Sedena cybersecurity is disapproved by the Superior Audit of the Federation

The ASF said that in the analysis carried out it was identified that only two cyber defense controls are acceptable, four need to be strengthened and 14 more are totally vulnerable to cyber attacks.

(MEXICO – ASF).- There are deficiencies in the hardware and software infrastructure used for the cybersecurity of the Secretariat of National Defense (Sedena), which put the operation of the Mexican Armed Forces headed by General Luis Cresencio Sandoval at risk.

This is the conclusion of a review by the Superior Audit of the Federation (ASF), which warns that the deficiencies found could affect the integrity, availability and confidentiality of the information handled by Sedena.

The ASF said that this conclusion was reached when analyzing the review of the information provided by Sedena, related to the administration and operation of the Secretariat’s cybersecurity controls.

He explained that the guidelines, infrastructure and computer tools in this area were analyzed. For this, the Center for Internet Security (CIS) Controls IS Audit/Assurance Program document was used as a reference.

In this document, 20 controls are established, made up of 171 activities to carry out the evaluation and identification of the cyber defense strategies, policies, procedures and controls implemented by the National Defense Secretariat (Secretaría de la Defensa Nacional: Sedena).

He pointed out that, in relation to the response and management of cybersecurity incidents, it was detected that Sedena lacks the definition of a response procedure for cybersecurity incidents.

He added that no evidence was presented that proves that the Secretariat of National Defense has communication with organizations, authorities, computer emergency response teams or any other groups, in order to notify vulnerabilities or incidents of great importance.

Likewise, the audit pointed out that tests of cybersecurity incident scenarios are not carried out with Sedena users, in order to validate that the response strategy defined by the unit is adequate and sufficient, in the event of a contingency.

“There was no evidence of penetration tests and red team exercises, in order to identify unprotected information and devices, nor of the documentation and follow-up given to what is reported in these tests”, the ASF explained.

President López Obrador has been granting the Secretary of National Defense (SEDENA) all kinds of tasks and activities not related to National Defense, such as the construction and operation of large infrastructure works such as the Felipe Angeles Airport (as well as the communication routes that will connect it with CDMX), the Tulum Airport, the Maya Train project, the Dos Bocas Refinery, plus whatever the president may come up with in the next two and a half years.

The question at this point is: Does the SEDENA have the capacity and expertise to be in charge of so many different projects (not related to their field), developing at the same time in different parts of the country?

TYT Newsroom