While in traditional cybersecurity (IT) the protection model is based on the triad CID (Confidentiality, Integrity and Availability), in industrial control systems and real-time (OT) systems, priorities are often reversed towards the AIC model (Availability, Integrity and Confidentiality).[1]​.

This is because, in critical environments such as power grids, nuclear plants or medical devices (cyber-physical systems), service interruption (low availability) or delay in data transmission (latency) can have catastrophic physical consequences, unlike the loss of data confidentiality that prevails in corporate environments. Therefore, heavy encryption protocols that introduce latency (jitter) are sometimes not viable in Hard Real-Time systems.

With the Internet and other major technological advances in recent years, cybersecurity has become a more well-known term. In 1967, representatives of the RAND Corporation and the National Security Agency were the first to publish research on security threats in the field of computer time-sharing.[4]​.

Computer security aims to establish standards and measures that minimize risks to information and computer infrastructure. These standards include aspects such as operating hours, access restrictions, authorizations, denials, user profiles, emergency plans, protocols and everything necessary to guarantee an adequate level of computer security without compromising the performance of workers and the organization in general, and as the main contributor to the use of programs made by programmers.

In terms of protected assets, computer security is designed to protect computer assets, which include the following:.

Within the field of cybersecurity, it is essential to have clearly defined roles and responsibilities to ensure effective management of information security. In this sense, the National Security Scheme (ENS) establishes the basic roles that must exist in organizations to ensure the protection of information.

According to the ICT Security Guide CCN-STIC 801, in addition to the three main figures mentioned in article 10 of the ENS (Information Manager, Service Manager and Security Manager), there are other important roles that can play a relevant role in information security management.

One of these roles is the so-called Information System Manager, whose responsibility can be located within the organization itself or compartmentalized between the organization and third parties, whether public or private service providers, in the case of outsourced information systems. The Information System Manager has the responsibility of guaranteeing the proper use and functioning of the information systems, as well as implementing the necessary security measures.

It is important to note that the competencies and responsibilities of the aforementioned roles may vary depending on the organization and its specific context. However, it is essential that these roles are clearly defined and that there is effective coordination between them to ensure comprehensive information security management.

The ENS Framework provides guidance and reference for organizations in implementing information security measures. Establishes the minimum security requirements that the systems and services used by public administrations must meet, as well as the guidelines to evaluate and manage the risks associated with information security.

Contenido

No solamente las amenazas que surgen de la programación y el funcionamiento de un dispositivo de almacenamiento, transmisión o proceso deben ser consideradas, también hay otras circunstancias no informáticas que deben ser tomadas en cuenta. Muchas son a menudo imprevisibles o inevitables, de modo que las únicas protecciones posibles son las redundancias y la descentralización, por ejemplo mediante determinadas estructuras de redes en el caso de las comunicaciones o servidores en clúster "Clúster (informática)") para la disponibilidad.

Las amenazas pueden ser causadas por:.

Social engineering

Social engineering is the practice of obtaining confidential information through the manipulation of legitimate users. It is a technique that certain people can use to obtain information, access or privileges in information systems, with results similar to an attack through the network, bypassing the entire infrastructure created to combat malicious programs. In addition, it is a more efficient attack, because it is more complex to calculate and predict.

The principle that underpins social engineering is that in any system "users are the weak link."

Types of threats

There are countless ways to classify an attack and each attack can receive more than one classification. For example, a case of phishing can involve stealing the password of a social network user and with it carrying out identity theft for subsequent harassment, or the theft of the password can simply be used to change the profile photo and leave it all as a joke (without ceasing to be a crime in both cases, at least in countries with legislation for the case, such as Spain).

The fact of connecting a system to an external environment gives us the possibility that an attacker can enter it and steal information or alter the operation of the network. However, the fact that the network is not connected to an external environment, such as the Internet, does not guarantee its security. According to the Computer Security Institute (CSI) of San Francisco, approximately between 60 and 80 percent of network incidents are caused from within the network. Based on the origin of the attack we can say that there are two types of threats:

The type of threats according to the effect they cause on the person receiving the attacks could be classified as:

They can be classified by the modus operandi of the attacker, although the effect may be different for the same type of attack:.

Cyber ​​threat of the future

If at one time the objective of the attacks was to change technological platforms, now cybercriminal trends indicate that the new modality is to manipulate the certificates that contain digital information. The semantic area, which was reserved for humans, now became the core of attacks due to the evolution of Web 2.0 and social networks, factors that led to the birth of generation 3.0.

It is said that "Web 3.0 provides content and meanings in such a way that they can be understood by computers, which - through artificial intelligence techniques - are capable of emulating and improving the obtaining of knowledge, until now reserved for people." That is, it is about giving meaning to web pages, and hence the name semantic web or knowledge society, as an evolution of the already past information society.

In this sense, the computer threats that come in the future are no longer with the inclusion of Trojans in the systems or spy software, but with the fact that the attacks have become professionalized and manipulate the meaning of virtual content.

To avoid falling prey to this new wave of more subtle attacks, it is recommended:.

El análisis de riesgos informáticos es un proceso que comprende la identificación de activos informáticos, sus vulnerabilidades y amenazas a los que se encuentran expuestos así como su probabilidad de ocurrencia y el impacto de las mismas, a fin de determinar los controles adecuados para aceptar, disminuir, transferir o evitar la ocurrencia del riesgo.

Teniendo en cuenta que la explotación de un riesgo causaría daños o pérdidas financieras o administrativas a una empresa u organización, se tiene la necesidad de poder estimar la magnitud del impacto del riesgo a que se encuentra expuesta mediante la aplicación de controles. Dichos controles, para que sean efectivos, deben ser implementados en conjunto formando una arquitectura de seguridad con la finalidad de preservar las propiedades de confidencialidad, integridad y disponibilidad de los recursos objetos de riesgo.

Elements of a risk analysis

The risk analysis process usually generates a document known as a risk matrix. This document shows the elements identified, the way they are related and the calculations performed. This risk analysis is essential to achieve correct risk management. Risk management refers to the management of the organization's resources.

There are different types of risks such as residual risk and total risk as well as risk treatment, risk evaluation and risk management among others. The formula to determine the total risk is:.

From this formula we will determine its treatment and after applying the controls we will be able to obtain the residual risk.

Types of risk

It is associated with the way the organization is managed. Strategic risk management focuses on global issues related to the mission and the fulfillment of strategic objectives, the clear definition of the design policies and conceptualization of the organization by senior management.

It is related to the perception and trust of society towards the organization.

They include risks arising from the functioning and operability of information systems, the definition of business processes, the structure of the organization and the articulation between areas or dependencies.

They relate to the management of the organization's resources that include:

They are associated with the organization's ability to comply with legal, structural, ethical requirements and in general with its commitment to society and the state.

They are related to the technological capacity of the organization to meet its current and future needs, and the fulfillment thereof.

The challenge is to strategically allocate resources for each security team and assets involved, based on the potential impact for the business, regarding the various incidents that must be resolved.[6]​.

To determine prioritization, the incident management system needs to know the value of information systems that can potentially be affected by security incidents. This may involve someone within the organization assigning a monetary value to each computer and file on the network or assigning a relative value to each system and the information about it. Within the values ​​for the system we can distinguish: confidentiality of the information, integrity (applications and information) and finally the availability of the system. Each of these values ​​is an independent system of the business, suppose the following example, a public web server can have the characteristic of low confidentiality (since all the information is public) but needs high availability and integrity, to be reliable. In contrast, an enterprise resource planning (ERP) system is usually a system that has a high score on all three variables.

Individual incidents can vary widely in terms of scope and importance.

Un mecanismo de seguridad (también llamado herramienta de seguridad o control) es una técnica que se utiliza para implementar un servicio, es decir, es aquel mecanismo que está diseñado para detectar, prevenir o recobrarse de un ataque de seguridad. Los mecanismos de seguridad implementan varios servicios básicos de seguridad o combinaciones de estos servicios básicos, los servicios de seguridad especifican "qué" controles son requeridos y los mecanismos de seguridad especifican "cómo" deben ser ejecutados los controles.

Dentro de las diferentes categorías de mecanismos de seguridad, uno de los aspectos relevantes es la ciberseguridad perimetral. La ciberseguridad perimetral se enfoca en proteger el perímetro de una red contra amenazas y ataques cibernéticos. Consiste en establecer medidas de seguridad en los puntos de entrada y salida de la red, como firewalls, sistemas de detección y prevención de intrusiones (IDS/IPS), sistemas de prevención de pérdida de datos (DLP) y otros dispositivos y técnicas de seguridad.

No existe un único mecanismo capaz de proveer todos los servicios, sin embargo, la mayoría de ellos hace uso de técnicas criptográficas basadas en el cifrado de la información. Los mecanismos de seguridad son acciones llevadas a cabo con el objetivo de reducir el riesgo asociado a las vulnerabilidades. Estas acciones pueden ser preventivas, detectivas, y recuperables.

Federación.

Uno de los riesgos más ignorados en la era de la digitalización es el robo de ventajas competitivas, sobre todo en áreas corporativas con alta rotación de empleados. En el extremo, la propiedad intelectual (PI) dedepartamentos basados en algoritmos está a un solo copiar y pegarde caer en manos de un competidor.[7]​.

Classification by function and purpose

There are different types of security mechanisms, which are classified according to their function and objective. In general, they are divided into two categories:

These mechanisms are directly related to the required security levels and some of them are related to security management. They allow determining the degree of security of the system, since they are applied to comply with the general security policy.

They define the implementation of specific services. The most important are the following:

Classification by actions they perform

Security mechanisms can also be classified according to the actions they perform:

These controls reduce the likelihood of a deliberate attack by implementing measures that deter potential attackers.

Preventative controls protect vulnerabilities and cause an attack to fail or reduce its impact. These controls include implementing security policies, applying patches and updates, securely configuring systems, and using technologies such as firewalls and intrusion prevention systems (IPS).

Corrective controls reduce the effect of an attack once it has occurred. They include data recovery, system restoration, and implementing corrective measures to prevent future security incidents.

These controls focus on discovering attacks and activating the corresponding preventive or corrective controls. They include intrusion detection systems (IDS), log analysis and security monitoring systems.

There is no exact definition of artificial intelligence, however, according to the report by the National Cryptologic Center (CNN) published in October 2023, artificial intelligence is considered a specialized branch within the field of computing. Its main purpose is to develop systems capable of executing tasks that traditionally have human intelligence. (Martín Martín, M. 2024, p.28).[8]​.

The research and analysis platform Deloitte Insights (2021) highlights that, in cybersecurity, artificial intelligence acts as a clear multiplier of capabilities: it allows security teams to react faster than attackers and, in addition, anticipate and foresee types of attacks to design responses in advance.[8]​.

According to experts, AI will facilitate the identification, prevention or neutralization of threats, evolving from reactive measures to proactive strategies by stopping anomalies in real time, intelligent authentication and automated response.[9]​.

AI in general and related technologies will help cyber defenders enhance the detention, response and identification of attackers at scale, in addition to streamlining analysis and other tedious tasks. Meaningful use of AI will allow organizations to reduce work by summarizing large volumes of data and aggregating it into threat intelligence, generating actionable detections and analysis.[9]​.

On the other hand, machine learning from artificial intelligence is transforming cybersecurity by improving and strengthening the detection, prevention and response to digital threats.[8]​.

Currently, the national legislation of the States obliges companies and public institutions to implement a security policy. For example, in Spain, the Organic Law on the Protection of Personal Data (LOPD) "Organic Law on the Protection of Personal Data (Spain)") and its implementing regulations, protects this type of data by stipulating basic measures and needs that prevent the loss of quality of the information or its theft. Also in that country, the National Security Scheme establishes technological measures to allow the computer systems that provide services to citizens to comply with security requirements in accordance with the type of availability of the services provided.

Generally, it is exclusively concerned with ensuring access rights to data and resources with control tools and identification mechanisms. These mechanisms allow us to know that operators have only the permissions that were given to them.

Computer security must be studied so that it does not impede the work of operators in what is necessary and that they can use the computer system with complete confidence. That is why when it comes to developing a security policy, it is advisable to:.

The access rights of the operators must be defined by the hierarchical managers and not by the IT administrators, who must ensure that the resources and access rights are consistent with the defined security policy. Furthermore, as the administrator is usually the only one who knows the system perfectly, he or she has to refer any problem and relevant information about security to management, and finally advise strategies to implement, as well as be the entry point for communicating to workers about problems and recommendations in terms of computer security.

El activo más importante que se posee es la información y, por lo tanto, deben existir técnicas que la aseguren, más allá de la seguridad física que se establezca sobre los equipos en los cuales se almacena. Estas técnicas las brinda la seguridad lógica que consiste en la aplicación de barreras y procedimientos que resguardan el acceso a los datos y solo permiten acceder a ellos a las personas autorizadas para hacerlo.

Cada tipo de ataque y cada sistema requiere de un medio de protección o más (en la mayoría de los casos es una combinación de varios de ellos).

A continuación se enumeran una serie de medidas que se consideran básicas para asegurar un sistema tipo, si bien para necesidades específicas se requieren medidas extraordinarias y de mayor profundidad:.

Information backup

Information constitutes the most important asset of companies, and can be affected by many factors such as theft, fires, disk failures, viruses and others. From the company's point of view, one of the most important problems it must solve is the permanent protection of its critical information.

The most efficient measure for data protection is to determine a good backup policy. This should include full backups (data is stored in its entirety the first time) and incremental backups (only files created or modified since the last backup are copied). It is vital for companies to develop a backup plan based on the volume of information generated and the number of critical equipment.

A good backup system must have certain essential characteristics:

Nowadays, online information backup systems and remote backup services are gaining ground in companies and government agencies. Most modern online information backup systems have maximum security measures and data availability. These systems allow companies to grow in volume of information, deriving the need for backup growth from the service provider.

Virus protection

Viruses are one of the most traditional means of attacking systems and the information they support. In order to avoid its contagion, the equipment and the means of access to it must be monitored, mainly the network.

Having only the necessary software installed on the machine reduces risks. Likewise, having the software under control ensures the quality of its origin (software obtained illegally or without guarantees increases the risks). In any case a software inventory provides a correct method of ensuring reinstallation in the event of a disaster. Software with quick installation methods also facilitates reinstallation in case of contingency.

The entry points into the network are generally email, web pages and the entry of files from disks, or from other people's computers such as laptops.

Keeping the number of network resources in read-only mode to the maximum prevents infected computers from spreading viruses. In the same sense, user permissions can be reduced to a minimum.

Data can be centralized so that virus detectors in batch mode can work during machine downtime.

Controlling Internet access can detect, in recovery phases, how the virus has been introduced.

Physical protection of network access

Regardless of the measures taken to protect computers on a local area network and the software that resides on them, measures must be taken to prevent unauthorized users from gaining access. The usual measures depend on the physical environment to be protected.

Some of the methods are listed below, without going into the topic of protecting the network against attacks or intrusion attempts from external networks, such as the Internet.

Building connection rosettes must be protected and monitored. A basic measure is to avoid having network points connected to the switches "Switch (network device)"). Even so, a device can always be replaced by another unauthorized device, which requires additional measures: 802.1x access standard, access control lists by MAC addresses, DHCP servers by reserved assignment, etc.

In this case, physical control becomes more difficult, although measures can be taken to contain the electromagnetic emission to limit it to those places that we consider appropriate and safe. Additionally, the use of encryption (WPA, WPA v.2, use of digital certificates, etc.), shared passwords and, also in this case, MAC address filters, are several of the common measures that when applied together increase security considerably compared to the use of a single method.

Sanitization

Logical or physical process by which information considered sensitive or confidential is removed from a medium, whether physical or magnetic, either with the aim of declassifying it, reusing the medium or destroying the medium in which it is located.

Use of reliable hardware

Reliable hardware is known as any device designed to offer a series of facilities that allow critical information to be safely handled. It is not necessary to understand that since they are reliable, they have infallible security mechanisms, they have their limitations. The only thing it wants to indicate is that they provide certain facilities that improve security and make attacks more difficult. The Trusted Computing Group is a group of companies that define hardware specifications with the aim of having more secure platforms.[10]​.

Security information collection and analysis

To maintain a secure system, it is necessary to establish mechanisms that monitor the different events and information that are related to the security of the system. It is very useful to have a centralized view of this type of information so that it can be analyzed in a single location. For this purpose, security information management systems (SIM) have been developed, responsible for long-term storage, analysis and communication of security data, security event management systems (SEM), responsible for real-time monitoring, correlation of events, notifications and console views of security information, and finally security information and event management systems, which group the functionalities of the two types of systems. previous.[11]​.

Existen organismos oficiales encargados de asegurar servicios de prevención de riesgos y asistencia a los tratamientos de incidencias, tales como el Computer Emergency Response Team Coordination Center del Software Engineering Institute de la Universidad Carnegie Mellon, que es un centro de alerta y reacción frente a los ataques informáticos, destinados a las empresas o administradores, pero generalmente estas informaciones son accesibles a todo el mundo.

Spain

The National Cybersecurity Institute (INCIBE) is an organization dependent on Red.es and the Ministry of Energy, Tourism and Digital Agenda of Spain.[12]​.

European Union

The European Commission has decided to create the European Cybercrime Center (EC3) as a focal point of the EU police fight against cybercrime, contributing to a faster reaction to online crimes. This center effectively opened on 1 January 2013 and aims to support Member States and EU institutions in building operational and analytical capacity for research, as well as cooperation with international partners.

Germany

On June 16, 2011, the German Minister of the Interior officially opened the new National Cyber ​​Defense Center (NCAZ, or National Cyber-Abwehrzentrum) located in Bonn. The NCAZ cooperates closely with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI); the Federal Criminal Investigation Office "Federal Criminal Investigation Office (Germany)") (Bundeskriminalamt, BKA); the Federal Intelligence Service (Bundesnachrichtendienst, or BND); the Military Intelligence Service (Amt für den Militärischen Abschirmdienst, or MAD) and other national organizations in Germany. According to the minister, the primary task of the new organization founded on February 23, 2011, is to detect and prevent attacks against national infrastructure.

USA

On May 1, 2009, Senator Jay Rockefeller (D-WV) introduced the "Cybersecurity Act of 2009 - S. 773" (full text) in the Senate; the bill, co-authored with Senators Evan Bayh (D-IL), Barbara Mikulski (D-MD), Bill Nelson (D-FL), and Olympia Snowe (R-ME), was referred to the Committee. Commerce, Science, and Transportation, which passed a revised version of the same bill (the "Cybersecurity Act of 2010") on March 24, 2010. The bill seeks to increase collaboration between the public sector and the private sector on cybersecurity issues, especially private entities that own infrastructure that are critical to national security interests (quotes says John Brennan, the Assistant to the President for Homeland Security and Counterterrorism: "our nation's security and economic prosperity depends on the security, stability and integrity of communications and information infrastructure that are largely private operating globally" and speaks to the country's response to a "cyber-Katrina"), increase public awareness of cybersecurity issues, and encourage cybersecurity research and background. Some of the most controversial points of the bill include paragraph 315, which gives the President the right to "request the limitation or shutdown of Internet traffic to and from the compromised Federal Government or United States information system or critical network infrastructure." The Electronic Frontier Foundation, a nonprofit digital rights advocacy and legal organization based in the United States, characterized the bill as promoting a "potentially dangerous approach that favors dramatic over sober response."

Mexico

UNAM-CERT is a group of professionals who are in charge of evaluating the vulnerabilities of Information systems in Mexico.

Colombia

On April 11, 2016, the National Council of Economic and Social Policy of the Republic of Colombia officially publishes document CONPES 3854[13]​ within which the national digital security policy is stipulated, in which the MINTIC is designated as in charge of carrying out awareness days on digital security, as well as designing a digital security risk management model.

On the other hand, the Ministry of National Defense MINDEFENSA "Ministry of Defense (Colombia)") must carry out a plan to strengthen the operational, administrative, human, scientific, physical and technological infrastructure capabilities of colCERT.

The National Planning Department DNP "National Planning Department (Colombia)") will be the general coordinator of the implementation of digital security in all public entities of the state and voluntary adoption of private entities and will have the support of the Administrative Department of Public Function (DAFP).

The professional or job opportunities of Cybersecurity are very varied and increasingly in demand due to the continuous changes in the digital age and due to the constant attacks that companies, governments and users suffer daily on their data. This has also been reinforced due to the new data protection law of 2018.[14]​ Among the professional opportunities we can find:.

Mainly focused on protecting network infrastructure from threats and unauthorized access.

It mainly focuses on ensuring that applications are secure against vulnerabilities and attacks (Penetration testing, static code analysis).

Using mathematical techniques, information and communications are secured through authentication tests or digital signatures.

Access to certain resources within a specific organization is controlled through multi-factor authentication, identity management, and role-based access control.

It is the detection and mitigation of attacks to minimize the impact they can cause, protecting the confidentiality and integrity of data, from initial detection using event management and security information systems, to eliminating threats, restoring systems and effective internal and external communication about the incident.

They are the measures and practices that must be followed to protect the systems, data and applications found in computing environments. It goes from managing identities and access to planning data retention.

Cyber ​​incidents are investigated by collecting and analyzing evidence that is found, for example network analysis and data recovery.

It is the design and construction of secure systems, using security architecture, security testing and automation.

What are the skills required for these positions?[15]​.

While in traditional cybersecurity (IT) the protection model is based on the triad CID (Confidentiality, Integrity and Availability), in industrial control systems and real-time (OT) systems, priorities are often reversed towards the AIC model (Availability, Integrity and Confidentiality).[1]​.

This is because, in critical environments such as power grids, nuclear plants or medical devices (cyber-physical systems), service interruption (low availability) or delay in data transmission (latency) can have catastrophic physical consequences, unlike the loss of data confidentiality that prevails in corporate environments. Therefore, heavy encryption protocols that introduce latency (jitter) are sometimes not viable in Hard Real-Time systems.

With the Internet and other major technological advances in recent years, cybersecurity has become a more well-known term. In 1967, representatives of the RAND Corporation and the National Security Agency were the first to publish research on security threats in the field of computer time-sharing.[4]​.

Computer security aims to establish standards and measures that minimize risks to information and computer infrastructure. These standards include aspects such as operating hours, access restrictions, authorizations, denials, user profiles, emergency plans, protocols and everything necessary to guarantee an adequate level of computer security without compromising the performance of workers and the organization in general, and as the main contributor to the use of programs made by programmers.

In terms of protected assets, computer security is designed to protect computer assets, which include the following:.

Within the field of cybersecurity, it is essential to have clearly defined roles and responsibilities to ensure effective management of information security. In this sense, the National Security Scheme (ENS) establishes the basic roles that must exist in organizations to ensure the protection of information.

According to the ICT Security Guide CCN-STIC 801, in addition to the three main figures mentioned in article 10 of the ENS (Information Manager, Service Manager and Security Manager), there are other important roles that can play a relevant role in information security management.

One of these roles is the so-called Information System Manager, whose responsibility can be located within the organization itself or compartmentalized between the organization and third parties, whether public or private service providers, in the case of outsourced information systems. The Information System Manager has the responsibility of guaranteeing the proper use and functioning of the information systems, as well as implementing the necessary security measures.

It is important to note that the competencies and responsibilities of the aforementioned roles may vary depending on the organization and its specific context. However, it is essential that these roles are clearly defined and that there is effective coordination between them to ensure comprehensive information security management.

The ENS Framework provides guidance and reference for organizations in implementing information security measures. Establishes the minimum security requirements that the systems and services used by public administrations must meet, as well as the guidelines to evaluate and manage the risks associated with information security.

Contenido

No solamente las amenazas que surgen de la programación y el funcionamiento de un dispositivo de almacenamiento, transmisión o proceso deben ser consideradas, también hay otras circunstancias no informáticas que deben ser tomadas en cuenta. Muchas son a menudo imprevisibles o inevitables, de modo que las únicas protecciones posibles son las redundancias y la descentralización, por ejemplo mediante determinadas estructuras de redes en el caso de las comunicaciones o servidores en clúster "Clúster (informática)") para la disponibilidad.

Las amenazas pueden ser causadas por:.

Social engineering

Social engineering is the practice of obtaining confidential information through the manipulation of legitimate users. It is a technique that certain people can use to obtain information, access or privileges in information systems, with results similar to an attack through the network, bypassing the entire infrastructure created to combat malicious programs. In addition, it is a more efficient attack, because it is more complex to calculate and predict.

The principle that underpins social engineering is that in any system "users are the weak link."

Types of threats

There are countless ways to classify an attack and each attack can receive more than one classification. For example, a case of phishing can involve stealing the password of a social network user and with it carrying out identity theft for subsequent harassment, or the theft of the password can simply be used to change the profile photo and leave it all as a joke (without ceasing to be a crime in both cases, at least in countries with legislation for the case, such as Spain).

The fact of connecting a system to an external environment gives us the possibility that an attacker can enter it and steal information or alter the operation of the network. However, the fact that the network is not connected to an external environment, such as the Internet, does not guarantee its security. According to the Computer Security Institute (CSI) of San Francisco, approximately between 60 and 80 percent of network incidents are caused from within the network. Based on the origin of the attack we can say that there are two types of threats:

The type of threats according to the effect they cause on the person receiving the attacks could be classified as:

They can be classified by the modus operandi of the attacker, although the effect may be different for the same type of attack:.

Cyber ​​threat of the future

If at one time the objective of the attacks was to change technological platforms, now cybercriminal trends indicate that the new modality is to manipulate the certificates that contain digital information. The semantic area, which was reserved for humans, now became the core of attacks due to the evolution of Web 2.0 and social networks, factors that led to the birth of generation 3.0.

It is said that "Web 3.0 provides content and meanings in such a way that they can be understood by computers, which - through artificial intelligence techniques - are capable of emulating and improving the obtaining of knowledge, until now reserved for people." That is, it is about giving meaning to web pages, and hence the name semantic web or knowledge society, as an evolution of the already past information society.

In this sense, the computer threats that come in the future are no longer with the inclusion of Trojans in the systems or spy software, but with the fact that the attacks have become professionalized and manipulate the meaning of virtual content.

To avoid falling prey to this new wave of more subtle attacks, it is recommended:.

El análisis de riesgos informáticos es un proceso que comprende la identificación de activos informáticos, sus vulnerabilidades y amenazas a los que se encuentran expuestos así como su probabilidad de ocurrencia y el impacto de las mismas, a fin de determinar los controles adecuados para aceptar, disminuir, transferir o evitar la ocurrencia del riesgo.

Teniendo en cuenta que la explotación de un riesgo causaría daños o pérdidas financieras o administrativas a una empresa u organización, se tiene la necesidad de poder estimar la magnitud del impacto del riesgo a que se encuentra expuesta mediante la aplicación de controles. Dichos controles, para que sean efectivos, deben ser implementados en conjunto formando una arquitectura de seguridad con la finalidad de preservar las propiedades de confidencialidad, integridad y disponibilidad de los recursos objetos de riesgo.

Elements of a risk analysis

The risk analysis process usually generates a document known as a risk matrix. This document shows the elements identified, the way they are related and the calculations performed. This risk analysis is essential to achieve correct risk management. Risk management refers to the management of the organization's resources.

There are different types of risks such as residual risk and total risk as well as risk treatment, risk evaluation and risk management among others. The formula to determine the total risk is:.

From this formula we will determine its treatment and after applying the controls we will be able to obtain the residual risk.

Types of risk

It is associated with the way the organization is managed. Strategic risk management focuses on global issues related to the mission and the fulfillment of strategic objectives, the clear definition of the design policies and conceptualization of the organization by senior management.

It is related to the perception and trust of society towards the organization.

They include risks arising from the functioning and operability of information systems, the definition of business processes, the structure of the organization and the articulation between areas or dependencies.

They relate to the management of the organization's resources that include:

They are associated with the organization's ability to comply with legal, structural, ethical requirements and in general with its commitment to society and the state.

They are related to the technological capacity of the organization to meet its current and future needs, and the fulfillment thereof.

The challenge is to strategically allocate resources for each security team and assets involved, based on the potential impact for the business, regarding the various incidents that must be resolved.[6]​.

To determine prioritization, the incident management system needs to know the value of information systems that can potentially be affected by security incidents. This may involve someone within the organization assigning a monetary value to each computer and file on the network or assigning a relative value to each system and the information about it. Within the values ​​for the system we can distinguish: confidentiality of the information, integrity (applications and information) and finally the availability of the system. Each of these values ​​is an independent system of the business, suppose the following example, a public web server can have the characteristic of low confidentiality (since all the information is public) but needs high availability and integrity, to be reliable. In contrast, an enterprise resource planning (ERP) system is usually a system that has a high score on all three variables.

Individual incidents can vary widely in terms of scope and importance.

Un mecanismo de seguridad (también llamado herramienta de seguridad o control) es una técnica que se utiliza para implementar un servicio, es decir, es aquel mecanismo que está diseñado para detectar, prevenir o recobrarse de un ataque de seguridad. Los mecanismos de seguridad implementan varios servicios básicos de seguridad o combinaciones de estos servicios básicos, los servicios de seguridad especifican "qué" controles son requeridos y los mecanismos de seguridad especifican "cómo" deben ser ejecutados los controles.

Dentro de las diferentes categorías de mecanismos de seguridad, uno de los aspectos relevantes es la ciberseguridad perimetral. La ciberseguridad perimetral se enfoca en proteger el perímetro de una red contra amenazas y ataques cibernéticos. Consiste en establecer medidas de seguridad en los puntos de entrada y salida de la red, como firewalls, sistemas de detección y prevención de intrusiones (IDS/IPS), sistemas de prevención de pérdida de datos (DLP) y otros dispositivos y técnicas de seguridad.

No existe un único mecanismo capaz de proveer todos los servicios, sin embargo, la mayoría de ellos hace uso de técnicas criptográficas basadas en el cifrado de la información. Los mecanismos de seguridad son acciones llevadas a cabo con el objetivo de reducir el riesgo asociado a las vulnerabilidades. Estas acciones pueden ser preventivas, detectivas, y recuperables.

Federación.

Uno de los riesgos más ignorados en la era de la digitalización es el robo de ventajas competitivas, sobre todo en áreas corporativas con alta rotación de empleados. En el extremo, la propiedad intelectual (PI) dedepartamentos basados en algoritmos está a un solo copiar y pegarde caer en manos de un competidor.[7]​.

Classification by function and purpose

There are different types of security mechanisms, which are classified according to their function and objective. In general, they are divided into two categories:

These mechanisms are directly related to the required security levels and some of them are related to security management. They allow determining the degree of security of the system, since they are applied to comply with the general security policy.

They define the implementation of specific services. The most important are the following:

Classification by actions they perform

Security mechanisms can also be classified according to the actions they perform:

These controls reduce the likelihood of a deliberate attack by implementing measures that deter potential attackers.

Preventative controls protect vulnerabilities and cause an attack to fail or reduce its impact. These controls include implementing security policies, applying patches and updates, securely configuring systems, and using technologies such as firewalls and intrusion prevention systems (IPS).

Corrective controls reduce the effect of an attack once it has occurred. They include data recovery, system restoration, and implementing corrective measures to prevent future security incidents.

These controls focus on discovering attacks and activating the corresponding preventive or corrective controls. They include intrusion detection systems (IDS), log analysis and security monitoring systems.

There is no exact definition of artificial intelligence, however, according to the report by the National Cryptologic Center (CNN) published in October 2023, artificial intelligence is considered a specialized branch within the field of computing. Its main purpose is to develop systems capable of executing tasks that traditionally have human intelligence. (Martín Martín, M. 2024, p.28).[8]​.

The research and analysis platform Deloitte Insights (2021) highlights that, in cybersecurity, artificial intelligence acts as a clear multiplier of capabilities: it allows security teams to react faster than attackers and, in addition, anticipate and foresee types of attacks to design responses in advance.[8]​.

According to experts, AI will facilitate the identification, prevention or neutralization of threats, evolving from reactive measures to proactive strategies by stopping anomalies in real time, intelligent authentication and automated response.[9]​.

AI in general and related technologies will help cyber defenders enhance the detention, response and identification of attackers at scale, in addition to streamlining analysis and other tedious tasks. Meaningful use of AI will allow organizations to reduce work by summarizing large volumes of data and aggregating it into threat intelligence, generating actionable detections and analysis.[9]​.

On the other hand, machine learning from artificial intelligence is transforming cybersecurity by improving and strengthening the detection, prevention and response to digital threats.[8]​.

Currently, the national legislation of the States obliges companies and public institutions to implement a security policy. For example, in Spain, the Organic Law on the Protection of Personal Data (LOPD) "Organic Law on the Protection of Personal Data (Spain)") and its implementing regulations, protects this type of data by stipulating basic measures and needs that prevent the loss of quality of the information or its theft. Also in that country, the National Security Scheme establishes technological measures to allow the computer systems that provide services to citizens to comply with security requirements in accordance with the type of availability of the services provided.

Generally, it is exclusively concerned with ensuring access rights to data and resources with control tools and identification mechanisms. These mechanisms allow us to know that operators have only the permissions that were given to them.

Computer security must be studied so that it does not impede the work of operators in what is necessary and that they can use the computer system with complete confidence. That is why when it comes to developing a security policy, it is advisable to:.

The access rights of the operators must be defined by the hierarchical managers and not by the IT administrators, who must ensure that the resources and access rights are consistent with the defined security policy. Furthermore, as the administrator is usually the only one who knows the system perfectly, he or she has to refer any problem and relevant information about security to management, and finally advise strategies to implement, as well as be the entry point for communicating to workers about problems and recommendations in terms of computer security.

El activo más importante que se posee es la información y, por lo tanto, deben existir técnicas que la aseguren, más allá de la seguridad física que se establezca sobre los equipos en los cuales se almacena. Estas técnicas las brinda la seguridad lógica que consiste en la aplicación de barreras y procedimientos que resguardan el acceso a los datos y solo permiten acceder a ellos a las personas autorizadas para hacerlo.

Cada tipo de ataque y cada sistema requiere de un medio de protección o más (en la mayoría de los casos es una combinación de varios de ellos).

A continuación se enumeran una serie de medidas que se consideran básicas para asegurar un sistema tipo, si bien para necesidades específicas se requieren medidas extraordinarias y de mayor profundidad:.

Information backup

Information constitutes the most important asset of companies, and can be affected by many factors such as theft, fires, disk failures, viruses and others. From the company's point of view, one of the most important problems it must solve is the permanent protection of its critical information.

The most efficient measure for data protection is to determine a good backup policy. This should include full backups (data is stored in its entirety the first time) and incremental backups (only files created or modified since the last backup are copied). It is vital for companies to develop a backup plan based on the volume of information generated and the number of critical equipment.

A good backup system must have certain essential characteristics:

Nowadays, online information backup systems and remote backup services are gaining ground in companies and government agencies. Most modern online information backup systems have maximum security measures and data availability. These systems allow companies to grow in volume of information, deriving the need for backup growth from the service provider.

Virus protection

Viruses are one of the most traditional means of attacking systems and the information they support. In order to avoid its contagion, the equipment and the means of access to it must be monitored, mainly the network.

Having only the necessary software installed on the machine reduces risks. Likewise, having the software under control ensures the quality of its origin (software obtained illegally or without guarantees increases the risks). In any case a software inventory provides a correct method of ensuring reinstallation in the event of a disaster. Software with quick installation methods also facilitates reinstallation in case of contingency.

The entry points into the network are generally email, web pages and the entry of files from disks, or from other people's computers such as laptops.

Keeping the number of network resources in read-only mode to the maximum prevents infected computers from spreading viruses. In the same sense, user permissions can be reduced to a minimum.

Data can be centralized so that virus detectors in batch mode can work during machine downtime.

Controlling Internet access can detect, in recovery phases, how the virus has been introduced.

Physical protection of network access

Regardless of the measures taken to protect computers on a local area network and the software that resides on them, measures must be taken to prevent unauthorized users from gaining access. The usual measures depend on the physical environment to be protected.

Some of the methods are listed below, without going into the topic of protecting the network against attacks or intrusion attempts from external networks, such as the Internet.

Building connection rosettes must be protected and monitored. A basic measure is to avoid having network points connected to the switches "Switch (network device)"). Even so, a device can always be replaced by another unauthorized device, which requires additional measures: 802.1x access standard, access control lists by MAC addresses, DHCP servers by reserved assignment, etc.

In this case, physical control becomes more difficult, although measures can be taken to contain the electromagnetic emission to limit it to those places that we consider appropriate and safe. Additionally, the use of encryption (WPA, WPA v.2, use of digital certificates, etc.), shared passwords and, also in this case, MAC address filters, are several of the common measures that when applied together increase security considerably compared to the use of a single method.

Sanitization

Logical or physical process by which information considered sensitive or confidential is removed from a medium, whether physical or magnetic, either with the aim of declassifying it, reusing the medium or destroying the medium in which it is located.

Use of reliable hardware

Reliable hardware is known as any device designed to offer a series of facilities that allow critical information to be safely handled. It is not necessary to understand that since they are reliable, they have infallible security mechanisms, they have their limitations. The only thing it wants to indicate is that they provide certain facilities that improve security and make attacks more difficult. The Trusted Computing Group is a group of companies that define hardware specifications with the aim of having more secure platforms.[10]​.

Security information collection and analysis

To maintain a secure system, it is necessary to establish mechanisms that monitor the different events and information that are related to the security of the system. It is very useful to have a centralized view of this type of information so that it can be analyzed in a single location. For this purpose, security information management systems (SIM) have been developed, responsible for long-term storage, analysis and communication of security data, security event management systems (SEM), responsible for real-time monitoring, correlation of events, notifications and console views of security information, and finally security information and event management systems, which group the functionalities of the two types of systems. previous.[11]​.

Existen organismos oficiales encargados de asegurar servicios de prevención de riesgos y asistencia a los tratamientos de incidencias, tales como el Computer Emergency Response Team Coordination Center del Software Engineering Institute de la Universidad Carnegie Mellon, que es un centro de alerta y reacción frente a los ataques informáticos, destinados a las empresas o administradores, pero generalmente estas informaciones son accesibles a todo el mundo.

Spain

The National Cybersecurity Institute (INCIBE) is an organization dependent on Red.es and the Ministry of Energy, Tourism and Digital Agenda of Spain.[12]​.

European Union

The European Commission has decided to create the European Cybercrime Center (EC3) as a focal point of the EU police fight against cybercrime, contributing to a faster reaction to online crimes. This center effectively opened on 1 January 2013 and aims to support Member States and EU institutions in building operational and analytical capacity for research, as well as cooperation with international partners.

Germany

On June 16, 2011, the German Minister of the Interior officially opened the new National Cyber ​​Defense Center (NCAZ, or National Cyber-Abwehrzentrum) located in Bonn. The NCAZ cooperates closely with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI); the Federal Criminal Investigation Office "Federal Criminal Investigation Office (Germany)") (Bundeskriminalamt, BKA); the Federal Intelligence Service (Bundesnachrichtendienst, or BND); the Military Intelligence Service (Amt für den Militärischen Abschirmdienst, or MAD) and other national organizations in Germany. According to the minister, the primary task of the new organization founded on February 23, 2011, is to detect and prevent attacks against national infrastructure.

USA

On May 1, 2009, Senator Jay Rockefeller (D-WV) introduced the "Cybersecurity Act of 2009 - S. 773" (full text) in the Senate; the bill, co-authored with Senators Evan Bayh (D-IL), Barbara Mikulski (D-MD), Bill Nelson (D-FL), and Olympia Snowe (R-ME), was referred to the Committee. Commerce, Science, and Transportation, which passed a revised version of the same bill (the "Cybersecurity Act of 2010") on March 24, 2010. The bill seeks to increase collaboration between the public sector and the private sector on cybersecurity issues, especially private entities that own infrastructure that are critical to national security interests (quotes says John Brennan, the Assistant to the President for Homeland Security and Counterterrorism: "our nation's security and economic prosperity depends on the security, stability and integrity of communications and information infrastructure that are largely private operating globally" and speaks to the country's response to a "cyber-Katrina"), increase public awareness of cybersecurity issues, and encourage cybersecurity research and background. Some of the most controversial points of the bill include paragraph 315, which gives the President the right to "request the limitation or shutdown of Internet traffic to and from the compromised Federal Government or United States information system or critical network infrastructure." The Electronic Frontier Foundation, a nonprofit digital rights advocacy and legal organization based in the United States, characterized the bill as promoting a "potentially dangerous approach that favors dramatic over sober response."

Mexico

UNAM-CERT is a group of professionals who are in charge of evaluating the vulnerabilities of Information systems in Mexico.

Colombia

On April 11, 2016, the National Council of Economic and Social Policy of the Republic of Colombia officially publishes document CONPES 3854[13]​ within which the national digital security policy is stipulated, in which the MINTIC is designated as in charge of carrying out awareness days on digital security, as well as designing a digital security risk management model.

On the other hand, the Ministry of National Defense MINDEFENSA "Ministry of Defense (Colombia)") must carry out a plan to strengthen the operational, administrative, human, scientific, physical and technological infrastructure capabilities of colCERT.

The National Planning Department DNP "National Planning Department (Colombia)") will be the general coordinator of the implementation of digital security in all public entities of the state and voluntary adoption of private entities and will have the support of the Administrative Department of Public Function (DAFP).

The professional or job opportunities of Cybersecurity are very varied and increasingly in demand due to the continuous changes in the digital age and due to the constant attacks that companies, governments and users suffer daily on their data. This has also been reinforced due to the new data protection law of 2018.[14]​ Among the professional opportunities we can find:.

Mainly focused on protecting network infrastructure from threats and unauthorized access.

It mainly focuses on ensuring that applications are secure against vulnerabilities and attacks (Penetration testing, static code analysis).

Using mathematical techniques, information and communications are secured through authentication tests or digital signatures.

Access to certain resources within a specific organization is controlled through multi-factor authentication, identity management, and role-based access control.

It is the detection and mitigation of attacks to minimize the impact they can cause, protecting the confidentiality and integrity of data, from initial detection using event management and security information systems, to eliminating threats, restoring systems and effective internal and external communication about the incident.

They are the measures and practices that must be followed to protect the systems, data and applications found in computing environments. It goes from managing identities and access to planning data retention.

Cyber ​​incidents are investigated by collecting and analyzing evidence that is found, for example network analysis and data recovery.

It is the design and construction of secure systems, using security architecture, security testing and automation.

What are the skills required for these positions?[15]​.