Status of the situation
A successful attack on the organization can lead to:
- Loss of company image.
- Economic losses.
- Legal, contractual or regulatory problems.
- Loss of availability and operational problems.
- Information leakage or improper alteration of information.
The security environment in which an organization operates is not static:
- Discovery of new attack vectors.
- Changes in infrastructure (new equipment, core software, protocols, devices, etc.).
- Changes in the environment and in the exposure of applications.
- Functional (evolutionary) and corrective changes in applications.
Solutions
Vulnerability scanning
A Vulnerability Scan is the identification, analysis and reporting of vulnerabilities (a vulnerability being understood as a flaw that allows a threat to become a risk).
Scans of ports, services and applications can be run from three perspectives:
- External: performed remotely, assuming the perspective of someone outside the organization.
- Internal: the security profile is examined from the perspective of someone inside the organization, or who already has access to its systems and networks.
- Mixed: combines the external and internal perspectives.
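As an added illustration of what the "identification" step of a scan does at the wire level (this is example code, not Datasec's tooling), the block below performs a TCP connect scan with banner grabbing. A completed TCP handshake marks a port as open, and the first bytes the service sends back are recorded as its banner, which is what later gets matched against known-vulnerable product versions. So that it runs offline, the block starts a constructed stand-in service on 127.0.0.1 that sends a hypothetical banner (`SSH-2.0-ExampleSSH_1.0`, not a real product), and reserves a second localhost port that is guaranteed closed.

```python
"""Minimal TCP connect scan with banner grabbing (added example).

The "service" being scanned is a constructed local listener, not real
infrastructure; the banner it sends is hypothetical.  In an engagement the
same probe would be run from outside the perimeter (external scan) or from
a host inside the network (internal scan).
"""
import socket
import threading
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ScanResult:
    port: int
    open: bool
    banner: Optional[str] = None


def grab_banner(sock: socket.socket, timeout: float = 0.5) -> Optional[str]:
    """Read whatever the service volunteers after connect (many protocols
    such as SSH and SMTP speak first).  Returns None if it stays silent."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(256)
    except (socket.timeout, OSError):
        return None
    return data.decode("utf-8", errors="replace").strip() or None


def scan_port(host: str, port: int, timeout: float = 0.5) -> ScanResult:
    """TCP connect scan: the port is open iff the 3-way handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return ScanResult(port, True, grab_banner(sock, timeout))
    except (ConnectionRefusedError, socket.timeout, OSError):
        return ScanResult(port, False)


def scan_range(host: str, ports: List[int], timeout: float = 0.5) -> List[ScanResult]:
    return [scan_port(host, p, timeout) for p in ports]


def open_ports(results: List[ScanResult]) -> List[ScanResult]:
    """The reporting half: only open ports (with banners) go in the report."""
    return [r for r in results if r.open]


# --- constructed stand-in service so the example runs offline --------------
FAKE_BANNER = b"SSH-2.0-ExampleSSH_1.0\r\n"   # hypothetical banner, not a real product


def start_fake_service(banner: bytes = FAKE_BANNER) -> Tuple[socket.socket, int]:
    """Listen on an ephemeral 127.0.0.1 port and send `banner` to each client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def reserve_closed_port() -> int:
    """Bind an ephemeral port and release it, so nothing is listening there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> List[ScanResult]:
    """Scan one closed and one open localhost port; returns results in that order."""
    srv, open_port = start_fake_service()
    try:
        return scan_range("127.0.0.1", [reserve_closed_port(), open_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for r in open_ports(demo()):
        print(f"{r.port}/tcp open  banner={r.banner!r}")
```

A real scanner adds UDP probes, service fingerprinting when the peer does not speak first, and rate limiting; the point here is that "open port plus banner" is the raw fact a vulnerability scan reports and then correlates with known flaws.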
Ethical Hacking
An ethical hack is a service carried out by specialized personnel who, using the same tools and techniques as a real attacker (a cracker), seek to identify security flaws in order to report and correct them, instead of exploiting those flaws to cause damage or for personal gain.
An ethical hack seeks to answer the following questions:
- What can an attacker know?
- What can an attacker do with that information?
- Could an attack attempt be detected?
- Could the attack be stopped?
For this purpose, the work usually follows a methodology with these phases:
- Reconnaissance
- Scanning and enumeration
- Gaining access
- Maintaining access
- Covering tracks (removing traces of the intrusion)
Types of ethical hacks
- Black box: no information about the target is provided, simulating an external attacker who tries to penetrate the systems from the outside.
- White box: unlike black box, the ethical hack is performed with full knowledge of the target's network, infrastructure and systems. An informed attack is simulated.
- Gray box: partial knowledge of the target. The attack simulated is that of someone who has partial information and seeks to gain unauthorized access.
Secure Development Assurance
Security in software development has matured to the point that there are now several best-practice frameworks against which development processes and models can be evaluated from a security point of view, across the entire application lifecycle.
Using these frameworks, Datasec consultants can perform a gap analysis that gives the organization a clear picture of which security practices it does and does not apply, so that strengths can be replicated across its projects and opportunities for improvement can be incorporated.
This service requires a series of interviews with personnel from the organization's development team, covering the aspects the organization wishes to evaluate.
Security training in software development
It is well established that producing secure software requires:
- [Technology] A development platform that favors security.
- [Processes] Development processes that adequately incorporate security aspects.
- [People] Development personnel trained in security.
It is common to find organizations that adopt security features of a technology and have technically very competent personnel using it. However, their development processes do not include security considerations, and the personnel sometimes lack a "culture of security", which means the products generated are not as secure as we would like them to be.
This service trains development personnel in security by walking through the considerations they should keep in mind during the entire software life cycle.
The course introduces concepts, tools and frameworks that allow participants to transfer the acquired knowledge immediately to their daily work.