Análisis de vulnerabilidades para la infraestructura de red de la bolsa de valores de Quito, aplicando una metodología de Ethical Hacking

Abstract

The Quito Stock Exchange (BVQ) needed to perform a vulnerability scan on the computer security of its data network. In this proposal, the current situation of the BVQ is reviewed before the intervention on vulnerability analysis, and a conceptual review is also carried out that provides theoretical support for the work. For the development of this project, the exploratory study type was used because when carrying out the vulnerability scan, the BVQ data network was examined, thus determining the security gaps, through the inductive-deductive method, public information was collected, the same which provided some possible reasons for the alleged localized vulnerabilities. For this study, two ethical hacking methodologies were analyzed, which allowed selecting the one that best suits the reality of the BVQ, the selected methodology was OSSTMMv3 since it is a complete methodology, it also shows the criteria that must be considered to audit or assess vulnerabilities within an organization; It does not establish any analysis objective, but indicates the guidelines for the most appropriate selection of the objective to be analyzed. For risk assessment, the methodology uses RAVS. For the vulnerability analysis the channels suggested by the OSSTMMv3 methodology were used, these are: physical, human, wireless, telecommunications and data network, the methodology indicates that it must be verified, verified and accounted for in each of the channels according to the selected objective, so free software tools such as Kali Linux were used for internal and external scanning of the BVQ data network. At the end of the document, the results obtained after the vulnerability scan are presented, as well as a risk matrix that allowed the analysis of the probability and impact of each of the vulnerabilities detected within the channels of the methodology.