The Importance of Tabletops from a Firefighters Perspective - John Hollenberger

and without further Ado we have John hollenberger presenting last Talk of the day go ahead John all right thanks so much can everyone hear me okay awesome so uh my name is John hollenberger I work for secureworks uh we're a consulting company we also have an xdr solution but I'm on the instant Response Team there uh more importantly the proactive incident response team so my job entails essentially anything before an incident occurs so I teach a number of courses teach folks how to collect and preserve evidence I teach I I do tabletop exercises on the regular throughout the last year or so I've been in about 50 of these so I've I've been through a number of them and then I also

work on instant response plans uh just show of hands how many people actually have an instant response plan for their organization all right so not too bad almost everyone all right so who is this guy uh so this is me um so I am a volunteer firefighter I've been in the fire service for 20 years now uh served as the company president for 15 years I've been a fire officer on and off throughout my career um currently serving as a sergeant for the fire department so I do a number of fire trainings as well as facilitating table tops um other than that I'm married that's my wife there we love to be outdoors on the

water uh hiking mountains doing all kinds of fun things anything to get away from our four crazy kids so we've got four of those two boys two girls from six to twelve pretty much keeping us pretty active so when I'm not doing instant response when I'm not fighting fires I'm running around with the kids I'm also a runner so I do a lot of Charity charity work and charity running so a few years back I actually ran the Pittsburgh Half Marathon in my fire gear so that's a picture of me running uh on that I've been doing it security for 15 years a lot of my time has been spent doing instant response doing vulnerability assessments I dabbled in

PCI compliance for a bit that scared me away from security I went and was an I.T director for a few years because I didn't want to do compliance anymore and then I moved on to secureworks where I'm at now so tabletop exercises how many people know what a tabletop exercise is and actually does them in their organization just about everyone how many have done one in the last year okay and how many in the last quarter man okay awesome thanks so um we're going to talk about four things today four key considerations when talking about table tops and I'm going to compare those to firefighting and how they um compared and contrast to firefighting uh so before we really get into things I

want to talk about the types of tabletops that we often do cross-functional table tops are probably the most um most prevalent ones that I do with with companies cross-functional really pull in everyone from the organization they're going to pull in your technical folks your it teams your security teams database teams basically anyone and everyone from the it function but it's also going to pull in your business side so your HR Finance legal physical security so the folks responsible for your Access Control Systems um technical table tops are also uh pretty common technical it's really just going to be your technical folks that you have in the room the topic itself is going to be more technical in nature

it's going to be how are we pulling logs from systems um how are we going to segment our network if we need to so if we need to segment part of our Network in the middle of an incident how do we go about that if we need to isolate our endpoints what's the process to isolate our endpoints do we have a solution that we can quickly isolate those do we have Auto isolation turned on on our xdr solution can we quickly and easily isolate those systems or do we have to basically jump through hoops also do we have the authorization to just go and isolate systems or isolate the internet we're going to talk about all of that

during those technical types of exercises um executive tabletops those are really focused on your executive level executive management your C Level the folks that are going to be making the decisions about if we're going to pay ransomware uh if we're we are going to disconnect from the internet if we're going to stop our business for a certain reason uh talking about various things that that executive level that they're going to have to make those decisions and then a unique type of exercise called a functional exercise this is really a tabletop exercise but it builds in some Hands-On components where you're going to actually pull logs you may have a laptop that you need to isolate you

may need to pull some something off of a server maybe someone plants a fig piece of malware out there and you want them to go and grab it so it's going to have some Hands-On component during the actual exercise where you get to actually test and practice what you're doing during the exercise um so during a tabletop and during fire training having a white hat um buy-in is critical so when I say white hat in the fire service you see the chief officers usually the guy wearing the white helmet usually the cranky guy with Outside the Fire not doing anything looks like he's holding up the truck that's usually your chief officer but you want to have their by enduring

fire training the reason for that is they're ultimately responsible for our safety so at the end of the day if something happens during that fire they're going to be the one held responsible and it's going to come back to them it's the same thing with our with our tabletop exercise with security in our organization those Executives at the top ultimately are responsible for the security of our organizations so we want their buy-in not only is it critical for the safety of the organization but also it shows support for your exercise you want to have attendance in your exercise you want the organizations to know how important these exercises are so you need to make sure that you have the executive buy-in

or an executive sponsor for your tabletop it's really going to help during that exercise and get the support of the organization all right so going to talk about uh when we perform tabletop exercises uh so I asked earlier about you know how often you do these people have done them in the last year in the last quarter um highly recommend having these tabletops at least once a quarter I know that seems like a lot but the reason being is the more we practice this stuff the better we're going to get at it the last thing you want is to be blindsided by an incident something that you're not aware of something that you're not quite

sure how to handle so by doing this on a quarterly basis we can practice things that we may be weak at there may be something that's keeping you up at night keeping management up at night that we need to practice and work on so we're going to have that in our tabletop exercise as as a topic so that we can practice with it uh firefighters you know we have weekly training activities for the volunteer service which I'm in we have a weekly training that we go to it's usually two to three hours the topic changes from week to week um you know as as a volunteer organization we don't always get everyone there every week but we do what

we can with who we have so we're going to have those weekly trainings there's also 200 plus hours of basic training in order to be a firefighter in PA you have to go through 200 hours of basic firefighter training and then there's additional training on top of that that's just to become proficient at or learning the basics really of firefighting it's really the same thing with instant response you're not going to be able to go in day one and know exactly what you're doing how to respond how to do your job in incident response you're not going to know where to look for what to look for you're not going to know what logs you have you're not going

to know what systems you have in place so we need to practice this on a regular basis um the more we practice the better we're going to get at it I have listed there from the firefighter perspective the additional classes for various skills we do things in the basic training it's you know basic firefighter training how to score the hose how to put out the fire and things like that those additional classes we're going to learn things like basic vehicle rescue where we're going to learn how to extricate people from vehicles from from vehicle crashes it might be a chemical spill so we might have a Hazmat class to go through how to properly maintain contain that Hazmat

situation how to properly contain The Spill and what have you and clean it up and also goes into the different types of chemicals and how far back you need to stay and how far upwind you should be and what evacuation needs to be and whatnot so we have those additional classes for the various skills it's a similar thing with our instant response so if we we go through different types of scenarios you know we might have ransomware era that we practice one quarter we might have a stolen laptop the next quarter we might have a data breach the next quarter so it gets us to practice different types of incidents that may occur within an organization

certainly want them to be relevant we don't want to be walking through a tabletop for some application or tool that we don't have but we do want to make sure that we are practicing on relevant topics and doing the various skills and tools that we have in place so when should we do tabletops there may be a regulatory requirement for it so some organizations have some regulatory requirement around needing to have a tabletop annually I highly encourage you if that is your case don't just check the box don't go through the basic steps make it relevant make it work for the organization bring in as many people as you can to that exercise a good exercise

has about 10 to 15 people in it you can certainly go more than that you can certainly go less than that but 10 to 15 is a great kind of average to have in the room it really gets the engagement going it gets those folks that may not necessarily be familiar especially on a cross-functional tabletop gets them involved in knowing the risks to the organization um so regulatory requirements are one anytime you have new staff members whether it be on the business side if they're going to be involved in instant response or the technical side uh if it's especially if it's their first time an incident response in an incident response capacity um walk through a tabletop exercise with

them it could be just a very basic one but get them get their feet wet get them help them to understand what the instant response plan is what it's like what's in there what they should and shouldn't do shouldn't and shouldn't do and what they can and can't do our incident response plan I mentioned that so that instant response plan really should spell out the steps that we should take during our tabletop exercise it should have everything we can do as an instant response team and everything we can't do realistically it should say whether or not we can disconnect the internet without having to go up the chain if we have to go up the chain it should it

should say that in there so we really want that uh instant response plan to be spelled out and our new staff members to know what that instant response plan is and a tabletop is one way to test that anytime we update the incident response plan we should be holding a tabletop exercise so we made a change we want to make sure that change is effective so we're going to test and perform a tabletop exercise and then if we have new tools and processes in place especially for new tools we may have some new Tools in place so we want to practice with those using a uh you know functional exercise so we can actually grab some some disc images

grab some memory during those exercises we're going to test those new tools and processes key thing to remember is consistency unless you're not doing them at all don't consistently not do them um so who designs and runs the show um so I'm using two terms here designer and facilitator different organizations are going to call these different different things but for the purposes here the designer really is that person that is creating the tabletop exercise you want that Designer to be someone that knows the organization and knows the organization well so once you you have a topic in mind you're going to select that topic you want that Designer to know what business functions and what

technical folks need to be in that tabletop exercise it needs to be someone that knows what tools are in place it needs to be someone that knows what technology is in place What new technologies are out there what um what risks there are to the organization so I mentioned this earlier but you certainly want to make it something a risk that is out there for the organization and not something that's non-existent so I'll use the example of G Suite so say you have G Suite in the environment you certainly don't want your tabletop exercise to be on an exchange vulnerability that's not going to be relevant or useful for the organization it's really not going to be

helpful at all you might have some takeaways from that but ultimately you're looking at a risk that doesn't exist for your organization uh you want this person to be experienced they don't necessarily have to be a person that's done a tabletop exercise before or ran one before but they certainly should have ex expertise and experience within the I.T and the security field you don't want someone just coming in blindly running the show or building this exercise without any experience without knowing technology without understanding technology without understanding the network so someone that is experienced within the organization you want them to know the incident response plan and also no process guides and playbooks um so I mentioned playbooks and process

guys if you're not familiar with those terms essentially it's an add-on or extension to your instant response plan where it's going to walk through a specific type of incident and basically inform you how to respond to that incident it's going to give you action steps and steps to take throughout that incident but you want this designer to know the incident response plan and know those playbooks and process guides so they can think ahead hey this is how they're probably going to respond to this that way they can build that and try and Throw Some Loops in there throw some something in there to throw throw the the uh the responders or the people in the incident um in the table top off so

you want to you want that person to know those items uh the facilitator the facilitator may or may not be the same person as that Designer um so the um you usually want the facilitator to be a neutral party uh so for for me I typically go into various organizations um as the neutral party so the information I get from them is what they give me I've walked into tabletops where the company is very forthright they'll give me the information they'll let me know everything I ask you know I'll ask about the technology about the landscape about the network those are great tabletops you can really build out a great tabletop for them and and really make it relevant for the

organization I've worked with other organizations where they don't like to give you any information they want you to come up with a scenario on its own your own it makes it a lot harder for us as as an instant response third party because we have to try and develop a tabletop in a basically in a chamber but we come in as a neutral third party and that neutral party can be someone in your organization or someone outside but someone that is really not going to be biased during the the tabletop exercise um you want that facilitator to take notes throughout the exercise one of the end goals of the exercise should be to point out what went well during the

exercise what strengths the organization organization has but also and more importantly what weaknesses there are so we talked about having those quarterly tabletop exercise exercises when you find weaknesses something you can do in the next quarter is exercise those weaknesses so you can take a look at what those weaknesses are and build the table top around those weaknesses to see if you've improved over the last quarter um so that facilitator should be taking those notes and helping to point out the strengths and areas of improvement from a firefighting uh perspective the training officers are usually going to be your Captain's lieutenants and then at the very end the chief so the chief is typically going to be the

person overseeing everything making sure everything's run safely but oftentimes those exercises are going to be run by your captains and lieutenants they're going to be designing the incidents and designing the trainings and also running the trainings themselves captains lieutenants in the fire service they're usually the people going into the fire uh responding doing the Hands-On work with their team so they usually have depending on your company you're going to have if you're a truck company and an engine company in your department you're going to have a truck captain and an engine captain and then a truck lieutenant and an engine Lieutenant so these are the people that oversee the Personnel going into and responding to the fires so these are

people that are going to know a lot about the organization a lot about the fire service a lot about responding to incidents they're typically people with a lot of years of experience they really know their stuff and they can teach teach others within the organization oftentimes if you've do we have any other firefighters in the room I should ask that other than Mike up here but when you go to fire training one of the first things they teach you is that first and foremost the priority is your own life safety so the captain's lieutenants there not only concerned with their own life safety but then they're responsible for everyone else on their Cruise Life Safety

so these are the people that are going to be helping out with with the trainings um sorry let me go back real quick that last part there um the the training officers they like the tabletop leader they really need to know the standard operating procedures in the pre-plans similar to tabletops and similar to our organizations our standard operating procedures are basically how we're going to operate you can think of that as your incident response plan you then have your pre-plans which are specific to various types of incidents they may be pre-plans for high-rise buildings they may be pre-plans for specific businesses in your District where it's going to be exactly how you're going to hook up

where you're going to hook up the hoses to where you're going to attack from if there is a fire in a certain part of the business if it's a high-rise or or an apartment building what the evacuation routes are for your P for the people living in those buildings so our pre-plans are very similar to our playbooks and process guides so who's in the room um it's really going to be dependent on the type of tabletop exercise you're running the ones listed here on the screen are for a cross-functional exercise so your it and security staff are going to be in that room and your business operations folks are going to be in that room from a business side

it's going to depend on the type of incident that you have or the type of scenario that you're going to be walking through I've recently worked with one organization uh where they um they've got a few business units that don't believe security is their issue or their problem and they always Point everything back to the security team so we're actually building an exercise specifically around an issue in that specific Department being the HR department so we're building a scenario around the HR department it's going to affect HR data it's going to you know be a compromise of that HR data so we want those HR people to be in that room the reason we're doing that exercise that

way is to really show that security is not an I.T problem only it is more than that it is also affects the business there's been plenty of talks today talking about how it security really needs to be involved with all aspects of the business it's the same with tabletop exercises especially the cross-functional ones we want the business involved we want them in those training one for a learning opportunity uh but two so they can understand what their role is during the incident and then for cross-functional having the c-suite in the room having those c-level executives be able to know and understand what the risks are to the organization for that specific incident type or that specific

scenario it's a great learning opportunity for them they may not have an idea of really what it and security does so this is one opportunity for them to learn what you're doing if it's a technical exercise you know having the right technical folks in the room you want to make sure if it is an exchange issue that you're going to be exercising make sure your email staff or an exchange staff are in there make sure your active directory staff are in there make sure you're getting those right and relevant people in the room for that exercise um this is where that the white hat or the senior executive level approval or sponsor comes into play

um you're often or not often but sometimes you'll get pushed back from from members of the organization says hey I don't have time for that I you know that's a waste of my time I'm not it's never going to happen it's not going to involve me having that executive sponsor you can help they can help to push this exercise in and push the importance of it they also may have the pool with with that that person's management and you can have them offload some of the work to make sure that they are in there for the exercise realistically these exercises shouldn't be long I've had tabletops that have been an hour long I've had ones that

have been four hours long but usually it's not a full day event you can get enough people in the room and and really schedule that time to get people available for that um from the firefighting perspective it's very similar we want to have the right people there so the fire department is obviously there oftentimes we'll train with other fire departments though in the volunteer service um in Allegheny County alone there's 296 fire departments and we need to cross-train with those other fire departments a daylight call you know day like this middle of the afternoon you're probably going to have five or six stations responding because you're not going to get the responses necessary so we need to work well with

these other departments around around us um also EMS and police EMS and police are often at most fires that we go to whether it be a car accident a house fire even a false alarm they're typically going to be dispatched on these calls with us we need to work well with these other organizations if it's a mass casualty incident we need to know who's going to be responsible and who's going to be in charge of that scene same thing with our table tops or with our incidents we need to know who's going to be responsible and who's in charge of that scene if you will so one way to determine who's going to be in

charge is one our instant response plan should dictate that but having this tabletop exercise you know one thing I like to often do is have that incident responder or that Incident Commander be out of the office and unavailable they're on a vacation so who's going to take the place of that incident responder that Incident Commander to run the scene same thing with with the fire service oftentimes we'll pull people out and say hey you're you're not here that way we can practice determining who's going to be in charge and who's going to run that scene good question

no yeah so they're they'll still be in the room they'll still be able to listen in uh oftentimes they'll still answer questions if it comes to that but I like to have them not be there for not be they're physically present but not answering and responding to questions um that just really gets it's it's usually one of those those topics that comes up where no one really knows who's going to be in charge of that single person is out it becomes a single point of failure it's something that we see often as a single point of failure within the organization one person that knows a lot about a lot and then no one else really knows what's going to happen

if that person's out so that's where you know one of the one of the things we can point out during that exercise is hey we need to have backup points of contacts for these specific roles within the organization it's the same thing with the fire service if one person's out who's going to be taking that taking that spot all right so we know who's going to be there we know what type of exercise we're going to be doing we know when we're going to be doing that exercise we're going to start getting it created um mention this we want to make sure that it is real and realistic for the organization so oftentimes we'll have it

be some vulnerability or some software that is within the organization so it should be something that can actually happen to that organization some piece of software some piece of Hardware that's within the organization something that is realistically or could actually happen or is more likely to happen so what are the risks to the organization a lot of the times when I'm starting the process I'll ask hey what's keeping you up at night what is the what is the biggest thing biggest worry for the organization or what is keeping management up you know what are they worried about and sometimes it comes down to hey the um the board of directors is they're worried about this you know another

organization in the same field had this just happened to them and we want to be prepared if that happens to us so a lot of the times the scenario is going to be based off of something that's happening either currently or has happened to someone else um take solarwinds for example when solar winds happened um you know that that affected a lot of organizations a lot of organizations weren't sure what they would do and how they would respond to that uh what we saw right after that was a lot of organizations wanted a compromise similar to solarwinds so if a piece of software that affect a lot of companies were using got impacted how would we

respond to that how would we handle that as an organization so oftentimes we'll use that as a as an example or use that as a scenario um making it relevant so how can we make it relevant you know um it's it's one thing to be you know just you know everyone's doing a ransomware scenario so because everyone else is doing it let's do it but we want it to be relevant to the organization make it um something that is actually going to or could actually happen so um one scenario that that I recently developed it was a ransomware scenario where um the person came into the organization it was actually a malicious Insider that that assisted with it and they plugged a

USB into a random server within the organization um the impact there was then it then took down the access control system and allowed physical access into the building the type of facility that this was if this actually happened in the door system actually did go down if they didn't have enough physical security on site and threat actor or physical actors wanted to actually come in and do something they would actually they could easily get into the building and cause physical harm to people or processes or technology so you wanted to be something that could legitimately happen to that organization or to your organization from the firefighting aspect some things that we do you know will fill fill a

building with smoke we'll get fog machines and just fill the fill the building with smoke uh we'll use real victims sometimes it'll be another firefighter sometimes we'll have you know someone that's interested in joining or that they're interested in the fire service they're trying to learn so they'll come in and be victims for us you'll often see on the news right around prom time there'll be vehicle axes whereas DUI so we get students involved and they'll you know be the victims for those specific scenarios those type of activities are great PR for us but it's also a great way for us to learn from one another and and work together with with the other teams in

the order in the surrounding Community it's one thing I've forgot to mention is that when we are doing tabletop exercises it is a great way to network with our organization a lot of times you may they interact with these folks occasionally especially the business side but the tabletop exercise gets you in the room and gets you to talk one thing I like to do is especially for in-person tabletops is have a lunch break in the middle of it that way you get to interact on a more personal level you get to know the people a little bit better get to know them folks you're going to be working with during that during an incident if

one occurs so it's just another way to to build rapport with the organization um we use live fire scenarios so we'll actually set things on fire um I know it's probably doesn't give us a it doesn't make us look that great but um you know a lot of times people will say that we're just a bunch of pyromaniacs which might be true um but um so we do live fire scenarios a lot of times they're going to be at burn buildings if you're out in the North Hills there's a burn building just behind Ross Park Mall it's called a fire tower where we can actually we can use it it's just a concrete structure which

we can set up scenarios there North Park there is the fire academy where you could go out to and they have a barn building there as well it's really meant for you to get Hands-On with fire it allows you to watch how the fire has developed how the fire grows and ultimately how to extinguish those fires um and then mass casualty incidents are big you know unfortunately we see them all over the news uh something that we need to be prepared for um as as First Responders but you can consider mass casualty incidents you know they're similar to in our organization if we have a high scale uh incident you know rain somewhere incident where everything's encrypted

we're going to need all hands on decks so we need to practice with everyone and anyone so a few fun fun facts PA has the most Fire Departments of any state so there's 1799 fire departments in the state of Pennsylvania with over 90 percent of those being volunteer fully volunteer fire departments and then 96 of the Departments are actually almost fully volunteer and by that it means there are a few paid paid drivers usually but the rest are volunteer uh so with that that really takes me to the end um this fire here uh this is one of those uh times that we had acquired a building and basically used it to train in and then uh the community wanted it

gone so we burned it to the ground uh anyways any questions

four letter would be prepared people in the absence of your apartment isn't there or whatever so that or is that just a bad idea to get people who really aren't qualified to take the first initial steps that's a great question so help desk I'll use help desk for an example typically these aren't people that necessarily know a lot about security but they're a great first line of defense for us the help desk for example they need to know what to look out for so oftentimes most organizations the help desk if you have an issue especially with a Windows system you call in and they tell you to turn it off and back on again which in most cases

it's going to fix the problem but from a security perspective when it comes to memory a lot of our malware and whatnot is running in memory so if we turn it off and back on again we're going to lose any evidence that was on that system so we want everyone really on that front line to be prepared and know what to look out for so having them with the ability to to know what to look out for and know how to respond are we going to let them you know if if we do have an issue and we suspect it's an incident do we want them remoting in with admin controls to that box box maybe maybe not

if they do remote in what's the chances of those credentials being compromised because they logged in with a plain text username password over RDP or do we have some other tool that we can use also if if we've gotten EDR solution in place where we can isolate our endpoints having those help desk folks know exactly how to go about that where they can quickly isolate those endpoints for us when it comes to ransomware that could make or break the incident if it's the first or second endpoint that is impacted with that ransomware and we could stop it right then having those individuals know what to do in that case is certainly going to help stop the

spread we certainly don't want anyone and everyone in the organization um you know you're not necessarily going to want your business folks responding necessarily to to do I.T and incident response functions but having the organization as a whole know what to look out for and when to report an incident I use this as an example you know we've had incidents where it's Friday afternoon and computers acting funny person doesn't really know what's going on and they don't really feel like dealing with it so it's a desktop computer they leave it on over the weekend which is you know usually what they do anyways but that was you know patient zero with ransomware or some infection which ended

up spreading throughout the rest of the environment over the weekend because the organization had no end point response in place they had no visibility into the endpoints so that incident escalated quickly because that person didn't report the incident up to who they needed to so we really need to have the organization aware of what to look out for who to report it to and what to report and when last thing you wanted someone just holding on to information that could have ultimately helped does that answer your questions okay

terrible

uh yeah so from a firefighting perspective um it's it's not good um like our company that I belong to you're lucky if we get out during the day we don't have most of the people work nine to five so the engine just doesn't get out and people are are afraid to join you know there's that 200 plus hours of basic firefighting requirement and in most fire companies you have to complete that Essentials before you can actually go into a building and actually fight the fire so it really turns people off because they have to do a year plus of training before they can actually do anything and help out um there are some school districts that

are helping with that I know the North Hills School District they have a program that's going to be starting up to get um get more volunteers firefighters in place they'll actually end up graduating with I think it's firefighter one which is um you have your basic firefighting and then firefighter one which is the next step so you end up graduating with that which is which is great for us but as far as we're too retention and recruitment it's it's not not great we uh Pennsylvania used to be have the most Volunteers in the nation but I know that number is is dwindling and dwindling rapidly I think in in the company I'm in um we've got two junior members which

basically means they're under 18. otherwise everyone that is in the department has been there for 10 plus years any other questions fire related or incident response related

yeah so um good question so one one thing we do in the fire department and it's a great thing to do after tables are not tabletops but actual incidents is it's called a Lessons Learned where you're going to take what went well and what didn't go well and really evaluate that so from an incident response perspective you're going to look at the people processes and Technology so what people responded to that incident did we have the right people in the room did those people know exactly what they were supposed to do or was there some Gap in knowledge that they didn't know that they were supposed to do or they didn't have the correct training

or just weren't sure what was going on if that's the case you know having tabletops and having regular training is going to help that person processes so where the process is correct that we had in place so did we follow them all properly so did we isolate first or did we just go in and start collecting evidence before we isolated those endpoints was there some process that that just didn't work for us um and then technology um so did we have the right technology in place the right resources in place from a technology perspective something something that we've encountered as an organization is the organization thinks that they have all their endpoints covered with an EDR

solution turns out there was a segment of their Network they didn't even know about that was impacted you know all the alerts are coming in it looks like we have all the data but there was a whole section of the network completely missing so we were completely missing all the data off those endpoints so maybe the solution there was getting that eer solution rolled out on everything turn it to the fire department side it's really the same thing um you know what went well what didn't go well from the response perspective you know did the police show up and park right in front of the fire hydrant probably because that's what they do um you know but

um just joking aside did we um something we see often with with I mean I won't even say with new firefighters is did they just drop the hose in the front yard and then it's just Tangled mess and then you're trying to run into the building with a hose that is just completely Tangled so then you're wasting time there um did we do everything safely one thing we unfortunately don't always do correctly is safety um so was there something we should have done better from a safety perspective in the U.S For Better or Worse something we often do is run into the burning building and try and put the fire out if you go over to Europe unless there is

someone's life at risk oftentimes you're going to stay outside of the building so we need to wait weigh the pros and cons there is there a need to go in is is there something we could have done better we've gone into fires where unfortunately there is a person inside and did we find them quick enough is there something we could have done better to find the victim so there's a lot of things that we need to evaluate after that fire or after that incident to determine if there's something we could have done better great question

uh the the police officer yeah um yeah I don't actually know him but um that's usually what they look like when they're when they're at the scenes and there's no police officers here right if not uh don't follow me home but no I uh I just use the stereotypical picture there uh usually police are great to work with at least where I'm at but um we have had issues with them parking in front of higher fire hydrants if you go on YouTube I think there's a video up in New York uh where the fire truck actually pushed the uh push the police car out of the way with the with the apparatus any other questions

yeah no that's a good question um I would say from for the most part fire while regulated it's not it's not too bad we don't uh there's not a ton of oversight unless something goes wrong that's when fit hits the Shan if you will um yeah yeah I mean usually usually it's pretty hands-off um and our regulation regulations are coming from the government but as long as we're doing everything properly then then there's no issues if there is an incident there's going to be if there's an issue something happens God forbid someone gets killed on a fire scene there's going to be an investigation into that to determine what happened what was the cause all that stuff and

then ultimately whose fault is it um incident response it's it's a lot different there's a lot more regulations uh there's different you know there's PCI Phi HIPAA you know all those gdpr so you've got a number of balls in the air that you have to watch out for it's really uh if I could say anything about regulatory requirements is go above and beyond don't just check the box I know it's easier to just check the box but really go and do your due diligence make sure you're mitigating the risk fully as opposed to just doing the bare minimum I think there's a parallel there to to like with security air this distraction from the business

until something bad happens and then you're a necessary evil right similar with the fire service like until we get to a point where we take it on the road during the day because we don't have enough volunteers

there's a that's an interesting parallel as well yeah I think for in PA I think you're going to see it change it's going to be a slow change but with 96 percent being volunteers still um you know something's going to have to give and unfortunately it's going to be that worst case scenario that's actually going to change the minds of people to actually move to paid departments but

um so my contact information is up there uh there's a chance to win some money over there or might be a random Youtube video um I figured you all probably get your phones out right now and scan that right just like during the Super Bowl all right if nothing else thanks for your time appreciate it [Applause]