Luigi Villafuerte Clavijo

*

Byron Oviedo Bayas

*

ABSTRACT

The present research addressed the critical issue in the

field of cybersecurity. The technological infrastructure of

information systems known as MAGERIT was employed,

providing a systematic and structured framework to

identify, analyze, and manage risks related to information

security in an organization. In the context of this research,

this methodology was applied to conduct a comprehensive

risk analysis of the institution's infrastructure. During the

analysis, risk levels were verified in each department,

identifying critical areas of vulnerability that could

compromise the integrity and operational effectiveness of

the institution. The results confirmed the existence of

against potential cyber attacks.

* Msc. Universidad Península de Santa Elena | Facultad de

Posgrado | La Libertad-Santa Elena | Ecuador,

https://orcid.org/0009-0003-9995-5551, Email:

luigi.villafuerteclavijo0878@upse.edu.ec

* Ph.D Universidad Técnica Estatal de QuevedoQuevedo -

Los Ríos, Ecuador, https://orcid.org/0002-5366-5917,

RESUMEN

La presente investigación abordó la cuestión crítica en el

campo de la ciberseguridad. La infraestructura tecnológica

objetivo, se empleó la metodología de análisis y gestión de

riesgos de los sistemas de información conocida como

MAGERIT, que proporciona un marco sistemático y

estructurado para identificar, analizar y gestionar los

riesgos relacionados con la seguridad de la información en

una organización. En el contexto de esta investigación, esta

metodología se aplicó para realizar un análisis de riesgos

exhaustivo de la infraestructura de la institución. Durante

el análisis, se verificaron los niveles de riesgo en cada

departamento, identificando las áreas críticas de

plan incluye medidas específicas para reforzar la seguridad

de la infraestructura tecnológica del Cuerpo de Bomberos

de Salinas y garantizar su eficacia operativa frente a posibles

ciberataques.

Palabras clave: ciberseguridad, infraestructura

tecnológica, MAGERIT, gestión de riesgos, vulnerabilidades

INTRODUCTION

The growing dependence on technology in contemporary institutions has led to a

significant increase in the vulnerability of their infrastructures to cyber threats (Mogollón

economic and reputational damage to the organization, as well as harm to individuals. It

is emphasized that most security failures are attributable to human error (Baca Urbina,

2017).

infrastructure with Kali Linux, Nessus, NMAP tools to identify risk levels in data transfer.

In this context, it was crucial to examine the security of key entities, such as the Salinas

Fire Department (CBS), which not only plays a vital role in protecting the community,

but also manages a technological infrastructure essential to its internal operations.

The CBS not only has a dedicated systems unit, but also hosts a network consisting of

approximately 21 computers, a database server, router and switch. In addition, the

institution uses institutional e-mail and maintains an official website that hosts

administrative information crucial to its operation. This set of technological elements,

although fundamental for optimizing internal operations, also becomes a potential target

for various types of computer attacks.

weaknesses and risks, allowing the strategic and intelligent implementation of effective

security measures. (Mieres, 2009).

In the past, the CBS network has faced a series of threats, ranging from DNS attacks to

intrusions using techniques such as SQL injection and the propagation of malware. These

events underscored the urgent need to evaluate and strengthen the security of the

institution's technological infrastructure, thus guaranteeing the integrity, confidentiality

and availability of the administrative information circulating on its network.

This study focused on analyzing and identifying the vulnerabilities of CBS's technological

infrastructure, applying a methodology that revealed the weaknesses of the

infrastructure and allowed correcting the problems, highlighting the importance of

Infrastructure Processes", M. Cando and P. Medina (2021) focused on reviewing the

existing literature on processes related to the prevention of cyber-attacks targeting

technological infrastructures. This review was carried out by examining Spanish and

Technological Infrastructure of the Second Local of the Piura Regional Government using

the Magerit Methodology". In this study, the MAGERIT methodology was used and the

identification of 348 assets was carried out, including computers, communication assets,

information support, auxiliary equipment, among others. For data collection, the author

used observation guides in the form of log sheets, where information assets, threats,

vulnerability analysis and safeguards were recorded.

H. Bolaños, J. Cruz, and J. Reyes. (2018) conducted an assessment of the security

platforms and servers in the technological infrastructure, which revealed that the Keralty

entity lacked well-defined security policies in general. As a result, they proceeded to

debug internal firewall policies and perform a vulnerability scan on servers in the

for critical vulnerabilities identified during an intrusion assessment conducted on the

technological infrastructure of a Colombian bank in October 2016. To develop this plan,

the author used two methodological approaches: one based on penetration testing,

consisting of four stages (evasion of network access controls, remote privilege

escalation, discovery of assets and services, inspection and exploitation of

vulnerabilities), and another based on risk management according to ISO 27005.

B. Aviles (2023) in his research entitled "Application of the threat hunting process for

the detection of vulnerabilities and countermeasures in the network infrastructure of

the Ambato Fire Department" proposed the creation of a detailed manual to deploy the

Threat Hunting process in the network of that entity. In this process, several specialized

them to critical assets in areas such as government, health and energy. Threats were

categorized according to their origin, such as user error, technical failures, deliberate

attacks, and natural disasters. The evaluation of the potential impact of each threat in

ISO/IEC 27001 Standards in the Technological Infrastructure of the State University of

Milagro" carried out by R. Ramírez (2022) was to identify the vulnerabilities present in

the entity with the purpose of improving its technological infrastructure. This was done

in accordance with the ISO/IEC 27001 standard, in order to reduce risks in the

institution's information systems. The author used the Failure Mode and Effects Analysis

(FMEA) methodology to evaluate the risk level of each component, which allowed him

to take mitigation measures to protect the integrity of the information. As a result of

this research, a list of recommendations aimed at improving information security, based

on the vulnerabilities identified, was drawn up.

Researchers R. Avila and J. Cuenca (2021) in their study entitled "Risk Analysis and

present in the technological infrastructure of the Universidad Laica Eloy Alfaro de

Manabí. For this purpose, they used the Failure Mode and Effects Analysis methodology

to evaluate the probability and impact levels of the risks. In addition, they used the

MAGERIT methodology to identify the unit's assets and the threats to which they could

be exposed. As a result of this study, they developed a Continuity Management Model,

which consists of several phases, including Business Continuity Plan Scoping, Risk

Assessment, Business Impact Analysis, Recovery Strategies and Plan Development.

In their research project entitled "Exploration of Vulnerabilities in the Technological

Infrastructure of an Enterprise using Intrusion Testing Tools," researchers E. Yánez and

L. Parra (2017) conducted a detailed examination of the vulnerabilities present in the

Cryptologic Center (CCN-CERT), and has been conceived as a comprehensive approach

to risk management in information systems. Its design provides a structured and

comprehensive framework that facilitates the assessment, analysis and effective

Identification of threats and vulnerabilities: Potential threats that could affect information

assets are identified, as well as vulnerabilities that could be exploited by these threats.

Risk assessment: The probability of occurrence of the identified threats and the potential

impact they would have on the information assets is evaluated. This allows prioritizing

risks and focusing mitigation efforts on the most critical areas.

Risk treatment: In this phase, strategies are developed to mitigate, transfer, avoid or

accept the identified risks. Controls and security measures are established to reduce the

probability of occurrence of threats and minimize their impact should they occur.

Monitoring and review: The risks and controls implemented are monitored and

reviewed periodically to ensure that they remain effective and adequate as conditions in

identifying and assessing the threats and vulnerabilities that impact information security,

in order to determine the level of risk to which it is exposed. This process provides the

organization with a detailed and accurate understanding of the areas where security

controls should be implemented and their specific nature. (Pagliari and Eterovic, 2012)..

Risk analysis comprises three fundamental stages (Naveiro Flores and Ríos Insúa, 2022):

1. Risk assessment: Focused on gathering information on the probability and impacts

associated with threats that could affect a system should they materialize.

Risk management: Includes activities aimed at controlling threats in order to reduce the

probability of their occurrence and/or reduce their impact should they occur.

3. Risk communication: Consists of the exchange of opinions and information about risks

the impact that these would have on the system.

Probability

In the context of risk management, the term "probability" is used to express the

possibility of an event occurring, the occurrence of which may be established, measured

or determined objectively or subjectively, both qualitatively and quantitatively, and is

described using general terms or mathematically.

Technological Infrastructure

Resources are defined as the assets, both tangible and intangible, available to carry out

tasks. Available information is considered an intangible asset, including customer

databases, suppliers, production manuals, research and patents. On the other hand,

this infrastructure is a critical factor that ensures the operational continuity, image and

integrity of the organizations. (Santiago Chinchilla and Sánchez Allende, 2017)..

According to the analysis of Gómez and Parra the protection of technological

infrastructures that support essential services has acquired a significant priority for

nations and organizations, given the growing dependence on these that is increasing

exponentially every year (Gómez and Parra, 2017).. Similarly, Roy highlights that

cybersecurity aims to preserve the availability and integrity of networks and

technological infrastructures, as well as to maintain the confidentiality of the information

hosted on these platforms (Roy, 2017).

Computer security encompasses the development of standards, procedures, methods

any type of threat, minimizing both physical and logical risks to which the information

may be exposed (Baca Urbina, 2017)however, despite the security precautions applied

to an information system, there is always a level of inherent risk (Aguilera López, 2010).

The measures necessary to know, prevent, impede, reduce or control potential risks,

involving the decision on the services and security mechanisms that will minimize risks.

After conducting a risk study and implementing measures, it is essential to carry out

periodic monitoring to review and update the measures taken.

The researcher and author specialized in computer security considers that a system is

secure when it complies with the properties of integrity, confidentiality and availability

of information, each of which requires the implementation of specific security services

and mechanisms. (Aguilera López, 2010). However, the COBIT enterprise not only

considers the aforementioned properties, it also adds effectiveness, efficiency,

compliance with standards, and reliability (Baca Urbina, 2017).

a company is always exposed to varying degrees of vulnerability. When an IT security

vulnerability is identified, it is usually the result of a flaw in the design, implementation

or operation of the system (Baca Urbina, 2017).

A computer attack implies taking advantage of any vulnerability or failure in the software,

hardware or even in the people that make up a computer environment, with the aim of

obtaining a benefit, generally of an economic nature, and generating a negative impact on

the security of the system, directly affecting the assets of the organization. (Mieres,

2009).

Mieres in his research identifies five common stages of a computer attack when it is

executed: Phase 1 Reconnaissance, Phase 2 Scanning, Phase 3 Gaining Access, Phase 4

Hacking lies in taking advantage of the vulnerabilities present in the "target" system by

means of intrusion tests, which evaluate both the physical and logical security of

information systems, computer networks, web applications, databases, servers, among

Information Systems Risks) was applied in this study. The application of this

methodology sought to identify, evaluate and manage the risks associated with possible

threats to information security and the continuity of the institution (CBS), therefore, it

considering its technological infrastructure, its operating environment and the most

relevant threats. In addition, the active participation of those responsible for and key

users of the system was essential for the successful implementation of security measures.

The phases that were carried out are presented below.

Asset Identification: The critical assets of the Salinas Fire Department's technological

infrastructure were identified, including servers, databases, communication systems and

Risk Analysis: The impact and probability of occurrence of the risks associated with the

identified vulnerabilities were evaluated using the Magerit risk matrix.

Mitigation Strategies: Strategies were designed to mitigate the risks identified, prioritizing

those measures that reduce both the probability of occurrence and the impact of the

risks.

Phase 1. Contextualization and Scope:

Identification of the operational context of the Salinas fire department, including its

critical functions and associated technological infrastructure.

Clear definition of the scope of the analysis, identifying systems, applications and data

critical to operations.

A proposal for Web Services Risk Reduction is provided, addressing several critical areas

of concern in terms of security. First, the lack of security updates in web services can

expose the organization to significant risks due to the exploitation of known

vulnerabilities. Implementing regular security updates is critical to patch these

vulnerabilities and maintain the integrity of web services. In addition, poor protection

against denial of service (DoS) attacks can result in serious disruption to web services.

Adopting DoS mitigation solutions can help prevent or mitigate the effects of such

malicious attacks. Also, the lack of encryption in data transmission represents a major

concern, and it is critical to perform regular security testing and employ web application

security solutions to proactively identify and mitigate these vulnerabilities.

Network risk reduction focuses on addressing common vulnerabilities that compromise

the security of the network infrastructure. This includes implementing regular security

updates to mitigate known vulnerabilities, properly configuring network devices to

Table 10: Proposed Risk Reduction Solution for the Server

unused functionality to reduce the attack surface. Poor protection against malware and

brute force attacks on the server can compromise its integrity and availability, so the

use of anti-virus and anti-malware solutions is recommended to detect and prevent the

execution of malicious software. Likewise, the lack of monitoring and event logging on

the server makes early detection of malicious activity difficult, so the configuration of

event logs and audits is essential to quickly identify and respond to potential threats.

Finally, insufficient access control on the server can result in unauthorized access and

compromise the security of stored data, highlighting the importance of implementing

strict access control policies and ensuring strong authentication of users and

administrators to protect the integrity and confidentiality of critical data.

phase of the investigation, making it possible to identify the institution's current

weaknesses and the level of risk to which the information circulating within its network

is exposed.

risk in the infrastructure of the Salinas Fire Department. Based on these findings, a

contingency plan has been proposed with the objective of reducing these risks and

guaranteeing greater security for the information available in said institution.

This contingency plan will establish clear guidelines for those in charge of the Salinas Fire

Department, in order to strengthen data protection, especially administrative

information, which plays a crucial role in the operation of the institution.

REFERENCES

Aguilera López, P. (2010). Seguridad Informática. Madrid: Editex.

https://doi.org/8497717619, 9788497717618.

Andrade Talero, D. L. (2021). Analysis of the concepts, elements and techniques of risk

management oriented to SMEs in the telecommunications sector based on magerit v3.

UNAD.

vulnerabilities and countermeasures in the network infrastructure of the Ambato

Fire Department. Degree dissertation prior to obtaining the degree of Engineer in

Information Technology. Technical University of Ambato, Ambato.

Baca Urbina, G. (2017). Introducción a la seguridad informática. Mexico: Grupo Editorial

Patria. https://doi.org/6077444715, 9786077444718

https://doi.org/148223162X, 9781482231625.

Bolaños González, H., Cruz Cuellar, J. M., & Reyes Peñaloza, J. (2018). Identification and

proposal of an improvement solution to the computer vulnerabilities of the

network and pre-production server environment of the Keralty entity.

Specialization in telematic network security. Universidad El Bosque, Bogotá.

https://repositorio.unbosque.edu.co/server/api/core/bitstreams/887a6923-50ef-

Magerit methodology. Thesis to obtain the professional degree of Systems Engineer.

Universidad César Vallejo, Piura.

https://repositorio.ucv.edu.pe/bitstream/handle/20.500.12692/59829/Delgado_

MJE-SD.pdf?sequence=1&isAllowed=y.

https://repositorio.ucv.edu.pe/bitstream/handle/20.500.12692/59829/Delgado_

MJE-SD.pdf?sequence=1&isAllowed=y

Gómez, Á. (2022). Computer security auditing. Bogotá: Ediciones de la U.

https://doi.org/9587628195, 9789587628197.

Gómez, F. S., & Parra, J. L. (2017). Public-private cooperation in infrastructure

protection. Cuadernos de estrategia, 185, 11-216.

Guamán, M., Carrillo, J. A., Flores Urgilés, C., Flores Urgilés, C., & Ron Egas, M. (2023).

1000vol7iss49.2023pp139-165

the Ecuadorian state in the period 2008-2015. Thesis for the postgraduate degree.

Naveiro Flores, R., & Ríos Insúa, D. (2022). Análisis de riesgos. Los Libros De La Catarata.

https://doi.org/8413524598, 9788413524597

https://doi.org/8494930613, 9788494930614

Roy, A. M. (2017). Cybersecurity, the external auditor and OCEXs. Auditoría pública:

penetration test to the technological infrastructure of a Colombian banking

Yánez Cedeño, E. S., & Parra Barzola, L. M. (2017). Analysis of vulnerabilities in the