
Our next speaker will be Tony, and he will be speaking on the difference between the European and Canadian approach to cyber security. I'll quickly go through a brief introduction of Tony just to give you an idea of his background. Tony has a good number of certifications in ethical hacking and is currently working with the first company here in Canada solely focusing on red team offensive attacks. Tony was previously responsible for working with a dedicated red team for ethical hacking with the Dutch Healthcare Network. As I said, he is an Offensive Security Certified Professional and also Offensive Security Wireless Professional certified. So it is a privilege to honour Tony, and I hope we're going to learn greatly from him. Join me once more to welcome Tony as I hand over.

Thank you. Thank you all for coming here today. It's nice to see so many faces, and the sun is out, everything is great, it's a beautiful day. Today I'm going to talk to you about some of my experiences, as a comparison between European approaches and Canadian approaches to cyber security, and some of the trends that I've noticed. For example, this last year you probably have heard of some of the major notable hacks that happened in North America, such as Ticketmaster, MGM and London Drugs, all of which have incurred very, very significant damages to the companies as well as costs, a lot of hidden costs: reputational damage, insurance rates are probably skyrocketing. In particular I want to talk about MGM in Vegas, because when they suffered a hack they shut down absolutely everything. Imagine a big operation like MGM, all their resorts, all their casinos, everything was shut down, not moving at all. Imagine how much money they were bleeding per day. So just from that alone I could tell as a cyber security professional that they did not do any network segmentation, and that is one of the key basic principles for cyber security: if you separate your network into smaller and smaller chunks so they're all separated from each other, then if a hacker compromises one of them you don't have to shut everything else down, they're all isolated. So that's just one of the examples that I saw, and I started looking more into other companies in Alberta, other stories in Alberta, and then I started noticing somewhat of a trend in the differences between Europe and Canada.

So today I'm going to give you a little introduction, and we're going to look at some statistical differences between Canadian companies and European companies. For Europe I'm particularly going to choose the Netherlands as my example, because that is known as the digital gateway to Europe, so you could say it's a little step above the rest compared to the average, and also statistically it's easier to get clearer numbers if it's just one country instead of every country. We're also going to look at some cost-benefit analysis. I will give you a basic introduction to some really popular frameworks and standards if you are ever interested in upping your cyber security game but you're not sure where to start. And for those of you who did show up, I know this is not part of the description, but this is a nice bonus: I'm actually going to go through one of the actual targets that I pentested and compromised from start to finish. I'm going to show you how a hacker thinks, what a hacker looks for, typically throughout the whole process of an actual hack, so hopefully that can be somewhat interesting to you people as well. This presentation is catered for everybody, whether you have a personal background, a business background or a technical background; I'm hoping that you can all get something out of this presentation. At the very end I'll have a Q&A session. I did allocate time for it, so if you have any questions feel free to ask. I'm also available after this talk, so if you want to come up and talk later we can talk outside.

So, me: I was pretty much raised in Alberta. I spent most of my youth and adulthood in Alberta. I graduated from the U of A in 2015. I actually studied civil engineering back in the day, so I wasn't even in IT, but my passion has always been in computing, and especially when it comes to anything related to hackers. It's always fascinating to me: how are these people finding all these exploits and getting into these places?
So due to practical reasons I chose engineering as my original path, but I finally decided to take the plunge and make the career change, because that's where my true passion lies, in cyber security and coding. As a result of my engineering I did do many years of project management, which gave me a lot of valuable skills for the business side of things, how a company and projects and cash flow and all that operate.

Before I get to when I went to Europe, I'm just going to give you a quick intro on red team versus blue team, if you're not familiar with the concept. Blue team is essentially more or less about defence in cyber security: setting up firewalls, good antivirus, good log monitoring, all that's considered blue team. Red team, as a contrast, is all about attacking; basically you're simulating cyber attacks, you're going, okay, how do I attack and penetrate and get deeper into the system? So in Europe I went to some cyber security conferences there, and I noticed that about 20 to 30 of the companies there did nothing but red team and pen testing. That's all they did; they did not do any blue team work. And then after I moved back to Canada I was a little surprised to find that that pretty much doesn't exist in Alberta. As far as I can tell, all the cyber security companies in Alberta pretty much entirely do just blue team. Some offer some pen testing and red teaming services, but the vast majority of companies here do only blue team. I also started to notice, after talking to some companies and some professionals, that it's actually kind of rare in Alberta for companies to employ any sort of red team exercise. So that really drew my attention, and I started digging in deeper to see what this all means and why there is such a difference between Canada and Europe, for example, and here are some of my findings.

Now, I was raised in Alberta, so in a way I feel very attached to Alberta. I like to see Alberta do well; it raised me and now I want to see it succeed too. So some of these stats that I found were rather alarming, I would say. For example, this one: you can see just at a quick glance there's a huge difference between Canadian companies and Dutch companies when it comes to red teaming and pen testing, and there's a multitude of reasons that contribute to the difference in these two numbers. There are also sources if you want to take a look; these are pretty recent statistics. I would say the biggest reasons are partly government influenced and culturally influenced. Overall speaking, I've noticed that in Europe it's a more planned, proactive kind of culture compared to what we have. They like to take proactive measures on absolutely everything; they like to go over the planning aspect instead of waiting for something to happen and then dealing with it. There are pros and cons to both ways of handling things, whereas I feel like we're a bit more chill, we're more like, let's just see what happens until, you know, she hits the fan, then we'll look at it and we'll see how to deal with that.

Also, because the Dutch companies are the gateway to Europe, a lot of European countries use software from the Dutch companies (not the Dutch government), and for that reason the Dutch government has a tighter grip on what is required, what are the steps necessary to make sure that everybody's data is handled in a responsible manner. So there's a bigger push from the government, there's a bigger push from the culture, and as a result we're seeing this right now: 12% of Dutch companies. This 12%, I put a star beside it because it's 12% of Dutch companies that don't have a policy in place requiring pentests. So it doesn't mean they don't do pentests; it just means they don't have a required policy stating they have to do this. So only 12% of companies don't require pentests, but a lot of this 12% are still doing pentests, it's just not a part of their company policy, so the real number is probably less than 10% for Dutch companies.

Now, why should you care that Canadian organizations and Dutch organizations are so different? Because unfortunately for a lot of companies, they only take cyber security seriously once something goes wrong, once an incident happens. And this is why this should tell you a lot about the differences between Canadian organizations and Dutch organizations: this is the average cost, one taken from 2023 and one from within the last year from the Dutch government website. The average cost for a Canadian organization during an actual cyber attack or cyber incident is roughly $7 million, and an average incident for a Dutch company, a Dutch organization, is less than half a million in Canadian; it was €300,000, so I had to do a little bit of conversion. This is ultimately your choice: which bill would you rather be paying? You look at these two, and the average cost for a pentest, a quality pentest, is anywhere from 5,000 to 100,000. It depends on the scope, depends on the company, the complexity of your network and so on and so forth. This is just the industry average for a pentest for any organization in Canada. This is also your ROI compared to this; this is the ROI you're looking at. And quality really matters for a pentest, because you could be out there hiring some Joe from the internet and they'll do a pentest for you, they'll write a pretty report for you that says everything is fine with your system, but did they actually find everything that needs fixing? So a quality pentest really matters, and this is the cost for a quality pentest; there's just no cheap way around it.

Now I have an OSCP certification, and whether you get it through me or through someone else, I highly, highly recommend you look for at least OSCP for your next penetration testing. The reason for that is because in the OSCP final exam you're essentially given 24 hours blind; you don't know what you're getting into, and they give you six targets and you have to hack all six targets to pass this exam, and you have to write a very good, detailed pentesting report showing step by step how you got there. That's the only way to pass that exam. That's also why it's one of the hardest exams for pentesting, and if you ask anybody that does pentesting or red teaming, you know this is not easy to get.
So, within pentesting, generally speaking there are three types of pentests: black box, white box and grey box. As the name implies, a black box is something that keeps the pentester completely in the dark. This does the best job mimicking a true cyber attack, because the tester has no idea what they're getting themselves into and they have to do all the poking and prodding and everything to figure everything out on their own. The issue with this is that it could be very time-consuming, and it's likely for some vulnerabilities to get missed. The reason for that is, let's say you have very, very good initial access control, so the pentester never even got access to one of your machines. Fantastic job, your initial access control is great, and the report is all clean. But what if you have privilege escalation exploits, so that if one of your computers gets compromised, the hacker can exploit to higher-privilege users and do more damage from that point on? Stuff like that a black box may not always find.

A white box is the polar opposite, where it's a complete open book: all credentials, all logins and even sometimes source code are all released to the ethical hacker. With this you get the most comprehensive and usually the best coverage for everything, but there's a lot of information needed for this and there's a lot of communication, and that also could end up being a time-consuming process.

What's most popular for pen testing, and this also applies in Europe, is a grey box. A grey box simulates essentially limited access to machines and information, for example giving you access as you would to one of the lowest-privileged users on your network, in your company. So it's like the lowest low, and you just give them access to this one computer or one IP address, and from there the testing begins. It simulates what would have happened if one of your employees clicked on something they shouldn't have and compromised their computer, downloaded something they shouldn't have, and somehow managed to get one machine compromised, and then we can look at the extent of the attack and where it all goes, and so on and so forth.

Now, combining all the technical skills that I have and project management, I can write a very good, detailed report that's more business focused compared to just technical. For example, one of the tests I did was actually a physical access pentest where I found out that the entire office tower, of 30 floors or so, was using a key card access system that could be copied in 30 seconds. So that was fairly simple to copy, and anybody at, say, a company gathering or somebody's house party could have easily copied the key card and then accessed the building. But in order to upgrade all their key cards, they also had the option to upgrade their key card readers, but that costs a lot of money, and it didn't make any sense at the time, because their key card reader was good enough to take a slight upgrade from their current cards, and if you're just upgrading cards, not the card readers, it's a lot lower in cost. So that's what we suggested, because the next level upgrade at the time wasn't possible to copy; now it's copyable, but at the time it wasn't. So that's just one of the things we did, just to show the client what the value is in doing this.

Now, would you do this? Pentests, typically, before we get into frameworks: a lot of companies think there's never a good time, because I need to set time aside, I need to set time for the IT department, everybody needs to prepare for it, I'm just going to do it when it's convenient for me. But the thing is, does a hacker ever hack you at a convenient time? So it's also something to think about.

And if you're new to this, you're new to the whole pentest, red team thing, this is something you haven't even heard of and you're wondering where can I start, these are some really good starting points if you just want to get your foot on the ground and get it going. I'm not going to go too deep into these, but I will talk about them a little bit so you can know where you stand. This is something that your IT department, if you're an IT manager or if you run an IT department or have an IT department, is something really worth looking into for them. The difference between a framework and standards is that the framework doesn't tell you that you have to do this; a framework simply goes, this is what you currently have and this is what we think is best for you to do right now. So there's no legal requirement for you to follow those, and it's easy to pick up, easy to incorporate into your current company system; you can do as much or as little as you want. Standards, however, are something that's a bit more paperwork focused. For example, you need to get regular audits, and you have to have the A, B and C checkboxes, everything ticked off, everything needs to be perfect in order for you to get that standard, get that certification.

NIST 2.0: if any of you were at one of the earlier talks you probably already heard a little bit about it, but I highly, highly recommend this. They recently came out with this 2.0 system, and this was just in the last year or so. Before this they had an older system that was still good to follow, but this is the most popular system that North American people follow, and this is something that I'm not going to do for you; this is something for your IT department manager to be looking into, because this is a whole IT department type of thing. This goes into a lot of different sections, including for pentests, which would mostly fall under the detect and identify categories; that's where my expertise is in this.

OWASP is another very popular one. These are all internationally well-recognized good standards and frameworks. This is another framework, so you don't have to do what it says, but there's a lot of open-source resources for this one. Essentially the top security researchers of the world, top coders, all get together and they constantly update this database to show you what are the top 10 most likely vulnerable security risks for web applications. This is entirely just for web applications, so if you're running any type of web application, I highly recommend that you look into this.

ISO 27001 is international; this is a standard, and it's a pretty serious deal to get this, there's a lot of paperwork. I would say this is not suitable for beginners and small companies; this is something that you probably want to start looking into as your company becomes more and more complex, because to get this there are a lot of controls and measurements you have to put in place, and audits necessary, before you can finally get this. But once you get this, it really does show that you take cyber security very seriously, to the next level that a lot of companies simply couldn't, and it also allows you to be able to advertise this and potentially get discounts on insurance; it shows you're more trustworthy to all your clients, all that kind of good stuff. But it is something I wouldn't recommend for smaller companies; this is a very, very involved process.

Okay, so that concludes the first part of my presentation, and next I'm going to go through the actual hack that I performed myself. This part is going to be a bit more technical, so I hope you enjoy the hacker perspective. Obviously I will be
redacting a lot of information, because this was an actual target, so you're not going to see everything, but you'll see enough to know what I did.

Generally speaking, when a hacker begins hacking on a target, the first thing is a port scan; that's one of the most basic things. There are a lot of tools for it, nmap for example, which you might have heard of, and there are a lot of different ways you can use nmap. You can make port scans undetectable, completely undetectable, doesn't matter what kind of software firewall or log monitoring you set up; you can do port scans in a stealthy manner that doesn't reveal your identity in any way, doesn't reveal questionable traffic. Generally, after you find out what ports are open, the next step is to dig into it and see what services are running. So from this scan, you can't really see it, but the third white bar from the top showed a particular service that I had never heard of before, and it was running on a weird port number too. So then I started looking into that, like, what is this? And from a very simple research, it didn't take me long, two minutes max, I found this GitHub repository specifically with an exploit for this service, and it was a Python script. So I downloaded this, saved it locally, I just called it test.py. I didn't even modify the code, and generally speaking a lot of exploits involve you having to edit the code a little bit before you can run them. This one I didn't have to; I just ran it straight against the target, and then bam, it told me it got me a shell. So I was like, oh, interesting, and I tested it out through that link and sure enough I had a webshell, just like that. It was very surprising, very fast; this whole process took no more than five minutes and I had the webshell going.

From the webshell I could tell that they're running Windows 10, so now I know I'm dealing with Active Directory and so on and so forth. So the first thing I wanted is to get a full access shell from my Kali machine, that's my own personal laptop, so that I can have full interaction with the target computer from my computer. So that's the first thing I did: I started a reverse shell. On the top right you can see I just used netcat; I started a simple HTTP server to prepare a little reverse shell virus (it's very, very small, doesn't take much space), and then I executed this command on the webshell, which basically tries to download the virus from my machine and then executes it. And when that happened, bam, I got a connection, so suddenly now I'm connected to this client computer. Now, in Windows computers there are four levels of privilege of access; this is level two, so now I have level two access to this target.

After that I immediately started running things to see if I can in any way escalate privilege, so I ran some vulnerability scanner scripts, I have quite a few in my arsenal, and one of them turned something up: it showed that it found an unquoted service path. For those of you that don't know what this is, this means one of the paths for a system-run program is not enclosed in quotation marks, and how Windows works is that if you don't enclose it in full quotation marks it will actually try to look for that executable in the first directory, in this case the C drive, it'll try to look for it there, and if it doesn't find it then it'll go into Program Files and look for it there, and so on and so forth until it eventually finds that executable and executes it. Because of that, all I had to do was create this virus, another simple reverse shell just to get another connection, and I called it the same name as the executable and put it in the folder before the actual folder, and that's how I did it. I started another netcat listener waiting to catch this, and all I had to do was reboot that computer, so when it tried to load this system program it would try to execute my virus instead. Sure enough, I got another connection, and whoami revealed that I now have level four access, which is the highest level of access to the system. So now the first target has been fully compromised, and I can basically do anything I want to this computer; it's all open up to me now.

So the first thing I did, obviously, is stop all antivirus, stop all firewalls. I ran all these commands to absolutely disable everything, so then I can have free control over anything I want on this machine. Using that user I also changed the administrator password, just to make things easier, so I can have an RDP session as an administrator to this machine. Administrator, by the way, is level three, but it's good enough for most things; I had already shut everything down using level four, so level three was good enough just to be able to have a working interface, which makes everything easier from that point on.

The next thing I did was to upload this program called Mimikatz, and some of you who are technical might know about this. It's a very popular, powerful tool that you can use to extract hashes and whatnot; it interacts with Kerberos and all the Windows 10 authentication system, and again tries to extract as many hashes as possible, for anyone that has ever used that computer, for example. So I ran the program and I managed to find this one user with this password hash, and I found that she was a domain user for another computer. This computer is hidden from me; only the internal company network can access that computer, so I couldn't directly access it, but using this first computer as a pivot, I was able to at least see the second computer. Now I have this domain user and her hashed password. I tried cracking it, and unfortunately this person used an insecure password, so I cracked it pretty quickly. That gave me access to a second machine in the network, and this is further into the internal network that I normally can't ping from, say for example, my Kali machine. So I started another RDP session as this user and connected to the second machine. Now I have level two access to a second machine in the internal network, and this one is more hidden than the first one because it's not public, it's only within the internal IP.

From there, one of the things that I found that was interesting was that in C:\Users, I was just looking around to see what's interesting, and I found this one username inside C:\Users that I had never seen before. So the first thing I did is I looked up this username, I did a search using the command prompt, and it told me that this person is a domain admin. That suddenly became my key focus for the rest of this engagement, because the domain admin has the power to set privileges for all users; they're the top boss. So I saw that and I was like, oh my gosh, this is the guy I need to focus on. Immediately I started doing the same thing again: I started checking to see if there's any way I can escalate privilege on the second machine so that I can try to extract some password hashes for this domain admin. I did everything, and eventually I did manage to find a modifiable binary (that should never happen, by the way), but there was a user-modifiable binary that was run by SYSTEM, so that's level four. Because of that, I copied this binary file and basically I added a virus, essentially a tiny, tiny virus, so this program would still run as normal; it would still behave pretty much exactly the same, you wouldn't even notice the difference, but I added the tiny little reverse shell virus into it, so the file is slightly bigger than the original file. I basically uploaded that and overwrote the old binary file, did the same thing, did a reboot, and I used the first computer: I also uploaded netcat to the first computer, because I can do anything I want to that first computer now, so I started the reverse shell listener on that first computer, because they're in the same network, just to make things easy, and I was able to catch a shell, a SYSTEM-level shell, level four, to that second computer.

After this, obviously, I just went straight for password hash grabbing and everything, and I did find a password hash for this domain admin. I got so happy, so excited, I was like, oh my God, I'm this close to totally dominating this entire network. But this domain admin is a bit more skilled in IT; he has a good password. I tried for hours, I couldn't crack it. I kept trying and trying and trying, I couldn't crack this password. I even looked at their company policies for their passwords, I tried to come up with custom wordlists, couldn't do it. This guy is good, he made a good password, so a good password really did make a difference. I couldn't get in, so I started having to try other things. Because there's a domain admin, I know there's a domain controller somewhere on the network. I found what this domain controller's IP address is, but it was so well hidden I couldn't ping it, I couldn't even ping it using the internal network, it was responding to nothing I was trying. I couldn't see any open ports, I couldn't see anything to it. Man, I was like, what do I do? So I just kept trying different techniques after this, and eventually I tried this technique called overpass-the-hash, which also uses a program that's publicly available called PsExec, and it allows you to execute a command or a program on a remote computer. PsExec is just a free utility program you can download from the official Microsoft website. So using this program and a combination of a couple of other things, as you can see, after all this code suddenly it said PsExec, execute process and everything, it looked like it did something, and then when I checked whoami again, suddenly I'm the domain controller, I'm on the domain controller computer, and I've just fully compromised the entire network.

So now that I have full compromise of the entire network, because I've got the domain controller, I can control any machine I want, I can give myself level four access to any machine I want. Essentially, if you think about it, I can extract all client information, banking information, I can just crypto-lock the entire network if I wanted to and then demand a ransom to unlock it. I could even just go, screw it, delete everything; I can delete everything on every computer if I wanted to. And did I do any of this? No, obviously not. What do you think a hacker would do if a hacker found this? So instead of doing any of that I wrote a very detailed report
highlighting all my findings and ways to fix these because every one of these vulnerabilities are fairly easy to fix a lot of these vulnerabilities you find it's it's it's actually really simple to fix it's just some minor misconfiguration that's something that could take less than a day for the IT department to fix it's just a matter of finding it in the first place now what do you think you know unethical hacker sees this right you know simp stuff like you know unsecure passwords and uh using you know some sort of Niche service without prior first checking to see if that service as vulnerabilities stuff like this is what we call like really low hanging fruits
and hackers ethical or unethical doesn't matter we love low hanging fruits we absolutely love them because that just makes our life so easy on everything and you know um but if you do get these low hanging fruits fixed then you're going to become one of the higher highest hanging fruits and that is what I that's what my company do I run a startup company uh we focus nothing but just red team and pentesting uh specializing in this only and uh whether you go through us or go through someone else we can make you the highest hanging fruit in the pack so that the hacker sees your network they're going to be like ah this is not worth my time they're going to
move on to the next lwh hanging fruit typically that's just how how it works and there's a lot of signs for low hanging fruits a lot of signs for example something like um seeing a website that's under construction or uh seeing a link uh or a certain service somewhere that you're able to access and get a response back like a some sort of a backhand server that's like uh testing obviously looks like a testing environment or default Pages if we see any sort of network or Services set up that's just got a default page open let's say uh engine X default page or uh um even Jensen or you know whatever default page we see a default page hackers get
excited about that because default page can mean potential default credentials that hasn't been changed yet and stuff like that we love seeing those things we love proing at those thing to see where we can take that so that is everything I have for you today uh we covered some statistical comparison as you can see that you know we're looking at somewhere between half Canadian companies versus less than 10% of Dutch companies and how that translated to 7 million versus half a million dollars and uh you know there's just companies after companies in the in the Europe landscape just dedicated to just red team and nothing else and I figured you know Alberta we could use
that too, and the numbers show so. And I've shown you the demo, so any questions? This is your time. Okay, start from this one and then see over there, the second.

One thing I found, having tried doing consulting in Alberta and such: the reason you're not finding a lot of pentest companies in Alberta is because geographically we're huge with a very small population. Most of those companies tend to be in Vancouver or Toronto, because that's near the head offices for the companies. Yeah. The companies that are in Alberta are usually like a field office, headquartered in Toronto. Yeah. So whoever is procuring in Toronto
hires somebody there and sends them on a plane rather than hiring somebody who's just down the block, which would be cheaper. Yeah. And also, are you hiring?

I actually am looking for a sales and marketing partner; that would not be me. But also, if you have an OSCP certification, I do have a couple of clients right now, and as the work becomes more, if you have any sort of OSCP certification I'm interested in hearing from you. So that is the next step. Yeah. And as to your point, your question was, is it a comment? Okay, yeah, that's fair. Yeah, I also feel like, you know, we
were kind of raised as, we started out as oil and gas heavy, right? We were never the tech central of Canada, and yeah, the field offices, exactly. So I think as a result of that we're a little bit behind when it comes to tech on some aspects, and this is one of those aspects. And I strongly believe that now there is more money coming into Alberta, people are taking cyber security more seriously, and I'm confident that we are on the right track to evolve and become better, and that 7 million is going to start dropping year after year. I'm sure of it. So, next question.
Hello. Yeah, okay, so during your demo you were able to disable the antivirus solution, and then you were able to use certain tools to, you know, pass the hash. For a standard network or an enterprise that has all the security controls in place, like MDE, like Sentinel, would you be able to confidently say you'll be able to run all of this? Because I don't really know the kind of network you, yeah, maybe it was a small SMB, a small business. Yeah, so I don't think it's possible for you, I
I'm just thinking, perhaps, or maybe, if so, what I'm trying to find out is, was there an absence of those security controls that allowed you to be able to exploit some of the vulnerabilities that you were able to, you know?

Yeah, no, these targets actually have antivirus and firewall set up in place, so when I first gained level two access I couldn't do much except look for ways to escalate my privilege. So I was trying to get to level three and four, right? That's the first thing I try to do; as soon as you get to level four you can disable anything.

Okay, so at that point of
disabling, was there like a trigger on the MDE solution? Did they have an MDE solution that saw that the antivirus was disabled? 'Cause some MDEs trigger the alert that somebody has disabled something and send it.

That is possible, yes. You could set it up to do that. As a blue team, that's part of the blue team exercises, to see what you detect and what you don't detect, right? Absolutely, yes. So you're correct, yes, you can set up controls in place to detect those kinds of things. Thank you. Next.

Yeah, so a question on the differences between the 7 million and the half million dollars between Alberta and Holland, and yeah, so do
you think there's a difference in the number of breaches that get reported, as maybe the lower value ones in Alberta are less reported, so we only get, yeah?

I think that, you know, these statistics are definitely not going to be absolutely precise, perfect. So I think smaller breaches may not get reported as much, but this report was done by CDW, so they are a pretty big organization, they're pretty reputable. I think even if there are numbers that weren't reported, this should give us a general idea, because with the numbers being reported to the Dutch government, they have a similar struggle, right? Not every tiny incident is reported; they can't guarantee a 100% report rate,
but there's still a huge, huge difference between them and us.

Hi, do you think it's just a question of maturity between the Europeans and North America? Because you look at the GDPR, for example, which is kind of the latest version, but they've had some pretty severe penalties and protections on privacy, which probably has an effect on companies investing in this kind of stuff.

Yeah, sorry, so then your question is, because of that it has an effect on why they're more mature and why they're further along in this than some of the other factors? I think, yeah, definitely, but I think mostly it probably stems from the Dutch being kind of the pioneer for tech, so a
lot of countries and other organizations in Europe started using their software and services, and because of that, regulations, both local government and foreign government, and all that needs to be in place, so there are just tighter controls on everything. So I think that's probably the bigger main reason, and then what you mentioned also, I would think, is another reason for it as well. I think I saw another question there. Yeah.

Hi, Dave Malone, program manager, City of Edmonton. So just a question on your red team startup company: how do you limit your liability on your testing? Because I mean, North America is pretty litigious, right?

Yeah, well, the basic thing is
obviously there's basic insurance, and the second thing I try to do is the scope of engagement, rules of engagement. For example, we'll never do DoS, right? We'll never do anything that could potentially shut down the whole network, and if we do find some sort of exploit, usually if there's like a 5% chance this could crash something, it usually says so in the exploit as well, and stuff like that. We'll be communicating back and forth with the IT department before we run anything risky, going, hey, we found this, there's a 5% chance something could go wrong, how do you want to test this? Just communicate; maybe you can set up a temporary Docker mock
environment or something where we can test the script and see if it generates something interesting, and so on and so forth. Just try to do a lot of communication and try not to touch anything risky, and also have insurance as a final backup. Thanks.

Yeah, okay, I think this is time for me. Yeah, thank you once more, Tony, thank you for the wonderful presentation. Yeah, thank you. Any other questions, I'll be outside and we can chat more. Yeah, we can meet him outside. Thank you, on behalf of the team, thank you.