
All right, everybody, let's get started. Up next we have Robin Wild: "It's 3:00 a.m. Do you know where your backups are?" Robin, I'm going to hand over control to you now. Thank you. You're welcome. There you go.

So I want to introduce myself first of all. My name is Robin Wild. I am a senior systems analyst for information security for TeamHealth. I've also worked at several other big shops here in town, so I'm happy to have a few of my current colleagues and ex-colleagues on board today. Thank you for joining me today and showing me some support. If I haven't met you, I'd like to meet you; the link is on the screen. Please feel free to connect with me via LinkedIn. I love to share ideas with everybody, so if you'd like to do that after today's session, I'd be delighted to make a connection with you and talk offline about this subject that I am so passionate about.

I'd like to go ahead and get started. My session is "It's 3:00 a.m. Do you know where your backup is?" I know that sounds like a pretty pedantic question for this day and age, but I want to talk to you about why backups are important. It used to be, back in the day, that backups were only important for things like application failure or power outages or things of that nature, which seemed to happen much more frequently back in the day than they do now. As a result, many of our businesses have become kind of complacent about their backups, or there's an assumption that what they're backing up is sufficient, which may or may not be true.

Also, we've become much more aware of our need for disaster recovery and business continuity, especially in light of the current pandemic. Some people were more prepared for everyone to go off-site and be ready to do business continuity remotely; some were not. And now that subject has become much more in the talk these days than it was, obviously, prior to the pandemic. But the most important reason, especially for this audience, is ransomware. Ransomware has really become the predominant reason, beyond just the health and hygiene of systems, for backups to become an important part of your information security strategy. A new organization fell victim to ransomware every 14 seconds in 2019, and that's expected to go down to every 11 seconds by 2021.

Ransomware attacks typically are done via phishing emails, and PhishMe, which is a major source of data in this area, said that phishing emails that delivered ransomware packages increased 109 percent in 2019. Ransomware attacks themselves have increased 97 percent in the last two years. It's become a very profitable business and one of the top three vectors for cybersecurity attacks in the United States. That all being said, 34 percent of businesses hit with this type of malware took a week or more to regain access to their data. Of course, this doesn't include whether or not they paid for it. And so there is a cost for not being prepared for a ransomware event.

It's not to say that backups are a hundred percent bulletproof. I'm not gonna lie to this audience, which knows a whole lot better than I do: all backups are not bulletproof. However, having a backup and following best practices is a whole lot better than having no backup at all in these situations. So you're going to protect yourself much better from any kind of application failure, any kind of business continuity or disaster recovery incident, and of course you're also going to get the benefit of at least a decent amount of protection from ransomware, in an acceptable discussion with your business owner about where recovery time makes sense for them.

So let's talk about how you get this done. A lot of businesses are going to go out and hire some kind of consulting firm to do a business impact analysis on their enterprise, but some people can't afford that; they're just not big enough for it, or they just don't want to come out of pocket for that. This is really not that hard. You can get it done, and I'm gonna give you a really basic five-step action plan that'll take you through identifying and defining the priority and scope of an app, creating a backup plan and building best practices into that plan based on NIST and ISACA recommendations, testing that plan, monitoring the plan, and then finally, and most importantly, developing and practicing a routine recovery validation of your plan. And that's a key piece of your security program. Whether you're following NIST CSF or you're following ISO or anything else, it's important for you to practice that routine recovery validation: that not only are you able to back those files up, but you're able to recover in the time you say you can to a business client, and you are able to restore to the point promised. So that's really important as we move forward. So let's go over each one of these steps in a little bit more detail, and again, you would want to do this on each system that you deem critical.

So let's talk about that. What are critical applications? A lot of people think, my app is special; every app is a special snowflake and it needs to be backed up. May or may not be true. But what does ISACA think, which is a great governing body here in the United States that helps with risk management, particularly IT operational risk management? How do they define critical applications? It's really important for you to understand what, from a business risk standpoint, should be considered critical, and this is helpful when talking with business owners, because every business owner thinks their app is special, right? So what makes it critical? Downtime of these applications, even for a few seconds, could result in serious financial loss, legal loss, customer dissatisfaction, or loss of productivity. If you are dependent on a system that is processing, for example, invoices that are bringing revenue into your company on a minute-by-minute basis, that is really important, and that does make that system critical. Because these applications have access to high-sensitivity data, breaches to them could result in a total halt of organizational service, high-risk data exposure, severe legal and financial loss, and complete loss of customer trust and brand value. I've worked for two employers here in town that fit most of this second bullet's criteria: they have PHI, protected health information, and PII, personally identifiable information, in large measure; therefore, they are exposed to legal and financial loss by breach to those data populations. So data categorization is very important around criticality.

Compliance stringency is generally very high. So if you're not sure, but you know, hey, I get SOX audited on this every year, that's probably useful to you as an indicator that this is a critical application. Other things: enterprise applications, business applications, and client-specific lines of business applications are prime categories for critical business operations on a day-to-day basis. Whether or not they might be considered critical by someone else is irrelevant. If they're critical to your business, your enterprise, how you conduct business on a day-to-day basis, and they impact your revenue stream, your reputation, or your finances, definitely they're going to qualify as a critical application. I also would highly recommend, within your critical applications, for you to take it a step further. If you're doing this as a more holistic approach on more than one app, identify what are those things that are the crown jewels of your organization, that you want to make sure that you take the utmost care and caution with. Identify those, and make sure that you do those first.

So let's talk about that exact thing: priority. How do you manage priority in the priority discussion with business owners? Again, every business owner thinks that their app is the most important app. It's important to them, and we understand that, but as a business we have to define, or help them define, and manage the risk posture for the company as information security professionals. So what priority factors or criteria can you use to help the business owner frame the actual business risk, outside of their perception, within the posture of the business as a whole? Obviously, financial: things that bring in money, anything that's part of your revenue stream, should be considered a priority. Anything that's compliance-oriented that might get you into litigation, or into a situation where you would be prohibited from continuing business in a space until it was remediated, would cost you money; in other words, it should be considered. Data categorization should be considered as a priority. As a part of your written information security plan, you should have a data categorization policy and a data strategy that every system adheres to, or at least has a categorization within a larger asset management practice that allows you to say these pieces of data, these groups of data across the company, are mission critical, right? They're business critical, they're confidential, they are business sensitive, any one of those types of categorizations that you think would be an impact, a priority, versus something, for example, that would be public-facing. That kind of data categorization might be important to the web team; they care about what their website does, but that is public-facing data, and backing it up is not my first priority. Backing up my financial systems, however, would be.

And then finally, upstream sources of record or master data components. This is where ransomware can get very insidious, if it can infect something upstream that has many integrations downstream. And I'll give you a for-example: in many places here, and in the United States especially, that are Microsoft shops and use Active Directory, for example, that's fed from a source of record upstream, usually a human resource system, that says that someone is active or inactive. If you can get your hands in that and manipulate it, that becomes a very disruptive factor very, very quickly if you can't get your hands around it. So upstream sources of record and master data components that feed things like enterprise data systems as well as enterprise reporting, those things can do a lot of damage, and they could be high-value targets for ransomware. And then finally, in your BIA, one, two, three is your scope and requirements checklist. So I'm gonna move to the next slide, and I've intentionally kept this separate so that you can just print this slide out and have it help you walk through this discussion with a business owner.

But before I do that, I want to take a quick second to look at this priority sample. I talked with a friend offline who has a consulting business and kind of took my checklist for a test run, and we talked about what were the things in his business that he felt were the priorities. This person does IT consulting, if that's helpful for you. Obviously, they outsource their payroll services, but they do the entry themselves to save money, so that's a QuickBooks file that's very important to them, especially for invoicing reasons. They want to make sure that they don't have a disruption to their income flow, so they listed that as number one. And then work product files that they have spent an enormous amount of time on for clients was number two. Email was surprisingly number three. For this individual, client relationship management and business development records that they kept about those clients, leads, things they got from conferences, et cetera, those things were all important in developing business and keeping the money rolling into their consulting business. Then client contracts, personnel files and employment contracts, and then administrative, and then finally their public-facing information such as social media and websites. So that was this client's take on priority. You'll notice it started with finance and kind of worked its way through sensitive activities.

One of the things that we did tease out as a part of this is, I'm talking about retention or modality of backups. So for the QuickBooks backup, it was easily something they could back up to disk and it not be a problem. So you don't have to go through a lot of time and money to do something; you can pick a modality that works well for this business. Fifteen-year retention according to the IRS was sufficient; they haven't been in business that long, so right now they're keeping all six years that they have available. And then when it comes to email, they went with a much shorter retention; they went with a two-year retention, and were able to set policy on that so that they can keep their email more manageable on a two-year rolling basis. So again, there are some choices that you can make as you talk through priority, as well as modality, on what will work. Even something as basic as a paper backup file for personnel files, in their case, was more than sufficient. It didn't have to be electronic. Most people obviously want to default to that, but if you have everything on paper and you keep it in two separate places, that's okay in some instances. Now, in larger businesses that wouldn't even be viable, so you have to think about it from the scope and the scale that you're applying these criteria to.

So let's talk about the scope and requirements checklist, and this would be the checklist that you would sit down with your business owner or business partner for a specific application and have this discussion with them, in reference to how you can best serve them in building a plan that is reasonable and repeatable for them, to provide them the best quality service as an information professional and support personnel partner for them. So, answers you need from the business owner. What you need from the business owner is: ask them, what do you feel is the likelihood that this application could fail? Have you ever experienced a failure? Find out whether or not they have been through a failure. How did they deal with it before? What impact did it have? How long were they out? What would they do differently? You'll be surprised what people will share with you, because they learned something during that time period. Do they think it might be a target for ransomware? You know, if they're a financial owner, they might think that they are a target, and they may have some anxiety about what they share with you as an IT partner. It's really important for you to set expectations early, that we don't want to over-calibrate what we do with them and back up everything; in that sense, we want to have some sense of reasonableness. But at the same time, we don't want to go with the least-cost approach if this truly is a source of anxiety and concern for them, and they may be more than willing to pay to make sure that that's calibrated according to the correct level of risk acceptance for them.

And then the two most important questions you're going to get to, after you kind of break the ice there with the likelihood question: you want to know what is the acceptable recovery time objective. And I'm gonna put this in some very layman's terms for everyone in this group, as well as anybody who might view this later. The recovery time objective is specifically how much time something can go out, be offline, and then be recovered within. So it's not just how long can you be down, or downtime. You want to be very specific with them that not only is it downtime, but time to re-establish services should be part of that recovery time objective, our RTO, calculation. So if you know it's gonna take you half a day to reinstall everything on the server, install the configs, run some tasks, put correct users in, put in the encryption keys, password resets, everything that needs to go in, and then you load their data, they need to be very aware of how that works. In some cases you may not have to go through quite so much as far as all those activities are concerned, but as you are talking through recovery time objective, it's important for the business owner to know it's a little bit more complicated than you just reloading a file onto a server and, poof, everything's perfect again. It doesn't quite work that way, as everyone on this call knows, but the business owner would not, so it's very important for you to educate them as to what RTO truly means, end to end.

And then establish an acceptable recovery point objective. Now, this is more important with things that are processing at a very high transactional rate. So if you are in e-commerce and you are processing hundreds, or hundreds of thousands, of transactions, obviously your recovery point might be extremely important. You might want to be able to go back and recreate transactions, you know, as much as within an hour or two of processing in some cases, but that is a very stringent backup, and it would require quite a bit of cost and service to provide. So you want to make sure that you are managing those expectations accordingly, and you do not want to talk about recovery point until you've talked about recovery time, because that has a tendency to help the business owner understand what recovery point really is reasonable after they talk about recovery time. If they say, well, I can be down for, you know, three days, and as long as we can get back to the day that we had the incident, I'm good; or, if we can get back online and rebuild transactions within 24 to 48 hours, I'm good; so then you start having a much more meaningful conversation about downtime and recovery, or bringing things back online, versus the point at which the data is lost and needs to be rebuilt. So that's kind of important as well. Those two conversational points need to happen during this initial conversation.

And then the next two things are things that I added, that I do as sort of a best practice, and that is: do you know if your system is a dependency for another system of critical value? You'd be surprised; a lot of your business owners know a whole lot more about integrations and who they are dependent on than sometimes your asset management people. They're getting data into their systems in a variety of ways; they're not always well documented, especially if the system is older than two years. Sometimes the documentation past implementation kind of drops off, and some people don't always update things like they should. So it's important for you to know whether or not this application is a dependency for something else, in which case your backup plan then takes on additional importance for that other system of critical value as well, because they're depending on you to come up first. And then finally, you want to create a communication plan at that time with the business owner around an incident management playbook script. You want to know what's your call tree. What happens if this goes down? Who do I call? How can the business step in and partner with you to understand: yes, we have an issue, we're going to put our playbook in play, we need to get the following people online to help us ratify or validate that the recovery has been successful, and go ahead and put in any back transactions, or redo transactions or records back into the system, in order to get things back up to the pre-failure point, if at all possible. And you want to make sure that they understand what that communication plan is, and what your service level agreement for that communication point is as well: they get notified within two hours, within four hours; they get notified in 15 minutes if they're a critical application, et cetera. It just depends on your company and what SLAs are around critical systems, as well as tailoring it to the backup itself and what needs to happen in reference to your RTO for that as you bring it back online.

So now, once you get those things established with the business owner, there are a few things that you need to tailor around the system itself or the application itself. What mode of backup is sufficient? I know it sounds like a really stupid question, but for some people paper is good enough; they're actually okay with it being paper, as long as it's held offline. I know one company in particular keeps I-9s of human resource individuals on paper file for two years, and that is their backup. They scan it and it goes in as a part of the person's HR record, but at the same time they keep the paper copy for two years. So then they obviously have two copies, and the paper copy is considered the backup, and it's kept off-site. So it might be something that's simple. Maybe it goes to disk; maybe it goes to tape in some older situations. In situations where none of that exists or is desirable, there are obviously lots of managed service providers in this space that would be more than delighted to walk you through how to back things up to the cloud. And if you have a lot of data, that would definitely be something that you would want to do with some more serious consulting on board, but if you are a small to medium-sized concern and you have a good plan, you may be able to walk through that fairly quickly with Azure or AWS and be up and running with a very solid off-site backup. Why is off-site important? Most ransomware is going to come in directly through your network, so if you're backing up to a share drive, or if you have shadow copies, they're going to hit those before they pull the trigger. So you definitely want to make sure that your backup is off-site. Also, if you have something that's super mission-critical and you think it's super likely that it might get hit, it might also behoove you to have more than one backup instance, so that there is, if you will, an air gap between those backups that's done on an acceptable rotating basis, whether that's weekly or monthly. It's kind of what your pocketbook and your risk posture will allow you. But seriously, do ask what mode is sufficient, and that mode may be different for different types of system or data.

What is the retention policy? I think I mentioned that earlier in the priority sample, but what is the retention policy for the system, or the data in this system specifically? If you don't have one established, the time to get one is now. There's never a better time to negotiate a retention policy than when you're talking backups, because really, you're only going to back up what's going to be used or what you're going to be held accountable for. I do know some organizations that in the past have literally backed up everything forever, and that's not the best policy long term; that actually can legally get you into trouble long term. It is much more to your benefit to have an established written information security plan that says this type of data is kept for this long, and that you can establish a routine basis that shows that you keep the data for that long and only that long, as it applies. Now, of course, data retention guidelines for different types of data are different, so obviously you don't want to keep everything. Here are some things obviously required by different bodies: legal documents you want to keep; for example, leases and real estate things you want to keep for the entirety of your tenure with that piece of property, whether you were the owner or the buyer in that situation. If you have been involved in a real estate transaction, hold on to that contract, period. It is extremely important that you do that in case there is some kind of legal situation that comes up years later, even if you are not in the property at that time. So real estate, IRS data, financial, merger and acquisition data, all of those types of things you're going to want to keep ten to fifteen years. In the case of medical records, there are stringent HIPAA guidelines around that that are age-specific, so if you have patients within your firm that are under 18, obviously retention for those records is longer than for an adult over the age of 18. So do consult the appropriate guidelines, and either ISACA for retention policies, or for legal reasons contact your attorney if you have one, and they'll be happy to walk you through that retention policy time box. But now is the perfect time, if you don't have a retention policy, to get one.

What frequency does it need to be backed up? Sometimes you only need to back it up once a month; there are just not that many changes in this application over that time period. It might be daily; it might be an incremental over the course of the week and a full backup on Sunday. You're going to want to look at what those requirements need to be from an RTO/RPO perspective that you've already gained from your initial conversation with the business owner. And then what kind of backup are they accepting, and what is acceptable? What works in this situation? In some cases they're using a backup that's acceptable to that version of that COTS software, and that may be just fine. So it's a data file, essentially, that is configured to work, if you will, by being reinstalled into an existing situation. However, there are other situations in enterprises where it would require you to completely strip the server, do an app install, know what the configuration was prior to failure, and then also install the backup accordingly. So what kind of backup are you talking about when you say, yeah, sure, we'll back that up? Be specific with the business owner, and the technical owner for that matter, as to what that backup would entail, what that backup plan should entail. And then finally, do you need to store copies independently, as I mentioned earlier about air gaps between separate locations, et cetera? And make sure, if you have a dependency, that you work with whoever the application owner of the dependency is on the order of operations to restore. If you happen to be lucky enough to be in an enterprise operation where you have either a disaster recovery or a risk management function, I would obviously recommend that you work with them as to what that order of operations is as a part of your overall disaster or business continuity plan, so that as you conduct exercises you do them in the appropriate order, so that operations are restored optimally across all dependencies.

So once you've got your plan all put together, and you've got your checklist of requirements and what you need to do for that particular application, next you're going to put those things into play. A couple of best practices to reiterate. Number one, you want to identify an off-network location for the backup, and yes, that includes if it's a paper backup; you definitely want it off-site or off-network, so that it is completely not reachable by someone who is either (a) an insider threat or (b) ransomware laterally moving within your system, et cetera. You want to make sure that you are off-network, that you are not relying solely on something that's on a share; even a segmented component of your network is less desirable than being completely separated. Do not rely on shadow copies, and do not rely on an alternate share. You want to use a separate network account to perform backups. This actually made a whole lot of sense to me as I was doing research for this talk today: the taking of privileges, or the exploitation of privileges, via phishing emails, for example. If the person who's exploited happens to be an administrator, then they can use administrative privileges to actually reach into the backups. So you want to avoid that. You want to make sure that there is a separate network account, preferably checked in through something like CyberArk, et cetera, that performs those backups, so that it's not a specific user's network credentials or administrative credentials that do that, to prevent any kind of compromise of those credentials from then compromising your backup activities, especially unbeknownst to you.

You want to automate backups using the RPO and RTO policy parameters. Automation is the way to go. Most of these things, if you go to the cloud, you can set it and it'll go off like clockwork. It is a whole lot better than having somebody put something on their calendar and manually go back something up. People get sick, people leave the company, things happen when you have a manual schedule of backups. If it's not something that you can automate, for cost reasons, you should have more than one group or more than one person responsible for a manual backup schedule. I happen to know of a hotel chain that had an issue with this, for example, on a New Year's Day clock-over: the person that had taken over the front desk was also responsible for backing up the computer overnight, from the previous year to the next year, as a part of their duties. Well, something happened with that backup, and they lost the better part of that calendar year. Again, when you're doing manual backups, things can happen; there's a human error component of that that really should be listened to. So if you can automate, automate, automate. And also, that legitimizes as well that you're following specific RPO and RTO policies per your conversations with your business owner. You want to make sure that you locate and store encryption keys, certificates, and passwords also separately, off-site. It doesn't help you if you put them in the same location, obviously, as where the backups are being kept. That again is something that is a good best practice. It goes without saying that you want to make sure that you do encrypt your data both at rest and in transit to its backup location, so making sure that you have those encryption keys available and that your digital certificates are up to date is very important.

You want to perform a tabletop exercise at the initial launch, or implementation if you will, of your backup strategy. You want to perform a tabletop exercise to simulate a loss, whether it's the fact that you can't get to it, or you want to build up completely in parallel a complete failure, to see if you can follow that recovery playbook and the communication plan with the business owner in the know. Obviously I'm not asking you to spring this on them, but at the same time you should perform that tabletop exercise to prove that you can recover the system completely, back to the recovery point that you agreed to, and during the recovery time box window that you thought you could. You want to confirm the actual time to full recovery with an application. They may think, or even technical owners might think, hey, we could probably get this thing back online; give us the file, we can have it back up online in probably about three, four hours. Okay, well, let's test that. Let's see whether or not that's true. In many cases, if you don't have a solid playbook or you've never had to do it before, it can take up to three days in cases, and that's kind of an eye-opening experience to a business owner who feels like, oh, well, my tech guy says that he can get things back on in three hours. Well, you need to prove that out. I'd hate to make an example of anybody, but part of having a solid recovery is understanding what it's going to take to make that solid recovery happen, and setting realistic expectations around that recovery timeframe. If it needs to be better than that, then what are you going to have to do, or what are you going to have to spend, to make that happen? And again, if it's a do-and-spend proposition, it's not your proposition to answer; it's the business owner's to accept. And that is where the rubber meets the road in situations like this. So confirm that actual time to full recovery with application and business owners.

You want to update the playbook with any lessons learned that you identified during the tabletop exercise, or any gaps that you found during testing. Maybe you found out that there was a key password, or there was a key configuration, that was not part of the initial playbook and needs to be there. For example, something as silly as, well, our templates for our automated emails didn't come over in the backup, so we know next time that we're going to have to copy and paste those into a file and then redo those ten configs as part of bringing this back online, right? It might be something as simple as that, but it may not come across with the backup. I know that's true with one system particularly that I work with, that those templates are only good for that particular installation. So you want to update your playbook with lessons learned and gaps found during the testing.

And then the next phase, once you get that all documented, you're going to move into what's called a monitoring phase, and this is where risk management really comes into play. It's not a set-it-and-forget-it thing. It's very important; you put in a lot of time and effort to make sure that you can not only back up the appropriate information but actually restore from it as of the tabletop exercise date. But again, things happen, right? People change, systems change, the environment itself could be breached during that time. Backup failure notifications should be monitored for. Now, in some cases those backup failure notifications may fail themselves, okay? And if they do, you need to have a backup: a periodic file review on your calendar to go and look, on a set basis: is the scope and size of the files that were being backed up consistent with your baseline? Is the data integrity there? Can you open the file? Is it readable? Is it truncated? Has anything happened to the data integrity of the file? Not necessarily that you want to go through everything to restore it, but open the file and make sure that it is readable. It seems kind of silly, but it's a basic thing that can be done in two seconds and identify a major problem. And then of course delivery: if you're not getting a failure notification, but you know that notification piece has failed, and you go in and look where it should be
being delivered on a let's say weekly basis Sunday at 3 a.m. then and there's no file there for the last three weeks and you haven't gotten a notification failure you have maybe more than one thing wrong right so some of this is spot checking to make sure that you know that things are working according to that plan on some kind of routine basis if you have had a back up failure notification and you want to have a procedural document ready for the team to go in and say what do I do about this backup failure what caused the backup failure was there a collision was there a problem in the network transmission when can we redo that backup kim do we need
to communicate that we have a gap in data if that's something that happened during transition can we go back and rewrite to that point in time based on our current situation or not so what are your options those are the things that should be outlined in the procedure document for a backup failure and you should be following those rules with your business owner and yes they should be notified if there is a backup failure and what you did about it and then finally backup the support file change review as well on that same periodic basis if there's been password changes you're going to rotate passwords every so often if you're doing that manually versus systematically you're going to
want to make sure that this file change is updated encryption keys are still valid Digital certifications are still active and then the other thing you want to do in at least an annual basis you see who's actually been accessing the backup files other other than yourself obviously in double-checking things you're going to have an access control list for the individuals who are authorized to look at those backups in utilize them for recovery you want to see if those individuals have gone in you want to see if anyone that's not on that list has gone in or anything you don't recognize obviously all of those would be indicators of compromised so you want to make sure that you're doing
the basics on on the user access review to ensure the confidentiality integrity and availability of those files and then lastly once your you've got yourself on a good monitoring foot you do want to establish that the whole back-up plan it or the whole tabletop exercise if it's more than one system is tested on a routine basis so that there are no issues when not if an event happens typically this is where you start running into resistance with business centers they get a little burned out that you're monitoring their stuff you've shown them that you can perform the backup they don't really understand why we have to have a tabletop every year or every six months
if it's a super critical something and it's important for them to understand that once you've established that footing with or maturity with the application and the backup processes it's important that you maintain it and the only way you can maintain it is to exercise it and make sure that you are catching any changes or problems that have happened many applications establish a maintenance window if your client is resistant to you performing an annual recovery test because they don't have time for it do it yourself schedule a test during a maintenance window and do it I guarantee you you will be held accountable should something happen so if you can't if you can't get them on to participate do go
ahead and exercise the application with notice during a maintenance window to fulfill that requirement it is the only way to maintain 100% assurance that what you have is recoverable and you can live up to what you have agreed to in support of the client so a few last words and then I'm going to open it up to the floor for any questions first of all it's really important to dispel assumptions with clients up front one of my clients in the last year and a half has been a group of attorneys and their assumption has always been that no one no one is ever going to knock back something up and the reality is in a
business that's been open more than five years not backing up everything that thousands of employees or transactions that are millions of transactions that have happened over that time period is not realistic we do have to set data retention policies we do need to be good stewards of our resources and if there is a reason if there's a critical legal or compliance reason then we will do our best to fulfill that commitment however that commitment is for things that deserve it not for everything just in case which was actual wording that one of the attorneys said well what if we need it just in case you just can't build you know an operational practice around just in case to some
extent you have to start being judicious and a good steward of your monies so that's where you have to kind of dispel assumptions as you know I t's going to save you no matter what is not a good assumption setting realistic expectations with the client is extremely important not only from set from the beginning where you're setting requirements with them they have ownership of those requirements but then showing that you can deliver to those requirements so that you have a realistic baseline is extremely important and then finally reinforcing all the hard work you've done only matters if you continually do this in to end that's what will equal success in the end so it's important not just to
talk about it not just to set it up once and forget it but to to talk about it to set the policy to test it and then to retest it on a routine basis so that you are assured that you can back up and perform to the level to which you are being entrusted as an IT partner so those are my last words today I'm going to give it back over to the presenter and if there's any questions or anything I can share with you in the way of best practice I'd be delighted to do so does anyone have questions for Robin
I think you blew them all away.

I kind of doubt that. I'm sure they'll think of 15 other things. It's a lot to take in at once, and I was watching another presenter's presentation this morning on password cracking and it was amazing; I know my brain was blown watching. One of the things that I feel like I can offer up to this audience, and to my colleagues in general, is I've done a lot of what I would call consulting with people to get them around all the tech speak to actually get done what is meaningful and thoughtful in their space, and I'd really encourage you as information security professionals, you know, to take that tack. We get geeky, we all get geeky on certain subjects, but really, when it comes down to it, our business partners want someone who they know in their heart has their best interests in mind and will be their partner when something terrible does happen, and it will; there will be times that there will be something that happens that obviously was unplanned, whether it be a failure, a BCP situation, or God forbid a ransomware one. But if you can get a basic practice stood up around your critical applications, use this recipe, this checklist. I encourage you to use the NIST publication; I have a link to that in the notes section in my presentation, so if you want to download that, feel free to do so. ISACA also offers a variety of free resources in this area; there's a lot of things available. And then our (ISC)² East Tennessee group, I'm the membership coordinator for it, and we have some terrific people in our (ISC)² East Tennessee chapter, and one of the pillars of our mission is to inform and educate around security awareness and in building security culture and partnership, and I take that very much to heart. So join us at (ISC)² East Tennessee, and I can meet up with you there.

Thanks Robin. We're gonna take a short break and then we'll hear from her deke.
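The periodic file review described in the talk's monitoring phase (delivery of each expected Sunday 3 a.m. run, scope and size against a baseline, and whether the file can actually be opened and read), written out as an added example that is not code from the talk or the speaker; the file-name pattern, the gzip archive format, the 25% size tolerance and the sample archives are assumptions made for the example:

```python
import gzip, os, tempfile
from datetime import date, timedelta

SIZE_TOLERANCE = 0.25   # flag archives more than 25% off the baseline size
SAMPLE_TODAY = date(2020, 9, 29)   # constructed review date (a Tuesday)

def expected_runs(today, weeks):
    """Dates of the last `weeks` Sunday runs on or before `today`."""
    last_sunday = today - timedelta(days=(today.weekday() + 1) % 7)
    return [last_sunday - timedelta(weeks=i) for i in range(weeks)]

def check_integrity(path):
    """Return None if the gzip archive reads to the end, else the error text."""
    try:
        with gzip.open(path, "rb") as f:
            while f.read(1 << 16): pass   # a truncated member raises EOFError
        return None
    except (OSError, EOFError) as exc:    # BadGzipFile is an OSError subclass
        return str(exc)

def review_backups(backup_dir, baseline_bytes, today, weeks=3):
    """Delivery, size and integrity checks; returns (run_date, finding) pairs."""
    findings = []
    for run in expected_runs(today, weeks):
        path = os.path.join(backup_dir, f"app-{run:%Y%m%d}-0300.tar.gz")  # assumed name
        if not os.path.exists(path):   # delivery: nothing landed for this run
            findings.append((run, "missing: no file delivered for this run"))
            continue
        size = os.path.getsize(path)   # scope/size: compare with the baseline
        if abs(size - baseline_bytes) > SIZE_TOLERANCE * baseline_bytes:
            findings.append((run, f"size: {size} bytes vs baseline {baseline_bytes}"))
        err = check_integrity(path)    # integrity: can it actually be opened?
        if err:
            findings.append((run, f"integrity: {err}"))
    return findings

def build_sample_dir():
    """Constructed sample: one healthy run, one truncated run, one missing run."""
    d = tempfile.mkdtemp()
    payload = gzip.compress(b"sample backup contents " * 200)
    for name, data in (("app-20200927-0300.tar.gz", payload),                        # healthy
                       ("app-20200920-0300.tar.gz", payload[: len(payload) // 2])):  # cut off
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d, len(payload)   # the healthy archive's size is the baseline

def run_review():
    backup_dir, baseline = build_sample_dir()
    return review_backups(backup_dir, baseline, SAMPLE_TODAY)
```

On the constructed sample the review reports the 13 September run as missing and the 20 September run as both undersized and unreadable, which is the "more than one thing wrong" case the talk warns about when failure notifications have themselves gone quiet.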