Live Updates on the Cybersecurity State of Emergency

July 30, 2019

Phil Richards | Chief Security Officer | Ivanti

Chris Goettl | Director, Product Management, Security | Ivanti

Louisiana's governor declares a state of emergency in response to a developing cyber attack affecting school districts. Join Ivanti CISO Phil Richards and Security Product Management Director Chris Goettl as they share:

  • A breakdown of the anatomy of the attack
  • Best practices for limiting your risk
  • How to develop an emergency response plan
  • Advice for both IT security and non-IT security professionals

Transcript:

Jared:               All right, welcome again everyone to the webinar. We're doing an update on the Louisiana Cybersecurity State of Emergency. Again, my name is Jared, I'm with Ivanti. I'll be your host for today's webinar. Joining me, Phil Richards, Ivanti CISO, and Chris Goettl, our Director of Security Product Management. Guys, thanks so much for joining us and welcome to the call.

Phil:                 Thanks, Jared, it's good to be here.

Chris:                Thanks, Jared.

Jared:               All right, let's dive straight into this really quickly. If you have a question throughout this presentation, utilize the Q&A. We'll be monitoring it. We'll have time at the end of this presentation for a little bit of Q and A with Chris and Phil, but guys, let's dive right in to this presentation. So first, what we can update you is some new information on the Louisiana Cybersecurity state of emergency.

Jared:               This is the basics. You may have read these headlines last week. Out of the New York Times, severe intentional cybersecurity breaches were detected in three northern Louisiana school districts. In one case, a virus knocked out the district's phone system. That prompted the governor to declare a state of emergency last week, and one thing that Governor John Bell noted was there was a significant risk that the threats were ongoing. So, Phil and Chris, you guys have been monitoring this situation closely, what are some of the things that you've noticed about this that are super interesting that the audience should know about?

Phil:                 Well, from my perspective, this is Phil, and one of the things I think is real interesting is that, the fact that the governor actually did declare a state of emergency in order to get access to additional resources. He brought in cyber experts from state entities and state groups and things like that so that he could have the right kind of manpower. Think of it as boots on the ground, I guess, for reacting to and responding to this attack. We do expect that a lot of these attacks that were for schools, in three different parishes, were actually ransomware attacks, which means that there's a lot of cleanup work to do.

Phil:                 There are machines that need to be re-imaged and files that need to be restored and things like that. So, there's a lot of boots on the ground kind of work to do with these attacks. The governor used the state of emergency very strategically to be able to avail himself to the kind of resources that he was going to need. Just to make sure he had enough people to be able to handle the issues associated with that kind of an attack.

Chris:                Yeah, one of the things that I've been thinking about this as the number of these has been climbing, is this seems to be somebody who has done their homework. They've identified a target, and they've found multiple of these that they could basically hit back to back. It seems they're definitely looking for a pattern, and one that they'll continue to find more targets of as they continue their reconnaissance. It's most likely that the same approach was used on all three of these cybersecurity incidents, and it's not unlike other ones we've seen. If you look at not too distant past here, there was a group called SamSam, a ransomware family by the same name, and the tactics being used here are not too dissimilar from what they would use. It's very much standard. They go and identify a target group. SamSam, in 2017, started out with just government facilities, cities, things like that. The city of Atlanta was a high profile one that was hit by SamSam. They shifted their tactics later on to start targeting a string of healthcare organizations.

Chris:                So, in this case, we can probably expect to see more government entities and specifically more schools possibly be targeted by the same tactics and the same group, most likely.

Phil:                 Yeah, and to kind of go along with that, we can certainly expect that the timing of this event was not accidental. Towards the end of the school year, we can expect students to show up at a lot of these school parishes in the next two weeks, two to three weeks. So that gives the school district just enough time to worry about it and think about it and pay the ransom in order to get their files back. So the timing is actually very important. The attack was perpetrated so as to provide just enough time so that the officials in the school districts feel like they can recover from the attack by paying the ransom.

Jared:               Yeah, and Chris, you touched on this, a fourth district noticed unusual activity. This is some new updates this morning. The state of Louisiana did send a support crew that is assisting the district, but this district and others are taking precautions. Shutting down email and phone lines, other districts are backing up records as a precaution. Just a couple important things to note, some security issues and some data loss. That is a pattern that we've seen throughout all four of these specific attacks, however, not all of them had a ransom request. So, the Advocate out of Baton Rouge is reporting that at least one of these schools did have a ransom request. And Phil, like you said, we're starting to see similar incidents in Alabama, Georgia, and even a few other locations.

Chris:                Yeah.

Jared:               Chris, in this [crosstalk 00:06:59] what you wanted to talk about next. Piggybacking off this fourth attack, there have been some other recent incidents here.

Chris:                Yeah, absolutely. And that's kind of the biggest thing here, is right now, the state of emergency that was declared, that's kind of sending a wake up call to all of us real quick here to make sure to focus in on the things that matter most, but if you look back, all of these headlines are all just from the last two months. This all came out between really June and July. The now four districts, that fourth one that just came up is most likely but not officially tied to this string already. The city of Baltimore, they had a ransomware attack just a little over a month ago that the overall costs, in soft costs and hard costs, they had services and things that had to be brought in to bring online to help with getting through the crisis, but soft costs overall, 18 million dollars that they've been impacted by for that ransomware situation.

Chris:                They even had, the mayor of Baltimore refused the ransom and they ended up, the attacker released sensitive data on Twitter. Fortunately it was old, outdated, and didn't have anything too sensitive, but still, I mean, that particular threat actor was definitely threatening something real.

Chris:                The state of Florida, two cities recently had a ransomware attack and they did pay out. 500K and 600K in those two events. June 4th, this last article, Government Networks Under Cyber Attack, that's basically talking about a string of almost back to back cybersecurity incidents across state and local governments, school districts, over the course of the first part of this year. That article goes into and talks about a bit more guidance. And we're going to get into that level of guidance here, but the key takeaway from my perspective is this is not something that's uncommon. It's something that happens on a fairly regular basis. It's something that is preventable, more importantly, and analyzing attacks like this that have been successful helps us to understand and mitigate those types of attacks, those types of methods very effectively.

Phil:                 Along with what Chris is saying, the National Governors Association puts out a significant amount of material when it comes to cybersecurity. A lot of what they provide is in the area of response planning. The National Governors Association, the governors of states actually have access to response planning and response mitigation on a scale and level that most of the rest of us don't have. We don't have that kind of availability. As I said previously, declaring a statewide emergency avails the governor of Louisiana to quite a bit of funds and quite a bit of resource that would otherwise not be available.

Phil:                 So he's able to attack the problem from that perspective. Not to say that the National Governors Association is not in the space of governance and putting the right kind of structure in place. They absolutely are, but they have the ability to command resources that most of the rest of us aren't able to have. They can rely on incident response and incident mitigation a lot better than many of us are able to do because they have access to a lot of those resources.

Jared:               So that transitions nicely into the next thing. We've seen in the headlines here, what are some of the recommendations you guys have for IT security professionals?

Phil:                 Well, from my perspective, and we'll talk about this in a little bit of detail, I put down three things that certainly aren't the only things that you need to be working on, but they are things that you need to be focused on and have quite a bit of resource in your own situation. When it comes to governance, to be able to nip these issues before they become massive response kind of issues, and they are patching, user education, and privilege management. And we'll talk a little bit about each one of those. Chris, if you want to cover patching, that's clearly one of your mainstays.

Chris:                Yeah, so when you talk about try to prevent risks or prevent security incidents like this, it really is about reducing attack surface. And there is no greater area of attack than software. OS, applications, that's where the majority of your vulnerabilities are. So continuous vulnerability management is the process of going out, regularly assessing, and remediating those security vulnerabilities. And it's a challenge that patch management has been around for a long time. Even before my time here at Ivanti, October will be 15 years for me here, focusing a lot around patch, but even before that when I worked in IT, a lot of what I was doing on a regular basis was just making sure that updates were in place, that software was patched, that servers were patched. It was one of my regular tasks that I had to do. So it's been around for a long time.

Chris:                So, the challenge that most companies have, though, is they don't have effective tools to assess and automate remediation of patches. They don't have adequate test infrastructure, they don't have the ability to pull in the details that they need to be able to effectively patch. There's a number of things you can do there. There's places like patchmanagement.org, if you haven't heard of it before, it's something that Ivanti hosts. It's a vendor agnostic space, we don't market on there or do anything else, we've just created it as an ecosystem where organizations can get together and talk through the challenges and share information about how to get more effective at patching your environment, from known issues to other things.

Chris:                And then, even other things like our Patch Tuesday webinar and other things there. Just getting to a point where you're regularly prioritizing and resolving security vulnerabilities. There's a lot more to it, but this is probably the number one most effective thing you could do to reduce your attack surface very quickly is just to plug security vulnerabilities in software.

Phil:                 Exactly. One of the, I'm sorry, there's a great question that came up online, that I kind of wanted to address real quickly. The question is, "What about other types of controls, like access management, multi-factor authentication and things like that?" We're certainly not saying that those things are not effective. Quite the opposite. There's a whole litany of things that an organization can do and should do in order to try to alleviate these kind of attacks. We're focusing on these three because they happen to be pointed pretty [inaudible 00:14:47] to customer environments that are addressed in from a ransomware perspective. That's one of the reasons why we're talking about these.

Phil:                 Let me just talk real briefly about phishing and spam emails. One of the things we do at Ivanti is on a periodic basis, about every other month, about every eight weeks or so, we will send out a phishing campaign to all of our employees. We get obviously a certain number of individuals who fall for the phishing campaign that we send out, and fortunately a lot more individuals who don't, who recognize that it is a phishing campaign. That has a couple of benefits. One is that everyone in the organization is kind of always on alert that they could become a victim of a scandal of that kind if they're not being careful.

Phil:                 When real phishing emails appear to our staff, which doesn't happen often, but it does because we try to have a lot of controls in place for that, when they do get them, they oftentimes send them back to our team saying, “Is this you guys trying to scam me again?” Which is great, that's the kind of behavior that we're looking for. We want individuals to be worried about that, to be vigilant about that kind of thing. And that's really the value of that education and some of those phishing drills is that it puts people on notice that they need to be aware. They need to not be clicking on things in their email that just show up because they happen to show up in their email.

Phil:                 So that's one of the things from a ransomware perspective. The email happens to be one of the easy vectors in for ransomware to take over in an environment. One of the other things that we want to talk about, and we'll talk about this a little bit, is privilege management. The main reason why privilege management is so valuable in a ransomware sort of a scenario, is that privilege is what allows an attack to be successful. Oftentimes attacks will use encryption to lock files, not just on the local device, but on attached network and storage devices and things like that. And if the individual who's susceptible or who receives a particular ransom attack, if that individual doesn't have adequate privilege, then it just limits the amount of damage that the virus can do, that the ransomware can do.

Phil:                 Chris, any additional thoughts along that line?

Chris:                Yeah. So, there's a good stream of really good questions that are coming across as well. So, a couple of things, one of the things that we're talking right now is prioritization of security-

Phil:                 [crosstalk 00:17:54] you want to move us forward here?

Chris:                Can you guys hear me?

Jared:               Yeah, Chris, we can.

Chris:                Okay. So, on that-

Phil:                 Right. So one of the things that we wanted to really cover is this discussion around prevention versus response. One of the things that we talked about at the beginning of this discussion has to do with the fact that the parishes, or oftentimes federal government, has the ability to have much broader response capabilities than a lot of the companies, organizations that we are might be able to have. As a result of that, we tend to focus on a prevention sort of capabilities because we're not able to drive the resources into the response kind of space. We talked about three particular types of controls, one of the things that I wanted to hit a little bit is this whole, is the CIS framework.

Phil:                 That is a framework, CIS stands for Center for Internet Security, and that is a framework that is able, that is used by organizations to handle or figure out what your information security control group needs to look like. And the thing that's nice about the CIS framework is that it is, it contains, it can include about 20 different organization groups, 20 different control families is what those are called, and they're prioritized. So, the items that are in the top 2 or 3 are more important than the items that are 17, 18, and 19, that sort of thing.

Phil:                 So, the CIS framework consists of 20 control families and the first 5 of those are what are called the top 5. And they include things such as privilege management, inventory of hardware and software assets and things like that. Some of the things that are probably more critical to an organization to be able to implement. The nice thing as I said about the CIS framework, is that it is prioritized, so you kind of have a list of things to do in the right kind of order to be able to take care of the kind incidents that you might be looking for.

Jared:               And Phil, we do have Chris back, Chris anything to add on that?

Chris:                Yeah, so the CIS framework in this kind of goes to a couple of the questions that were being asked before, if you look at the CIS framework it's broken down-

Phil:                 Jared, Chris, I can't hear you, I don't know if you're on.

Jared:               Phil, we'll get your audio ironed out in just one second.

Chris:                Yeah, so it's broken down into a basic set of controls. This is what they define as basic cyber hygiene. And where the majority of your mitigation is going to occur. So this is things like, inventory and control, hardware assets, and software assets. Those are the first two controls. Application control starts to fall in there, but it's really about asset management. So, they're focusing a lot around discovery and understanding what's in your environment because that's necessary to secure it all. And then you get into continuous vulnerability management, number three on the list. That's where patch management and your vulnerability assessments come in. And again, this is built around prioritization, so controlled use of administrative privileges, that's number four on the list. Number five on the list is secure configuration of hardware and software devices, laptops, servers, workstations.

Chris:                So those first five controls, that's about 85% of your mitigation or elimination of cyber threats. So when, there was a question from James about what about things like segmentation of networking, software-defined networking, and MFA, all of those things are absolutely important to building a strong cybersecurity program. If you look at the CIS framework, all of those do fall into place within the framework, but those ones, if you haven't done these basics, it's very easy to overcome them. So, in a lot of cases, like in a boundary defense is number 12 on the list. Malware defense, your anti-virus or Next Gen AV is number eight on the list. It's not that those aren't important, it's a matter of if you haven't done the basic cyber hygiene first and effectively, you're going to spend a lot of time and effort on the other things with limited effectiveness.

Chris:                So that hopefully answers your question, James, around the importance of those things. So, with these school districts that were hit there, with a lot of the other recent incidents, a lot of the commonalities between those are that the attackers in this case were able to use some of the basic tactics to get around those first six and first five controls first six controls. So, it's just kind of pointing out the fact that if you spend time and effort on really good incident response, you detect and response capabilities, the best recovery abilities in the world, you're still going to have an incident happen. It's just a matter of you might be able to recover from it better than the next company. But trying to prevent the incident all together, those basic cybersecurity controls are necessary.

Chris:                Go ahead, Phil.

Phil:                 Yeah Chris, Elliot actually has a really good question I think in the chat window. He says, “We can deal with security where it's privilege management, the challenge for our admins is when there are patch revisions that come on top of regular patching?” So this is patching patches, or version two or version three or version four of patches. That can be somewhat of a nightmare scenario for a lot of sysadmins. Chris, can you talk a little bit about how the evolving software, and how patch management from a prioritization standpoint can help address some of those kinds of issues?

Chris:                Yeah, so in a lot of cases if a patch is replaced it's a matter of can you, do you know that it was replaced? How quickly do you know, and is it prioritized to get resolved again quickly? So when we have an issue like that, our SLA is if it's a security related issue, we turn it around as quickly as possible.

Chris:                And it looks like Jared, you popped out, and oh you're switching sides?

Chris:                Oh the CIS framework, yeah thank you, but with that you can quickly and easily see if a patch was re-released, you can quickly and easily when you do detection for that you can see the newer update available on there. If you come back around, so Phil, being on the security side, his team is doing regular vulnerability assessments. The operations team is responsible for remediating those patches. Those two teams need to work together. One of the things that we do spend a lot of time on is making sure they can bridge that gap easily. So the common piece of information there is, the vulnerability ID. CVE ID. We make sure that all of our patches map to the vulnerability IDs that are identified so that we can help prioritize those necessary updates much more quickly, much more effectively. Oftentimes taking hours of research down to less than a minute of analysis time from our mapping.

Phil:                 Really what you're talking about is what we more broadly call the vulnerability management life cycle, for which patching is a key component of it. The whole idea is, it's not necessary that we, that you know, patching isn't the end game. The end game is to remove vulnerabilities and patching is one of the tools that we use to be able to mitigate vulnerabilities.

Chris:                Right, so another question came up about vulnerabilities that come around that are not mitigated by an update or a patch. So yeah, that's where to answer that question, John, configuration management becomes a necessary part of vulnerability management as well.

Chris:                We have, if you're using Microsoft System Center, that's where you want to be able to configure and push out those types of changes effectively across the enterprise there. At Ivanti we have an endpoint management stack. Our unified endpoint management platform that allows us to do both patching and configuration changes.

Chris:                So, they're making sure that if you got a vulnerability detected, you would be able to put together the configuration change that's necessary and push that out through your configuration management platform, and that's why number five on the list, on the CIS framework is that secure configuration, that's going to be your vulnerabilities that require a registry change or a service to be stopped or something along those lines. Protocols or ciphers to be removed.

Phil:                 Chris, it seems like a lot of organizations have a few servers that end up being special snowflakes in their environment where they're not, you're not able to patch them. You're not able to upgrade the operating system. You're not able to change configurations and things like that. In those scenarios you have to use other control mechanisms, either firewall activities or taking them off the network, or putting web application firewall services in front of them, those kinds of things.

Phil:                 It seems like everybody has one or two of those systems that just require an extra layer of special handling to be able to secure them. The bottom line is you can secure those systems you just have to be a little bit more creative about how you do it.

Chris:                Yeah, and you know one of those questions that Doug just asked, another follow up to that, too, which is, "What happens when you have a vulnerability that doesn't have a CVE ID related to it?" Actually, there's a lot of software running on your network where those vendors are not diligent about identifying that they do have security vulnerabilities.

Chris:                So, asset management in general becomes just the understanding of what software am I running on my network that's outdated, if there's any outdated software, it tends to be suspect. The more popular the software, the bigger target it'll become, and that's one of the reasons why to Doug's question here, patching alone isn't going to solve all these problems either. We talked about configuration management being necessary. Application control, the majority of tools that these threat actors are using, including the ransomware malware itself, are un-trusted payloads.

Chris:                So, being able to implement a good application control policy to block un-trusted payloads helps to mitigate those things, whether it's a zero day exploit that they were trying to take advantage of. If it's... Even most fileless attack methods get to a point where they will execute a payload at some point. Whether it's the ransomware software, a back door that they're putting in place. A tool like Mimikatz to compromise credentials. All of those types of application tools that an attacker's going to use can be blocked by application control.

Chris:                Privilege management is the next piece. So, Mimikatz, this is a tool where an attacker's going to run that, compromise credentials that have been used locally on that system that they've gotten onto. From there, they're going to pivot and use a credential of your own and locally available system tools, like command prompt and PsExec and WMI and PowerShell, with your valid credential and with tools and utilities that you expect. Now, they're going to be able to move throughout your environment a lot harder to detect, because it's using the same behaviors and activities that you yourself would be using.

Chris:                So, all these things together are how you would have to layer on the defenses, and again, why they're prioritizing all of those that we described are all in that top five. That is going to be one of the most effective ways you'll be able to defend against that.

Chris:                There were a couple of questions that go cross platform, and I wanted to touch on those just because of putting any false senses of security at bay. Chromebooks was one of those questions. "Are Chromebooks a smaller attack surface than a Windows machine?" Yes, but with the caveat of you're still dealing with software that's vulnerable. The Chrome browser, the Android OS, they have many vulnerabilities as well, so, while Windows is more broadly targeted, the Chrome platform, the Android platform in general does have a lot of vulnerabilities, and there was another question about Linux. Actually, SamSam that ransomware group that are the threat actor that I was talking about before, one of their favorite entry points was the JBoss development environments.

Chris:                So, they would actually enter in through an unpatched platform that's running Java applications on a Red Hat system. So, while less often used, again, those are commonly expected to be out of date and easy to get into. So, we can't just rule out if it's not a Windows machine, we don't have to worry about it. The Mac platform, Linux, Chrome, all of those can be exploited, and they will be exploited if they're left untouched. Just a matter of Windows obviously is the more common in most cases and easier to get at. So, that's the higher priority out of those.

Jared:               Yeah, thanks Phil and Chris for getting those questions. Fantastic questions coming through in the chat and Q&A as well. I wanted to, it being the half hour mark, I wanted to move through a couple more things that I know that we have to talk about, and we would be wrong if we didn't mention another update that's happened in the last 24 hours in the Capital One data theft.

Jared:               You've seen some of the details in Krebs on Security. They've charged a Seattle woman with stealing data from more than a hundred million credit applications. That's about 140 thousand social security numbers. 80 thousand bank account numbers. A million more social insurance numbers, which is the Canadian equivalent of SSN.

Jared:               And so what we've seen from this, Phil, is that the person that is accused of carrying out this attack had experience with AWS, a former AWS employee. So, it's an insider threat. Phil, you had some more that you wanted to share about that.

Phil:                 Yeah, so, insider threats I think is one of the things that we really do need to watch out for. Again, some of the controls that we've put in place that we're talking about here today, patching, privilege management, and secure application management are good ways to alleviate or mitigate some of that insider threat capability.

Phil:                 This particular insider had some key knowledge and some key skills, so just simply putting those things in place may not have addressed this issue. Proper monitoring and alerting and things like that will also help in a face.

Phil:                 Unfortunately, we're, our environments are getting complex enough that being able to defend against every vulnerability and every kind of attack is unlikely, so a big part of what we need to be able to do is monitor, alert, notify, react, and mitigate damage when those kind of vulnerabilities do take place.

Phil:                 The other thing that I wanted to cover real briefly is as far as this goes, is this attack was actually perpetrated against in an Amazon S3 instance. The police initially, now this is all brand stuff, so the information is evolving, but at least initially the belief is that there might have been a mis-configuration of that environment that took place, which allowed the attacker to gain a foothold.

Phil:                 It is so critical that you be able to, that you follow the best practices from both AWS and Azure, as well as Google as you're using some of those cloud platforms and others, because by not following those best practices from a hardening standpoint, you leave yourself open to insiders that might not be members of your company. They might be members of or former employees of other organizations, they just happen to have insider information.

Phil:                 So, it's really important to follow those hardening standards and hardening guidelines as well.

Chris:                Yeah, and this is getting back to one of the earlier questions about what about all those other more sophisticated security controls? This is the difference between the ransomware situations we've been seeing with the school districts in Louisiana versus financial institution like Capital One. In this case, securing public facing API's and services on the AWS stack, obviously we're talking about a different level of and type of attack then the ransomware attacks that happened in Louisiana.

Chris:                So, again, going back to that CIS framework, each company, each agency, each organization is going to be on a different point of that journey. I think the one thing that I would say, and I like the dynamic that we're showing here with the Capital One breach here, the hundred million records is you've got a low-hanging fruit attack that exploited some of the basic security hygiene methods very easily, and then you've got an insider threat taking advantage of just misconfiguration and going in through a totally different method. Each vertical even faces different types of attacks. So, as you think through how to secure your environment, all of that comes into play.

Chris:                There is one more question that I really have to answer, and that was Joey asking, “Please provide me an example of a Mac exploit.” In fact, there have been several this year if you just Google Mac exploits, you can see several that caught the news. A pair of zero-day exploits that allowed a full takeover of a Mac that were reported back in March. A discovery of a vulnerability that allowed macOS to be exploited to get into the key, a KeySteal attack to access system passwords. There's exploits on a Mac as well. So, no platform is safe. Just a matter of which one is lower-hanging fruit and more lucrative for attackers.

Jared:               Great. Just a few other questions, and Chris, you've been able to get to a lot of these, but maybe we just do, so Joey did have a follow up to your question, Chris, the question is, “Was it in the wild?”

Chris:                So, the KeySteal Mac exploit was in the wild. They won that, it was able to access system passwords. The zero days for Safari were at a white hat hacker convention, but yes, there are exploits in the wild that occur. In fact, I think it was last year exploits had increased nearly 300% for the Mac platform. There are Mac exploits.

Jared:               Great.

Phil:                 And Jared from me, one last question from Patrick that I wanted to address. He asked the question, “Federal agencies, including the Department of Education, are advised to use the NIST Framework, and how does that map to CIS and ISO frameworks that, specifically that we're talking about the NIST Special Pub 800-53?”

Phil:                 The answer is, there is good mapping back and forth between the CIS and the NIST Framework. There is mapping between the ISO 27001 and NIST Framework, but it's not as robust as it is from CIS and NIST. So, if you're...NIST is, in the United States, considered to be the de facto standard. That's the blue chip standard for security compliance framework, but those controls do map very well between the CIS framework and the NIST Framework.

Jared:               Great, Phil, thank you. Chris, also appreciate it. Just a reminder to everybody on the call, we will send out a recording, along with the slides from this presentation. You will have that in your inbox later today. Guys, thank you so much. Any closing remarks before we end this webinar?

Phil:                 There's a lot of things that you can be doing. It's real important to focus on the things that are going to provide you the most value right away, and understanding inventory, understanding your patching and vulnerability management cycle, and training your users and limiting their privileges I think are right up there as the most important things you can do.

Chris:                Yeah, so, for me I think it's a matter of if you don't already have one, having a good framework and more importantly a framework that you're looking at holistically across your entire environment, that you're marching towards. Prioritize, each company, again, is at a different stage in the journey towards securing your environment. Figure out where you're at. Obviously, we've had a gamut on this call today. Some of you are much more on the security side, and thinking about deeper into those frameworks. Others are probably just trying to fight the same fires that are affecting the most recent Louisiana school districts that got hit.

Chris:                So, strike a balance. Figure out what needs to be prioritized and just start methodically going after them, and it's a constant effort. It's not something that happens overnight, but it can be achieved. You can mitigate or eliminate the majority of threats by doing these things well. So.

Jared:               Great. Thanks guys, and we are following both the Capital One and the Louisiana cyber attacks state of emergency. You'll find updates on our blogs as we get new information and feel free to follow us on our social media accounts. We're posting updates there as well.

Jared:               Chris, Phil, thank you so much, and everyone else, we'll see you on the next webinar.

Chris:                Thank you.