Cleveland bSides 2012 - Jeff Kirsch - People

alright time for our next presentation we have Jeff Kirsch here he's going to be talking about people process and technology focusing on the people side

all right so like he said my talk is people process and technology and as you can see technology got cut off and when don't we get cut off so I left it that way I thought it would just play it into what I was going to talk about today first I want to warn you the views expressed here are mine and mine alone they do not represent my family friends co-workers employ or any other person who may or may not know me my insanity is my own I say that every time but it's still true so just hold me responsible for what you hear before I tell you a little about myself I want to get a kind

of an idea about you guys so who here in the room has kids that are in school now raise your hand okay whew you guys you may not know this but you may know this that some of the concepts i'm going to talk here today about are actually being used on your kids in school today and so this may actually help you with their education as well as as what you're doing in your organization's hopefully so a little bit about myself i am ghost nomad on twitter i'm a geek I'm a husband father I write haiku on my blog I wrote a book for it I used to be an auditor I put it in really small font I

could have gone smaller trying to sneak that by you guys know I did it for 14 years for the government and for an organization and then I decided I wanted to have my heart back so i switched to infosec I've been doing that for two years and the scars starting to go away so you know I'm still trying to fly low that I used to be an auditor but it is actually part of who I am and it did build on some of the things that I talked about here I was a painter blogger gamer avid reader carpenter and I probably should make it bigger now I'm a cook I took a resolution two years ago

almost to try to cook something new everyday or every week every day that would be quite a challenge and I'm on a year and a half now I've made something new every week and it's teaching me not just a lot about cooking but it's teaching me a lot about life and information security so I want to give you some words and right now these are just going to be words they're not going to make much sense unless you've heard them before but at least I want to throw these out for you so the first words i'm going to say is response to intervention and you're probably thinking okay this guy needs an intervention definitely and it's

probably true response to intervention can also be referred to as RTI so if you've heard this before please don't tell anyone the secret yet if not we're good to go second thing is progress monitoring interesting words and then the three-tier model now I do want to say the gentleman before me gave a talk on training and awareness if you were in the room some of these things may be a little bit redundant hopefully not but hopefully I'm building on some different concepts that they didn't touch on I think they had some great points about awareness is not training and training is not awareness and education is something completely different what I really want to focus on is that training

and education component but in a little different perspective than what they did response to intervention has three components that you need to know about it identify monitor and intervene I could go into a little bit more now but I'm going to hold off until I get to some more concepts with that so when we talk about response to intervention there's three concepts in there and then the three-tier model the three-tier model can be referred to as the pyramid of learning it has a lot of other terms but the idea is that there's three tiers to education and this is used in schools today a lot more than it used to be tier 1 is your general tier this is everybody

this is whoever your audience's tier 2 is specialized I'll get more into that later and then tier 3 is the intensive so I kind of built a pyramid with the words give you the idea that as you go up the pyramid the group that you're talking to gets smaller and smaller all right now traditional school we all went through school maybe just for a day maybe for a long career but there's a traditional perception that in school you send the kid off they go through this black box of Education and they come out with a degree everything's great right i mean yeah they have homework and they have all these different things that they have to do

but you put them into the black box and what you get out is a graduate hopefully the problem with that is that that's not what happens and then we look at our organizations today kind of a similar thing we bring in the security guy I call that Dave Kennedy because he's thinking about Oh day I probably should have put dropping Pease since that's what he focused on today but we bring in that security guy into our organization hopefully that's one of us and what comes out of security right I mean that's why we bring them in well unfortunately what we do is we equate education to compliance so we think not only does our security guy make us

secure but he brings us into compliance and compliance is not security and compliance is not education we need to have training and awareness to meet our compliance needs well we don't want to do is sit there and say just like with security say oh I'm this compliant so I'm secure we know that that's not really the case that's a baseline for where we need to start it's the same thing with training and education if you're meeting compliance you're not really educating the people that you want to do and the problem with trained education or training and awareness as compliance is it's pass or fail now I gave a similar talk a year ago called step away from the binaries the idea is

that pass or fail is a binary situation you take a class you either pass it or you fail it it's the same way in school you go through school you either pass or you fail now you can say oh I got an A a BSC addy or failed but really do through a is a binary past you've made enough of a grade to get that pass there's not more detail behind how you got that so the question is do you want your training and education system to be a binary thing because when we talk about fear uncertainty and doubt flood and security we said that's not a good thing that's not a way we should deal

with people we should deal with them on a level set well pass and fail is one of the biggest flood things in the world I mean how many of us got so scared the day we were having a final exam in school Vic got a bunch of them fairies in your hands and shake your heads I mean I mean the fear that just overtakes you you know you get that that sense of oh my gosh but don't do this right I'm done that's the same thing with education in an organization do we want people to feel that fear that if I don't pass I haven't got it because ultimately if they don't pass and they don't get it

like the two gentlemen said before it's our responsibility it's it's it's a likely our fault that it didn't happen but at the same time as we come back to here we're not secure because in the people process and technology side of the equation we get process and technology but people is our weakest link and so how can we be secure if we can't get people to that state the second part the reason why I came back to this slide showing our security guy coming in and making us secure is our businesses generally aren't focused on security most of our businesses are focused on making a profit they have shareholders they have owners we're here to make money and so ultimately what

happens is as security folks we come in and we say you need to do this to be secure and if we don't meet that security level then we say we're not secure stop the presses don't go forward well what that does to our organization is our organizations start losing money they start losing shareholder value the shareholders aren't confident in the organization anymore and people start to walk away the company loses business and what happens does we're not the company anymore because there's no room for us so what we need to do is to really focus on how can we make our organization secure but do it in a manner that meets the organization's goal of making a

profit now there's compliance reasons why we need to do things but beyond that we should do it because we want to be the best organization in our field that we can be and bring in the profit and generate the money for not only the owners but for the shareholders and so I go back to talking about people process and technology and if you know PHP people is in the insert you know server-side include people's a variable so let's go ahead and let's talk about people let's talk about what we're going to insert before we hand this off before we can talk about people we have to talk about intelligence now if you if you've been through school you may have taken

some tests iowa tests intelligence tests various other tests to try to determine what your ability is really intelligence is your ability to learn when you talk about the IQ factor somebody says my IQ is this what that really is telling you is that in the educational system is it's designed today this is what their ability is so if I have an IQ of 100 which is average right then that's saying that I have a good chance of achieving pass the ability to pass in the educational system as it's designed today if I'm below average I may have a harder time but my ability is where that is IQ doesn't necessarily equate to real life it can if you're a smart person

hopefully you're going to do well in life but we know that there's a lot of smart people that are book smart but aren't street smart and we know a lot of people who have a lot of street smarts than our book smarts so when we say smart it can really mean a lot of different things but it doesn't necessarily equate to IQ and when we talk about IQ and intelligence we have to talk about the bell curve I don't know if you've seen this before but it's a statistical that shows a statistical distribution of people from the norm so in the middle we have this is normal to the direct left and right of normal

we have a standard deviation of one and that covers 68% 68.2 percent if you want to be accurate of the population so sixty-eight percent of the people that are out there just walking about could be 68% people sitting in this room but everybody here is smart so we'll put ourselves up maybe I up top I don't want to insult anybody's intelligence but but most of the people 68.2 percent of the people that we deal with anybody deals with our normal right as you get farther out it gets smaller thirteen point six percent on either side then two percent then point one percent so when you talk when somebody says that I have an IQ of

130 they're putting themselves in that point one percent of the population now we all like to think we're smart we probably all are pretty smart in what we do but where would you put yourself in this this you know distribution this bell curve of intelligence the reason why I bring this up is because when we get to the people part we're dealing now just with the smartest people in the world we're dealing with everybody so we have to cater to this whole spectrum we have to understand that when we design a training awareness education system that we're not just going to get the cream of the crop that we may not even be the cream of the crop but we have to

identify that we need to cover this whole spectrum okay so who are the people well first off in our organizations the people that we want to deal with our employees this can be the whole organization that's where your main training and awareness comes in what's the password why you should keep it safe it could go down even farther it could be the developers of the organization I know a lot of people talk about baking in security and then it needs to be in the development lifecycle well so the people in that case those employees maybe your developers the point is is that each level of our organization that we want to deal with is going to require a different set of

training and education but people doesn't just cover our employees we're a business if you are a business and so people also covers customers you need to educate your customers as to what security is because again you can do everything you want to do you can make your webapp secure you can do everything possible but if your users download something if your customers download something onto their pc laptop smart mobile device then their information is going to get stolen on their side not on your side and so we need to educate the customers we also have to educate each other you know the people in this is peers we come to things like b-sides and other trainings

and conferences and and get-togethers because we want to learn from each other so as peers were people and then of course there's family and friends now family and friends can be peers they can be customers they can be employees the point is is that if we as professionals go down to that base level and try to educate at the beginning this will trickle up into the other areas of life alright so we talked about the three-tier model we've talked about who these people are I'm going to kind of go a little more in depth now as to what the tears are and what they look like so general level Tier one is your full audience now in an education environment

this is your whole school population these are all the kids so if you're in an elementary school first grade it's all the first graders if your second grade second graders if you're an organization this could be your entire population now this may be where your training and awareness program comes in for compliance purposes but we can use that to step in to the next level so one of the things we need to do for response to intervention is identify so at this at this general level we're doing what do we want to educate what do we want to teach people it could be something simple as this is why you need to keep your password safe this is why you need

to have strong passwords this is why you can't click on an email that has a link especially if it has a document you don't know who it comes from whatever that may be you need to you need to tailor that to that full audience that you're looking and now you're going to have people in that audience that have different levels of understanding but at this level what we're talking about is that generalized program the intervention is administering the program it's delivering that training so response to intervention at the highest level is just going out and doing it in a school environment this would be a teacher going into the classroom every day and teaching the math curriculum right all

first grade is going to get the same math curriculum generally and then monitor now in the previous talk if you were in here they talked about monitoring baselines as not being as valuable there's a little bit of difference with that I think I agree to some point to what they were talking about but in the end for for this type of program you need that baseline and I'll go a little more into that so you need baselines and you need pasta cess manao let's take an example a little bit farther an organization you have your developers and and let's say your population is developers who do web apps so we need to teach them the tools that

they can put into the code before it goes into production that's going to protect your organization because once it goes into production you're talking about putting a lot more cost into securing something than if you build it in so you bring your developers in and you do things like you teach them about the tools of how they can how they can test the system itself teach them defensive coding teach them all those things but before you start that class you should do a baseline now most people think okay baseline I got to give all the information that's not true in the program that my wife is administered in her school district the baseline test is

one two three minutes so you sit down with a student and you can go through an entire class of 20 kids in about 35-40 minutes pull each kid out individually so you know what you need to do is you need to develop a quick way to gauge the the key points that you want to make sure that your developers know or don't know again the key here is this is not a test use the word assessment because when we hear the word test we check out if you have had an audit you may think of assessment is not it but really what you're doing is you're assessing the knowledge so give them that quick one to two minute what do you

know and and give them multiple choice questions get a baseline and that baseline is really going to help you define are you speaking to the right people did they understand what you told them and did their knowledge base change and then after you administer the training after you've had them come in do all the things go back and give them the exact same questionnaire the exact same quick assessment because if you change the questions you don't know if something's changed or not right I mean if I ask you one question before I started speaking and then I asked you a question after I started speaking it was a different question I could extrapolate as to how those things matched up but I

don't know that that's really the same information that you're giving me so the general level your full audience what to educate and then get your baseline and post assessment now you've brought your developers and you've given them the training on how to test what they do codes securely and now you've given in the post assessment and you can one for one match by each person what they've gained now what you do then is you take that and you go to your second tier so now I know that eighty percent of the people that sat in the room improved if they if they didn't already know something their knowledge improved they got what I taught them they can move on

right but there's that twenty percent that didn't quite get what we needed them to get so now what we need to do is we need to move to a tier two specialized so in this case the people are small groups this is your people that you've identified from the baseline to that first post assessment did they get what I taught them right and you need to identify what was missing what didn't they get why didn't they get it and how can I present that not just rege if it to them not just pull them in a room and you know in the smaller group and say okay you guys didn't get this let's go through to get now what you

need to do is you need to figure out why didn't they get it is there a barrier to the lure style that you're giving to them so if a person's hands on and you gave them a lecture for an hour that could be the only reason why they didn't get what you gave them if they're quite the opposite if you gave them a hands-on session and they're more conceptual again you fail to give them what they need so giving them what's missing and not the full program is what happens in the second specialized level intervention is administering the program so now you've identified what that is missing what's the gap you you're bringing them in as a

small group and you're giving them a new training it may be a subset of what you already did it may be a different style of what you did but your rhiness turing a program and to monitor this you use existing data so you've got your benchmark you've got your first post assessment and now then you're going to add the second post assessment so now you can track here's where they were they didn't make much progress now how they do and what you should see is more people start to fall off okay now I've gone from this twenty percent of that twenty percent ninety percent of those people actually got it so now your population of who gets it has gone up

but you're still going to have a small group of people that they can quite get it so you've brought your developers back in you've given them a new training whether its hands on whether it's lecture style whether it's okay tell me why you didn't understand what I was trying to convey to you you've administered that and now you've got that final few percent maybe five six percent that just still aren't getting it this is your intensive level and at the intensive level you don't want to be doing small group stuff anymore you want to be at the individual level you want to be bringing somebody in and talking to them now the caveat to all of this is

that you cannot make this program feel like it's a punishment and that's what sometimes happens in a compliance setting when you given a test for compliance and you say you need to pass this or I'm going to bring you in for remediation people freak out oh geez you know so now now I'm the bad kid in the class i'm at the back of the bus that's not what this is meant to do this the whole point of specializing a program more and more detail is because you're not getting through to that person's learning style or the content that you're giving them isn't matching up with what they're thinking it's not because they don't know what they're

you're talking about they're just not getting it the way you're giving it to them and what you need to do here is you need to identify those specific needs of that person so in the case of the web developer who didn't get the first program and didn't get the second program now you're going to sit down and say okay help me to help you and what what can we do to do this we need to gauge their knowledge we need to gauge their understand maybe they just don't care and that can happen you could be at this level and find out that somebody just doesn't care they just want to do their job because we all have a budget

we all have a timeline and we all need to get it done and yeah i SAT through your trainings and I get what you're saying but in the end my boss is going to hold me accountable for why my product didn't go live on the day we said it did well okay now you've got now you know where your gap is now you know what their specific need is or it could be something as to I just wasn't comfortable in understanding what you were saying and I didn't want to raise my hand in either of the previous sessions but now that you're at the individual level and more apt to talk to you the intervention here is the

coaching and mentoring this may be an extended program this might not be just an hour-long thing you need may need to sit down and coach this person on an ongoing basis and the monitoring is outcome-based so now we're not we're not giving them an assessment of the knowledge they know at this point we're saying I'm going to give you a task can you accomplish it okay now let's move on that's what mentorship and coaching is really all about it's giving somebody things to do and seeing how they interact with that and how they accomplish the goal if they can't accomplish it you need to go back and find out okay where's the gap and so

really when you talk about people we're talking about unique individuals now we can't Taylor a program to each unique individual need we have to generalize it enough and then move forward and go down and down and down and so in this in this concept of response to intervention you don't just design a program put it out there I do like in the previous talk they talked about doing a three to six-month review and then doing an annual review and trying to see what you're getting but this needs to be a little more not just I need to retool my program because of that three to six-month assessment this means i need to redesign what i'm doing

i need to focus it on the general tier specialized to your individualized here and not only that i want to give that same assessment i want to keep track as it goes along how are you answering those same questions because what you may see is after the training people get it a little bit longer people may start to drop off as it goes longer it may drop off even more and so that's when you know that you have to bring them back in but at the same time what you should see is that as you get to that general specialized in intensive level they're going to have different needs of when they need to be refreshed so you

need to design based on that you need to deliver it progress monitor and refine it it's a constant cycle that you go through and ultimately what it comes down to is is my program meeting the needs now the reason why I started thinking about response to intervention in in the in the sense of a business is because what we're finding going back to the whole profit model what we're finding is that people are making business decisions and sometimes they're ignoring information security people they're saying yeah I get what you're saying but I need to make a profit based decision I need to ultimately look at what's the cost of what you're saying you're going to do and what's the cost

of me just moving forward without doing what you said and a lot of times they can find a way to say I'd rather accept the cost of not doing what you're doing and put the company at risk because I can pay a lot less for that and so as security information people you can become completely irrelevant to your organization simply because you're not meeting the needs of the people that you're working with and so when you talk about the example I gave those web developers but let's take it a step higher and go to executives who are making a decision for your organization they need to understand not just what you do but the risks of not

complying with with secure practices and so if you can educate them at a higher level than what you're used to dealing with and talk about in their terms risk and get down to this is what we do this is why it's risky to the organization then when they sit down at the table to figure out what they want to do for their business they may say hey you know what I need to pull that information security group in here because they actually kind of get when I think it they kind of understand this whole concept of risk and profit and and that we're not just a security organization at the same time what that does is it

puts you in a better position that when things come up a new new processing technology comes up you can get it implemented because they're saying this guy gets what I want to do for the business and so when they go to make that decision of processing technology I think they get what I'm thinking and so it's really a two-fold thing one is to make your kind of organization more secure because people is the weakest link and you need to ultimately get people to understand the second thing though is that your business is making better decisions and there including you instead of excluding you you're not looking in from the glass outside you're actually inside looking out now all that

said I said I write haiku at the beginning and a while ago I wrote this haiku just a box now the concept that when i wrote this was about a piece of technology firewall route or whatever it's designed to protect you must configure properly otherwise useless now let's take this a step farther so that's a device but we're talking about people here designed to protect okay so we need to design our people to protect our organization we can't be the sole bearers of security I think if you take a look at history and you say i want to open up a bank and i never want to be robbed so i'm going to do all of this I can't tell you it

was probably hundreds if not thousands of years ago that the first bank robbery occurred whenever the first bank was there still occurring today you can't stop it and as security people we know we can't stop it well we can do is minimize the risk we can minimize those things that our organization takes on that puts us at risk and so we need to design to protect and in order to do that we have to configure properly we get configuring black boxes we can go into a device and issue all the commands to set the firewall rules set up the routers to block people from coming in from the bad IPS we can do all that

stuff but do we configure our people properly do we really make them a part of the organization security program not just here's some information past the compliance test so we can tell our regulators were good and let's move on and I'll just continue to try to build things around your inability to do things it's not their inability they have more important things to think about we're security professionals on a daily basis we look into these things if if I'm a person who's issuing insurance policies I don't care about that what I care about is meeting my sales goals in understanding the product that I'm selling so i can sell it the best to the people out there that need it so it's

our job as security people to make the sales person or the the mortgage person or you know the investment guy understand that they're a part of security and and how they fit into that so we have to configure the person properly otherwise useless now if you if you extrapolate this to people that may seem a bit harsh right i mean we don't want to call our people useless but it's not our people that are useless it's our program that's useless we've designed the process and technology and we've left the back door wide open so all the stuff we've done no matter how good we've made it we've left the door open right I mean we talk about social

engineering and customers being hacked on their computer you know so that their their bank accounts are stolen off of their computer not off of a hack into our system so in effect we've rendered what we've done useless and we don't want to do that we don't want to be the kids sitting in the corner while the grown-ups are sitting at the big table eating dinner we want to be at that table making good decisions for the organization and showing them that we understand what they're doing and ultimately response to intervention is a way to get that and in the next question that I've been asked a couple times I've done this is okay so how can I get funding for this and how

much is it going to cost right I mean that's the big thing that you really want to know about in your organization because none of us have funding right I mean I think the guy is before me said that your funding is your paycheck right so ultimately with the concept that I've talked about are very simple to implement at very little cost if you really think about it if somebody says here I want you to go do this and you say okay my organization doesn't have this tool they don't have this tool and they don't allow me to down any of the free tools I've got to use what I have and build what I need and so ultimately

that's what this is take about take the approach of I'm not just going to go and implement this all at once it's really you need to proof of concept this in your organization take a training find a few questions that you can ask beforehand and ask them whether it's through an email whether it's through standing up a little survey monkey you know do whatever you can through your organization's guidelines to ask those few questions of everybody that's coming to the training and then follow it up and then dump all that into your spreadsheet and go to the person who's in charge of setting up awareness programs and say okay this is what I found right I mean it's pretty clear

that i asked the same question and people made progress and people did in another cab yet i'll give is I don't do training and awareness the guys before me did that's not my role in my organization so this isn't a neat my own dog food thing I mean I'm not telling you something I do because it's not my role what I do know is that my wife does this she doesn't do it in a organization for security she doesn't in education so she's responsible at her district for going out and administering the same type of program to students and schools have no money I mean we think our organizations have no money how many cities and counties and states are going

bankrupt right now so there's no money there's no funding and yet they find ways to implement these things so I think in our organizations the best thing to do is to take the information and go back and say okay how can I do this little by little how can I start to show and that's what we do with everything else I mean we say well I want to implement siem right I want to do logging but my organization doesn't want to pay for the server to store all the data so how can I gather little bits of information little by little to show that hey if we did this it would be beneficial to the organization and

that's what we need to do we need to be innovative in the way that we approach this so that it's not costing organization a lot of money but we can get that by in alright so I've gone on and on about response to intervention progress monitoring and the three-tier model if you want to talk to me about it beyond right now you can email me go snowman echoes nomad com you can catch me on Twitter I'm getting a little bit better i was pretty frequent on it started backing off and getting much better at it now i have a blog Oh snowman com or IT dash I could come if you want to read haiku about technology

IT haiku is where you want to go I have quite a bit i think i'm almost over 700 now so that can keep you busy if you haven't read it before if you've read it before i'm trying to do new content every day ghost nomad calm i'm not i wasn't raised in the security field i don't know how many people ever were I came to it through an accounting degree and I had done a little bit of computer science in college so I tend to think of security not in a techno gee sense but in the theoretical sense so I try to marry technology to real-world situations I haven't been as good but I'm getting back into it but I

may take a police blotter and say how that equates the security I may take what my kids do and equate that to security actually on that note I woke up this morning to oh no oh no he's got a game hack log off now before he finds our secret lair from my nine and eleven year old so I must be doing something right to get that geek news out there but so if you want to read my blogs that's where they're at and at this point I'll open it up to any questions sure

you

sure

well and and to that comment I would like to add an addendum I think that yes our employees do have we need to instill a need to want to defend the organization but at the same time as the as a security professional it's our duty to make sure that we're giving them all the tools that they can have so simply giving a one once a year training on security is not going to do it I mean kids go to school for how many years and at the end of it we have a show like are you smarter than a 5th grader because half of us adults don't even remember what we learned in fifth grade right so

it makes us look like goofballs when when you go into a show and a fifth grader gets a question that you don't it's the same thing as security professionals we need to continuously push people the information that they need so it's a duty to protect the organization I completely agree with that but it's it's also a duty of ours to make sure that we're giving those people all the tools to keep fresh on that information Rick

sure

so so the question is how can we as professionals protect against the people right and and my answer to that would be we need to continue to do what we do we need to build those technologies the bad guys are always going to find a way around what we build today right I mean we can't stop them from from being more motivated than we are to break what we build that's always going to be the case so we need to just continue to plow ahead I mean I know a lot of people get despondent over well I fixed it today and now some guy broke into it tomorrow I just recently went to the beach on

vacation and I decided to dig holes in the sand every day and I dug it where I knew that high tide would bury it every day and that the next day I went out and dug the hole again that's what we do in information security right we dig a hole and the next day it's Phil because somebody's broken what we build so I guess what I'm trying to convey here isn't that we need to make our users more aware because I agree with you when you go to the mechanic you want the mechanic to fix it for you right it's the same thing we can't expect people who are doing their job you can't expect

a doctor previous guys can't expect a doctor to have to worry about does my password have a special character a number and an uppercase letter we can't expect them so we need to give them the tools whether it's a password vault or make it easier to use a token or something like that we need to give them the tools but at the same time the same way that your mechanical say okay Mick every three months you got to bring your car in for an oil change or I can't help you I mean your engine's going to blow and I can't rebuild it it's going to cost you a bunch of money that's the same thing that we're doing we need to

give them enough information so that in their daily job if they don't feel comfortable with it they feel comfortable coming to us because we're not just going to throw this Technic about babble about well the firewall blocked you and the proxy said this and I'm going to build a reverse proxy to let you out and Dave's going to drop pease on you that are encrypted base64 we can't do that we have to talk just like that so I agree I think that we need to keep building and I don't know the answer of what the right thing to build is because if I give you an answer today it will be broken tomorrow a Dave will be the first

one to break it right I mean we can't help that so we just have to keep plowing ahead on the process and technology but we can't forget about the people I guess that's my ultimate message and and this was just a way of a different approach to looking at how we can communicate with those people anybody else no I'm an open book so ask away all right well you know how to get ahold of me feel free to say that I'm wrong or whatever I won't take it personal because as we know we build things today and they get broken tomorrow just a reminder everybody lunch is on your own I believe they have a

restaurant out here in the hotel and there's you know a bunch around the area here