
Threat Intelligence, And Communicating Risks From Binary To Board Members

BSides Belfast · 2016 · 40:55 · 49 views · Published 2017-09
Style: Talk
About this talk
Explores how security professionals can effectively communicate technical risk and threat intelligence to non-technical executives and board members. Through case studies including M&A integration, zero-day releases, and major breaches, the talk demonstrates why risk quantification and visualization matter for gaining organizational buy-in on cybersecurity priorities.
BSides Belfast 2016
Transcript [en]

...don't. I'm not gonna apologize for that. Good afternoon everyone, thank you very much for coming to my talk and not going to the other talks; they were all very good talks I've been to, excellent. Thanks very much for supporting this cause. So I'll start with a quick introduction about who I am and what I do, so you get the background to why this talk came about, the concept and the subsequent abstract. My role at the moment is security research; I perform botnet malware analysis, risk analysis and intelligence, threat intelligence as well as risk. I work up in the UK in Warrington, that's outside of London for those that are not part of the UK or have travelled today. I also spend

two days a week at UK CERT as part of the Fusion Cell; so this is a government initiative, so I work alongside government agencies in a very secret office down in London. I can't tell you anything. So, what this talk will not be about: it's probably easier to cancel out what the talk will not be about than it will be to include what it will be about. It will not be about Pokemon Go, so anyone that's not interested in what this talk will be about and has been busy taking Pokemon, I've seen a few people doing it already, you're welcome to leave. It will also not include any references whatsoever to the current ongoing presidential election in the US. Anyone from the US? No? So I can offend.

Excellent, OK. So we'll continue on to the serious stuff. So the abstract, sorry, the abstract for this paper was the difficulty in communicating to board members or executives, what we would probably refer to as non-technical people, or people who were technical once and are no longer able to keep up with the pace of change. Some of these frameworks are there to help us all: Sarbanes-Oxley, PCI DSS. So a number of people are probably familiar with these; just by show of hands, can you show your hands if any of these frameworks affect you directly? So that's a minority, I would say less than a quarter of the room. For those that don't know

the frameworks, can you just raise your hand? So a couple of people; that's fine, it's not a test. So the reason I ask that question is because these directives are intrinsically linked to the work that you do on a day-to-day basis. So is anyone part of a SOC, or a NOC, a network operations centre? OK. So the reason that these critical frameworks, that you probably need to have a quick look at and reference in your day-to-day work, are important is because these are what matter to the board; these are what the CISOs monitor. Why is that? It's because of the gap analysis between the SOC and the people you report into from the SOC, or who visit

them just for some windbreaks, you know, those sorts of people. Right, so effectively managing risks; this is a topic of discussion probably for everybody in the room. We have risk management; has everyone got a risk for everything that they know about in their business? The risk register looks somewhat like this: we've protected our boundaries, but right in the middle there is a way to circumnavigate those boundaries. We can talk about managing risks all day long, we really can. One example of managing risk, or an inappropriate management of risk, is M&A. Has anyone undergone any M&A recently, where the company was smaller than your company, potential business offerings? Yeah. So we talked about supply chains; we

talked about the risk that was essentially small when the company was pre-M&A and becomes a much larger risk after M&A, and that's a risk which has now become a threat. There is a threat, there is a risk; these are not the same. Does anyone disagree? Feel free to disagree. That's good, OK. So would anyone like to say how or why they're not the same, or I can tell you why. OK. We know what risks look like, we know what threats look like; something has to happen in between there for one to turn into the other. There's a lot around me at the moment, and I have to be very, very careful where I stand: a lot of risks, so I can trip over

and fall and bang my knee; that has now become a threat. It doesn't quite work that way in cyberspace, unfortunately. So now we move on to the perception. Who knows what this is? Close, I think it's Norse, maybe. Fine, I'm wrong, sorry. So who's got one of these, who uses this in their SOC or NOC? No one's gonna own up to that. OK. So this is a perception; there's nothing wrong with laying a perception down for those who are at the coalface day to day. This sells our story; this tells a very simplistic story. So we all know what this map does, it's a live attack map, isn't it? No, it's not a live attack map,

so that's the problem. This is only a pew-pew map; it has absolutely nothing to do with live attacks. Welcome to the Internet, this is called: if you've got a presence on the Internet you will be attacked. Norse or FireEye, whoever developed this map, saw this was an opportunity to have almost a differentiator in this area; they thought they'd demonstrate what an attack looks like for executives to be able to consume. Executives love this map, absolutely adore it. Show me the threat map, show me the pew-pew. Are you hacking in your hoodie? Has anyone ever hacked in a hoodie? No, I don't think so. So yeah, it's an ongoing joke; you know, in all corporate slides there is one of these

images. There's one in mine, there's one in probably yours, and I don't own a hoodie. I'm nearly forty; if I was seen in a hoodie I would lose a lot more respect. So that's the perception; we've grown this perception on the back of a lot of negative press, together with these sorts of threat maps. You know, everyone's familiar with the Threatbutt map; that's the one I prefer because it basically poked one in the eye of threat maps. So we'll move on from the perceptions to some of the reality. Multinationals: does anyone work for multinationals, large-scale multi-corporates? Yeah. So APT: if you have any IPR, any capabilities to develop CPNI infrastructure, you're probably going to

be an APT target. Now, when you say APT, say it quietly, because it gets people very excited. I know this because it helps get capex signed off; if you need budget for something, just mention APT, you don't even have to define it, it's very, very simple. But I'd say it's not... not everyone is a target for APT; you may be a target for people who like to deliver commodity malware. That's still a threat, it's a risk. So I asked before how many analysts, the people who spend a lot of time in front of a computer monitor actually doing work; you know what this means? Just raise your hands. Almost everyone, OK. So there's a very, very fine

line between being an analyst and being able to communicate risks effectively to a board member or to an executive, a CTO. We're talking about the office of the CTO here. If I show this to the CTO, hands on heart, does anybody know what they would say? Would they be able to communicate to you what you know? Probably not, and that's not their fault, that's not their role, they would say. But having a basic understanding of these threats is critical. I refer back to the previous slides about the frameworks that sort of protect us as analysts; it's key that we understand those frameworks. It's two-way. So the reality to the analyst is this; the reality to the

criminal is this: they just care about money, that's all they care about. So we can flip that on its head; the reality to the board is... anyone in the telecommunications sector? No? That's good, so we can talk about TalkTalk as a case study. Unfortunately the case study is pristine; it's an absolutely perfect case study for anyone to look at how to acknowledge risk, or not acknowledge risk, depending on your viewpoint. So we talked about this skills gap in cybersecurity; you know, [inaudible] are hiring, Rapid7 are hiring, we're looking for these good skilled people. The reality to the board is directly impacted by the lack of skills. So a teenager caused a

massive amount of damage to what is effectively a CPNI market partner; TalkTalk supply very, very critical infrastructure to the UK government, and this was done by a teenager. I've had a question before about how old this guy was, from about 13, 14, 15 or 16; I know he was a teenager, that's all I know, and he literally was in his bedroom, probably wearing a hoodie. But at the moment the biggest problem for you as an analyst is getting this message across. You can see over a period of a number of months where numerous risks were communicated to TalkTalk; there was XSS, there was SQLi, these were all publicly available, and a number of times they

were informed. So for whatever reason, and I'm not using TalkTalk as a yardstick to beat with, this is a case study, but risk was not properly communicated, and the end result was Dido Harding was in front of a parliamentary committee as a result, to explain why. So there could have been 30 or 40 people telling Dido Harding that we need to fix this infrastructure, but the person on the end of this information receiving it probably didn't understand what it meant, and that was made clear by Dido calling it a "sequel", "sequel-y"; she didn't refer to it in the proper terminology, but she was communicated to wrong, and that is an absolutely perfect example of risks not being communicated

effectively. So I'm not going to stand up here and say I work in security, we're great. You know, we've got companies in the room at the moment who have been subject to incidents; whoever knows about Hacking Team from Italy, sold and traded in commodity exploits, they were hacked. The past couple of weeks we've seen what were referred to as cyber weapon auctions, whatever that is. We can't all be great, we can't all be perfect, but we can mitigate that, we can identify risks. So from a standpoint, from my perspective, I can identify risk early, I can communicate that risk early; subject matter experts, we know what we're talking about, effectively. Well, I think I do

sometimes. I can communicate, hopefully, in a way which someone above me can digest and disseminate appropriately. Clearly a company, or sorry, an entity as large as the NSA has got massive, massive scope; this may not apply to them. So we've got dissidents inside the NSA who've moved to Eastern European countries who are now being blamed for this sort of incident; so it can backfire. Now we move on to what I mentioned before: I told you there'd be no mentions at all of the US presidential election. I lied, I'm sorry. So we'll talk a little bit about how risk turns into a threat, and again a perfect case study. I couldn't have written this; you couldn't have

looked it up on the Internet. This is a Wikipedia article which you can almost copy verbatim for a case study. So in 2010 Hillary Clinton decided that she did not need any sort of security. She'd been probably Bill Clinton's closest ally outside the security team in the White House, for the DNI, and basically she did not want security from the White House; she communicated on her very own personal device. There is a document online, which I can share in the slides, which shows a conversation between Hillary and, effectively, the IT team, where she says I don't want a BlackBerry because my emails go to spam. She then built an email server in her

basement. I don't know what it is with Americans building email servers in their basements, and big basements; I don't know why they're so possessed by that, but it is what it is. But the problem with that is she did not perceive that in a couple of years' time she would be a presidential elective and then become a greater target, which is effectively a supply chain, a human element supply chain. But the problem was everyone else realised that that was a problem, particularly, maybe, potentially, an Eastern European company, country sorry; the attribution part I'm gonna leave, that's not my talk. But whatever the problem was, the risk was not communicated to Hillary that she may one day stand to be president; the

most powerful woman in the world has an email server in her basement. But the end result, how that can happen, is a catalogue of errors from the bottom to the top; no one person will be blamed, clearly, but this doesn't start... it does come down. So this is a story from the past week; these stories almost write themselves. In the past week, this was the SEC filing: someone resigned because they were running an email server in their basement. This is not fictitious; the SEC filing is at the bottom. I get the opportunity to use this excellent laser. In the past week this guy has resigned, and he was a major shareholder in this bank. You can't make this up. So

the most powerful woman in the world leads by example, puts an email server in her basement, so then someone who's managing finances does exactly the same. Leading by example leads to bad choices. So I don't think any slide deck is complete without some mysterious but well-used phrase. Is anyone familiar with the Thirty-Six Stratagems? It is an actual phrase; it is an essay written by the Chinese. OK, that's good. So this is a Chinese essay used to illustrate a series of stratagems used in politics, in war and in interaction. The theme of loss is key to this talk, because when we identify risk it becomes a threat if we don't communicate. So there's one line I've highlighted; this is a quote from

this particular stratagem; there are 36, and this one stood out because it was so cognisant: sacrifice the plum tree to preserve the peach tree, which essentially means we've got greater goals, it's a sacrifice; we've got lesser goals to sacrifice. If we look again, not using TalkTalk as an example, but a lot of companies stood up and took notice because this was on our doorstep: this was effectively one of the biggest telecommunications companies in the UK hacked by a teenager in a hoodie in his bedroom. It doesn't get any more... the gravity of that conversation you have with executives really does resonate, to be able to say that these so-called... sorry,

underage hackers taking down millions of pounds' worth of infrastructure; that conversation really does resonate. But the conversation does not end there, because even when you tell a company where you have limitless resources, as Target do... I'm still... at the time this happened. So just by a show of hands, who knows what happened at Target? OK. So for those that don't know, this is probably the most significant cyber breach in the past couple of years, aside from OPM. This again is a case study, is that you can have all the resources, you can have all the manpower, but again if the message is not communicated then this will happen. So I put some stats up there;

this one here stands out. So does anyone manage capex or manage budgets? Yep. So I would assume this one to you is a bit scary, yeah? So I couldn't afford to lose three pound forty at the moment, never mind three point four billion dollars. That's to date, that's in terms of insurance payouts, and the reason for that, the effective reason for that, was logs were not reported appropriately. So they had inline visibility of malware leaving their network and credit card details leaving their network, but for some inexplicable reason the alert was not raised; they saw the alert and moved on. I can't understand why, explain why; maybe they just didn't feel

like alerting. Yeah, nobody knows. The end result is that 11 gigabytes of data was exfiltrated: 17 million personal records and 30 million credit card details stolen. Big numbers for someone that doesn't acknowledge an alert. So Bloomberg did this GIF; I absolutely love it because it's perfect, it sums up exactly what happened, is that they were an easy target. Well, that's what they would like everyone to believe; they were popped, to coin the phrase, by the supply chain, but effectively when they did that M&A they did not identify that risk. So real threats. Real threats: Shodan. Who uses Shodan? Cool. Now, I really love it; it's the worst thing on the

Internet. You know why? Because anyone can use it. So your company will have a presence somewhere on the Internet which is crawled by Shodan; my company does, every company I support does. So that's why it's a worry, that risk; have you communicated the risk? And I'm using Shodan as a crawling example purely because I know it; everyone should have a familiarity with it. If you haven't, go online, it's very, very cheap to buy an API access token and you get lifetime access. But the problem with this is this highlights just how broken security can be, and I attended Black Hat a couple of weeks ago and saw this work from this

guy. This was effectively looking for VNC on the Internet, and he was able to pivot inside someone's network. I have never been so scared in my life; he was inside someone's network by browsing Shodan, and he identified the CVE, a CVE against the protocol used inside VNC. Does anyone use VNC internet-facing? No one's gonna admit to that, that's good. So we've got some less interesting stuff now, but equally critical to what the whole concept of this talk is about, and it's boardroom views. Has anyone ever been invited to talk to a CTO or a CEO about cyber issues? Is it difficult? I can see it in your face. OK, so the problem that I have,

or the problem that I've seen, is when you approach or you have a conversation with board-level members, they want stats, they want graphs. It's very, very difficult to measure risk in stats unless you can put an algorithm behind it, but thankfully the most powerful country in the world have been able to manage that for us: cyber is on the number one page of the Worldwide Threat Assessment. We're all gonna be in the job for a very long time, thankfully, but the problem with that is we're all gonna work very, very hard to get it off page one. So in 2012 there wasn't much conversation in the DNI; DNI stands for Department of National

Intelligence, by the way. There are links at the bottom to go and read. This comes out, well, it usually comes out once a year; it's been off the past three, I think it's a bit late this year. I recommend you go and read it. So as I mentioned before, boardrooms love graphs. So, interactive again, just by a show of hands: where does your role in cybersecurity lie in this chart? Is it one, two or three? If it's none, raise your hands; if it's all of them, raise your hands; if it's just a couple of them? OK. So the right answer is all of them, in my opinion; I'm not going to force that down

anyone's throat, but in my opinion you cover all of those areas. Why? Because risk, the whole concept of this talk, is about identifying risk. One of the abstract's calls which surrounds my talk was a case study on credit card data. You will probably work in an infrastructure or customer-supporting area where you support some sort of storage of personal information, whether it be credit card data, National Insurance numbers; are you aware where that's stored and how it's accessed? If you don't, find out. If someone only works in compliance, poke the bear; there's nothing wrong with that. So we talked a little bit about the human element, so we refer back to what we call the elementary part

of the SOC. This sort of candy, everyone knows this, probably got it in, you know, your NOCs and SOCs. This one is a little bit better than the FireEye stuff; it's actual tangible data. So what does this actually mean? It's that as a SOC analyst, and I'm talking explicitly to SOC analysts here, I've worked in SOCs, I've worked in numerous SOCs and NOCs, this part of your job is absolutely critical. Why? Because there are no days off. You may work shifts, you may work rotas, but when you walk out of that SOC or NOC do you completely forget about your job? It may be a personal thing; that's the last thing on

your mind once you walk out of there. But that is intrinsically linked to the human element of being able to communicate the risks outside your role to those at a higher level, and that's not a term that I would use lightly; higher being in hierarchy, not in status. So the reason I mention this is because a prime case study would be, in the past couple of weeks there's been an incident where a number of zero-days were dumped on the Internet. It was late at night UK time, I don't know what it was in the US. I use this as an example to be able to engage the incident response teams and say, listen, we've got a heads-up of what's happening

right now; this may be a problem for you guys. You guys, new guys, can't really validate at the moment because it's, you know, been spat out on the Internet; what do I do now? It's a case study in itself, which is identifying risk early. So again we go back to the SOCs; you and I love SOC analysts because they're so switched on. I'm a SOC analyst myself, a network defender; I like to think I'm switched on, maybe I'm not. Does anyone know what this is? Anyone used it? So it's a log file... it's a visualization tool. Do you know what this particular one is visualizing? Does anyone know? This is a DDoS attack. That's also a DDoS attack. Which one would you

choose to show to your board, or an executive, or a CTO? It's the first one, of course, it's the technical part of you. They both mean exactly the same, exactly the same. If someone sent me a visualization like that I'd say, excuse me, what is this? If someone sent me the other one I'd have a fair understanding of what was going on, and that's how you communicate a risk and how you communicate a threat. You can use visualizations, you can use human elements, or you can just show them a dead page: your 100 million dollar budget that you've got sitting behind this database is offline. Or you can show them the other one, depending on your viewpoint,

whatever gets the message across clearly. So we move on to risk intelligence. Does anyone know who this gentleman is? Yes, thank you very much. This is Mansoor; he was labelled a dissident by his own government, so we've got some comments to apply. He has been arrested, he has been imprisoned, he's been tagged by his own government for his human rights activities. So he's a target; he understands his status. He's been hacked a number of times; he communicates very quickly with his, effectively his incident response team, which is Citizen Lab. Anyone here know Citizen Lab? OK, so Citizen Lab, University of Toronto; just google them, fascinating work. He was able to identify this risk very, very early; the 20th of August, I

believe it was, he received a text message which, basically, long story short on this part, contained three zero-days for the iPhone. If he'd clicked it he would have been popped; it's as simple as that. But he knew his status, he knew he was a target, so between the 20th and the 29th of August he was able to communicate effectively what the risk was to what was his incident response team and be able to get that out to the public. On the 29th of August it appeared on what I would call the BBC News, which is where your CTO reads the news, which is the last place you want them to read news. I've got no reservations on where

the news should be reported, but if your CTO reports articles to you from the BBC, someone somewhere needs to have a quiet word, in my opinion. That is another case study on how to communicate news. The polar opposite to Mansoor is this lady: not knowing what your status is, not knowing where you could be in a number of months, and not knowing how to communicate risk. There is one sliding scale here; one is a case study in how to do it, and one is how not to do it. Can anyone tell me which one is which? So we come on to this part, the interesting part. As I mentioned before, there was an incident last week, a

couple of weeks ago, which basically, it was a tweet before. So it was the Equation Group compromise; it was, for lack of a better word, unverified by a lot of people, it was developing over a number of hours. The conversation you probably had, you had this face as a result; nobody knew how to respond. There is something on the inside that may affect all of our perimeter security; what do we do? That's basically the face that was pulled. But therein lies the answer, is that you've already communicated this risk. You may not have the answers right now; in 24, 48 hours you may have the fundamental answers with a bit of research, and we did, we managed to flesh it out. We identified our

early risk, and the threat didn't go away, because obviously there's an inherent risk in this, the threat is still there; but that is a core principle of communicating effectively and quickly. So this is the ICO in the UK; these are some stats. I used the word "lot" a lot in this one, without it meaning much; you can go and visit these and get these statistics, but I've tried to use a very unscientific equation, which is "lot". The health sector have a lot of security incidents; local government fax to the wrong people a lot; education, education, excuse me, lose a lot of unencrypted devices; finance, insurance and credit, that's also post and fax to the wrong people.

Does anyone see a theme here? Traditional technologies are failing and there's a human element involved in them all. Now this picture is one of the greatest pictures on the Internet in my opinion, because it comes with the phrase "it pays to understand the technology you're working with". It's not real, by the way, in case you didn't know that; they are photoshopped. But the phrase that accompanies this picture is "it pays to understand the technology that you're working with", and that ties in slightly to the "no days off" rule, or what I perceive as the "no days off" rule; that's not a literal rule, obviously everyone's entitled to a day off, but if you understand the technologies that you're

working with you can identify risks a lot quicker, a lot earlier. Acronyms: who's a CISSP? OK. I've got no opinion on any of these; I've just used them as an example. So they both use the top-down approach to security, both bodies; they both believe that as a hierarchy security should be pushed down from the top and be embraced from the bottom, one-size-fits-all, which as a principle probably does work. Or does it? There's nothing wrong with studying and suggesting otherwise; the principles that lie in both these bodies are fairly routinely criticised, for good enough reason, but for one reason or another I don't believe a top-down approach to security works in every single environment. Maybe in one, maybe not in

another, but these acronyms, which are associated with the study that goes with them, I don't believe that they should fit everyone. So what you will find is that a lot of people, or board members, will accredit themselves with a CISM or a CISSP and think that this approach will work in every company they go to. Conversation pieces [inaudible], they can be principled, but at the end of the day you are a subject matter expert; they're probably not, not just because they've got these acronyms after their name, but because you know better. If you're a SOC analyst trying to explain what a DDoS or a UDP reflection attack looks like, the CEO is not going to

know what that means, but if we visualize it with the tools we've used, probably we'll get them on board. The lock-in, getting them onside, is not easy, but being able to show people the technical expertise that you have in whatever way it may be, that doesn't mean hacking all the things, or otherwise in some cases, being able to show what you can do to the board will get you on board. But situational awareness is absolutely critical. We used Hillary Clinton as an example, we used Ahmed Mansoor as an example; understanding your surroundings and having a situational awareness of what goes on around you will put you in good stead, because if it doesn't, you can show

them this picture. This is effectively what happened to TalkTalk; again I'll caveat that by saying I'm using TalkTalk as a case study, not as a yardstick, because this is effectively what happened when TalkTalk had their breach. A lot of people will have looked and said, there you go, that's exactly what could happen to us. Now, are you going to take notice, or are you going to continue to put a risk around something? You know, the first slide I showed you with the white eyes and the lock, that's effectively what that was. So you can show them the slide and say, listen, the house down the road is on fire, please don't let it be us. We communicate

these risks. So thankfully help is coming. We talked about these frameworks that are here to protect us; here's a new one. So in July 2016, some of the attacks that have happened over the past ten years, almost, between Ukraine and Russia have forced NATO's hand to identify that cyberspace is now a fifth domain of warfare. This effectively means that you can go to war with someone if they perform what they call a cyber attack. That doesn't mean if China DDoS your firewall you can go to war with them, but effectively it classifies that as an act of war. So don't go home and blame me if your firewall's offline by someone in Russia, please. That's another caveat.

Part two: GDPR, the independent data protection officer for GDPR. So this is a regulation put together before a very famous vote recently, which may need to be revisited; I'm not going to talk about that at all because it's a political minefield. But what I will say is this enforces the viewpoint that a lot of people may have. So I come in on Monday morning and there's a hole in my network, and there's literally a server hanging out of the wall; someone's broken in and stolen all my data for human resources. What do I do? My boss comes in at half nine and says, don't worry about that, we'll just get it fixed. That's not going to happen any

more. People that brush these sorts of incidents under the carpet, they will be obligated to inform legal entities about what happened. So there's more support for your risk analysis: if you identify a potential risk, which is a human resources database being passed around on a USB stick, or which is an open window next to the server room, if you've identified this risk and then it becomes a threat six months down the line, GDPR is your boy. I made this phrase up; does anyone use this phrase, "cyber-splaining"? It's for when traditional security risks just won't do. So one of the more... one of the more traditional security risks is a lost

USB pen or a laptop. What about these? And this: how many CEOs or CTOs understand either what those two are, Mimikatz, PowerShell Empire? Neither, probably not, and that's fair to say, they probably shouldn't, but they should have visibility of their capabilities and the impact. So Ashley Madison, everyone understands the impact that had; they were attacked in part using PowerShell Empire. Be able to explain the impact of that attack and some of the artefacts that were discovered. So PowerShell Empire, for those that don't know, just raise your hands if you've never heard of PowerShell Empire. OK. So PowerShell Empire is an attack framework used to deliver post-access, well, effectively post-access; just

google it, you know, be amazed about what it can do; you can play music remotely just using PowerShell. The problem with that is it becomes a lot of work to be able to identify that risk, but that's a whole different conversation. But identifying that risk early and saying there is a new genre or a new level of attacks which don't touch disk: what does that mean, what are you saying to me? That's the comedy, that's how it goes: what do you mean it doesn't touch disk? You've identified the risk; don't worry about that, put it on the risk register, go ahead and say this is very important. Lockheed Martin Cyber Kill Chain: I'm assuming everyone's familiar with this one; if you're not, understand the

principles, because they lead into every single part of cyber security, and physical security in some respects too. I'm not going to belabor the obvious and talk about this; you already know about it. It's excellent because it highlights risks for you. Gap analysis, perfect: you could turn up and poke the bear in so many different places. If you follow this protocol it works excellently. The question to the people in the room, ask yourself this one: where are your risks and threats? Is it an insider threat? Is it an adversary, which could be classed as an insider threat? Is it mistakes, you know, the lost USB stick, the lost mobile phone? Whatever those risks are, register them. Sorry: tokens, honeypots, internal honey

tokens, identify these people, identify these risks. These are all large-scale changes that need to go before change advisory boards. I'm not saying go and change the world; I'm saying identify these risks. The impact is the same. What... that'd be great. Sorry, error on my screen. Make this your goal. This goal doesn't effectively mean sitting in a boardroom having a CEO conversation; it means having a presence. A large number of companies are now adopting a new officer role, so you have a chief operating officer, a chief financial officer, and a new role which is exactly what we've been clamoring for, which is a chief digital officer. This is someone who works in a SOC, or someone who analyzes applications, or understands

the cyber threats well enough to be able to explain them to the board. This can be anyone in this room, absolutely anyone. If you're in this room today and you've attended this talk, you understand; you are a subject matter expert. This can be you, and there's no reason why it shouldn't be you. You understand the risks; you can appropriately communicate the risks before they become threats. So I think I'm running out of time; I think it's five minutes, so I'll speak very slowly. So, takeaways, hopefully: ingesting intelligence can be challenging, and then disseminating it even more so, but this should help. Early eyes on, visibility, and communicating them should help. But please do not run an email server in the

basement, especially if you are going to run for president. Q&A: so I've got a couple of minutes for Q&A, and some details here if anyone's got any questions. If you don't have any questions, my email's there; I don't really answer emails, it's not about you guys, I try not to answer emails because, you know, it's not a very good way of communicating. I'm joking. But my Twitter ID is there if you want to post any questions there. Thank you. [Applause] Sorry, did you have a question? Yes. Oh, GDPR, so that's a regulatory authority. It's difficult to talk about it now because of what's happened. I don't profess to know everything; I know a bit about what it's going to do, but what it's going to do

is give support for people who are in the position to make changes but can't make those changes. So the example I used before was that if there's been an incident which you're having resistance in reporting to the appropriate authority, GDPR will basically make the people in the boardroom sit up and have to report these incidents. That's due to come in in 2018, but it's subject to significant change. So the question was there... sorry, I need to repeat it back: it was to talk a little bit more about GDPR. So if anyone's interested in that, there is a European legislation called GDPR; there was one slide on it and I didn't belabor it too much, but it's going to

basically make people in positions of power acknowledge risk a lot more, and communicate that risk, and be punishable for that risk, which basically helps all of us. Any more? Sorry, what's that? Brexit? I'm sorry, what was that? It was, and still is, so as far as I know... so I won't go across all this, I'll try to answer: as far as I know, we don't... just because we, and I speak for the collective we, sorry, we don't leave the EU in terms of legislation. We've agreed the legislation with the EU to report these incidents; because of Brexit, I believe that will still be the case. I'm not a specialist, but I believe we are bound to some of

these agreements. Now, subject to change, but as far as I'm concerned that helps all of us. So the question was how does a sector-specific CTO or CDO deal with these threats? Okay, so that's a good question actually. So as part of my role within CERT-UK we perform exercises; so we have utilities exercises where we will probably test the resilience of a utility sector. An incident will run, a mock incident, which will be maybe someone's tried to hack a SCADA system, and we test the resilience that way. That will probably be a benchmark; we could then report on it, you know, and if the CTO didn't respond to numerous text messages that there was a chlorine attack on a water

filtration system, we could report on that: the communication aspect was wrong. But that's just one element; that's one specific utility. The question, for those that didn't hear it, was what we think of people that use fear for communicating. They don't need to use it, in my opinion. There's enough significant cyber attacks... well, there is enough significant cyber activity out there at the moment that, if quantified correctly, can get people on board. I don't think anyone needs to use fear; I don't think I'm wrong in that. And I think there's been, what's been in the past 24 hours, Dropbox, Spotify, all incidents of note. These sorts of risks, appropriately communicated, are on the radar dashboard of CEOs and other executives.

There are always breaches, almost daily breaches, or regurgitation of all the breaches, and where they're properly quantified there's absolutely no reason to use fear. So, to answer that question, sorry, I've got no time to think about it: people that use fear in the position that they are in aren't communicating appropriately, and they're using misinformation. That's my answer. Any more? No? Thank you very much, everyone.