Starting in 2025, innovation will accelerate with the opening of the AWS region in Mexico, breaking historical paradigms in technology and digital transformation, since, in a country known for its strict regulations in the financial sector – where banks, insurers and fintechs must guarantee the residency of productive data – this new region eliminates barriers that previously limited digital transformation.

Now, however, the transformation will have no limits.

Cybersecurity continues to be a priority investment for companies. In Latin America, the share of IT security in the overall IT budget grew from 22% in 2019 to 30% in 2020 in SMBs and from 27% to 34% in larger companies. Likewise, 59% of organizations expect to increase their cybersecurity budget in the next three years.
This is according to the report Adjusting investment: aligning IT budgets with security priorities, released by the company Kaspersky. Such estimates come despite the fact that, in general terms, during the COVID-19 pandemic, IT spending, and cybersecurity spending in particular, has been cut, especially among those SMEs most economically impacted.

Companies’ IT priorities can be conditioned by certain external events. Such is the case of the crisis resulting from the COVID-19 lockdown, which has led organizations to adjust their plans to adapt to new needs, from urgent digitization to cost optimization.

Kaspersky conducted this study, based on a survey of more than 5,000 IT and cybersecurity professionals in 31 countries, which analyzes the latest economic trends in IT security and their relationship with what happened this year.
According to the research, the IT budget dedicated to security continues to grow year after year in the countries of the region: from $114,000 in 2019 to $250,000 in 2020 in the case of Latin American SMEs, and from $13 million in 2019 to $20 million in 2020 in large companies.
However, a small percentage of enterprises, 9% of SMBs and 13.5% of large Latin American companies plan to reduce IT security spending in the next three years.
Of the latter, 28% allege that senior management sees no reason to invest so much in IT security, while another 28% commented that they can make this decision, because IT Security functions have been taken over by outsourcing companies.

Tips for Staying Safe

Kaspersky suggests that businesses follow the following recommendations to stay secure, even with limited budgets:
• Always keep the team aware of IT security risks, such as phishing, web threats, banking malware, and others that can affect employees in their daily work routine.
• Make sure all systems, software, and devices are up to date. This will help prevent malware infiltrations into corporate systems, through, for example, an operating system without update patches.
• Establish the practice of using strong passwords to access corporate services. Use multi-factor authentication for access to remote services.
• Ensure that all corporate devices are protected with strong passwords and that they are changed on a regular basis.
• Use proven cloud-based services and platforms when transferring business data. Make sure that you password-protect all shared files, such as in Google Docs, or make them available to a limited circle within a workgroup.
• Use a free endpoint security tool, such as Kaspersky Anti-Ransomware Tool for Business, which offers protection for both PCs and servers against a wide range of threats, including ransomware, cryptominers, adware, pornographic software, exploits, and more.
• There are also some useful tools that could help cover specific cybersecurity needs, such as checking suspicious files, IP addresses, domains, and URLs.

Source: https://cio.com.mx/aumenta-el-presupuesto-para-ciberseguridad-en-empresas-pese-a-los-recortes-por-covid-19/

At Itera we can help you.
Contact a specialist: seguridad@iteraprocess.com

These are issues related to security and shared compliance between AWS and the customer. This shared model can ease the operational burden on the customer, as AWS operates, manages, and controls the components of the host operating system and virtualization layer right down to the physical security of the premises in which the services operate. Customer assumes responsibility for and management of the guest operating system (including updates and security patches), any other associated application software, and security group firewall configuration provided by AWS.

Customers should think carefully about the services they choose, as responsibilities vary depending on the services they use, the integration of those services into their IT environment, and the relevant laws and regulations. The nature of this shared responsibility also offers the flexibility and control on the part of the customer that allows the implementation to be completed. As shown below, the differentiation of responsibilities is commonly referred to as “on” cloud security and “on” cloud security.

AWS Responsibility

AWS is responsible for securing the infrastructure that runs all services provided in the AWS Cloud. This infrastructure is made up of the hardware, software, networks, and facilities that run AWS cloud services.

Customer Responsibility

Customer liability will be determined by the AWS cloud services that Customer selects. This determines the scope of configuration work by the customer as part of their security responsibilities. For example, a service such as Amazon Elastic Compute Cloud (Amazon EC2) is classified as Infrastructure as a Service (IaaS) and, as such, requires the customer to perform all necessary security configuration and management tasks.

Customers who deploy an Amazon EC2 instance are responsible for managing the guest operating system (including security patches and updates), any utilities or application software that the customer has installed on the instances, and configuring the AWS-provided firewall (called a security group) on each instance. For pulled services, such as Amazon S3 and Amazon DynamoDB, AWS handles the infrastructure layer, operating system, and platforms, while customers access endpoints to retrieve and store data. Customers are responsible for managing their data (including encryption options), classifying their resources, and using IAM tools to request appropriate permissions.

This model of shared responsibility between customers and AWS also encompasses IT controls. Just as AWS and its customers share responsibility for the operation of the IT environment, they also share responsibility for managing, operating, and verifying IT controls. AWS can help ease the burden on customers by operating controls by managing the controls associated with the physical infrastructure deployed in the AWS environment that was previously managed by the customer. Because each customer’s deployment is done differently on AWS, customers have the opportunity to migrate the management of certain IT controls to AWS for a (new) distributed control environment. Customers can use the available AWS compliance and control documentation to execute their controls verification and assessment procedures as needed. Below are examples of controls that are managed by AWS, AWS customers, or both.

Physical and environmental controls

Legacy controls

Controls that a customer inherits entirely from AWS.

Shared Controls

Controls that apply to both the infrastructure layer and the customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure, and the customer must provide its own implementation of controls on its use of AWS services. Examples include:

Patch Management

AWS is responsible for patching and fixing imperfections within the infrastructure, but customers are responsible for patching their applications and guest operating systems.

Configuration Management

AWS maintains the configuration of its infrastructure devices, but the customer is responsible for configuring its applications, databases, and guest operating systems.

Technical information and training

AWS trains AWS employees, but the customer must train their own employees.

Customer-specific controls

controls that are the sole responsibility of the customer based on the application they deploy within AWS services. Examples include:

Zone security or protection of communications and services, which might require the client to route or zone data in specific security environments.

Source: https://aws.amazon.com/es/compliance/shared-responsibility-model/

At Itera we can help you.
Contact a specialist: seguridad@iteraprocess.com

Businesses rely on SaaS applications for countless features, such as collaboration, marketing, file sharing, and more. But, problematically, they often lack the resources to configure those applications to prevent cyberattacks, data exfiltration, and other risks.

Catastrophic and costly data breaches are the result of SaaS security misconfigurations. Verizon’s 2020 Data Breach Investigations Report found that bugs are the second leading cause of data breaches, accounting for about one in three breaches. Of these, misconfigurations are by far the most common, often resulting in the exposure of databases or file system content directly to a cloud service.
Enterprises tend to be only as vulnerable as the weaker security configurations they have enabled for their SaaS applications. To illustrate, the Adaptive Shield team has uncovered SaaS misconfigurations that leave companies open to corporate espionage with a single click, exposing their entire cloud.

IT security teams need to do more to protect their organizations from risks caused by misconfigured SaaS applications. Here are five SaaS configuration errors that we see all the time that you should check and fix as needed:

1. Ensure that your SaaS system administrators use MFA, even if SSO is enabled.
   SSO has become a key feature for securing access to SaaS applications; However, there are still some users who may, by design, bypass this control. For maintenance purposes, most SaaS providers allow system owners to log in with their username and password, even if SSO is enabled. Make sure that mandatory multi-factor authentication is enabled for these super users. If your administrators trust the username and passwords, and an administrator’s credentials are compromised, attackers will be able to access the account.
2. Shared mailboxes are easy dishes, appreciated by Cybercriminals. Fix yours.
   Many businesses use shared mailboxes for financial, customer, and other information. We found that organizations have one shared mailbox for every 20 employees on average. These present problems because they do not have a clear owner and each user has a password, which is static because no one changes it. The problems are so severe that Microsoft even recommends blocking sign-in for shared mailbox accounts.
3. Manage external users with access to internal information.
   Today, many companies exchange information using collaboration tools. While external sharing is a great way to extend your organization to your vendors and partners, it comes with the risk of losing control over your data. Be sure to define a collaboration policy with external users and set appropriate limitations on all SaaS applications.
4. You don’t know what you can’t see; Enable auditing to maximize visibility and control.
   As a security expert, you need to know the information you’re missing. While the default audited actions are sufficient for some organizations, for others, it can be a major security breach. Make sure you understand what you’re not seeing and optimize for gaps.
5. Ensure that no data entity is accessible anonymously without your knowledge.
   Maintaining full control over your corporate data is not an easy task. And it only gets harder as you add SaaS applications.

Identify which resources are publicly exposed, such as dashboards, forms, discussions, or any other data entity, and act now to fix them.

Source: https://thehackernews.com/2020/11/worried-about-saas-misconfigurations.html

At Itera we can help you.
Contact a specialist: seguridad@iteraprocess.com

Contact us at

Request a free consultation. Send us a message and one of our representatives will contact you shortly.

The gap due to lack of skills and talent in cybersecurity continues to grow.
A study by ESG and the Information Systems Security Association (ISSA) highlights that 70% of companies are affected by this lack of resources.
Despite the importance that cybersecurity has taken as one of the basic pillars of digital transformation – even more so with the presence of forced teleworking – the gap generated by the absence of technical skills and the shortage of professionals continues to grow, according to a study by ESG and the Information Systems Security Association (ISSA). Up to 70% of skilled workers believe that their organization is affected by a lack of skills. In the last four years, this figure has grown by up to five percentage points.

In this way, this lack generates an extra and increasingly increasing workload for cybersecurity experts, who also have to take care of staff training and deal with insufficient resources. “We are so busy putting out fires that we have not taken time to learn how to take advantage of the tools,” they say.

Likewise, the gap is widened when it comes to application security, cloud, and analytics. Organizations are moving more and more workloads to the public cloud and are facing increasingly sophisticated threats, leading to bewilderment.

The report also highlights that only 7% of professionals believe that their company has improved its position in terms of cybersecurity in recent years. 45% say they have worsened and 48% believe they are in the same situation.

As final conclusions, the survey expresses that this shortage shows two aspects; on the one hand, that there are not enough professionals; on the other; skills are also in short supply.
Source: https://cso.computerworld.es/tendencias/la-brecha-por-falta-de-habilidades-y-talento-en-ciberseguridad-sigue-en-aumento
At Itera we can help you.
Contact a specialist: seguridad@iteraprocess.com

As the pandemic continues to force organizations to shift to work-from-home setup, more companies are coming to terms with the fact that changes are needed in continuity, security, and mobility.
In the industry, including changes in online security and cybercriminal activities and the need for a greater understanding of governance as a distributed function.
Misconceptions about safety must be changed.
Working remotely is now a bit easier now that security is seen as a critical element of success. However, in the past, security teams were considered only as support to the administrative function; Too often, they were also perceived as “roadblocks” that, at the last minute, pointed to issues that needed to be addressed before solutions could be implemented.
Improving Safety has involved many changes, including changing misconceptions, transforming perspectives, asking questions that are difficult and beyond operations, continuing education, and practicing self-reliance for safety compliance. As a result, the role of security has also become more visible and involved.
However, the strategy of involving safety from the beginning depended not only on the security team, but also on changing the mindset of the entire team.
Security continues to be paramount for the company, especially since working remotely has become part of the “new normal.” To secure your operations in these circumstances, you should evaluate what changes need to be made, either temporarily or permanently, to ensure that the business is enabled and that customer privacy is maintained.

A cloud-centric strategy and enabling mobility.

The company must adopt a cloud-first mindset for quite some time and has been moving forward with significant digital transformation efforts, both of which clearly help enable a smooth transition to an equally significant remote workforce. The flexibility, availability, easy acquisition, and expandability of the cloud provide ease and help enable mobility.
Cloud security is a model of shared responsibility. Some of the controls and governance are the responsibility of the hosting provider, while others belong to the solution provider. To do this, it is key for an organization to have a good process to evaluate the security of the solutions it uses, both internally and externally through partners.

Key points:

• Perception changes. Involve security teams early on and often to build partnerships and stop being a hindrance.
  • Enable resources. Whether an organization is educating teams on how to look at functionality from an adversary’s point of view or providing tools and processes that allow them to be self-sufficient, the end result will be stronger security and better relationships.
  • Coordinate with third parties. Even today, there are many cases where businesses mistakenly trust or believe that the hosting provider only has their security covered. However, organizations need to ensure that their third-party management program is asking the right questions regarding cloud/hosted solutions so that they can make informed risk-based decisions.
  • Trust partnerships. When you need new solutions/tools for the cloud, leverage existing partnerships as much as possible to drive efficiencies and integrations.

At Itera we can help you.
Contact a specialist: seguridad@iteraprocess.com

In this digital era accompanied by contingency scenarios, we know of several cases in which the privacy and confidentiality of organizations have been violated by cyber means. Which has obviously caused damage to his image, as well as time and money. Hence, it is essential to have quality assurance measures in the services that provide profitability to the business guaranteeing its continuity.

Facing such a challenge has to do with the transformation in the way we operate, implementing performance tests and vulnerability analysis. Measuring the performance of your technology solutions to reduce risks and increase certainty.

A CLEAR EXAMPLE

Let us think of a federal agency in energy matters, which must fulfill very relevant functions that mark a benchmark in the field of national and international security and development.

This government agency needs to verify the quality of its technological solutions developed to validate the correct performance of its applications, stressing them with performance tests to detect the number of concurrent users that each of its applications will support.

Confirming that they comply with security standards through the detection of vulnerabilities, supported by an auditing security methodology. A methodology aimed at the security analysis of its applications and used as a reference.

In this context, it is necessary to ensure a Software Factory, quantitatively validating the quality of the development delivered by the provider. A quality assurance service should be in place to perform performance testing and vulnerability analysis.

WE MAKE IT HAPPEN

As a business partner, Itera adapted the testing methodology presented, adapting to the needs of this agency, taking as a reference international frameworks such as ISTQB, CMMI, OWASP, TMMi and PMI. Within the activities prior to the execution of tests, tools, testing process and standards (metrics) that certify the quality of the solutions developed were defined.

Once we carry out the execution of quality tests, in order to objectively evaluate the technological solutions, we help to implement a methodology for the management of product quality during the development life cycle.

This is how at Itera we can guarantee the availability of information systems that ensure business continuity, allowing Senior Management to know the real performance of these systems compared to expectations.

Improving the customer experience, increasing online revenue, keeping the detection of threats that compromise the protection of information up to date. Having a set of measures that are effective in detecting, preventing and mitigating possible cyberattacks.

Ensuring an ideal state precisely in information security to organizations that like to trust our IT Governance solutions: Performance Testing and Vulnerability Analysis.