Cybersecurity Education—Starting Young and Making It Fun


Above are the developers of the CynjaSpace mobile app, which was created in partnership with ISACA.

To advance cyber education for children and families, CynjaTech and ISACA are partnering to create a new fully guided educational experience that teaches kids and their families about computer science, security and safety.

The collaboration combines ISACA’s industry-leading Cybersecurity Nexus (CSX) curriculum with the successful Cynja comic series inside the CynjaSpace mobile app to offer exciting interactive games and lessons that teach digital survival skills to children.

CynjaTech’s founders, Heather C. Dahl and Dr Chase Cunningham, started bringing cyberspace to life by publishing their first book, The Cynja® Volume 1, based on their professional experience in tech and cybersecurity. In the following question and answer session Dahl and Cunningham talk about their mission to educate kids on cyber safety.

ISACA Now: Your book series The Cynja tells an action-packed story about malicious cyberattacks, which is an important topic for ISACA members. Why was it important to tell this story?
Dahl: The cyber world is filled with battles between good and evil—it’s as thrilling as any comic book—and yet it didn’t have its own superhero. So we started thinking, what would you call someone with super powers in cyberspace? What would they look like? They’d need to be smart and stealthy, wouldn’t they? And have awesome weapons? And before you could say “DDoS attack!” we had “the Cynja”—a cyber ninja!

The other thing was that the kids in our lives were reading stories about old-school bad guys like dragon slayers even as there were digital monsters invading their computers. It was time for an upgrade, one that could teach kids a really valuable life lesson as they grew into technology: There’s a whole new world of digital crime out there!

ISACA Now: How did the writing of your book series lead to the creation of the CynjaSpace app?
Cunningham: Think of CynjaSpace as cyberspace with training wheels. The app combines the safety, controls and activity reports parents need, while allowing kids the fun and freedom of using the web and chatting with friends.

This isn’t a web search filter, a ho-hum tutorial, or even just a social network; CynjaSpace inspires kids to learn to be Internet savvy while interacting with our original comic characters and storylines. Ultimately, our Cynja characters are the role models for kids in cyberspace.

We’re very excited to partner with ISACA to bring cyberpower education for kids into CynjaSpace. By adapting the CSX content for kids and including it in our app, we can start children on a path to a smart, safe digital life.

Our mission is personal—together with ISACA, we will develop the educational lessons that we as technology and security professionals want to teach kids, parents and our own families.

ISACA Now: As information security professionals, what can we tell other non-tech parents about the online dangers that many of us see every day?
Dahl: Parents need to help their children understand cyberspace isn’t the Magic Kingdom, it’s the Wild West—only worse. Online you rarely see the bad guys before they attack, and it’s hard to see the white hats who serve as role models. No one gets to observe others as they make choices and experience the consequences.

Being a cyber hero for children is far more than being a successful Internet entrepreneur. It’s living a smart, ethical life online. It’s treating people and data with respect.

It sounds straightforward, but here’s the problem: It’s hard for many kids to see their parents as digital role models because parents don’t open up their online lives to their kids. Our kids aren’t riding tandem as we email, shop online, surf the web, and use social media, but that’s the view of the cyber world that kids need to experience. Just like daily life, digital life is not a fairytale; it’s a place where there are real consequences.

I’m here to tell you, all adults—techies or not—are role models for children. If we are concerned about our children’s digital welfare then we must fill this void.

ISACA Now: ISACA members know firsthand that understanding the background behind a cyber-attack is quite technical. There are multiple layers and plenty of technical terms; however, through the layout of your Cynja books and the way the stories take shape, the process is broken down into a more simplified and easy-to-understand progression. How did you translate that process to your comic series and CynjaSpace app?
Cunningham: I provided insight into what it was like to fight real battles in cyberspace—in all their glorious, geeky detail. But we then had to turn this into something a kid would relate to—and so Heather spent a lot of time with her nephew trying to see the world through a six-year old’s imagination—and what it’s like to be the hero of your own magical battles against bad guys.

We wanted to illustrate The Cynja so that readers could understand the gravity of being stuck in an infected network or encountering malicious malware. Shirow Di Rosso, our illustrator, who we call the Artmaster, was an IT engineer, so he knew exactly what this world looked like and how to visualize it in an imaginative yet accurate way.

With CynjaSpace and our ISACA partnership, we move the story and technology lessons from the book, into a fully interactive digital learning experience for kids. With ISACA’s expertise and support, we are creating the next generation of cyber education for kids and their families.

It’s important for kids to know that it’s up to people like ISACA members to protect vital computer systems. We need to encourage kids to be safe online and to learn about the technology. Incredibly, we’re facing a shortage of cybersecurity professionals that is expected to last for years. My hope is that CynjaSpace will inspire kids to join in fighting bad guys online.

[ISACA Now Blog]

Modern Endpoint Backup Sees Data Leak Before It Hurts

Picture this: You’re enjoying a beautiful summer Saturday, watching your kid on the soccer field, when your phone rings. It’s work. Bummer. “Hi, this is Ben from the InfoSec team. It appears that John Doe, whose last day is next Friday, just downloaded the entire contents of his work hard drive to an external drive. Given his role, there’s a high probability that it includes confidential and sensitive employee data.”

There goes your Saturday.

It happened to us—it’s probably happened to you
This happened to us at Code42 a few months ago. A longtime employee was coming up on his last day, and innocently wanted to take years of work with him. We’ve all probably done this—grabbed some templates and examples of our work to use in our next chapter—and instead of sorting through years worth of work, it’s just easier to copy the whole drive. Unfortunately, this is against company policy and puts the company at risk. And in this case, there were confidential and sensitive files related to company personnel.

Not all data theft is malicious, but it’s still dangerous
Of the fifty percent of departing employees who take sensitive or confidential data, most are not malicious. Some don’t know the rules; some don’t follow the rules; and most see no harm in their small actions. At Code42, we’re fortunate to have great people, and they have good intentions. But even the best intentions can have terrible consequences, especially when it comes to enterprise data security.

Too often, “innocent” data taken by employees inadvertently includes sensitive corporate data such as financial information, employee data, trade secrets or even customer information. There are risks and costs associated with leaked data; but knowing what was leaked and where it is greatly reduces the risk and damages.

Code42 CrashPlan avenges data theft—saves the weekend
Back to the sunny soccer field, where I might have spent horrible moments dreading the fallout from this particular data pilfer, I make a single phone call and spend no time worrying about the cost of tracking down or trying to recreate lost files or deal with a potential breach.

With Code42 CrashPlan, I have complete certainty that all of this employee’s endpoint data is backed up, down to the minute. And I know our InfoSec team can tell me what the data is, what was copied and where it was copied to—down to the serial number of the external drive.

Modern endpoint backup: Sees what data you have, and it knows where it goes
From there, the resolution is quick and—while it sounds dramatic—painless. A company representative contacts the departing employee, explains that we observed that the contents of the hard drive had been copied to an external drive, and requests that the drive be returned to Code42 on Monday morning. The employee promptly returns the drive.

And the best part of the story: I enjoyed the rest of the weekend, without the threat of data theft clouding the summer sky.

This is the power of modern endpoint backup. No matter where insider threat comes from—malicious lone wolves, employees conspiring with external actors, or well-intentioned, accidental rule-breakers—modern endpoint backup sees it all, in real time.

Download The Guide to Modern Endpoint Backup and Data Visibility to learn more about selecting a modern endpoint backup solution in a dangerous world.

Ann Fellman, Vice President/Marketing and Enterprise Product Marketing Director, Code42

[Cloud Security Alliance Blog]

Effective Third-Party Risk Assessment – A Balancing Process

The vendor risk assessment is the lynchpin of every effective third-party risk management program. In theory, the essential components of an assessment are easily determined. However, in practice, the ability to effectively understand and assess third-party controls usually conflicts with the resources available to perform the assessments, and is further handicapped by the need to rapidly conclude assessments so contracts can be finalized and projects begun.

All too often this results in assessments that are performed based on resource availability and time rather than an appropriate review of required security controls.

Adding additional complexity is the growing pressure to expand third-party assessments. Regulatory agencies have significantly increased third-party assessment requirements. The U.S. Office of the Comptroller of the Currency (OCC) now requires companies to look at the entire vendor lifecycle when managing third-party risk (OCC 2013-29). The U.S. Federal Financial Institutions Examination Council (FFIEC) recently added the requirement that companies include an assessment of their vendors’ business continuity programs as part of the assessment process (FFIEC Examination Handbook, Exhibit J). Healthcare regulators have also joined in requiring a thorough security risk analysis as part of the HITECH Act/Omnibus rules.

Industry standards are also increasing the focus on third-party security. PCI DSS 3.0 (12.8.2) and the latest versions of ISO 27001/2 require a comprehensive assessment of third-party security controls. NIST also requires that third-party information security risk be evaluated for NIST compliance (SP 800-39).

The most practical reason for thorough third-party assessments is that third parties are increasingly targeted by criminals and continue to be the primary source of breach incidents. Rather than attempt to breach the systems of large and usually well-protected company networks, criminals look for the weakest link in the chain, which is all too often a third party.

The growing demand for more comprehensive third-party assessments necessarily requires expanded resources, budgets and timelines for completion. These needs run contrary to very real budget and staff constraints, and the pace at which business units need to bring new (often web/cloud based) products and services to market. So, how do you satisfy the growing demand for more comprehensive assessments of third-party risk controls without substantially increasing the cost and time for conducting assessments?

The first step is to fully understand your assessment workflow, and identify all of your information requirements, both internal and external. Then identify those activities that are extremely manual in nature. The simple truth is that it is difficult, if not impossible, to effectively manage assessments in a manual environment. From initiating and collecting assessment information, to managing your workflow and providing a centralized repository for all assessment-related activities, there are a number of industry applications that can automate the assessment process and provide significant relief for overburdened processes and resources.

Also, make sure that you don’t reinvent the wheel. There are a number of existing assessment frameworks you can use to refine or jumpstart your program. NIST, Health Information Trust Alliance (HITRUST), and PCI all have framework controls and questionnaires.

To learn more, join us on 26 July for an ISACA webinar, titled Effective Third-Party Risk Assessment – A Balancing Process, on how to manage all of these competing requirements and develop an effective program for third-party assessments. We will discuss how to find the best methods to balance these competing demands, and key ways to enhance your assessment process so you can do more comprehensive assessments without increasing the time and cost of assessment due diligence.

Brad Keller, Senior Director of Third-Party Practice Lead, Prevalent

[ISACA Now Blog]

Mobile Payments: Risks Versus Opportunities

Have you heard the story about the foolish farmer’s new horse? The story goes that one day in early spring, a farmer’s horse dies. The farmer needs a horse to pull his plow, so he goes to market to buy a new horse. There he meets a neighbor who says, “I have a promising yearling [adolescent horse] that will be up for sale in a month or two. Why not wait? The yearling will be much stronger and healthier than some old nag you’d buy here.” The farmer agrees.

A few months go by, and on the way to bring the yearling to market, the neighbor tells the (still horseless) farmer, “I have a foal—born just this season—that will be the strongest and healthiest of all my animals. Much stronger than this yearling if you wait a few more months.”

The farmer once again agrees, and as the harvest time is coming to a close, the neighbor comes again, this time saying, “I’ve found a stallion that will surely sire the strongest line of horses this town has ever seen…” The farmer stops him and says not to bother because, “Without a horse, I could not till. Without tilling, I could not reap. Without reaping, I could not lay stores. And without laying stores, I won’t survive the winter.”

The point of this parable isn’t hard to understand. Specifically, while future opportunities are great, it does not matter if you are not handling the critical needs of today. It’s a balance between the advantages of what you might get in the future against the “opportunity cost” of taking action right now.

This is a useful principle for practitioners making risk decisions for their firms. For example, consider a new technology, new application or new business process. There’s often a temptation to focus almost exclusively on the new risks such changes might introduce. But what about the risks offset by that change? What about the business risks in failing to adopt (i.e., if we don’t adopt and our competitor does)? The holistic risk equation is more complicated than it might seem on the surface, and saying that something new is “risky” is really only accounting for one half of the equation.

Mobile Payment Opportunity Costs?
One noteworthy example of this phenomenon right now involves mobile payments. Specifically, we know that many technology professionals are extremely leery of mobile payments. ISACA’s 2015 Mobile Payment Security Study found only 23 percent of IT and security professionals believe mobile payments will keep information safe—which, let’s face it, is not exactly a vote of confidence.

It bears asking, though, how that compares to the alternative. Meaning, are there risks to mobile payment scenarios? Sure. Show me a technology without some risk and I’ll show you a technology that’s completely valueless. But even if there is risk, what is the opportunity cost? What do we miss out on by waiting for some future scenario that is even more locked down? And how does the risk of mobile payments compare, for example, to the physical and e-commerce transactions that you perform already using your physical card?

Is a mobile payment scenario riskier than, for example, handing your credit card to a waiter at a restaurant? Is it more likely to bring about fraud than using a “knuckle-buster” in a taxicab? Is it more or less likely for the card number to be stolen when making a mobile payment versus entering the card number into the web form at a merchant? In most situations—and for most frequently encountered types of fraud—the traditional payment scenario is arguably significantly less risky than the mobile one.

For example, the mechanisms used to protect a point-of-sale mobile payment (e.g., tokenization and encryption) might have some advantages; likewise, a lost/stolen mobile phone probably provides better protection of the cardholder data (where usually enhanced authentication such as a fingerprint or facial recognition is required to make a payment) compared to a scenario like a lost/stolen wallet.

Holistic Analysis
In short, accounting for mobile payments from a holistic standpoint means understanding how the mobile payments themselves work, understanding what the risks associated with that usage are, and understanding how that usage might be applicable to the enterprise.

ISACA’s new white paper, Is Mobile the Winner in Payment Security?, tries to help practitioners do this. The paper outlines mobile payments from a practitioner point of view: going into potential risk areas, ways mobile payments can offset risks, and exploring business-enhancing value opportunities. Likewise, the document explores some possible controls that might bring about a value-add in light of mobile payments.

Ed Moyle, Director of Emerging Business and Technology, ISACA

[ISACA Now Blog]

Pokémon Go Issues Underline Importance of Technology Pros

It is unlikely there are many people left who have not heard of Pokémon Go. Maybe you are an active player, maybe your stock portfolio includes Nintendo shares, or maybe you have heard the warnings about criminal activity related to the game. For the uninitiated, Pokémon Go is a mobile app that uses a phone’s GPS and camera to create an augmented reality experience in which players traverse the physical world and capture animated creatures.

Niantic, Inc.—which actually began as a Google project before splitting off from the company last year—partnered with Nintendo to create the mobile app. Whether you are playing the game or not, one thing is for sure – this is a truly disruptive technology; one that came on the scene and infiltrated people’s lives in record time.

Just how pervasive is Pokémon Go? The app has drawn just under 21 million active daily users in the United States since its 7 July debut. In Germany the game was released on 13 July and rose to the top of the charts in just three hours. In less than two weeks Pokémon Go has attracted more daily active users than Twitter – an app that has been in existence for ten years.

From a practitioner perspective, concerns arise around such rapid and widespread adoption of an emerging technology. Organizations are often unable to accommodate such unprecedented interest—in this case, server issues plagued the game’s developers, particularly in the first few days of its release, when Niantic seemed unprepared for the rapid onslaught of users. High levels of usage may also increase exposure for security flaws, which may be exploited before an organization has an opportunity to correct them.

In the case of Pokémon Go, the software company has also come under fire for privacy concerns related to the game – while an update has since been released that corrects the error, an earlier version of the app granted full Google account access to Niantic when users chose that method of sign-in. When millions of users downloaded the app before the update was released, it is unlikely many of them were reading the fine print to understand the scope of access to their personal information they had handed over.

As technology professionals, we have an opportunity and an obligation to anticipate and prepare for what is next, even when we might not be quite sure what it is. While we may not all be developing the next viral app, we do all serve as advisors on technology in some capacity within our organizations. Technology is evolving at ever-faster rates, and it can seem daunting to keep pace. But even as advances are made, the old standards ring true: build privacy and security standards into technology from the beginning, optimize risk, and approach future technologies with a healthy sense of cautious optimism.

Betsie Estes, Research Resource Manager, ISACA

[ISACA Now Blog]
