser especialista en ciberseguridad? ¿Qué atender primero y por que? ¿Cómo pensar en este juego de roles y tener éxito?
Be Aware Webinar - Como symantec puede ayudar cuando existe una brecha de se...Symantec LATAM
Como symantec puede ayudar cuando existe una brecha de seguridad
Be Aware Webinar - Siga la programacion en nuestra página de Facebook
31. january 20th 2016
(PROYECTO) Límites entre el Arte, los Medios de Comunicación y la Informáticavazquezgarciajesusma
En este proyecto de investigación nos adentraremos en el fascinante mundo de la intersección entre el arte y los medios de comunicación en el campo de la informática.
La rápida evolución de la tecnología ha llevado a una fusión cada vez más estrecha entre el arte y los medios digitales, generando nuevas formas de expresión y comunicación.
Continuando con el desarrollo de nuestro proyecto haremos uso del método inductivo porque organizamos nuestra investigación a la particular a lo general. El diseño metodológico del trabajo es no experimental y transversal ya que no existe manipulación deliberada de las variables ni de la situación, si no que se observa los fundamental y como se dan en su contestó natural para después analizarlos.
El diseño es transversal porque los datos se recolectan en un solo momento y su propósito es describir variables y analizar su interrelación, solo se desea saber la incidencia y el valor de uno o más variables, el diseño será descriptivo porque se requiere establecer relación entre dos o más de estás.
Mediante una encuesta recopilamos la información de este proyecto los alumnos tengan conocimiento de la evolución del arte y los medios de comunicación en la información y su importancia para la institución.
3Redu: Responsabilidad, Resiliencia y Respetocdraco
¡Hola! Somos 3Redu, conformados por Juan Camilo y Cristian. Entendemos las dificultades que enfrentan muchos estudiantes al tratar de comprender conceptos matemáticos. Nuestro objetivo es brindar una solución inclusiva y accesible para todos.
Es un diagrama para La asistencia técnica o apoyo técnico es brindada por las compañías para que sus clientes puedan hacer uso de sus productos o servicios de la manera en que fueron puestos a la venta.
En este documento analizamos ciertos conceptos relacionados con la ficha 1 y 2. Y concluimos, dando el porque es importante desarrollar nuestras habilidades de pensamiento.
Sara Sofia Bedoya Montezuma.
9-1.
2. About Me
• Alvaro Machaca Tola
• Experiencia laboral en áreas de seguridad de la información,
seguridad informática y auditoria de sistemas en entidades
financieras, bolsa de valores y empresas de medios de pago
electrónico.
• CCNA | CEH | ISO 27001 Internal Auditor.
• Actualmente consultor experimentado en la firma global
Ernst & Young (EY).
• alvaro_machaca@hotmail.com
• alvaro.machaca@bo.ey.com
• https://bo.linkedin.com/pub/alvaro-machaca-tola/42/85b/7
4. Riesgos en la Empresa
Riesgos
relacionados
con TI
Riesgos
Operacionales
Riesgos de
Crédito
Riesgos de
Mercado
Riesgos
Estratégicos
5. Riesgo Tecnológico
Es la probabilidad de sufrir
pérdidas por caídas o fallos
en los sistemas informáticos o
transmisión de datos, errores
de programación u otros,
siendo un componente del
riesgo operativo.
Fuente: ASFI 207/13 – Dic/2013 Directrices Básicas
para la Gestión del Riesgo Operativo
7. Riesgos en Aplicaciones
Los atacantes pueden usar
potencialmente rutas diferentes a
través de la aplicación para hacer
daño al negocio u organización,
estas rutas representan un riesgo
que puede, o no, ser lo
suficientemente grave como para
justificar la atención.
Fuente: OWASP Top 10
9. OWASP Risk Rating Methodology
Para valorar el riesgo, se deben tomar en cuenta los
siguientes aspectos:
Una vulnerabilidad critica para un tipo de negocio no lo es
necesariamente para otro negocio.
Existen metodologías y estándares internacionales para la
gestión de riesgos las cuales deben adaptarse al negocio.
10. Identificar el Riesgo
El primer paso es identificar un
riesgo de seguridad que necesita
ser tratado:
Identificar agentes de amenaza.
Identificar vulnerabilidades que
pueden ser explotados por los
agentes de amenaza.
Estimar el impacto sobre el negocio
de una materialización de la
amenaza.
11. Estimar la Probabilidad
Una vez identificados los
riesgos, debe estimarse:
La probabilidad de que una
vulnerabilidad en particular sea
descubierta y explotada.
Inicialmente es recomendable
definir parámetros de
calificación cualitativos para
estimar la probabilidad. Para un
calculo con mayor certeza s
recomendable el calculo
cuantitativo.
ALTA
Vulnerabilidad que si es
explotada comprometería
la seguridad de la
información ocasionando
un impacto negativo sobre
la empresa. Debe
solucionarse
inmediatamente.
MEDIA
Vulnerabilidad que si es
explotada tendría un
impacto leve sobre la
operativa del negocio.
Puede solucionarse en
un tiempo prudente.BAJA
Vulnerabilidad que si es
explotada no ocasionaría
mayores inconvenientes.
Su solución no
necesariamente será
inmediata.
12. Agentes de Amenaza
• * Desarrolladores (2)
• Administradores de sistemas (2)
• Usuarios internos (4)
• Socios de negocio (5)
• Usuarios autenticados (6)
• Anónimos (9)
•Acceso total (0)
•Acceso especial (4)
•Algunos accesos (7)
•Sin acceso (9)
•Baja o sin motivación (1)
•Algo de interés (4)
•Bastante interesado (9)
• Penetration tester (1)
• Redes y Programación (3)
• Usuario avanzado en computación
(4)
• Habilidades técnicas medias (6)
• No cuenta con habilidades
técnicas (9)
Habilidades
Técnicas
Motivación
TamañoOportunidad
13. Vulnerabilidades
•Detección activa en la
aplicación (1)
•Autenticado y monitoreado (3)
•Autenticado sin monitoreo (8)
•No autenticado (9)
•Desconocido (1)
•Medianamente conocido (4)
•Común (6)
•De conocimiento público (9)
•Complejo (1)
•Dificultad media (3)
•Sencilla (5)
•Herramientas automatizadas
disponibles (9)
• Dificultad alta (1)
• Dificultad media (3)
• Sencilla (7)
• Herramientas automatizadas
disponibles (9)
Facilidad de
Descubrimiento
Facilidad de
Explotación
Detectores de
Intrusión
Conciencia o
Conocimiento
14. Estimar el Impacto
Cuando una amenaza es
materializada, deben
considerarse dos tipos de
impacto:
Impacto Técnico.
Impacto sobre el Negocio.
15. Impacto Técnico
• Totalmente auditable (1)
•Posiblemente auditable (7)
•No auditable (9)
• Mínima (servicios no críticos) (1)
• Mínima (servicios críticos) (5)
• Considerable (servicios no críticos)
(5)
• Considerable (servicios críticos) (7)
• Pérdida total de los servicios (9)
• Mínima (data no critica) (1)
• Mínima (data critica) (3)
• Considerable (data no critica) (5)
• Considerable (data critica) (7)
• Corrupción de datos total (9)
• Mínima (data no critica) (2)
• Mínima (data critica) (6)
• Considerable (data no critica) (6)
• Considerable (data critica) (7)
• Corrupción de datos total (9)
Pérdida de
Confidencialidad
Pérdida de
Integridad
Pérdida de
Auditabilidad
Pérdida de
Disponibilidad
16. Impacto en el Negocio
•Una persona (3)
•Cientos de personas (5)
•Miles de personas (7)
•Millones de personas (9)
•Mínimo (2)
•Medio (5)
•Alto (7)
•Daño mínimo (1)
•Pérdida de grandes cuentas (4)
•Pérdida de credibilidad a gran
escala (5)
•Daño total de imagen (9)
• Menor que el costo de la solución
total (1)
• Efecto menor en el costo anual (3)
• Efecto significante en el costo
anual (7)
• Efecto devastador (bancarrota) (9) Daño
Económico
Daño de
Imagen
Violación a la
Privacidad
No
cumplimiento
17. Determinar la Severidad del Riesgo
Para determinar la severidad del riesgo, se debe trabajar con los
siguientes valores:
Probabilidad de la ocurrencia de la amenaza.
Impacto generado sobre el negocio.
18. Ejemplo – Cálculo de la probabilidad
Variables de agentes
de amenaza
y
Variable de factores
de vulnerabilidad
8
19. Ejemplo – Cálculo del Impacto
Variables de Impacto
técnico
4
Variables de Impacto
sobre el negocio
4
21. Priorizar Planes de Acción
Luego de que se hayan
clasificado los riesgos de la
aplicación, debe desarrollarse
una lista de priorización para
dar solución inmediata a los
riesgos identificados con
prioridad ALTA.
22. Personalizar el modelo de clasificación de Riesgos
Es fundamental crear un modelo o marco de clasificación y de
riesgos para las aplicaciones del negocio, los siguientes son
puntos que deben considerarse en el modelo:
Adicionar Factores de Riesgo: define que deben identificarse factores de
riesgo que sean representativos para el negocio en específico.
Personalización de Factores de Riesgo define que la personalización de los
factores de riesgos es adecuada para la eficacia del mismo y permite una
adecuación sobre los procesos reales del negocio.
Ponderar Factores de Riesgo: define que deben ponderarse los factores de
riesgos, esto requiere de un mayor análisis pero es lo mas adecuado para
lograr una clasificación y análisis detallada.