Rafael Bucio
TPX Security
View from the Top

Cyber Vulnerabilities Are Constantly Evolving

By Jan Hogewoning | Wed, 02/03/2021 - 08:00

Q: How does your company add value to cybersecurity services?

A: TPX security is dedicated to cybersecurity, ethical hacking and intelligence. One of our added values is our research and analysis on informatics attacks. In contrast to companies that offer just software, such as antivirus and detection tools, we specialize in finding vulnerabilities. We cover almost all areas related to communication. Infrastucture, which includes servers and digital devices such as computers, are the most common areas of vulnerability. However, we also provide industrial systems, such as SCADA systems.

Our main methodology is black box. This means that we emulate an attack that a real cybercriminal would attempt on a system. Often, these are zero-day attacks, meaning without the use of public information on the company already available before the attack. When we carry out an analysis like this, we uncover the vulnerabilities in the company’s systems, detecting where there could be a breach and then we patch it.

Q: How long do these analyses take?

A: This really depends on the system. For an infrastructure with 30 PCs and two servers, it can take two weeks. For big industrial systems, which include hardware like robots, it can take almost a month. In 2017, we actually found a breach at storage sites for gasoline products that were operated by an entity in Mexico and other countries in Latin America. People were connecting to Wi-Fi at these locations. Using their devices as the entry to the system, you could actually manipulate the temperature and other conditions of the gasoline. Our investigation took six months and during this time we created an automated software that could detect every breach.

Q: Is it correct to assume that while you may be investigating a vulnerability, the vulnerability itself may actually be evolving?

A: This is correct. Technology keeps changing and so do the vulnerabilities. It is a bit like a life cycle. We find a vulnerability, we patch it and then we verify its status. Then we test again and seek a new vulnerability. Thankfully, there are frameworks and tools that make use of machine learning to gain a better understanding of where vulnerabilities are. For example, they know how web applications work, they can see if there is a code error or where information is exiting the system.

Q: In which sectors are your clients?

A: Our company started in the financial sector. Banks and fintechs remain the majority of our clients. However, we also have clients in industrial areas, such as oil and gas, energy, even nuclear energy and automotive. We are located in Aguascalientes, and in this region, there are many automotive suppliers. Furthermore, our company provides training in cybersecurity areas for the private and public sectors. We provide courses on the behavior of cyber and regular criminals to the police and to military entities. One of our clients is the Bolivian government. For financial sector clients, we provide training on data loss prevention, among other topics. Anyone can take part in the training. We have a certification program for ethical hacking, as well. In the industrial area, we offer training on how to protect operational technologies. Often, we look at a company’s protocol, we conduct ethical hacking and then we provide personalized advice on the basis of the company’s needs. Apart from training, we also offer awareness activities, which is more like sharing information on how to have a more secure password, for example.

Q: How would you characterize cybersecurity of industrial operations in Mexico?

A: The problem is that the technology used in many plants tends to be very old. Robotic systems can be more than 10 years old. This increases the areas for potential exploitation. Some manufacturing companies are implementing upgrades, like many German companies. However, it is definitely a major risk area. An advantage for industrial systems is that they tend to not be public. Banks have very public systems, with data that is more easily accessible. Industrial plants need to be attacked directly and in many cases someone actually needs to be at the plant to enter the system. However, if cybercriminals find a server that is public, they could find a way into the system. From there, they can scale up privileges and move laterally across the system. It is very important that companies have segmentation in place. Wi-Fi should not be connected to a robotics system.

Q: In which countries are you present besides Mexico?

A: After Mexico, Panama was the first market we entered. There is a great deal of potential for financial sector clients there. We also expanded into Colombia and are present in Chile and Bolivia. We have a physical presence in Panama but also an alliance there with a well-regarded company called Ethical Hacking Group. We also have partnerships with a cybersecurity company in Colombia and a company in Chile.

Q: What service model do you offer to clients?

A: We can offer one-time services as well as packages for a certain time frame. For example, we can do a one-time audit or tests. However, we have plans to offer cybersecurity services that last a month, six months, a year or two years. Some companies need to abide by very strict norms and they require monthly audits.



TPX Security is an ethical hacking company that specializes in vulnerability analysis and management, audits, security testing, secure software development, storage and information integrity and information security architecture

Photo by:   TPX Security
Jan Hogewoning Jan Hogewoning Journalist and Industry Analyst