Since 2019, 60% of companies in Latin America have had cybersecurity incidents. There was a decrease in massive attacks and a transition towards targeted attacks whose objective is to collect ransom payments, better known as ransomware. This report compiles information from companies located in 14 countries in the region, including Argentina, Brazil, Mexico, Colombia, Chile and Guatemala.

What do these kinds of statistics tell us? They indicate the many risks to which information security is exposed in organizations.

How hacking can hurt cybersecurity

What is a penetration test?

It is a comprehensive evaluation of your infrastructure or applications, the results of which provide a strategy that will prevent your organization from being part of the statistics.

Penetration testing is an activity that evaluates the security of organizations from a digital point of view. Hacking tests are used to identify security flaws and mitigate them before they materialize as incidents and cause harm to the organization.

The tests go beyond analysis of the code: they focus on hacking the application and/or the digital infrastructure. This expands the analysis surface so that a greater number of vulnerabilities can be detected.

Some benefits

  • Validate whether current security controls such as firewalls, access control, encryption methods and information storage, among others, have been designed and implemented as planned.
  • Identify technical vulnerabilities that cannot be detected by an organizational vulnerability analysis.
  • Identify and classify findings in accordance with international risk management standards such as CVSS v3.1.
  • Produce a remediation plan for the findings and for continuous improvement.

Penetration tests also allow vulnerabilities to be classified according to their type (application or infrastructure) and risk level (Critical, High, Medium, Low, Informational). They provide evidence of exploitation and of the impact it has on the organization. They provide what is necessary to recommend the controls that strengthen the defense in the digital environment with a risk management approach.

It is necessary to identify what type of test will be carried out: whether it targets an application or its cloud infrastructure. These two options involve different scopes and methodologies, so it is advisable to define them. However, both tests can be performed on the system to be audited.

The test type defines how the security assessment will be performed with respect to the point where the attacker is located.

How do we make it happen?

To define this service, Itera advises and explains the characteristics of each of the boxes. We operate with methodologies internationally endorsed by different organizations; each methodology is oriented to a specific type of evaluation. Among the most important are:

OWASP: provides us with an open framework to perform intrusion tests on websites.

OSSTMM: methodology developed by the community to standardize security tests. This model is generic for any security test (not just pentests).

NIST 800-115: provides repeatable processes for conducting security assessments, including a methodology for pentesting.

Cybersecurity is not an impossible mission

Itera is made up of experts who assess and classify risks according to the impact of cybersecurity vulnerabilities on applications and infrastructure. In this way, we design a comprehensive cybersecurity strategy linked to the business objectives of your organization.