Propuesta proceso de gestión de vulnerabilidades
| dc.contributor.advisor | Díaz García, Javier Leonardo | |
| dc.contributor.author | Meneses Cerquera, Diana Carolina | |
| dc.contributor.author | Cruz Rodríguez, Juan Camilo | |
| dc.contributor.author | Márquez Romero, Daniel Felipe | |
| dc.date.accessioned | 2024-07-23T02:53:07Z | |
| dc.date.available | 2024-07-23T02:53:07Z | |
| dc.date.issued | 2024-06 | |
| dc.description.abstract | El siguiente documento tiene como objetivo presentar el desarrollo, aplicación y análisis de resultados de un proyecto de gestión de vulnerabilidades basado en el marco de seguridad propuesto por el Instituto Nacional de Estándares Internacionales (NIST) enfocado hacia infraestructuras implementadas en la nube, durante este proceso de documentación, se implementan los distintos controles y elementos descritos en el marco y son aplicados sobre un entorno simulado en la plataforma de Cloud Computing AWS con el fin de demostrar la aplicabilidad del proceso de gestión desarrollado y que este pueda ser entregado a la Universidad El Bosque como parte complementaria a su documentación de políticas de seguridad de la información y de desarrollo seguro de software. | |
| dc.description.abstractenglish | The following document aims to present the development, application and analysis of results of a vulnerability management project based on the security framework proposed by the National Institute of International Standards (NIST) focused on infrastructures implemented in the cloud, during this process of documentation, the different controls and elements described in the framework are implemented and are applied on a simulated environment on the AWS Cloud Computing platform in order to demonstrate the applicability of the developed management process and that it can be delivered to the El Bosque University as a complementary part to its documentation of information security policies and secure software development. | |
| dc.description.degreelevel | Especialización | spa |
| dc.description.degreename | Especialista en Seguridad de Redes Telemáticas | spa |
| dc.format.mimetype | application/pdf | |
| dc.identifier.instname | instname:Universidad El Bosque | spa |
| dc.identifier.reponame | reponame:Repositorio Institucional Universidad El Bosque | spa |
| dc.identifier.repourl | repourl:https://repositorio.unbosque.edu.co | |
| dc.identifier.uri | https://hdl.handle.net/20.500.12495/12708 | |
| dc.language.iso | es | |
| dc.publisher.faculty | Facultad de Ingeniería | spa |
| dc.publisher.grantor | Universidad El Bosque | spa |
| dc.publisher.program | Especialización en Seguridad de Redes Telemáticas | spa |
| dc.relation.references | [1] K. Scarfone, M. Souppaya, A. Cody, and A. Orebaugh, “Technical guide to information security testing and assessment,” NIST Special Publication, vol. 800, no. 115, pp. 2–25, 2008. | |
| dc.relation.references | [2] J. A. Monsalve-Pulido, F. A. Aponte-Novoa, and D. F. Chaves-Tamayo, “Estudio y gestión de vulnerabilidades informáticas para una empresa privada en el departamento de Boyacá (Colombia),” Revista Facultad de Ingenier\’\ia, vol. 23, no. 37, pp. 65–72, 2014. | |
| dc.relation.references | [3] D. N. Orejuela Jarrin and M. E. Pineda León, “Diseño e implementación de un centro de gestión de vulnerabilidades para la Empresa ASAP business sa ubicada en la Ciudad de Guayaquil,” Universidad de Guayaquil. Facultad de Ciencias Matemáticas y F\’\isicas~…, 2022. | |
| dc.relation.references | [4] M. B. Oña Garcés, “Gestión de riesgos informáticos utilizando NIST SP-800 e ISO/IEC 27005 en la empresa international forest products del Ecuador SA,” 2019. | |
| dc.relation.references | [5] B. Villora Divino and others, “Evaluación y gestión de vulnerabilidades: Cómo sobrevivir en el mundo de los ciberataques,” Universitat Politècnica de València, 2018. | |
| dc.relation.references | [6] B. Cortés Santamar\’\ia, “Caso práctico de una prueba de concepto de tres herramientas de gestión y análisis de vulnerabilidades,” 2021. | |
| dc.relation.references | [7] A. A. Dávila Angeles and B. J. Dextre Alarcón, “Propuesta de una implementación de un programa de gestión de vulnerabilidades de seguridad informática para mitigar los siniestros de la información en el policl\’\inico de salud AMC alineado a la NTP-ISO/IEC 27001: 2014 en la ciudad de Lima-2021,” 2021. | |
| dc.relation.references | [8] R. S. Perdana, A. Effendy, H. Garnida, A. Fidayan, F. Nazar, and D. Saepudin, “Security and Risk Assessment of Academic Information System By Using NIST Framework (A Case Study Approach),” in 2022 16th International Conference on Telecommunication Systems, Services, and Applications (TSSA), 2022, pp. 1–5. doi: 10.1109/TSSA56819.2022.10063890. | |
| dc.relation.references | [9] E. F. Morales Idrogo and O. A. Cadena Cartagena, “Análisis e implementación de una solución para correlacionamiento de eventos,” 2022. | |
| dc.relation.references | [10] J. D. Lopez Pezo, “Gestión de riesgos con metodolog\’\ia NIST SP 800-30 a la seguridad en redes inalámbricas en la empresa Servintecomp Ucayali-Pucallpa: 2018,” 2021. | |
| dc.relation.references | [11] A. Mahn, J. Marron, S. Quinn, and D. Topper, “Primeros pasos de NIST,” 2021. | |
| dc.relation.references | [12] IBM, “Gestión de vulnerabilidades.” 2023. | |
| dc.relation.references | [13] National Institute of Standards and Technology, “Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1,” Gaithersburg, MD, Apr. 2018. doi: 10.6028/NIST.CSWP.04162018. | |
| dc.relation.references | [14] International Organization for Standardization, “ISO/IEC 27000:2023 Information technology – Security techniques – Information security management systems – Overview and vocabulary.” 2023. [Online]. Available: https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-5:v1:en | |
| dc.relation.references | [15] Microsoft, “ ¿Qué es la seguridad de la información (InfoSec)?” 2021. | |
| dc.relation.references | [16] RedHat, “What is security information and event management (SIEM)?” 2021. [Online]. Available: https://www.redhat.com/en/topics/security/what-is-SIEM | |
| dc.relation.references | [17] CVE Mitre, “About CVE - Overview,” https://www.cve.org/About/Overview. | |
| dc.relation.references | [18] RedHat, “Los proveedores de servicios de nube,” https://www.redhat.com/es/topics/cloud-computing/what-are-cloud-providers. | |
| dc.relation.references | [19] Rapid7, “What is Patching,” https://www.rapid7.com/fundamentals/patch-management/. | |
| dc.relation.references | [20] Trend Micro, “Vulnerability Scanner.” 2023. [Online]. Available: https://docs.trendmicro.com/all/ent/officescan/v8.0/en-us/osce_8.0_olhsrv/osce_topics/vulnerability_scanner.htm | |
| dc.relation.references | [21] Tenable Inc., “Nessus: The Industry’s Most Trusted Vulnerability Assessment Solution.” 2023. [Online]. Available: https://www.tenable.com/products/nessus | |
| dc.relation.references | [22] I. Amazon Web Services, “Amazon Web Services (AWS) - Cloud Computing Services.” | |
| dc.relation.references | [23] I. Amazon Web Services, “AWS - Inspector,” https://aws.amazon.com/inspector/. Accessed: Apr. 26, 2024. [Online]. Available: https://aws.amazon.com/inspector/ | |
| dc.relation.references | [24] I. Amazon Web Services, “Use Case Labs - Inventory and Patch Management,” AWS Management and Governance,” https://mng.workshop.aws/ssm/use-case-labs/inventory_patch_management/patch.html. | |
| dc.relation.references | [25] N. I. of Standards and Technology, “Risk Management.” | |
| dc.relation.references | [26] National Institute of Standards and Technology, “Cybersecurity Framework.” 2024. [Online]. Available: https://csrc.nist.gov/projects/cybersecurity-framework/filters#/csf/filters | |
| dc.relation.references | [27] International Organization for Standardization, “ISO/IEC 27001:2013: Information technology – Security techniques – Information security management systems – Requirements.” 2013. [Online]. Available: https://www.pmg-ssi.com/2014/08/iso-2700-12013-politica-roles-responsabilidades-autoridades-organizacion/ | |
| dc.relation.references | [28] A. Tundis, W. Mazurczyk, and M. Mühlhäuser, “A review of network vulnerabilities scanning tools: Types, capabilities and functioning,” in Proceedings of the 13th international conference on availability, reliability and security, 2018, pp. 1–10. | |
| dc.relation.references | [29] I. Chalvatzis, D. A. Karras, and R. C. Papademetriou, “Evaluation of security vulnerability scanners for small and medium enterprises business networks resilience towards risk assessment,” in 2019 IEEE International Conference on Artificial Intelligence and Computer Applications (ICAICA), 2019, pp. 52–58. | |
| dc.relation.references | [30] J. Backes et al., “Reachability analysis for AWS-based networks,” in Computer Aided Verification: 31st International Conference, CAV 2019, New York City, NY, USA, July 15-18, 2019, Proceedings, Part II 31, 2019, pp. 231–241. | |
| dc.relation.references | [31] W. Tai, “What Is VPR and How Is It Different from CVSS?,” https://www.tenable.com/blog/what-is-vpr-and-how-is-it-different-from-cvss. | |
| dc.relation.references | [32] A. Nelson, S. Rekhi, M. Souppaya, and K. Scarfone, “Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile,” 2024. | |
| dc.relation.references | [33] N. I. of Standards and Technology, “About the Risk Management Framework (RMF).” 2024. | |
| dc.relation.references | [34] M. de Educacion, “Guia de Administracion del Riesgo.” 2018. [Online]. Available: https://www.mineducacion.gov.co/1780/articles-322548_recurso_5.pdf | |
| dc.relation.references | [35] Hackmetrix Blog, “Descriptivo de Roles y Responsabilidades.” | |
| dc.rights | Atribución-NoComercial-CompartirIgual 4.0 Internacional | en |
| dc.rights.accessrights | info:eu-repo/semantics/openAccess | |
| dc.rights.accessrights | http://purl.org/coar/access_right/c_abf2 | |
| dc.rights.local | Acceso abierto | spa |
| dc.rights.uri | http://creativecommons.org/licenses/by-nc-sa/4.0/ | |
| dc.subject | NIST | |
| dc.subject | Vulnerabilidades | |
| dc.subject | Seguridad de la información | |
| dc.subject | Detección | |
| dc.subject | Identificación | |
| dc.subject | Protección | |
| dc.subject | Remediación | |
| dc.subject | Recuperación | |
| dc.subject | AWS | |
| dc.subject.ddc | 621.3820289 | |
| dc.subject.keywords | NIST | |
| dc.subject.keywords | Vulnerabilities | |
| dc.subject.keywords | Information Security | |
| dc.subject.keywords | Detection | |
| dc.subject.keywords | Identification | |
| dc.subject.keywords | Protection | |
| dc.subject.keywords | Remediation | |
| dc.subject.keywords | Recuperation | |
| dc.subject.keywords | AWS | |
| dc.title | Propuesta proceso de gestión de vulnerabilidades | |
| dc.title.translated | Vulnerability management process proposal | |
| dc.type.coar | https://purl.org/coar/resource_type/c_7a1f | |
| dc.type.coarversion | https://purl.org/coar/version/c_ab4af688f83e57aa | |
| dc.type.driver | info:eu-repo/semantics/bachelorThesis | |
| dc.type.hasversion | info:eu-repo/semantics/acceptedVersion | |
| dc.type.local | Tesis/Trabajo de grado - Monografía - Especialización | spa |
Archivos
Bloque original
1 - 5 de 5
Cargando...
- Nombre:
- Trabajo de grado.pdf
- Tamaño:
- 1.99 MB
- Formato:
- Adobe Portable Document Format
Cargando...
- Nombre:
- Anexo 2 Proceso de Gestion de Vulnerabilidades.pdf
- Tamaño:
- 154.58 KB
- Formato:
- Adobe Portable Document Format
Cargando...
- Nombre:
- Anexo 3 Inventario de Activos.pdf
- Tamaño:
- 119.66 KB
- Formato:
- Adobe Portable Document Format
Cargando...
- Nombre:
- Anexo 4 Vulnerabilidades encontradas.pdf
- Tamaño:
- 1.27 MB
- Formato:
- Adobe Portable Document Format
Cargando...
- Nombre:
- Anexo 5 Plantilla del perfil organizativo.pdf
- Tamaño:
- 207.67 KB
- Formato:
- Adobe Portable Document Format