 happy to introduce the next speaker. Now it's the other way around. Like a couple of days ago I introduced him to this angel job being a Herald and now I have the pleasure to introduce my favorite angel vision to you. And in the context of his talk, I would like, like, this would be an instant response about how to prepare, how to work out what to do up front and after it's already too late, I believe. So I would like to find out who is in danger of having a heart attack. So, like, watching the talk, therefore, raise your hand if you haven't tried to replay your back ups in the last 12 months. I haven't. So I'm especially nervous about this talk. Please give a big round of applause for Oscar or vision who is the chief of security officer of the Dutch health ministry and right here to speak to us, not only as an angel but also as a professional. Thank you. Thank you. So let's start off with talking about crisis but in a light hearted way. So with a lot of colors and having fun because crisis are more complicated than you think and this talk is meant for, I think the people here, not so much if you work in a sock or if you work with things that I'm going to tell you, it should be just a repeat of things or if you work in technical areas of the company, I think this would be very interesting to see, okay, what can you do to assist or help a cyber crisis and what's going on in the company if you have one. Now, obviously, we don't want to have one because typically, we all work in a very happy situation. Everything is nice and dandy. We're creating stuff and we're making, yeah, we're running a business and we're having a cool time. But sometimes you realize and sometimes you see it on TV that, well, you could actually end up into a situation that is slightly more stressful. So how do you deal with that and what kind of things are going into, yeah, basically dealing with the stress that you get. So one of the things that I want to emphasize is that I'm going to talk obviously about a timeline. So I'm going to tell what's happening in time with respect to what an attacker is doing, what you could be doing, what you think you should be doing or, well, could have or could know about. And yeah, it helps to know that you have certain situations. Well, it will become more clear in the next few slides. Let's lose time. So some infinite amount of days before the hack, we're still working in a very happy environment. Nothing is happening. Everything is cool. Looking at the bright sunshine and we watch into oblivion. But several days later, things happen. What would happen? Oh, my God. Somebody is actually looking at your internet ports. You're looking what kind of services you have online. Could be cloud stuff, could be internal. This is not really the more important thing. Oh, I thought it was this show that was beeping. Anyway. So somebody could do an internet scan. Now, what does that bring you? Hackers or attackers, crime fighters, I don't know. All kinds of people could just scan your infrastructure and see if there are vulnerabilities. Now, they would look for the vulnerabilities and they could break in. Obviously, we know that some of the situations are not that complicated because, well, some of the attacks actually end up into the starting point of just sending an email even more easier. I mean, why would we hack a system if you can just send a message, people click on it and then poof, things happen. For example, if you look at the Rayuk malware infestation, it starts with the malicious email as a dropper. So you get an email, hey, please click here, do something. And then the attack starts already in deployment on the infrastructure. So your laptop gets compromised, your account gets compromised. An attacker could then consider using at least build it in the malware that it moves to another system into your network and so on. So basically, they're digging around in your network and you have no idea what's happening. Particularly for Rayuk, it starts locking your files and then suddenly you have a problem running a business. Because if your files are locked, you cannot read them, they could read them, extort you and all the shit happens. You just got hacked. This is what we call day zero. This is the time component. This is what we try to think about. Okay, what is the actual day zero? I would always say the day zero is the day that you get hacked. But did you actually know you get hacked? Do you? Let's split the timeline. You have companies that on one hand have no idea that they actually got hacked already. Because in Rayuk, it might be very obvious that the files get compromised, or at least encrypted in this case, and you do not have the key in this case. And yeah, in some of the other malware cases, it's really pretty silent. And you can go on with your business for quite a while. They're just nesting in and then going in for a kill later in time. But if you have a very active sock, then perhaps you can spot the attack in time, or at least in near real time. That's what you hope. That's the ideal situation. Unfortunately, the ideal situation is always a very good hope and we work very hard in actually getting there. But we know from a practice that not in all cases, all the new ways of getting into your infrastructure gets analyzed properly. You're always a step behind with respect to the newest developments, of course. So unfortunately, most companies are in the top timeline. You don't know that you are hacked until it actually gets exploited or visible somehow. So the attacker is trying to keep it as silent as possible that they are on the network. They could try to dig in. And perhaps if you look at the news, I think it's always very interesting to see that the time states, okay, the attack entered in, and it turned out that the hack already happened months before the first sign of actually that malware infestation emerges on your machines. So I think that's always interesting how much time does it actually take for you to see that you are hacked. It's an interesting tactic. I've seen quite some of some of the malware that actually just, well, wait as much as possible, because then they can go around into your network and see what your business is all about, what type of machines do you have, and then go for the actual kill. So that would be day one, or at least to end, because you don't know how long it actually would be that they would do stuff. So when it actually emerges, and that your organization actually sees machines go offline or services offline, I would always count that as they end the amount of days that you got hacked, plus that the organization actually now finally realize that you are hacked quite some time. I mean, the amount of days that you, I mean, how do you tell your customers that you didn't know that you were hacked for so much time? Companies have a big problem there because, yeah, media and people who are not so tech savvy always have the problem or at least the idea like how couldn't you see this for that much time? How could you not see that you were hacked for, I don't know, even a year? I've seen that happen as well. Some of the operations are even longer. Perhaps the bad guys are in this case quite lazy, perhaps they hop from one organization to another. I'm always quite intrigued on why it takes so much time for the actual exploit to emerge. So then it becomes the panic situation. The company now suddenly realizes, oh my God, I need to do stuff. But what do you do? What do you need to do when you are in this particular situation? You could start running around and flapping your arms and then think, okay, I can't do anything because hackers got me, or in this case, criminals got you. But, yeah, you could take it more structured. Now, it could be a crisis plan somewhere. I don't know if you actually know what a crisis plan is, but it would describe all kinds of things. And I will go into that details even more later in the talk. But there could be a crisis plan somewhere in a drawer in your company. But where? I find it's quite amazing that some of the companies have no clue that somebody already thought about it, but now isn't working at the company anymore, and there is no crisis plan or is quite old. It's quite amazing that sometimes people miss it. Now, emotionally wise, what does this do with the company people? First, what happens is the shock effect. If you look at the stages of grief, the shock is very, well, depends on how much you actually accounted this, of course. If you're a security researcher, or a search person, or a C search, you've seen this effect more often, and then you perhaps go through this cycle more quicker and more relaxed. Some of the companies try to do something else and try to ignore that they are hacked. Can we hide it? How much times did we actually see that happen in the past? Can we actually hide that you were hacked? Well, if the company cannot run their services anymore, ultimately, it will come out. But a lot of managers try to manage it away that you got hacked, which is interesting because how do you manage the hack without touching the technology, without doing anything? Just reboot the machine and hope that the fires will go away? Unfortunately, that's one of the illusions. Realizing after that fact that we cannot deny it, the first reaction that I typically see in various companies is that they get angry. I cannot get hacked. I got hacked, but they don't really address the problem. They just get angry and are nowhere in any business in getting a structured solution or towards a structured solution. So it's a very common thing to see that people get angry and where does this anger lead to? Unfortunately, the poor IT people. The people that actually have to deal with this situation typically get the rage of management. And I think that's quite a pity. Sometimes you cannot do anything about the situation, but you do get the rage and the anger of the company for the poor souls that are actually running the infrastructure. Think about the situation where you already stated to management, look, we need more defenses, we need more investments, but it's not coming. But when it actually happens, unfortunately, you're taking it on the wrong side. Companies can then go into a depression mode. So with that emotion, you still are not dealing with the situation, but trying to hide it. And in this case, trying to hide yourself. Ultimately, the realization that management or other people in the company couldn't do anything about it, and they just stop and yield. Unfortunately, this is a very common emotion, a very common effect in a lot of companies trying to just hide it away, and again, try to ignore the facts. Successful companies try to accept that they got hacked and try to deal with it, and then they try to move forward. And ultimately, you try to work together. And that's the most effective way of actually dealing with such a situation. Now, what I mean with that last one is when you have a company that is hacked or got hacked, and they're trying to be, well, not so much as open as possible because you're trying to control the story, but at least you ask for help. And that's a complicated thing. You got hacked, you have a problem, but now you have to ask for assistance, either by your suppliers or by partners. And it's interesting that some of the people are actually good-hearted, and even on the Sunday morning, people try to get into a car, go to your company, and assist you with your business. It does happen. So I hope that people would move quicker to all these emotions and move towards the integration part because it really is a thing that companies would say will deal with all the administrative things later. Let's help you first. Now, on the optimistic side of the timeline, the stock would actually see the thing, would actually see the situation. And the former way of dealing with this is that they actually described a use case. And a use case would be a preparation, you prepare a function, a description with the formula. I want to catch Z, a following situation. This requires the data Y, and you need X as stuff in your network, perhaps, and it needs to be enabled. And after that, you can execute and do W. So what are the pitfalls? Z is not even clear sometimes. It's interesting that sometimes you say, oh, we want to catch the attacker, but you have to clearly first define what you actually want to catch. What does the attacker look like? How do you define malware? How do you express it in such a way that you can actually detect it into your network? And with what gear do you have to do that? And how does this look like? What do you want to catch? You want to catch a fraud case. It looks quite different than malware that spawns from a macro, from word, for example. You have to define it first, because otherwise you don't know what you're dealing with. Another problem that I've seen, which is actually a common pitfall, is that if you have data, for example, you have a system that creates logs, but somewhere the logs need to be shipped to a SOC, to a SIEM system, for example. But if the data is then moved through a few systems, the log file could be neutered, in this case. You cut pieces from the log file because Shideu transfer, you change it to JSON, for example. You have a log file. You want to be modern. You change it to JSON, but you leave out certain elements that were needed to actually get the entire use case. It happens a lot that you then lose data in translation. It's just like, I think it's called in English, a birthday game, that you have one person talking to the next one, talking to the next one, talking to the next one, and the entire story starts first with you have an apple, and suddenly you're in America in an hotel, which has no relationship whatsoever, but sometimes that happens too. Now, the X would be if your data is not being delivered at all. What if you do not have an IDS system? If you don't have an intrusion detection system, none of this will be even detected. And the bad thing would be if you actually have an IDS, but you didn't pay for the license to actually activate it. And you have the IDS, and in some cases, some auditors would even state or mistakenly claim you're compliant. But unfortunately, it's not doing anything. Luckily, modern auditors actually do check if the effects that you intend for actually end up. But, yeah, it happens a lot that the machines are there, but it's not doing anything. Or not at least the things that you would intend it to do. W would describe which steps are needed to be taken after you've actually had a detection of the use case. These things are called playbooks, and they need to exist, and they need to be followed. Now these are two important things. I've seen a lot of cool situations where they have everything described, they have a sock, they're detected, everything is turning red, there's an alarm, but no follow up. And in some cases, you obviously have the alarm fatigue, this is not this. This is when you have an alarm, you have an alert, but you have no clue what to do after that. Now you're a cool security guy, but nothing is taking place with respect to actions. Now these playbooks are used to tell each other what to do. So who do you need to communicate to? How does your use case escalate to management? Whom else should know about what you just detected? Operations, networking, certain people. If you have an alert that goes off, how do you ensure that the right people are now starting up with some kind of activity? And consider also what to do out of office hours. I work at the government, I'm very transparent in that, otherwise you could have looked that up on LinkedIn anyway. But I know that having services out of office hours is something that you really have to discuss and bring to the table, because it's not automatic. It's also something that is with commercial SOC environments. It's something that you have to pay for if people are actively on duty looking at the screens and looking at the alerts and then having a discussion, OK, what should I actually do and how should you deal with the situation after office hours? And do you need to trigger suppliers? I would always say yes, because you always are engaging with suppliers, but how do you do that? Did you actually create a mail list for that? Do you have phone numbers for this? How does this work? This is something that you have to describe as well, because otherwise you will end up that your company knows about it, but you're completely dependent on your suppliers and the suppliers have no clue that you are having or seeing a problem in your environment. And last but not least, regulators. If you are working in vital infrastructure, for example, you need to contact the regulators if certain cases apply. And how do you know that this applies? Well, this definitely is something that you also need to figure out first. What does apply to you? When do you have to actually call the regulator on what notice? And then, of course, who is going to do that? And how do you prepare the person to do it? I'm not really sure if you could think about a CEO, for example, talking about you got hacked, OK, but the regulators also ask for particular information to be shared. If you then have just your CEO stating, I'm the important guy, I'm going to have a talk with this regulator, very cool, but then you have to prepare for that and train him properly, because otherwise it will be a very interesting story and your company will be hurt by that. Another pitfall and idea and the thing that you actually really need to do is log everything that you encounter. Not just physically, like, OK, the technical things, you have log files and you log stuff. No, no, log your personal actions and activities. And timestamp them properly. Who did what? And the important thing is stuff could get out of hand very, very quickly. And it's quite common that somebody would ask you, wait a minute, what did you do five days in the past at a certain time about topic X? Do you have the recollection of that while you've been stressed out many days trying to save your company, but somebody asks something very particular, very technical, or very detailed, and you don't have a log about that? That's really complicated. And think about how to structure this information. There are tools to actually help you. You could just use a template that creates a markdown file, for example, and make it very easy for you. But there are also tools that can actually help you. OK, what kind of decision was made by whom and what kind of information do we have to pass through? Or should wait? Also think about the situation when you are collecting data, and perhaps you are man in the middle somewhere, and you have to wait for other teams to answer the actions or information that they're trying to gather. So think about the situation where you have a team. Other teams need to communicate. And, well, who's doing what? And if you have multiple threads of activities going on, things will get complicated in that dimension, too. So the hint is create cheat sheets. I just talked with the Herald here. I also got definitely the hint, the cheat sheet matter. And I would definitely recommend in a stressful situation to focus a lot on all the details that could happen. Include basic things. It sounds stupid, but if you're running a crisis situation for multiple days, please, on the first day, think about the food and drinks and snacks for all the people that you have there. It's the same thing that we have over here on the camp. Drink sufficient water. It's something that you actually should push for everybody who's making lots of hours to actually do that, because you can have fatigue. It's not uncommon that people get burnout based on a crisis situation in your company. And a burnout typically lasts for at least five to 10 years after that incident. Think about that. Person is trying to save your company, but you didn't take care or shift it to another person. That first one got burned out and now has a health issue for many years to come. Clean it, this checklist, and fix it regularly. Make it something that you put into a monthly or quarterly or yearly. Well, yearly would be quite long. Let's say quarterly. Monthly, quarterly thing to clean it up, because phone numbers change, contacts change, regulations change, and your company changes. It's really important to do this. Now, some of the pitfalls that could happen is that you only focus on just and only the technical things. I have a crisis. My windows machine got hacked. Oh, shit. It's also the Active Directory and the storage, and blah, blah, blah. But what does that actually mean? Perhaps this is an isolated environment and the entire company doesn't really need to know that you have this problem. Only the crisis teams, perhaps. But if you do not talk beyond the technical level, if you do not talk, OK, what does this actually mean for the organization in those kinds of terms and effects, then also it becomes very complicated to talk with management about the situation that you have. If you talk or need to talk to management, please do that as quickly as possible. Do not hesitate to inform them. At least I know from experience that it's quite common that you have a technical team and they're hesitant to talk all about the technical things that are happening now to a management team. Because, well, let's face it, we have a different way of expressing problems. If you only use technical terms, the management will never understand what's going on. It doesn't know about Active Directory. It just has problems with logging in. This is something that you have to evolve quickly because then you can also train them and tell them, OK, this is actually what's going on. Perhaps even teach them some technical things. What if your company doesn't even have a crisis team or know about it? That's also a problem. What if you have people designated for the crisis situation, but the problem is that the technical people don't even know whom the crisis team is because this was decided by management but never communicated? Again, don't forget the regulators, for example. How do you deal with that? Perhaps you are obligated to actually tell them quickly within a certain amount of hours that you have a problem. But this is, again, it depends a bit on what country you're in and what the actual laws and regulations are. But sometimes for some of the hacks, for example, vital infrastructure, it's not uncommon that you have to involve law enforcement quick enough. And if you don't do that, you might be sued. Crisis teams need to be formed. And unfortunately, that also doesn't really happen that often because typically a company would say, well, that's not something that I should think about. The CEO will be the chief and the chair of the crisis team and then we'll move on. And typically you have your management people doing it. If you have a larger company, a dedicated crisis team might be formed and people from the company might get selected for crisis situations. If you even have a larger company than that, you have a dedicated crisis teams and people are getting trained continuously because that's their duty. But yeah, so does it actually make sense that you're actually selected to write people? What if the crisis increases in informed? Do all of the decisions make sense that you actually took? I've seen situations where a decision increased the problem for the company. How do you deal with that situations? So if you don't know about the results of whatever effects and whatever decisions you make, you'll be in a problem. Create a feedback loop, for example. If you have technical people that know what the consequences of a decision will be, I mean, let's face it, how much of a time did we have a problem, see it, and then figure out, okay, you've now made a decision and we know that this decision is the wrong decision. See some smiles, okay? So one of the things that I could see is that if you have a situation where you know this is gonna be really bad, you're just screwing it up if you continue with this. It helps to at least inform them at least once. Hopefully have an intermediate person, and this is something that I stole from Bert Hubert, for example, at least a term for it, the nerd Fluis Terrain, or nerd Whisperer in this case, somebody who has, oh, hello Bert. Somebody who has the capabilities of actually making the translation between management and the technical things, because, well, people are not talking about it, about the same problem with the same language and the same words and terms, you may need to make these translations. Actually looked at that thing, it's really important, and the successful crisis teams and crisis situations were assisted because of people who make these jumps between management language and the technical guys. And ultimately, if you make the decision or make a bad decision, bad is a relative term, I've put here, sudo do it, shell script. And what I mean here is in some cases, management might have the total overview of the company, while you know, okay, this entire business will die, and perhaps the management will say, well, let it, boggles my mind at times, because, well, I would try to save the entire company, but sometimes, parts of the company might be, well, just sacrificed for the greater good of the rest of the company. This is something that it needs to be communicated well between management and technical teams, because this doesn't really add up because you're trying to save the rest of the infrastructure. So we're dealing with a thing, let's call it a digital crime scene, and you have to take care of your infrastructure, but did you train yourself, not just as a sys admin, but as a forensics and e-discovery expert? How do you save evidence if you want to go, if you want to ensure that you have evidence to share to law enforcement or some other company, or some regulator? Are you certified for this? And I really take this daily because I've seen at the companies that I've worked for that if you are certified, you know that there is a certain degree of skills that goes into it to actually get the certifications. I know that the forensics and e-discovery trainings are quite tough and good, and it really helps that you don't wing it, because if you wing it and just throw away a virtual machine and just reboot it, and then obviously the malware is gone, but also the evidence is gone, now what? This is something that you have to take care of. This slide should have been a buildup into all the pictures, so let's just emphasize the pictures that you don't see because they overlap and I screwed up. This is a Chinese meal, this is what we call at least in Dutch, a Chinese meal, I'm not really sure how do you translate this, it's about food. Ensure again that you take care of nourishment for all the people involved. This is a picture, a part of a picture is almost like, well it's almost like a game, what is this? Well, this is a hotel room. Consider putting your people into a hotel room close to the company and give them rest and air. The picture that's really gone is you pay for the taxi cab to actually get them to the hotel and the flowers are not meant for the technician just per se, but also for the man, the wife, partner of the technician because if the technician is making hours like 12 hours, 14 hours a day to save your company, that also adds a lot of stress to the household of the people that are saving your company. Oh look, taxi cab. That part worked. Screwed up in file versions, okay. Communicate and be honest. Be like the Boy Scouts, let's take some inspiration from the people that are here or just left the fields. Be honest to customers, be honest to your own teams, to the company, to management and any other organization that could help you. The most successful situations where a company or other organization ended up with is how they can control the news. Denial is one of the worst things that you could do. Ultimately, somebody will unintentionally, intentionally talk to the press, spill some information and now your company is one step behind and you do not have the control over the storyline anymore. Customers will know that you have a problem. Services are not delivered, goods are not delivered, who knows, who cares. They will find out you have a problem within your company. Be as transparent as well to all the people who actually work at the company, that you have a problem. Also try to be as transparent as possible that perhaps not everybody has to be in shock or at least knows what to do. Because that's also a thing. Sometimes they say, okay, we have a problem, the who's huge problem and everybody in the company is now involved or at least stressed out. Please control how you communicate this, but be honest. Be honest to management as well. This goes from everybody within the company because if the management is hidden away from the problem that you face, they cannot allocate additional money for the things that they, I mean resources and allocate and help you with that. Because, well, somebody needs to pay for the taxi cabs in the hotels, for example. And with respect to the organizations that can help you, yeah, there are a lot of, think about suppliers, think about other companies that could assist you right away. If you are transparent towards either suppliers or people in the supply chain, they can assist and be at least on guard for you as well or even help you with resources that they have and can offer. So I'd like to close my talk with, believe in the happy ending part of the story here, because you can actually influence a lot about how a crisis is developing, regardless of what type of duty you have, either from the security team or from the technical teams that you have a responsibility for the infrastructure itself, suppliers, management, CISOs, everybody can pitch in and have a big part in how you deal with a crisis situation. Do not underestimate your position in that. And in that, I'd like to conclude. So, luckily we do have plenty of time for a good Q&A. I think this is a good opportunity. Just line up at these microphones. If you are watching in the stream, you may Twitter your question or you put them in the IRC channels. If you don't know where they are, look up the wiki in the wiki.mch2022.org. You can find the information where the IRCs are. On the IRC you can ask the channel and we have a signal angel in the hall who will then, yeah, repeat the question here. Signal angel, do we have a question already? We do not. So please, the front microphone. Hello, thanks for the presentation. My question is about companies helping each other because I've been working on that with one of my customers and really looking towards who can help us here. Problem often is legal and I have been working with legal companies trying to get this set up, but it's really hard. So yeah, you preferably want to sign some things and do this when everything is like your first life, when it's a happy picture with the sun shining. But then there's no priority. Do you have any experience or tips on how to get there? Yeah, so it depends a bit on what the relationship is between the companies, of course. But for example, in any of the fields, either crisis situations or this, you can have parts of a contract, for example. So I'm not really sure what type of interaction between the companies do you mean? Are they equal or peers? Yeah, equals, peer groups. Yeah, so that's quite interesting. Do they also, yeah, well, try to get into the same, do they have the same customers? Yeah, yeah, it wasn't shipping, so it's either one shipper or the other for a company, so yeah, they're really competing, yeah. I would then focus on the fact that you are trying to offer services and not so much focus on the crisis itself. I want to offer services, can we negotiate in, okay, I'm having resources to offer for you. I can also offer my resources to the other company and actually could, yeah, well, share supply lines, perhaps. Right, yeah, maybe some kind of commercial way of thinking about it. Yeah, well, ultimately, it boils down to what kind of contract and how much you then pay for each other to save other people. If you take a DNS, for example, for DNS infrastructure, I know from, at least from the older days, probably to do it still again, still now, that you share the name services and facilities and that if one goes down, the other one can take over. This is something that you could also do with more physical supply lines. Yeah, thank you. Yeah, let's talk after too. Yeah, thanks, yes. Where will you be hanging out after the talk? Will you be able to be approached after the talk by people? Thanks. Yeah, I will be probably, well, on that side to have a talk. On that side of the tent, very good. Yeah, because this is where my bicycle is. Buck blue, front microphone, please go ahead. Yes, I have two questions. The first question is, what is the largest pizza order you ever did to take care of people running an incident for you? Sorry, can you repeat? What is the largest pizza order you ever did to... Well, I didn't order that set of pizzas. Somebody else ordered the pizzas. I think if you count pizzas, not really sure when it was, but we, 16, decent amount. And my second question is also somewhat more serious because you talk as a company, at one point you get hacked and you get into the unhappy flow. If you have an outside attacker, you report the problem and the company immediately spins into denial and send lawyers on you and does legal threats. Can you help the company? So you just write directly to the CEO or what do you recommend in that case? Well, hack the system. I've seen situations that it actually worked to send a comment or a direct message to the CEO of the company on Twitter. That, well, depends how active the person is on Twitter because typically it's the communications team on behalf of somebody else who's on the social media. But if the person itself is on the social media and managing its own messages, then definitely you will be on some kind of, yeah, your email or your message will definitely be lifted into a company mail which states from the CEO, fix this because this could get out of hand. Okay, it's not the best way of doing it, but it definitely works. Thank you. Are there any more questions? I believe it's a very unique opportunity to ask the Chief Information Security Officer of the Dutch Health Ministry some more topics. Oh yeah, they're over there. Yes, also the next talk will be from a different CISO. It's interesting, it's like a lineup here. Please go ahead, front microphone. We're very open here. My question is about when the hack comes through the front door instead of over a computer network. So how would that make the situation different? I don't think it would with respect to how you deal with the crisis. It's just that you need different steps to take. For example, if the example would be a USB stick enters the front door, then you have the malware on the system. Basically, it starts more or less on the same page. The only thing that is different is it's USB stick triggers, now malware is on the system and you now have to deal with that. But it's almost the same as the email starts a process and then you have things on the same network in the same systems. So I wouldn't really see that much of a difference. I would definitely have a talk in all the preparations. Look, a virus could indeed come in through the front door physically. It's something that happens, yeah. But I don't see the big difference. I would just treat it the same because it's more easy. Thank you. Yeah, all the well-known Ethernet port in the floor tank of the waiting area that is in the same VLAN, everything else. Yeah, that's something that's actually an interesting thing. I always walk around the more open premises, like for example, the restaurant of a company might also accept visitors, right? I always take a look at the Ethernet ports in the wall and then, well, I'm not doing it anymore, but it might have happened that I just put in and see, do I get an IP address, do I get Ethernet, is link up. That would be interesting. There are some surprising things to find if one does that regularly. But this was an awesome talk and I would think he deserved a huge round of applause.