Evaluación de riesgos informáticos en grupo guerrero portilla basado en los principios de la metodología osstmm

Abstract

Currently, security at the level of computer networks in small and medium-sized companies is not given the necessary interest or attention as it should be to safeguard their information and data traffic, which is why various inconveniences have arisen at the level of security corresponding to infrastructure of network and what they entail, whether these are communications between devices, information management, the link between a server system and points of use, etc. Managing contingency or improvement plans has proven to be a preventive and corrective method at the same time to optimize and protect business network infrastructures, regardless of the geographical size in which it is established. Based on these cases, it is appropriate to carry out an evaluation, study or analysis corresponding to the necessary points that manage said infrastructures in order to find breaking points by which the institution could be affected, that is why the present work Its main point is to carry out an evaluation of the network infrastructure of Grupo Guerrero Portilla in order to analyze and determine possible computer risks at the network structure level based on the principles of the OSSTMM methodology, in order to develop the results of said analysis. an improvement, optimization, prevention or contingency plan in order to establish a strengthening of said intranet. It is very important to mention that the network of a company or organization is essential for it to function optimally, since the reliability of the data and information received by users and all those directly and indirectly involved with the institution depends on the fact that it is in the best possible conditions, which is why providing a good network infrastructure system is a necessary investment. It is therefore that the present technological proposal entitled Evaluation of Computer Risks in Grupo Guerrero Portilla based on the Principles of the OSSTMM methodology, Manual of the Open Methodology of Security Testing, focuses on data collection through monitoring tools, testing and analyzes such as PRTG Network Monitor, Advanced IP Scanner, Winbox, in order to include the results based on the points proposed by the methodology; being Information Security, Process Security, Internet Technology Security, Communications Security, Wireless Security and Physical Security, covering each one of them in the subpoints that are consistent with the need and case study that the company has. The scope of this work is to analyze the data collected with the various tools and thereby evaluate the situation in which the company is, through the results, determine by ranges of importance or severity the breaking points in which the company should be reinforced. security through an improvement or contingency plan focused directly on the need presented following the most relevant principles of the OSSTMM methodology. Thus, the existing intranet was simulated, while maintaining a monitoring, testing and polling of the infrastructure with a focus on the most relevant devices within the institution, collecting information on the behavior that it took, said information was matched with the principles of the methodology as they corresponded and with it the security optimization proposals were established, which is the purpose of the prototype.

The contingency, optimization or improvement plan has been carried out; The feasibility evaluation was carried out using five of the seven phases of analysis proposed by the ISO 27001 Standard for Information Security Management (Identification of Information Assets, Identification of Vulnerabilities, Identification of Threats, Identification of Risks and Risk Treatment Plan), concluding as optimal and timely the generation of the aforementioned plan to maintain and/or reinforce security at the network infrastructure level.