
4 RESULTS OF THE THESIS AND FUTURE

The thesis set out with the goal of exploring what information security means in the context of a large organization, a multinational engineering group to be exact. How could the challenge of securing millions of documents without losing business value be tackled? It quickly became apparent that the field was vast and that many decisions regarding the scope of this thesis would have to be made to prevent it from growing into a behemoth of a write-up.

On the theoretical side, the aim of this thesis was to present the principles on which information security in a large organization is based, and how robust security practices against the loss of digital assets are achieved without encumbering the value-creating employees.

The practical case and basis for this thesis were the data loss prevention measures taken by Andritz Group. The question we set out to answer regarding their case was how to improve the management of their data loss prevention system.

The recommendations in the thesis are based on discussions with the personnel of the company and observations about the culture at Andritz. Priority was given to the most easily implementable and cost-effective methods. Some thoughts were also presented about possible future needs that could be considered, the biggest being the rise of visualization and the author’s interest in that area. Insider threats were discussed in the context of malicious actors, and this is also an area that could benefit extensively from increasing capabilities in modelling and simulation.

The answer to the research question, and the conclusions on practical methods that can quite easily be integrated into the current workflows at Andritz, include the creation of a stylebook of coding conventions and the starting of a guidebook of best practices, for example to achieve maximum reusability of configuration code. A wiki, in Andritz’s case Confluence, could play a vital role in this, as there is already precedent for its use in the company. The aim of these measures is to make sure the silent knowledge is not left silent and to increase the collective intelligence of the security team. This would lower the barrier of entry to the system for new users and make it easier to introduce new contributors. This is especially important because the Digital Guardian setups in every company are so tailored to organizational needs that additional documentation is certainly needed beyond the official documentation provided by DG. These suggestions were based on the prior experiences of large organizations and best practices in the software engineering industry.

The advantages of security data analysis and visualization are presented more as a future concept, based on the discussions with Andritz. Data visualization was discussed from two sides: historical and real-time data. Historical data can be used to create graphs that present ideas to non-technical people and to find hidden relations in data. Real-time data, on the other hand, is used to monitor the trends of the organization’s security. An easily implementable recommendation is to utilize the existing capabilities of Digital Guardian and use the real-time data analysis it offers. The dashboards created from the data streams are then to be shown on a TV screen constantly displaying the state and trends of the system, or hosted in a web service to also offer remote access to the information.

In the future, I think that, with the amount of data being created increasing so quickly, the importance of data science in the field of cyber security will increase. I feel that the adaptiveness that cyber security systems need as attack vectors increase can only be achieved with predictive security modelling and finding the hidden relations in big data. My interest in the field of cyber security has only increased during the writing process of this thesis, and I plan to continue my studies with a career in security in mind. As an exchange student in Paris, I have also complemented my studies with courses in machine learning and data science, and I feel the value of these skills in the security domain is constantly increasing.

Security is in higher demand than ever, and I wish to be part of the movement making sure that interconnectivity does not mean that we must compromise on security.

