This report describes the results of research carried out in the context of the Master's degree in Cyber Security. The study examined the problem that public tenders contain information that hackers can collect while preparing a cyber-attack. Adversaries can easily access this information and abuse it against the tendering organizations. Therefore, the main goal of this research is to establish guidelines for identifying and reducing sensitive information in tenders, in order to prevent malicious parties from gathering and using this information in the preparation of cyber-attacks against tendering organizations. To this end, the concepts of open data, procurement, reconnaissance, the cyber kill chain, and open source intelligence were examined. In addition, interviews were held both to identify the risks for tendering organizations that follow from this problem and to evaluate the established guidelines. The research results show that the information in tenders is public because of the principles on which the rules regarding tenders are based: they are meant to offer companies fair opportunities to win contracts through tenders. Because the information in tenders is public, it can be compared with the concept of open data. As a result, the risks inherent to open data, such as abuse by malicious parties, also apply to information in tenders. Further research into the reconnaissance activities of hackers has made it clear that hackers look for specific types of information in preparation for cyber-attacks. Document analysis of real tenders and interviews with security professionals established that these types of information occur in tenders.
This means that malicious parties can use tenders to collect information about organizations that is relevant to preparing cyber-attacks against those tendering organizations. As a result, the tendering organizations face risks with regard to the confidentiality, integrity and availability of company assets. In particular, the likelihood that such risks arise is increased because the information is easily accessible to malicious parties. In order to prevent this, guidelines have been established. These guidelines should be used in follow-up research in which a final solution is created that implements the functionalities the guidelines describe. The established guidelines focus in particular on identifying and reducing information in tenders that is relevant to hackers, before the tenders are made public. In this way the risks for tendering organizations can be prevented, because this information can no longer be collected by malicious parties. The likelihood of the identified risks occurring is reduced. In addition, techniques have been suggested with which these guidelines can be implemented. The techniques discussed are regular expressions, text mining, comparison with known information, optical character recognition, and image recognition. Furthermore, guidelines have also been established that focus on the practical side of a final solution and the fact that this solution must be used in an existing context: people, processes and organizations. The guidelines and the results of the study were evaluated in interviews with senior purchasers. From these interviews it can be concluded that a solution based on the guidelines adds value in practice by reducing sensitive information in tenders and preventing risks for tendering organizations. The results of this research thus lead to recommendations for follow-up research, where the aim is to create an automated solution based on the guidelines that have been established.