Building Strategies to Make Sure Cybersecurity Is Everybody’s Business

Cybersecurity is continually a focus of news headlines and remains very much a topic under discussion across the globe. As the world, its devices and its systems become increasingly connected, the need to have the right cybersecurity defences in place is clear and increasingly understood.

Businesses are certainly aware of how much damage a successful data breach can cause, so much so that it has become a major boardroom issue, with employee education, and the role employees play in preventing cybersecurity incidents, central to the thinking of directors and executives.

In Europe, firms also have new laws to think about in the coming years, particularly with new legislation coming in from the EU. The Network and Information Security (NIS) Directive and the General Data Protection Regulation (GDPR) come into force in May 2018.

So the question is, how prepared is Europe for breach prevention and the ability to apply the “state of the art”, as well as for the notification of authorities in the event of a breach, be that aligned to the protection of EU residents’ personal data or the broader requirements to notify around certain security incidents set out in the NIS Directive for operators of essential services and the lighter requirements for digital service providers?

Results from our research, “Clearing the Path: Preventing the Blocks to Cybersecurity in the Business”, are encouraging. The research showed that European businesses certainly understand what’s at stake, with 96 percent of business decision-makers acknowledging that cybersecurity should be a priority.

Cybersecurity is not yet everybody’s business

But it’s not all good news. Cybersecurity should be everybody’s business, but it seems that this isn’t always true in practice – one in five management-level employees don’t feel they have a role to play in cybersecurity, while 40 percent believe that IT alone would be held to blame in the event of a breach. The upcoming pieces of legislation mean that such a legacy view will no longer survive.

By now we should all understand that cybersecurity isn’t just an IT issue but a business practice that needs to involve all employees and all departments. Our research indicates that this isn’t easy, as some cybersecurity policies have a negative effect on productivity – one in five respondents feel policies are frustrating and can prevent access to tools they need to do their job well.

On the other hand, our research indicated that 61 percent of respondents would make sure that they spoke with IT before introducing a device onto a corporate network. While that is an overwhelmingly positive figure, it leaves 39 percent of employees not engaging with IT before connecting – a high margin for risk. There was also some concern around temporary employees, such as contractors; 16 percent of respondents said they had observed that a temporary employee had circumvented policies.

It seems that, even though the bring-your-own-device (BYOD) model has been around for a long time, many companies still have trouble managing both personal and business access, especially as the boundaries between consumer and corporate cloud services become increasingly blurred.

Viewing cybersecurity as an integral part of the business

So there is still work to do, but progress is being made. Cybersecurity is becoming a boardroom topic and an integral part of the business. To continue along this path, organisations must understand that cybersecurity education, empowerment and implementation are all ongoing processes. This will mean continuing with education efforts and ensuring employees, both in full-time and non-permanent positions, have all the skills and training needed to identify and prevent threats.

The immediate challenge is to adapt to the cybersecurity requirements laid out by GDPR and the NIS Directive, which create a compelling case to prevent cybersecurity breaches. Looking at the bigger picture, organisations need to prepare for a period in which the number of devices is expected to grow exponentially as more data flows between businesses. Gartner says that 25 percent of identified attacks will involve the internet of things (IoT) by 2020.

Future cybersecurity strategies also need to keep in mind that employees will demand choice over the devices and services that they use. Organisations must enable this, rather than dictate, and that may well mean looking at next-generation security tools designed for a modern computing environment.

[Palo Alto Networks Research Center]

SpyNote Android Trojan Builder Leaked

Our team recently discovered a new Android Trojan called SpyNote, which facilitates remote spying. The builder, which creates new versions of the malware, recently leaked on several malware discussion forums. SpyNote is similar to OmniRat and DroidJack, which are RATs (remote administration tools) that allow malware owners to gain remote administrative control of an Android device.

Like these other RATs, SpyNote has a large feature set including the following:

  • No root access required
  • Install new APKs and update the malware
  • Copy files from device to computer
  • View all messages on the device
  • Listen to calls made on the device
  • List all the contacts on the device
  • Listen live or record audio from the device’s microphone
  • Gain control of the camera on the device
  • Get IMEI number, Wi-Fi MAC address, and cellphone carrier details
  • Get the device’s last GPS location
  • Make calls on the device

Figure 1: SpyNote Control Panel

The SpyNote APK requires victims to accept and grant SpyNote many permissions, including the ability to edit text messages, read call logs and contacts, and modify or delete the contents of the SD card. We have found that a sample of SpyNote was uploaded to the VirusTotal and Koodous malware analysis websites.

Analysis

Upon installation, SpyNote removes the application’s icon from the victim’s device. The SpyNote builder application is developed in .NET and is neither obfuscated nor protected with any obfuscator or protector.

Figure 2: Decompiled SpyNote Builder

The uploader might be following the instructions described in YouTube videos on using SpyNote, considering the port number used is exactly the same as in the videos (https://www.youtube.com/watch?v=E9OxlTBtdkA) and the uploader only changes the icon of the APK file.

Furthermore, this RAT has been configured to communicate with the command and control (C&C) IP address 141.255.147.193 over TCP port 2222, as shown in the images below.

Figure 3 – Dalvik bytecode view using Cerbero profiler

Figure 4 – SpyNote opening a socket connection

Based on the information we have already found, we know that the malware uses the hard-coded SERVER_IP and SERVER_PORT values (Figure 4) for this socket connection. This makes it possible to write an extractor for the C2 information using Androguard (https://github.com/androguard/androguard). The spynote.C2.py script parses these values from the APK file and prints them to the command line (Figure 5).

Figure 5 – Extracted C2 information
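The spynote.C2.py script relies on Androguard and is not reproduced in the post. As an added illustration (not the blog’s script and not Androguard’s API), the following standard-library-only Python walks the DEX string table directly, which is where Java string constants such as a hard-coded SERVER_IP or SERVER_PORT end up, and flags every entry that is a bare IPv4 address or port number as a C2 candidate. The `build_dex_fixture` helper, the `SAMPLE_STRINGS` list and all function names are constructed for this example; the only values taken from the post are the reported C2 address 141.255.147.193 and port 2222.

```python
import re
import struct

# Added example, not the blog's spynote.C2.py: reads the DEX string table by hand
# (string_ids -> string_data_item) instead of going through Androguard.


def _encode_uleb128(value: int) -> bytes:
    """ULEB128 encoder, used only to build the constructed fixture below."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _decode_uleb128(buf: bytes, off: int):
    """Return (value, offset after the ULEB128) for the utf16_size prefix of a string_data_item."""
    result = shift = 0
    while True:
        byte = buf[off]
        off += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, off
        shift += 7


def dex_strings(dex: bytes) -> list:
    """Return every entry of the DEX string table in index order."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # DEX header: string_ids_size at 0x38 and string_ids_off at 0x3C, both little-endian u4
    size, ids_off = struct.unpack_from("<II", dex, 0x38)
    strings = []
    for i in range(size):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, p = _decode_uleb128(dex, data_off)
        end = dex.index(b"\x00", p)
        # string_data is MUTF-8, which is byte-identical to UTF-8 for the ASCII config values of interest
        strings.append(dex[p:end].decode("utf-8", errors="replace"))
    return strings


IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d{1,2})\.){3}(?:25[0-5]|2[0-4]\d|1?\d{1,2})$")
PORT_RE = re.compile(r"^\d{1,5}$")


def extract_c2(dex: bytes) -> dict:
    """Candidate C2 indicators: string constants that are bare IPv4 addresses or valid port numbers."""
    strings = dex_strings(dex)
    ips = [s for s in strings if IPV4_RE.match(s)]
    ports = [int(s) for s in strings if PORT_RE.match(s) and 1 <= int(s) <= 65535]
    return {"ips": ips, "ports": ports}


def build_dex_fixture(strings) -> bytes:
    """Constructed minimal DEX (test fixture, not a real APK): only the header fields
    that locate the string table are populated."""
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\x00"
    ids_off = 0x70
    data_off = ids_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += _encode_uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header + ids + data)


# Constructed string table mirroring what Figure 4 describes; the address and port are the ones the post reports.
SAMPLE_STRINGS = ["Ljava/net/Socket;", "SERVER_IP", "141.255.147.193",
                  "SERVER_PORT", "2222", "connect", "1.2", "999999"]

if __name__ == "__main__":
    print(extract_c2(build_dex_fixture(SAMPLE_STRINGS)))
```

For a real sample, feed `zipfile.ZipFile(path).read("classes.dex")` (and any `classes2.dex`, `classes3.dex` of a multidex build) to `extract_c2`, then confirm the hits against the code that consumes them, as Figure 4 does: a port stored as an integer literal rather than a string lives in the bytecode, not in the string table, and will not be found this way.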

Conclusion

Installing apps from third-party sources can be very risky — those sources often lack the governance provided by official sources such as the Google Play Store, which, even with detailed procedures and algorithms to weed out malicious applications, is not impregnable. Side-loading apps from questionable sources exposes users and their mobile devices to a variety of malware and possible data loss.

Thus far we have not observed SpyNote used in active attacks, but we suspect cyber criminals will begin using it because the SpyNote builder is freely available. Palo Alto Networks AutoFocus users can identify this RAT using the SpyNote tag.

Indicators

SHA256 of SpyNote Samples
[Palo Alto Networks Research Center]

How to Interpret HHS Guidance on Ransomware as a HIPAA Breach

Until recently, the healthcare industry has been up in arms on whether ransomware infections should be considered reportable Health Insurance Portability and Accountability Act (HIPAA) breaches. The argument for considering ransomware a HIPAA breach was centered on the fact that covered entities lose control of protected health information (PHI). A counterargument is that ransomware is not known to exfiltrate data outside the network, and hence should not be considered a HIPAA breach.

The U.S. Health and Human Services (HHS) Office for Civil Rights finally weighed in on the discussion with new HIPAA guidance released on July 11, 2016. It covers how activities required by HIPAA can help mitigate ransomware incidents, but more importantly, it directly answers questions related to whether ransomware infections are considered reportable HIPAA breaches.

As a former sec ops lead for a large hospital network, I’ll highlight what I think are the most important excerpts of the HHS guidance and help you interpret some of the language to make it more actionable in a hospital environment.

Excerpt 1:

Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?

Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.

In short, the guidance is “Yes, a successful ransomware infection is considered a reportable HIPAA breach unless the covered entity can demonstrate that there is a ‘…low probability that the PHI has been compromised.’”

That makes sense, but how do you demonstrate there is a low probability that PHI has been compromised? HHS answers this question directly as well. Hospital IT Security and Compliance teams will want to pay close attention to the following section:

Excerpt 2:

How can covered entities or business associates demonstrate “…that there is a low probability that the PHI has been compromised” such that breach notification would not be required?

To demonstrate that there is a low probability that the protected health information (PHI) has been compromised because of a breach, a risk assessment considering at least the following four factors (see 45 C.F.R. 164.402(2)) must be conducted:

1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

2. the unauthorized person who used the PHI or to whom the disclosure was made;

3. whether the PHI was actually acquired or viewed; and

4. the extent to which the risk to the PHI has been mitigated.

A thorough and accurate evaluation of the evidence acquired and analyzed as a result of security incident response activities could help entities with the risk assessment process above by revealing, for example: the exact type and variant of malware discovered; the algorithmic steps undertaken by the malware; communications, including exfiltration attempts between the malware and attackers’ command and control servers; and whether or not the malware propagated to other systems, potentially affecting additional sources of electronic PHI (ePHI). Correctly identifying the malware involved can assist an entity to determine what algorithmic steps the malware is programmed to perform. Understanding what a particular strain of malware is programmed to do can help determine how or if a particular malware variant may laterally propagate throughout an entity’s enterprise, what types of data the malware is searching for, whether or not the malware may attempt to exfiltrate data, or whether or not the malware deposits hidden malicious software or exploits vulnerabilities to provide future unauthorized access, among other factors. […]

Frequently, ransomware, after encrypting the data it was seeking, deletes the original data and leaves only the data in encrypted form. An entity may be able to show mitigation of the impact of a ransomware attack affecting the integrity of PHI through the implementation of robust contingency plans including disaster recovery and data backup plans. […]

The risk assessment to determine whether there is a low probability of compromise of the PHI must be thorough, completed in good faith and reach conclusions that are reasonable given the circumstances. […]

The above few paragraphs of commentary are perhaps the most important guidance from HHS because they outline what HHS defines as reasonable evidence and documentation for a covered entity to determine that a ransomware incident is not considered a reportable HIPAA breach.

Here are some conclusions based on my interpretation of the above HHS statements:

A ransomware incident may not be reportable if a reasonable number of the following three statements are true (I’ll leave it up to you to determine how many of these statements need to be true in order to consider a ransomware incident non-reportable):

  1. The PHI involved was sufficiently encrypted or de-identified.
  2. The ransomware variant is identified and determined to not exfiltrate data.
  3. The PHI data has been successfully restored from backups.

You’ll notice I ignored the HHS factor related to who the unauthorized person is as I would consider all malware operators to be equally malicious.

The PHI involved was sufficiently encrypted or de-identified: It is clearly a best practice to de-identify PHI data that is exported from your electronic health record (EHR) application, even if it is intended to remain on the internal hospital networks. Doing so can contribute to the likelihood of concluding that a ransomware incident is not reportable.

The ransomware variant is identified and determined to not exfiltrate data: As I described following the second quoted statement, it is critical to understand the specific ransomware variant that infected the hospital network. If you know the ransomware variant, you can research it and confidently conclude that the ransomware did not exfiltrate data. At the time of this blog post, our Unit 42 threat intelligence team is not aware of a ransomware variant designed to exfiltrate data. Malware operators use a different family of malware for data exfiltration.

As strange as it sounds, ransomware operators tend to be trustworthy; they know that, in order for their business model to continue to work (i.e., for them to be paid), they need to provide the key to decrypt the files once they have been paid. Malware operators who exfiltrate data from a hospital network follow a different business model – one based on the sale of health data in underground networks.

Identifying the particular ransomware variant that infected a hospital can be difficult without the right technology because there are many ransomware variants. Our WildFire malware analysis service has evaluated over a million unique ransomware samples, which gives you an idea of the wide variety of ransomware in the wild.

Security architectures that are capable of identifying ransomware variants in hospitals are usually founded on a next-generation firewall designed to prevent malware at the network level, combined with advanced endpoint protection to stop malware at the endpoint.

The PHI data has been successfully restored from backups: As I mentioned in my previous blog posting outlining Tips to Prevent Ransomware in Healthcare Environments, it’s important to review and validate server backup processes in order to restore accessibility to ransomed PHI. Some organizations don’t realize their backups are compromised or were configured improperly until a critical restoration process fails.
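The point about backups that turn out to be unusable only when a restoration fails can be checked routinely. As an added illustration (not code from the post or from Palo Alto Networks), the following Python records a SHA-256 manifest of a backup set at backup time and then compares a test restore against it, so that files that came back modified (for example, encrypted in place), files that are missing and files that were never in the set are each reported. The directory layout, file names and the `demo` scenario are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Added example: manifest-based restore validation (not the post's procedure).


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large backup files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative path, POSIX form) to its SHA-256.
    Run at backup time and store the result somewhere the backup job cannot overwrite."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a test restore against the manifest. Any non-empty list means the
    backup cannot be relied on to bring ransomed PHI back intact."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: the restore contains one file overwritten after the
    manifest was taken, one file that is absent, and one stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "ehr").mkdir(parents=True)
        (source / "ehr" / "export.csv").write_text("id,diagnosis\n1,deidentified\n")
        (source / "ehr" / "notes.txt").write_text("clinical notes\n")
        (source / "README").write_text("backup set\n")
        manifest = build_manifest(source)

        restore = Path(tmp) / "restore"
        shutil.copytree(source, restore)
        # Simulate a backup that captured files after they had already been encrypted in place
        (restore / "ehr" / "export.csv").write_bytes(b"\x00garbled ciphertext\x00")
        # Simulate a file that was renamed by the malware before the backup ran
        (restore / "ehr" / "notes.txt").unlink()
        (restore / "ehr" / "notes.txt.locked").write_bytes(b"\x00")
        return verify_restore(manifest, restore)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The manifest must be taken from the live data before an incident and kept apart from the backup media; a manifest generated from the backup itself would happily validate a backup of already-encrypted files.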

Conclusion

HHS’s guidance has made it clear that healthcare organizations should be prepared for ransomware incidents. Hospitals that employ encryption or de-identification of their data at rest, build security architectures based on next-generation firewalls, deploy advanced endpoint protection, and test their backups periodically are better positioned to protect patient data, and hence are much less likely to be required to disclose a breach due to ransomware.

Additional Reading on Ransomware:

Disclaimer – Do not consider any of the above statements as legal advice. You will need to review HHS’s guidance with your own compliance and legal teams.

[Palo Alto Networks Research Center]

Putting the METI Cyberthreat Information Sharing Recommendation Into Action in Japan

In our May 2016 blog post, we described Japan’s new Cybersecurity Guidelines for Business Leadership Version 1.0, issued by the Japanese Ministry of Economy, Trade, and Industry (METI) and its Information-Technology Promotion Agency (IPA), and the positive progress seen in Japanese industry since the Guidelines’ release in December 2015. This follow-up blog post analyzes one of METI’s specific recommendations: that companies undertake more cyberthreat information sharing. We provide our thoughts on what more can be done to improve and enhance the cybersecurity of Japanese industry to benefit both Japan and the world.

METI puts information sharing as the Cybersecurity Guidelines’ Action Item 8, which states that leadership should “actively participate in and contribute to cyberthreat information-sharing activities” to the extent possible to minimize incidents or damage to companies’ networks. This is an essential recommendation. To dramatically shift the balance of power, close the competitive gap between the attacker and victim, and realize exponential leverage against cyber adversaries to restore trust in the digital age, we must operationalize cyberthreat information sharing. What is the current status in Japan, what are the obstacles to greater cyberthreat information sharing by companies, and how might things be improved?

Despite varied levels of success, all countries are struggling to establish effective cyberthreat information sharing frameworks in which members can exchange information about threats and incidents—such as botnet command and control servers, malware samples, malware analysis results, and indicators of compromise—in a timely manner. There are myriad reasons that might slow adoption of this practice: technical (many systems cannot adequately share at volume, and there are still a number of different sharing standards), regulatory and legal concerns, and trust issues.

Although all countries need to improve cyberthreat information sharing, Japan seems to lag behind its global peers in adopting the practice. PricewaterhouseCoopers (PwC) reported in its Global State of Information Security Survey 2016 that Japanese companies are less willing to share information about cybersecurity threats than other companies across the globe. While 30.4 percent of Japanese companies share such information, PwC reports that 64.7 percent of companies in the world do. (PwC interviewed more than 10,000 C-level executives and board members in charge of IT in 127 countries between May and June 2015 for this survey report.)

The top reason Japanese companies reported for not wanting to share threat information is that they do not have adequate information sharing frameworks (39%). Until cyberthreat information sharing programs are set up to leverage automation – which requires both technical work and strong privacy protections – such frameworks are dependent upon skilled people to actually do the work. At present, Japan lacks adequate human resources to participate more in information sharing. According to a 2015 METI study, Japanese companies lack IT and cybersecurity professionals who can judge which threat intelligence should be shared, when, and with whom, largely because Japanese companies tend to outsource cybersecurity-related work to system integrators. METI compared Japan to the United States, where large companies, such as banks, sometimes have a cybersecurity team and even an in-house cyberthreat intelligence team. According to METI’s statistics, 24.8 percent of IT professionals in Japan work in-house, whereas 75.2 percent work at IT services companies (e.g., system integrators and others providing cybersecurity to other companies). By comparison, in the United States, 71.5 percent of IT professionals work in-house, with 28.5 percent at IT services companies. Other top reasons cited in the PwC study for low participation of Japanese companies in information sharing are the lack of trust in competitors and in third parties’ information.

We believe cultural attitudes also may contribute to reluctance to participate in cyberthreat information sharing in Japan. As described by anthropologist Ruth Benedict in 1946, Japanese culture has a shame factor, where the desire to avoid “loss of face” is extremely powerful. Although many companies around the world may not wish to admit they have been the victim of a cyber incident, or reveal the fact that they were targeted, admitting so—even within a “trust”-based environment, as cyberthreat information sharing groups are meant to be—may be inordinately difficult for Japanese companies.

Additionally, volunteerism—in the sense of contributing to a community—is likely a factor in the success of information sharing among participants. A Japanese government-affiliated foundation has noted that the United States has had a long history of volunteer-based activities to complement public administration and social welfare, dating from as far back as the 17th century. Japan, on the other hand, started to develop American-style volunteerism only after the end of World War II, and Japanese volunteer activities have tended to focus on social welfare activities for their own residential communities. This history could make it challenging for the Japanese to contribute to a larger, much more distributed volunteer community for information sharing.

To help Japanese companies rapidly embark on more information sharing, it would be useful for other countries to discuss their information sharing best practices with Japan. In fact, some Japanese organizations already are modeled on U.S. approaches. For example, the United States has numerous industry-specific Information Sharing and Analysis Centers (ISACs), which are now being complemented by a broader category of Information Sharing and Analysis Organizations (ISAOs). Japan launched its first ISAC, the Telecom-ISAC, in 2002, followed by the Financials ISAC in 2014. This ISAC is modeled after the U.S. Financial Services ISAC, or FS-ISAC, arguably one of the most successful ISACs, and it is trying to learn lessons from this body. The Japanese Financial Services Agency’s guidelines for the financial sector encourage financial institutions to share threat intelligence via relevant information sharing frameworks, including the Financials ISAC.

Like its counterpart in the United States, the Financials ISAC has multiple levels of membership for financial institutions and vendors to disseminate and access threat intelligence. Core and associate members—banks and insurance companies—can receive more sensitive threat intelligence, and they can participate in working groups on such issues as best practices, cyber exercises, global information sharing with the FS-ISAC, and incident response. This type of arrangement generates a comfortable environment in which to exchange sensitive information among trusted members belonging to the same industry.

Japan realizes it needs more ISACs. The Japanese Ministry of Internal Affairs and Communications (MIC) plans to expand and rename the Telecom-ISAC to the “ICT-ISAC” to include not only telecom companies and Internet Service Providers (ISPs), to which membership has traditionally been restricted, but also ICT companies—including security vendors—and system integrators. In addition, a new Electric Power-ISAC will also be established in Japan and work closely with both the U.S. Electricity ISAC and European Energy-ISAC.

These cross-border efforts are commendable. For one thing, they can help to raise the global bar by allowing Japanese companies to share intelligence uniquely seen in Japan to help multinational companies with a presence in the market better protect themselves from threats.

ISACs have traditionally developed in industry verticals (e.g., financial services, healthcare, energy) in which each participating company uses the information it receives to protect its own network and share threats to their specific sector. However, ISACs are not the only form of information sharing organizations in the U.S.

For example, the Cyber Threat Alliance (CTA), established in September 2014, is a group of cybersecurity companies that have chosen to work together in good faith to share threat information for the purpose of improving defenses against advanced cyber adversaries across member organizations and their customers. Palo Alto Networks is proud to be one of the four founding members of the CTA. The CTA reflects a departure from the traditional philosophy of cybersecurity companies, which are known for competing against each other based on the threat information each company has. The CTA enables security companies to act upon a common knowledge of shared cyberthreats. Unlike ISACs, the CTA is tailored to the unique capabilities of the security industry, and it requires every member to share previously unknown – or zero-day – threats. The shared information is then used by the participating companies to protect their clients across all verticals (financial, health, energy, etc.).

Trust and cultural factors that might impact information sharing are important for any country to address. In fact, trust is a key ingredient to cyberthreat information sharing. It takes time to build mutual confidence and share cyberthreat intelligence among members of any information sharing framework. Personal relationships often make a big difference and can lead to institutionalizing those ties. Japanese companies are beginning to talk more frankly with each other about cybersecurity and share ideas and best practices, as we noted in our May blog, which we believe will lead to greater trust.

Thought leadership engagements are indispensable in helping reduce feelings of shame. Business executives in any country need to understand that all companies are being targeted by cyberattacks and that threat intelligence sharing is an essential ingredient to prevent the expansion of similar attacks. Being targeted is not a shame. It is simply another risk to business operations.

As with many of Japan’s cybersecurity activities, the actions toward greater cyberthreat information sharing reflect the fact that Japan’s government and industry aim to enhance cybersecurity to make the Tokyo Olympic Games 2020 successful, setting the stage for a positive legacy and national cybersecurity capability toward 2020 and beyond. But there also is the larger goal of building cyber resilience throughout the economy. We agree with the Japanese government that cyberthreat information sharing is a crucial part of that equation, as highlighted in METI’s Cybersecurity Guidelines.

This is the third in a series of blogs co-authored by Mihoko Matsubara and Danielle Kriz aimed at introducing Japan’s cybersecurity efforts and their significance to a global audience, including governments, global industry, and other thought leaders. Subsequent blogs are expected to cover Japan’s role in global cybersecurity capacity-building, the cybersecurity ramifications of planning for the Tokyo Olympic Games 2020, and other topics.


[Palo Alto Networks Research Center]

Cybersecurity Education—Starting Young and Making It Fun


Above are the developers of the CynjaSpace mobile app, which was created in partnership with ISACA.

To advance cyber education for children and families, CynjaTech and ISACA are partnering to create a new fully guided educational experience that teaches kids and their families about computer science, security and safety.

The collaboration combines ISACA’s industry-leading Cybersecurity Nexus (CSX) curriculum with the successful Cynja comic series inside the CynjaSpace mobile app to offer exciting interactive games and lessons that teach digital survival skills to children.

CynjaTech’s founders, Heather C. Dahl and Dr Chase Cunningham, started bringing cyberspace to life by publishing their first book, The Cynja® Volume 1, based on their professional experience in tech and cybersecurity. In the following question and answer session Dahl and Cunningham talk about their mission to educate kids on cyber safety.

ISACA Now:  Your book series The Cynja tells an action-packed story about malicious cyberattacks, which is an important topic for ISACA members. Why was it important to tell this story?
Dahl: The cyber world is filled with battles between good and evil—it’s as thrilling as any comic book—and yet it didn’t have its own superhero. So we started thinking, what would you call someone with super powers in cyberspace? What would they look like? They’d need to be smart and stealthy, wouldn’t they? And have awesome weapons? And before you could say “DDoS attack!” we had “the Cynja”—a cyber ninja!

The other thing was that the kids in our lives were reading stories about old-school bad guys like dragon slayers even as there were digital monsters invading their computers. It was time for an upgrade, one that could teach kids a really valuable life lesson as they grew into technology: There’s a whole new world of digital crime out there!

ISACA Now:  How did the writing of your book series lead to the creation of the CynjaSpace app?
Cunningham: Think of CynjaSpace as cyberspace with training wheels. The app combines the safety, controls and activity reports parents need, while allowing kids the fun and freedom of using the web and chatting with friends.

This isn’t a web search filter, a ho-hum tutorial, or even just a social network; CynjaSpace inspires kids to learn to be Internet savvy while interacting with our original comic characters and storylines. Ultimately, our Cynja characters are the role models for kids in cyberspace.

We’re very excited to partner with ISACA to bring cyberpower education for kids into CynjaSpace. By adapting the CSX content for kids and including it in our app, we can start children on a path to a smart, safe digital life.

Our mission is personal—together with ISACA, we will develop the educational lessons that we as technology and security professionals want to teach kids, parents and our own families.

ISACA Now:  As information security professionals, what can we tell other non-tech parents about the online dangers that many of us see every day?
Dahl: Parents need to help their children understand cyberspace isn’t the Magic Kingdom, it’s the Wild West—only worse. Online you rarely see the bad guys before they attack, and it’s hard to see the white hats who serve as role models. No one gets to observe others as they make choices and experience the consequences.

Being a cyber hero for children is far more than being a successful Internet entrepreneur. It’s living a smart, ethical life online. It’s treating people and data with respect.

It sounds straightforward, but here’s the problem: It’s hard for many kids to see their parents as digital role models because parents don’t open up their online lives to their kids. Our kids aren’t riding tandem as we email, shop online, surf the web, and use social media, but that’s the view of the cyber world that kids need to experience. Just like daily life, digital life is not a fairytale; it’s a place where there are real consequences.

I’m here to tell you, all adults—techies or not—are role models for children. If we are concerned about our children’s digital welfare then we must fill this void.

ISACA Now:  ISACA members know firsthand that understanding the background behind a cyber-attack is quite technical. There are multiple layers and plenty of technical terms; however, through the layout of your Cynja books and the way the stories take shape, the process is broken down into a more simplified and easy-to-understand progression. How did you translate that process to your comic series and CynjaSpace app?
Cunningham: I provided insight into what it was like to fight real battles in cyberspace—in all their glorious, geeky detail. But we then had to turn this into something a kid would relate to—and so Heather spent a lot of time with her nephew trying to see the world through a six-year old’s imagination—and what it’s like to be the hero of your own magical battles against bad guys.

We wanted to illustrate The Cynja so that readers could understand the gravity of being stuck in an infected network or encountering malicious malware. Shirow Di Rosso, our illustrator, who we call the Artmaster, was an IT engineer, so he knew exactly what this world looked like and how to visualize it in an imaginative yet accurate way.

With CynjaSpace and our ISACA partnership, we move the story and technology lessons from the book, into a fully interactive digital learning experience for kids. With ISACA’s expertise and support, we are creating the next generation of cyber education for kids and their families.

It’s important for kids to know that it’s up to people like ISACA members to protect vital computer systems. We need to encourage kids to be safe online and to learn about the technology. Incredibly, we’re facing a shortage of cybersecurity professionals that is expected to last for years. My hope is that CynjaSpace will inspire kids to join in fighting bad guys online.

[ISACA Now Blog]
