
BSidesKC 2018 - Britney Hommertzheim - Selling Security

BSides KC · 2018 · 50:28 · 34 views · Published 2018-06 · Watch on YouTube ↗
Speaker: Britney Hommertzheim
Style: Talk
About this talk
Why can't you get the 5 basic building blocks of security implemented? Knowing them is the first step. Getting someone to sign off of them can be hard enough. But the hardest part is that you have to make them stick. We'll discuss the five basic building blocks of security and talk about how you can become the influencer that makes security possible.
Transcript [en]

Today, first talk here on track 2: we got babies, we got puppies, we got cars, we got exercise, we have freedom, guessing games. I don't know what all this has to do with selling security, but whoever is already here is about to tell you, so take it away, Britney. All right, so I think we're going up. I want to make sure that this is moving. Maybe not. So first I want to give kind of a warning: this is going to be very participatory, so if you are not interested in participating, I will not be offended; now's the time to get up and move to another track, or maybe things might be a little bit less

exciting for you, where you can kind of relax for your morning. So with that being said, I first need... also, if you're really scared of yelling out stupid answers, once again, another track. Now I need someone who really is bad at whistling. Any bad whistlers? All right sir, you're now my whistle person, congratulations. Any time that you see Otis on your screen, your job is to blow that whistle. Time to show your whistle skills. Now I need someone that eats candy, two people here. You go, and in German is back. So these are our candy givers for people that participated. You won't have to be lobbied. You do, either you have really really bad athletic

capabilities for anyone you they were movie then I think number ra7 their skills are lack thereof. Yeah, like I said, it's gonna be a little participatory, so don't be afraid to yell out answers. I'm gonna be expecting you guys to answer questions as we move through this. So we're talking about selling security, and guess what, we're not actually going to be selling security. We're going to talk about the five basics and actually how you probably sell that to your business: how do you get someone to fund them? A lot of times we have problems getting the company to buy in. So we're going to briefly kind of go over five security basics, then transition into how you're going to make

an impact. And let's be honest, this is the only reason companies care about security, right? In these positions we usually see a lot of CIOs starting to maybe investigate the benefits of early retirement; CFOs are crunching numbers because the business has to actually keep its let's and stay viable; and in this case usually Luciano's effects are your CEOs, or generally your face man, right, they're out there in front saying we're going to do the right thing, this is how we're cleaning it up, please don't take your business elsewhere, trying to make sure that stock prices don't fall. This is the main reason why we're all here today. What's unfortunate: these companies have had to deal with the word breach

last year, and this is just a little subsection, right. In my investigations I've looked at these, and 90% of the companies that fell victim to breaches last year did so because they didn't do five basic things. Five basic things. Now, by no means, and I think the basics for their basics, these are five things to start your security program. We'll be talking a lot, a lot, a lot of depth in security here, right, security can get very very advanced, but we're gonna stick to the basics. I use this quote all the time; it's probably one of the best quotes in security: knowing will actually determine the success of your program. Now I'm not talking about

knowing the latest security event, or your threat landscape, or what's out there in the wild, or all the details about the threat actors. Once again, we're talking the basic step: we're talking things that you signed up to protect, we're talking about things that you're responsible for overseeing. So we're going to start with the guessing game. I'm going to show you some pictures and we're going to do a countdown from five. We're going to start with number five, security people, and work our way up to the most important security control. So I'll show you some pictures and your job is to guess the security control. All right, so once again, candy people, get ready,

people yelling out answers, and people that are sitting by people that are yelling out answers, watch your head, watch your general space. So we have a gentleman up here with some... next we have a gal with her hands in the cookie jar, super cute kid, could, could not be related to me; now we've got people with access to things. Very close: privileged management. So we're talking about, essentially, tracking, monitoring, so forbidding some things that people with advanced permissions can do on your network, and this could be a multiple system of multiple systems ability agents. So step one is minimizing. So what are some ways that you can minimize access? Least privilege, so

only giving you what you need to get it done. What about, what are some ways that you can restrict it? So I've given you privilege, right, how can I restrict that access? Barriers,

[Applause]

[Music] [Applause] that you can minimize access, which is looking at times that people are allowed to log in, different locations that they can log in from, what systems they can log into, right. And then when you go to monitor these, you want to look for anything anomalous: essentially, are people starting to log on it by x, are people starting to log on to a system they didn't normally log into, so you're trying to figure out what looks different when you go to monitor. So my first control has six steps, and so I'm just going to walk through it. All right, so whenever you go to inventory, use some automated tools if you're inventorying stuff and trying to figure out

who your admins are. It's not your word; do yourself a favor and use an automated tool. So what types of devices have administrator privileges on them? I think so, again, just about everything. Everything has admin controls on it. So let me ask you, so we're giving away these administrative privileges; who should authorize

okay, so actually we're looking for us McFarland, business side, so your system service, service owners, change management, leadership

So business owners. I would suggest having an executive sign off on them, someone that's in charge of the business, effectively, to sign off on that. And whenever you go to that business executive, make sure you have the business justification: why does this person need access, not just once but continually, in order to do their job? This is the reason why this guy over here, which is kind of in the corner at night, I'm hanging out, you know, needs access on a continual basis to do his job. That should be reported; put it in your ticketing system that you have a business reason why, which can be reviewed later. So next, manage devices. This is really really strange to see under

privileged management. Does anybody want to guess why devices would be under privileged management? Yeah, it's stolen?

Onboarding. Any time you get a new device they usually have default credentials, right? Those default credentials usually have the same levels of access as an administrator, so as you start to onboard all these devices you could go through, make sure you're not accidentally giving out administrative privileges to essentially anyone. So any device can have these, right, most devices do, they have a default credential, so make sure that you check. Next you want to inventory your guys that have these advanced permissions, so know when your admins are changing: you want to know when they're adding, you want to know when they're taking off. Anybody guess, anyone want to guess why

you care about when they're taking off? Throw your boys.

So if all of a sudden someone gets into your system and they want to be the only one that can control that system, I'm probably gonna start taking off people, I'm probably going to make sure that I am the only one that uses that system. So make sure that you're reviewing that, you're getting notifications, and then periodically audit it. So if you have systems that fall under some kind of federal regulation, you're probably going to have to audit your administrators on a periodic basis, but as a general principle try to do it; it is the best security practice. Just get in the routine of auditing every quarter: you have a business justification sitting in your system; if someone's no longer with you,

they should no longer be on that list. It's a pretty easy process to follow. Now we want to alert on failure, meaning if an event is continually failing we want to be notified about it. Why do we care? Brute force. So I feel like this is kind of a, yeah, that totally makes sense: we want to know if people are just failing, failing, failing on our most sensitive accounts, but how many people are actually doing it? How many people are actually getting notified when that happens? Going back to those 90 percent of the companies that failed to do the five basics: this is pretty basic. If someone is ramming your system with administrative privileges over and over

and over again and you're not alerting on it, chances are they're eventually going to get there, right? So back to basics, best basics. And lastly, step number six is using multi-factor authentication. So what are some ways that you can multi-factor? YubiKey, bio, yes, smart cards, certs, tokens, you name it, bio. And there's a lot of ways that you can multi-factor. But let's face it, your business is probably not going to put multi-factor on everything, and in some cases your businesses might actually hate multi-factor. So if for some reason you can't multi-factor and your admins are not going to use multi-factor to get into their systems, I would suggest trying to get your business to

sign off on a standard for passwords. So does anyone know the current standard for passwords? That's great.

Fourteen characters, and change when it's compromised. Two things. No, I didn't say complexity, and didn't say uppercase, lowercase, numbers, special symbols: 14 characters. The other thing I said is change when it's been compromised. So if you have a mechanism in place that tells you when it's been compromised, great, good for you; otherwise you may need to pick a time that makes sense to rotate their password. If you're using something like 14 characters you can probably get away with a year. One caveat on that: if you're adhering to any federal standards, they may not have updated their standards; you can talk to them about that, it's usually depending on who's auditing you. So one auditor,

Derrick and hazard from the canyon, and another auditor, so check with your auditor before you can do that if you have some federal requirements. So these are the six steps we just went over really quickly: minimize and monitor, inventory, justify, manage your devices, know who your admins are, make sure that you're alerting on failure, and then secure authentication. So moving on to number four. Here we go again, we see this gentleman, so it is probably not privileged management. All right, now we see this very very helpless bird. I heard it already: vulnerability management. So it's the word: identify necessity for remediating vulnerabilities. Good news, as discussed, this one has three steps. First step is to

scan, to correlate, staying current, and remediating. Scans: I would suggest doing these every week; if you can do them more than weekly, you have an awesome team, and have a drink with those people. Once you scan and you get those reports, you're going to hand them off to your system administrators. Why our system administrators? They're the ones that are the engineers, and they're going to be the ones that remediate it. This doesn't work this way in all the companies; my view is, if you own the system, you should be responsible for maintaining that system, you're responsible for maintaining the security of the system. Our security people are responsible for reporting on security and advising and

assisting where needed. Everyone should start taking ownership of their devices. Next: once you have your findings, go back to your logs and start correlating what you're actually seeing in your traffic and look at your vulnerabilities. Are those vulnerabilities being exploited, or is what you're seeing, your attack, does that correlate to some activity that you're actually seeing on your network? This is really really hard to do, especially if you have a small security team; you're probably not going to be able to get to this. But if you have the depth and you have the time and good security team members, this is a really really good step to take; I

actually learned a lot in my process. So next, and what I've seen over and over again, and it just drives me crazy: when you're doing scanning, make sure you're doing authenticated scans. So what that means is, when you scan, the account that you're using to scan the system should have privileges to see inside the system. If you can't see inside the system, you don't know what exists on the inside of your systems, so you're not going to see software vulnerabilities; you're just going to see the outside of your system, right? So if you're starting to look at one of the other reports and you don't see any kind of software on there, that should be your first trigger of:

this is not a credentialed scan. With that being said, now we have all of these service accounts that can log on to the system, so let's revisit privilege, privileged management. Okay, so if you have service accounts that are logging on to all these systems, you probably don't want the same account to have that access to all of your systems. So start splitting up service accounts to see what they can get access to. So same thing with privileged management: you want to narrow the list of people that have access to one system; the same thing with your service accounts that are going to have access to your systems. And then make sure the people that are running these

tools are authorized employees, so probably inventory them in the same way that you would your system admins. Number two: stay current. We know that vulnerabilities change every single day; we're going to see some zero-days a year, so your vulnerabilities are gonna change, we know this. The only way that you can be effective is staying up to date. So where's the white Lincoln Center? ISACs, threat intel. So there's a lot of ways that you can get together and collaborate with that information, so you've got vendor intel, vendor updates, your systems pulling this information; and make sure to stay up to date with the latest alerts, patches, and so on and so forth.

Make sure that you're keeping your systems essentially patched and up to date. And then lastly, once you patch, you're going to compare. So do your scan, get your vulnerability report, hand it off to that system admin, give them time to do this thing, and then on your next scan go back to see: did it actually get patched, and are you providing them something that they can actually action on? Maybe it didn't get patched because they didn't have time; maybe it didn't get patched because they tried it and it broke something and they had to go back. So your job as security: come on, let's get out there, build that relationship, go and talk to that system administrator,

understand what's going on. You may not be able to patch everything, and in those cases you're going to take it, put it into your ticketing system, your change management control, make sure they have a record of that, and then you go back and re-look at those things. You can accept the risk, you know; it could be just a very low-risk patch that you accepted this month, but now three months later new vulnerabilities have come out and this is a very very high risk. Or you start talking about other controls that you put in place there, or maybe you have this guy. So there may be a reason why they're not patching, but make sure, if that is the

case, that that's reported and you are going back to re-look at these things. So here's, real quickly, those three we went over, and we're going to move into control number three. ...management? We're getting good at this. Not quite: configuration management. You guys are getting pretty good at this. So essentially we're going to look at the way our systems are configured; this could be anything on pretty much any server or device that you have, to kind of prevent exploitation of the way that the system is set up. So the first thing you want to do is the kind of obvious: set your standard, determine what that standard's going to be, and then use it.

When you build that image, use that image. You'll have to go back; we already talked about vulnerabilities, vulnerabilities change, you'll have to re-look and make sure that you're updating that image. There's a whole lot of prescription on how often you should do this, but for me the best answer is: know your business, know what your risks are, and make a decision based on what makes sense for your company. Okay, don't try to force something, because then this will never happen. So your image breaks some stuff when you start to roll it out; what do you do? Fix your image. Okay, you fix your image, and bracele 10% minutes ahead documented, exactly the

same thing that you would do with vulnerabilities: you're going to take it, figure out what's wrong with it; if there's additional controls that we need to put in place, great, we're doing a security exception, and then we'll go back and audit it. So same things that you're doing for vulnerability management you're doing here. Next, you want to do some file integrity monitoring, that's FIM. So store your master images somewhere that's safe and secure, and you want to do some file integrity stuff on that. If you are giving out an image to every device in your company, you want to make sure that that image has good integrity, that those files can be trusted,

when you're rolling them out. So once you have your image and you're using your image, make sure your image is clean and it doesn't change. You also may want to do this if you have any critical files that everyone's using across the business, and once again, if you get into some federally regulated data you may have to do this on those systems anyway. So what are some things that you think that you should look for, that FIM would catch? Crypto signage? So I was looking maybe a little bit more high-level: I'm looking for any unusual changes versus routine changes. So if you know that something is happening on that system, you're patching the system, that would be something

that would be expected; you can probably tie that back into a change management report, right. You see, boom, that's changed, and you have a record that it was supposed to be changed. You could look for permission changes, owner changes, and it would be nice if you could see who's making these changes, and trend over time as you move forward so you can see if they're actually valid changes or something is less so. Next are configuration checks. So this is another tool that you're going to need to have; this is actually going to go out and make sure that your system is set up like you say it should be. Usually GPO is

for Windows used here; for UNIX systems you may want to use something like Puppet. Ideally it's gonna go out, it's gonna set your configurations, it's going to go back and check these configurations and every so often change them, or it can push them manually. So if you have a standard, it's pushing it, it's updating it. And this is the last one for this control, configuration management: remote access. This one is pretty easy. You're probably going to need to access all of these systems remotely; you probably have people running all over the place. So when you are reaching out and talking to the systems, make sure you're just doing it over secure channels. Don't use RDP

over something that's wide open; use a TLS connection, SSL, something that's provided by a certificate authority. So here's the top four that we have, kind of hard to see, but establish your standard, do your FIM, do your config checks, and then check for remote access. All right, so we're going to take a break. We quickly went through three; we've got two more left, but you've been sitting in your seat a while, so why not get moving. So here's how we're going to do this: you will stand up if you have ever done these things; if they do not pertain to you, sit. Everyone understand the rules of the game? All right. Now, have

you ever been called to teach your parents or grandparents computer?

Have you gotten into your family's or friend's social media account and posted something on their behalf? Have you ever gotten into your ex's social media account? Have you ever prank-called someone? I'm pretty sure this is going to show your age, or... people out there, I'm impressed. Have you ever clicked on a phishing email?

Have you ever insisted that... Have you ever played a joke on my partner Kenny, my real job? Have you ever planted a random beeping device in an office? So if you haven't done this, this is amazing, especially during a military operation, in 24-hour ops. Have you ever told your boss no? Have you ever installed malware just to see what happens?

Have you ever sent your password over email or text to your friend? I totally had to do this, and then I changed my password. Have you ever told someone to turn it off and on again? Or even better, have you ever had to say, are you sure it's plugged in? Have you ever accidentally bricked your computer? Oh, proudly, secret number of users. My child has actually done full disk encryption on my computer, and she's a PI, so that was amazing. Have you ever physically assaulted a computer or network device? All right, you guys are my people. All right, going again, we can get back in action and answer some questions. So quick recap, these are

the top five that we've got: we have our privilege, vulnerability, configuration management. So moving on to number two. Oh,

inventory of software. So essentially it's exactly what it says. So step one: what should be in your software inventory? Minesweeper? Authorized software, that is, authorized software. Anything else that you'd like to add to that? And then there was a lot of life Stoppers we free software should be on plastics. Owners, developers. So if you have owners that are associated with that piece of software, great. Versions of software is very very good to have; a zero day, if you had a critical type of software, we should absolutely have cinema. While not this entire list of software has to have FIM on it, if you're securing it somewhere, that's it for this

piece, but if you actually have a piece of software that is critical, make sure that it does have FIM. All right, step number two: this is a sore subject for some people and probably unrealistic for a lot of companies, so where it makes sense, whitelist. I understand that your business is probably not going to be able to whitelist all applications across their business, but if you can, in specific areas, whitelist where you can, and it will make your life a lot easier. Step number three is visibility. So use software inventory tools; if you're doing this by hand you're probably missing a lot of things. Same thing, your admins use this; I'm going to let them help you out with this,

and you want to tie your software to your hardware when you can. So why do you think it's important to tie your software to hardware? Fixes, so you can locate it. What if you have a device that's unencrypted that's lost? It would probably be easy to know what type of software they had on that system, so when you can, tie it to your hardware. And then, air gap. What does air gap mean? Not connected. So essentially there's a break between it and the rest of the network; it's usually done on the network and it's not touching anything else. These are where you want to have your very high-risk systems, so

not in the location where everyone can access these. So here are the four quick things that we went over for software inventory. We're going to roll quickly on to number one: inventory. All right, so once again, back to an automated tool to do this. If you're a teeny-tiny company maybe you can do it by hand, but that's usually just really unrealistic to do. When you're using this tool, if you guys are using DHCP, you probably are, make sure it can do DHCP server logging, because otherwise it's going to throw it off. And you also want to make sure that it's detecting unknown systems; a lot of software will be able to give you

some hints about what it is; two people that can verify that. You probably have a lot of stuff out there that you don't know what it is. Once you have that list, inventory. So what goes on your inventory list for your devices? Organizationally owned assets, anything that stores data. So I would suggest the type of asset that's on there, and, um, the machine name if you have that, any kind of network addresses that may be associated with that machine, if you have an owner include that, and other things that are very very helpful: noting whether that system, if you allow personal devices, whether it is the first one lights, or it's portable, so you

know it could go missing. Absolutely, I would include IoT devices, I absolutely would. [Applause] And in this tool, that's fully Kanaya art, it's super advantageous if you can get a tool that automatically updates and lets you know when it finds something. Okay, so restrict access: keep unknown devices off of the network. So if they're not authorized to be on your network, don't allow them on your network. How do we do that? Yeah, so certificates, or 802.1X, something that says you do not have the authorization to be on your network and not allow it. So that was it, with the three: visibility, inventory, and restrict. So we've quickly gone over the security basics.

Gonna review your network. So the top two are inventory of your software and your assets. I like to say when they come together they make that zero, and that's your goal: zero unknowns on your network. I also say the top two are the strongest things that are on your network, and the last three are all about management. You can't manage what you don't know, and that's why software and hardware inventories are so important, right? So if you get these five things, this basically gets your business to a standard, right, this is the key. So you know your basics and you've explained that to your company, right, and this is what happens. No? But maybe the company doesn't really understand your version

of security, or your vision; maybe you're just not using the right words. You need to get someone to fund this program, right? We know the five basics; companies aren't doing the five basics and companies are getting breached. So how do we educate, how do we influence, how do we start to sell security? A lot of us sell security by doing this: we talk about it, and we say it over and over again, and we yell it, and we get to the point where it's like, I told you to do it, if you don't wanna do it, fine, if you get breached, I told you to do it. But that isn't selling your

program. Does that make your company, does that make your company safer? This is the guy that gets people to turn around and look. Have you ever had someone bring their little kid into the audience, I mean into the office, and all of a sudden people start standing up over the cube and looking? Well, that's who you need to be. You need to understand the art of influence, so that's what we're going to go over here. There's actually five principles of influence. The first is being likeable. Everyone loves puppies, and I'm curious, I mean, what do you have to do to be likeable? It's just likeable, like a

puppy. I actually pulled this picture from a Popular Science article last year, where I laughed over it, and the title of this Popular Science article was: puppies are the culprits behind a 12-state diarrhea disaster. Puppies are so likeable that they can spread this over 12 states; that's how likeable little puppies are. So what do you have to do to be likeable? Well, there's actually two characteristics of likeability: the first is being similar and the second one is being familiar, so having common interests and having a common presence. Have you ever worked with someone where they show up, you send them an email and you get like a GIF back and you're like, is that a yes,

is that a no, is that I have no idea what you're talking about? And it can get kind of annoying, and then after a while they start sending some pretty funny GIFs and you find yourself laughing; every now and then you may respond with a GIF, and then you get someone new and now they're asking, hey, I sent her a thing, she just sent me back a GIF, and you're like, yeah, that's Jenny. Jenny just became likeable because she's found the common interest; you guys are sharing the same type of GIFs now and you're interacting with her over and over. So when you're going out there and talk your security talk, be relatable, and then

go back and talk to them again and again and again. The second principle is scarcity, which sounds pretty weird, but this is how the fashion industry works: you can sell shoes for twenty-five hundred dollars or buy a Louboutin bag for 55k, but maybe it's the purse, maybe it's this nice book going for 2.9 mil; you're the only one, there's only one of these, nobody else has one of these, right, it's very exclusive. That's the idea of scarcity, that we get something that influences you to buy now. This is particularly difficult, I know. So you see this when you're going out traveling, right, and we're looking, folks, there's only a couple more left at this

price, or a few seats left, or maybe I wanted that but... that's a really horrible example of it, but you get scarcity. Use this to your advantage whenever you're talking about your security things: you can say, hey, this is what the really cutting-edge companies are doing, or I'm going to give you this information because you're the person that I trust with this information; you're making this sort of exclusive to help implement the business building. Next is reciprocity. Trust me, I kind of wanted to make sure that we don't confuse this with quid pro quo. Quid pro quo is if you go out and buy the entire human race. Reciprocity, the idea is, if you do something good for me,

I'm going to want to do something good for you. So someone's coming by my desk every Thursday to pick up my trash on their way to the trash can, and one Thursday they aren't there, and when I'm going to take out my trash I go, I should probably go over there and grab their trash bag. It's that feeling of obligation because they've done something nice for you. I don't know if anybody got these in the mail, but they're surveys; these showed up at my house, they're like, go online, here's a one dollar bill. When I first got them I was like, ooh, should I just throw this away? With the one dollar bill, like, I feel really bad about taking this one dollar

bill and not doing anything in return for the one dollar bill. And then I thought of it: these people are trying to pull one over on me, they're trying to get over on me, thank you for this one dollar bill, it's through the web. But this is the idea of reciprocity: they've given you a one dollar bill, so now you feel obligated to do something in return for them. So the moral of the story is, get out when you're meeting people; if you can help them out, show them a tip, maybe there's some security tool that you know of that might help them store passwords, whatever you're doing; maybe their kids are doing something that's kind of off the wall and you give them a good piece of

advice, because they're going to want to return that favor when they can. Next is consistency. This can be very very influential. If you think about it, if you have a friend that you go out to the movies with all the time, you know that they may or may not show up; then you have a friend that always shows up, they usually text you when they're on their way. If you have a problem, who are you going to? It's the person that you know that you can depend on. So when you're saying, you're giving answers that are consistent and based on some sort of fact, your actions. So for those people that said no to their boss, hopefully you were basing it

on something that was consistent, a policy that was in place. When people go to you they need to know that they can get a fair shake: you're not just going to say no, you're going to listen to them and understand what their problem is, and then make a decision based off of that. And then lastly, this is social proof. This to me is the most powerful tool. This is the idea that we make decisions based on what we see other people doing, and you can see this with children, right? This is how they learn, this is how they grow. This is how this actually, fashion spreads: all of a sudden people start showing up in

high-waisted pants and I've got to go get a pair of high-waisted pants. But we also see this: have you ever gone to a restaurant, you got your food, you sit down, you're starting to finish it up, and you start thinking, do I, am I supposed to go and drop off my food before I leave, what do I do? So you start watching other people, right, and you do what they do. This is the idea of social proof. So if you can get one person to buy into your idea, and then another person to buy into your idea, once you get that culture going other people will naturally follow what they see, and that's what I use, so

children. So you have your principles of influence, right? We talked about likeability, which is the familiar, having similar interests; and secondly reciprocity, you do something for me, I'm going to want to do something for you; and this idea of consistency; and finally social proof, making decisions based off of what you see other people doing. So we know the five basics, we went over this, my basics. They're not easy. Some of that stuff, we went through them like, oh yeah, I absolutely know that, but are you doing it? And if you do it, this is what companies fought for each year. So you know these five basics, you talk to your company, now it's time for you to

become that influencer that can sell your security plan. So that's all I have for today. Um, please rate the conference, please rate this group. Does anyone have any questions? Yes ma'am. It's really more of a comment. Then back to that likability: we need to stop labeling our users as losers or stupid, because it's not their full-time job to be security people, and we've fallen into the habit of, god, they're so stupid, they clicked on that phishing link. Their job is to open resumes for our department. So we need this, we need to start being better at how we treat the end users in security, and I think this goes a long way to helping

shape those. So yes, I enjoyed this and I just wanted to throw that comment out there. So there's actually two things. I know that, absolutely, likeability, you're building those relationships, right, you're learning that throughout your business, which is how we employ this. Second is, as a security professional your job is to secure the company, and if you don't know what the business does, if you don't know what the person in HR does, you don't know what your guy in tax or contracts is doing, what he has to do every day to do his job. So that's why building those relationships is so important. I know what 42 actually, sure. So neither of us are in a position to say whether or

not NIST is correct in their new recommendations, but I don't know about y'all's users, but ever since that NIST recommendation, that password change recommendation, came out, my users love to tell me how complexity's done, I shouldn't have to have an uppercase and a number, and that's fine, because NIST did release that publication. If nothing else I think I should be happy that at least my users, you know, are paying attention to that, I guess is what I... I am curious to pick your thoughts. A lot, or let's be real, a lot of our users, given the option, they're gonna choose all lowercase letters. It'll be long, which is good, but consider that we're in

a world where Bitcoin mining rigs are somewhat regular and commonplace right now. I guess I have trouble thinking that there shouldn't be a rotation time on these passwords, because the whole reason why we have it in the first place is to prevent an offline password cracking attack. I feel like if your hashed password is going to be, you know, all lowercase letters, your cracking time could be very reasonable on a Bitcoin mining rig. So I guess, A, any one of your thoughts on that, and B, what can we do when we know that our environment may not be conducive to that NIST recommendation, based on, you know, this, that or the other thing? Okay, so

your first one, I'm going to get a little bit mathy on you. So you're right, if you're only using lowercase letters your entropy is going to be a lot smaller; the smaller your average entropy, the easier it is to crack. And with that being said, you probably will have some password crackers that are saying, hey, I'm just going to use lowercase, or I'm going to use on wearing lowercase, and that's a little bit of education there. Like I mentioned, if you don't know when your password's been compromised then it's hard to change it when it's been compromised, right? So you have to come up with something that makes sense. So if you're having a very high entropy password and

it's long and it's using multiple characters, then look at that. You can crunch numbers, you can run them against entropy checkers, figure out how long it actually takes to crack that password, and pick something a little bit slower, a little bit lower. I would suggest a year: if you're having 14 and it has high entropy, I would suggest a year. And then your question around if your business won't support a new standard password: some businesses will accept that risk. I've told my company, my job is not to make you the most secure company in the world; my job is to educate you on security. I'm going to let you know about security, what I think that your security

posture is. I'm going to tell you the risk around that, and my risk is to pass that off to the business. If the business chooses to accept that risk, if that's their risk tolerance, then that's what the business has chosen; they make a decision at that point. Boom, boom, boom. Oh man, hold up, that first slide that showed all the organizations, right before you showed the breach store. So say you go to the CSO at a company and you're doing your dog and pony on security, you're trying to, and the CEO points to that slide and he says, all these companies had a breach, and while there may have been some temporary devaluation, none of them went out of

business or lost any money long term, why should I care? By the illness, yeah, what's that? So I approach, because there's a lot more than just monetary loss, right? There's absolutely monetary loss, there's loss of the brand, and if you're the CEO, you're saying, hey, I'm okay if we get breached and we lose all our money and people don't trust us anymore, that's your company, sir, that's your company. If you don't feel okay with it, security personnel and accept members, go somewhere else. So you've talked about divestment, lawsuits; if you know users that are exposed, those are rephrasing right now your business between. So can you go back to your five different areas? For the, yes. So I noticed

you didn't have cloud vendors, which is an interesting, I'll call it, change, especially in the cloud service area. What, you're looking at cloud? I'm folding it into the software area. So cloud syncing marker lenient, all of these principles apply to wherever you have; all of these apply. And your vendors would be the same? Absolutely, absolutely. When I'm assessing a vendor I'm looking at these things, on what they're doing in their environment. Alright, so everybody is getting ready to transition off to your next track. You were top. Hey guys. [Applause] buting around captain fact. If anyone's got other questions people can talk to the Khan
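The entropy arithmetic the Q&A answer above gestures at, as an added example that is not part of the talk: it estimates bits of entropy for a password policy, the expected offline crack time at an assumed guess rate, and a rotation interval derived from that time. The guess rate, the safety factor and the one-year ceiling are constructed assumptions, not figures from the talk.

```python
import math

# Character-set sizes behind the estimates (printable ASCII counts).
CHARSETS = {"lowercase": 26, "lower+upper": 52, "lower+upper+digits": 62, "all printable": 95}

# Assumed attacker throughput against an unsalted fast hash: a constructed figure,
# not a measurement. Slow salted hashes (bcrypt, scrypt, Argon2) cut this by orders
# of magnitude, which is a stronger defence than any rotation schedule.
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_DAY = 86_400


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(charset size)."""
    return length * math.log2(charset_size)


def expected_crack_seconds(bits: float, gps: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected brute-force time: on average half the keyspace must be searched."""
    return (2 ** bits) / 2 / gps


def suggested_rotation_days(bits: float, gps: float = ASSUMED_GUESSES_PER_SECOND,
                            safety_factor: float = 10.0, max_days: float = 365.0) -> float:
    """Rotation interval that expires a password well before its expected crack
    time (crack time / safety_factor), capped at an assumed one-year policy ceiling."""
    days = expected_crack_seconds(bits, gps) / SECONDS_PER_DAY
    return min(max_days, days / safety_factor)


def policy_report(length: int, charset_name: str) -> dict:
    """Entropy, expected crack time and rotation suggestion for one policy."""
    bits = entropy_bits(length, CHARSETS[charset_name])
    return {
        "policy": f"{length} chars, {charset_name}",
        "bits": round(bits, 1),
        "crack_days": expected_crack_seconds(bits) / SECONDS_PER_DAY,
        "rotate_days": suggested_rotation_days(bits),
    }


if __name__ == "__main__":
    # The questioner's case (long but lowercase-only) beside two 8-character policies.
    for length, charset in [(8, "lowercase"), (8, "all printable"), (14, "lowercase")]:
        r = policy_report(length, charset)
        print(f"{r['policy']:<26} {r['bits']:>6} bits   crack ~{r['crack_days']:.3g} days"
              f"   rotate every {r['rotate_days']:.3g} days")
```

At the assumed rate, 8 lowercase characters fall in seconds while 14 lowercase characters outlast the one-year ceiling, which is the point the answer makes: length and hash cost decide the number, not the character-class rules on their own.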