So, this is our panel discussion on security strategy for small and medium business. And I'm going to give a brief introduction of our panelists. First to my right, this is Jim Nitterauer, he has Twitter handles up there for you. So Jim, Jim ran his own company for a while and then he got some experience with a company that grew from about 280 to 500 employees, which was acquired and is now a publicly traded company. So I wanted to tell you a little bit about all of the panelists' experience, I think it's important for our discussion here. Next is Amanda Berlin, Infosystir. Amanda has experience with organizations of all sizes, including eight years at a small hospital and she currently works at a startup. She also wrote a book, I heard. She's the co-author of the Defensive Security Handbook, if you weren't aware. It's an O'Reilly published book. We have two copies up here that we're going to give away to the first two people who ask us questions when we start the Q&A. Not now. Once we start the Q&A. Next, we have Klaus Hauman. So Klaus has experience as the CISO for a small bank and he's now trying to implement all of his lessons learned with a much larger organization in Europe. But certainly not least is Lit Moose. And she got her start in InfoSec at a university and has experience in the weeds at everything from small companies all the way to Fortune 5 companies doing DFIR. So all of my experience, I'm sorry, my name is Russell, the Twitter handle is Smokum and all of my experience has been at a small company. I've been 20 years at a small company, which I know is pretty unheard of and it's not because I'm bored. It's because I'm fortunate to work for a very good small company that invests in security and invests in their staff and we've built a great security program. And you know, I hear a lot in the InfoSec community about how small companies, you know, can't do security. Vendors, other people online are constantly bashing small companies. 
And that kind of bothers me and I'm trying to make a difference by doing talks, publishing things about how you can build a security program at a small company and do it well. It is possible. So that was sort of our idea for the panel today. We wanted to talk a little bit about our various experience and our different roles and what security strategies are best for small to medium businesses. Is there anything I've forgotten before we get started? So once upon a time there was, I know I'm really short, there's a reason I'm here today. There was a practitioner that was once among us here at DEF CON who's no longer with us. His name was King Tuna. Some of you know him, some of you didn't. But what you need to know about him is he lit a, he is the only person at DEF CON who has ever lit a panel on fire. So I think that's enough. In remembrance of King Tuna, I just wanted to take a second to light this can of tuna on fire and you know, if he were here today, hopefully he'd be proud. And I'm going to try not to drop this, otherwise it's going to go much like his did, which was I believe at SkyTalks, and he just laughed and laughed, which I would too, but I don't want to get kicked out. So thank you guys for coming and hopefully you have another story to tell now in remembrance of him. Alright, and that concludes our panel. Thank you Moose. So really briefly before we get started, I wanted to define small to medium business. I know that there are some official definitions from governments about what is a small business. But thinking in terms of companies today that should have a security program in place. We talked a little bit about this yesterday and sort of landed on a company with one to a hundred people should at least have some IT person with some infosec knowledge, right? Should, I think, is the key word there. From a hundred to a thousand, you should have a small IT team, at least one dedicated security engineer today. 
And then anything over a thousand employees, you should have an executive who's responsible for security and a dedicated security team. And I put on the slide here, this is a recent report. I was looking for what do people think is a small to medium business. Did anyone go to Black Hat this week? Okay. Did anyone learn anything at Black Hat this week? What I learned is that from all the vendors I stopped by, I heard the same things, right? Same problems from the last 10 or 15 years or so that I've really been paying attention to infosec. Everybody has new solutions with the blockchain and AI. But I think we also have the same problems that we have to fix. And I think that it's not really different between small businesses, medium businesses and large businesses. So we're going to touch on all of that. But this report, anyway, they were trying to define what's a small to medium business. And you can see it says they surveyed a bunch of folks ranging from 250 to 3,000 employees and they're thinking that's small to medium business. And again, this goes to my point, nobody thinks small companies can actually do anything with infosec. They just excluded below 250 staff. So we're going to talk about that. So there's a perception in the industry that small to medium sized businesses will do the minimum that they have to until they have a breach. So panelists, I'm putting this to you. In your experience, is this generalization accurate? Well, I can go first. From a bank perspective, you are under compliance regimes. And as long as you can tick off the compliance report items, you will be hard pressed to get any funding beyond that. So what you need to do if you want to do more in security, you need to do free, cheap, fast wins. So what we found growing from a company of 100 people, 200 people up to 500 people and now merging with a publicly traded company is that security really depends on the mindset of the people that are leading that company first. 
You can work your butt off in the trenches, try to secure a business and when your C-level people come back and say it's not a priority, we're not going to fund that, we have other options. That's a hard thing. And we're going to talk about that a little bit later. But one of the things that we really saw, that we're now paying the price for, is building up what I call technical debt. You overlook all of these things that you know you should be doing, but as your company grows that debt gets deeper and deeper and deeper and bigger and bigger and bigger and sooner or later you have to pay that debt. So it's going to be better for you to pay that debt up front. And from a small business perspective, people don't see that. They're so busy trying to make money, they forget about the things that they have to secure. And one of the couple of things that we talked about yesterday was asset management and then assessing what your risks are. So Klaus, do you want to talk about that or let Amanda talk about that since she's gotten more experience with that? Well, I'd like to add a quick comment here. Where should SMBs start? And this is something we talked about. Jim mentioned risk assessment. There are frameworks out there that you can follow to build your information security program. And there's books. And there are books. I've read the book and it is excellent, it's worth reading. Has anyone heard of the SANS Top 20? Yeah, so I think a lot of small businesses fall under this, I think. But every now and then you'll see not the bare minimum, but you'll see like that one super passionate person, they might not even be an infosec person, doing way better than a Fortune 500 because they do have a smaller amount of assets to secure. But yeah, I kind of agree for the most part. It's really difficult to get the information out to all the small businesses. There's not a whole lot of like, hey, can I just, how do I contact all the small businesses in my area? 
There's not really a unique, I mean, a standard way to be able to do that. So I think getting a lot of the information out there so they even know that that's something they're supposed to do before they get breached is a big problem too. I kind of have a unique case in that doing DFIR as a consultant, usually when I get the call, it's already happened. So, you know, that's kind of a catch-22 for me. But I will say that, you know, usually we all come from different spaces. None of us started, well, most of us didn't start in security. We all took an interest in it. So I think that finding kind of the niches in the communities that are outside of infosec and kind of spreading out that way, sometimes you'll just inherently find people who are at small to mid-sized businesses and, if you're at a larger corporation, at some point you're hiring people as vendors. You're touching in some way, shape or form a small to mid-sized business. So even if it's not you, you're affected by them or you're incorporated with them somehow, all of us interact with, you know, smaller businesses and I think that just being an advocate and growing that way and finding the people who are interested is, you know, being more involved is kind of a strategy for it. And you asked how to get started and you mentioned the CIS top 20 and it is a good way to get started and especially for SMBs, you can actually move through that list and tick them off and not come back to them heavily, just for maintenance, and you can get through the whole list, whereas some of you are probably from larger corporations and you're stuck in item number three forever, right? 
For SMBs you can do the top 20 and you can move on to other things and it's quite fantastic and to get started you need that, but before that you need some kind of a business champion who is willing to get the process started. That can come in the form of someone contracting a vCISO, and you need the advocate or, as coined by Amanda, a security masochist, someone to take the beatings, the early beatings for years, to start improving security. So that is what you need to get started, the masochist, a champion or a vCISO, someone to get it done and get it started. So this tweet that I just put up on the slide from Leslie Carhart, you know, this goes to that point, right? It's a call to action for executives that they are directly responsible for the caliber of cyber security at the organization. Larger companies today, many of them today have a CISO, right? Or VP of security, somebody at an executive level responsible. Many organizations still don't. So if you are a security practitioner and you're pushing hard to help your organization improve its security posture, how can you get a security champion to help lead innovation? And Amanda has a good story that I hope she will share with us and it could perhaps be to your benefit if you're looking for that champion. Sorry. All right, yeah. So when I worked at the, it was like a medium-sized hospital, we had 400 beds. We didn't have a security department at all. And coming into the hospital, it was as bad as you can even imagine. There's terrible horror stories. That's where I got a lot of the experience that I ended up putting in the book. The way we got our security champion to be able to get an actual budget for security items, because we had already done a lot of free stuff, was we already had advocates on our board of directors for the hospital. It seemed to turn up. 
And we took them because a lot of them were already advocates for EMR to kind of teach, like, you know, the older nurses and people that weren't so tech savvy why it was a good thing to have more technology. So those champions that were already kind of doing that thing already were in that role. So we took them and all of their colleagues and ran a live phishing demo for them in, like, their little training thing. And we just phished people's emails that we found with theHarvester. So we just scanned like the internet for our domain and let them just live in this training meeting, watch all the creds come in, just because right away, you know, when you send phishing to a company that's never had any training, right away, like, they were on board because they didn't realize the free stuff wasn't everything, right? They thought that we were already pretty much covered because we had fairly good uptime and, you know, we put all this money into this new EMR software but didn't really understand there was all of the stuff that goes with all of that in the infrastructure. And the result was that you found a security champion who was a member of the board, right? And also a doctor in the hospital who helped improve everything. So going back to the security masochist, right? I think I've been in that position and now leading teams to train them so they're not in that position, right? Everybody's been there. First everybody thinks security is absolute. It's not absolute and it's different for every company, right? So your security risk versus the company that's down the street or other people in here is going to be different. You have to figure out what that risk is and what's secure enough for you. The question is what is enough security and the answer is always just enough, right? You never want to spend more time, effort or money on security than you need to spend. 
Unfortunately, if you go to Black Hat and RSA and all of these places, all the vendors want you to spend all the money on one thing and they're going to provide you security, which they don't even know what that is, right? So the bottom line is you have to figure out what that is first before you can do it. The other problem is you feel overwhelmed, right? You get into a situation where the CIS stuff, that's a great resource that's available through several vulnerability scanning platforms you can actually use to scan your infrastructure for CIS compliance, and that's a really good tool if you do that and use it on a regular basis, and there's people in the room that can help you with that. So if you do that, that will take the load off your mind. So what I'm getting at is you can't do it all. You have to find that champion in your company that's going to help you hire the expertise to do it right and do it right the first time. So I think to kind of piggyback on both of those and especially Amanda's point, and Jim was talking about scanning, I think dead are the days where we're a blue team only, and I know that's a very controversial thing to say in this room. So I think that kind of the merge between, and I don't want to get too much into the colors, but red, blue, purple teaming, what have you, a lot of these small and mid-sized businesses you'll come across people who have just been there forever or you have one person you're working with that has the security skill set or no people that you're working with that have security skill sets, and when we're trying to educate them on how to better their posture, a lot of that has to do with show and tell and how do we show and tell? Well, we could show them artifacts but that's after the fact that it's happened. 
So if we want to make their businesses better and if we want to advocate for a better security posture, I think that coming at it from like phishing or like, you know, showing them where their vulnerabilities lie and giving them a real scenario where it's not an APT, it's us, and showing them where the hole is with an actual attack is an actual strategy. So I think being more hybridized in the future is really going to lead to some successes for all of us. On that note, as for an SMB, the vCISO role actually makes a lot of sense and then if you can get someone with the technical job to be a purple vCISO, so who will come in maybe once a month, point out a few things that you need to improve, because security is a process. You can't do all of that overnight. I once wrote a framework for SMBs called Minimum Viable Security. You can find it online. It's everything that my team and I did in the bank over five years. So it's every control we put in place, most of it for free because we didn't have any budget in five years. So a vCISO that comes in now and then, does something and then pops in the next month might make a lot of sense. So every week we have more breach disclosures, right? We've heard of a few really large ones recently and a lot of large companies that still have things like RDP open to the world leading to a breach or unsecured S3 buckets. How should SMBs approach security differently than large businesses? They shouldn't. The vulnerabilities and the risks are the same. The scale of those is different. Just look at what happened to a large bank recently, right? They have a great security team in place, but because they didn't do the basics, they didn't do the checklists against their firewall configurations and against their S3 configurations, and an insider had inside knowledge that they used against that company down the road. It was a simple thing to fix. It would hardly have cost them anything to do. It should have been part of their normal processes. 
So think about that when you're looking at security. That's something that most people overlook, that security is pretty mundane and basic and rote and you just have to do the basic stuff. Remember, your vendors aren't going to distribute Active Directory in a secure configuration. They're not going to send you the devices so they're set up securely. They're going to put that on you. They want the money. Then they want the money on the back end to teach you how to use it. So be cognizant of that. It's on the screen right now. Most security is just good architecture, which prevents other problems anyway. Everyone agree with that? Everyone agree with that? Does anyone disagree with that? Which part? What are we agreeing on? The bottom one. Most security is just good architecture, which prevents other problems anyway. Oh, absolutely. So I definitely agree with Swift, most days. No, they're phenomenal and that's a really great resource, if you don't follow Swift already, you should. But I would add to the point of, yeah, we can say patch everything. We can say, hey, you know, do better vulnerability management. But the truth is, you know, we're going to find holes in different businesses for different reasons. You know, maybe there's an old software out there that's only compatible with Windows XP. I've been in a lot of environments. ICS environments are notorious for it. Hospitals are notorious for it. You have some of these old scanning machines and they can't upgrade because of X, Y and Z reason. And so knowing that, finding the mitigation in between, and I will say it every day of the week, defense in depth, like, have multiple triggers. Like, you know, make sure that you have eyes on, ask for logs. Like, there are never enough logs. So, and I know it costs money, so like, get more intelligent with the logs you're asking for. 
So look at, you know, where is the vulnerability and where are you going to see it tested out? And so I would say yes, while patching is great, sometimes it's not possible. So put something in between that can mitigate that attack if it's going to happen. Yeah, so the whole patching front, who's ever been a sysadmin? You can't always just patch your shit, right? You know, stuff goes down. Sometimes you don't have downtime windows. Sometimes, like, yeah, I mean, in healthcare, we had a Windows NT server that was sitting there that that department never got the budget to replace that software. That software was doing a lot of business and it just wasn't as, you know, it wasn't as high on the priority list as a new CT scanner or, you know, anything else of a million other things that they spend their money on, they're like, well it's still on, it's still running. You just need to do architecture to fix it. So you put it on its own VLAN and you segment it away and don't let it talk to anything. But yeah, that's a good point. So one of the things, I started a business many, many years ago, 25 years ago, and I wish I had started a business now because there are so many cloud based solutions that would have taken the load off of me as an administrator within the business, any, you know, Office 365, those kinds of things, subscription based services that keep my security profile much better than it ever would be. So I would encourage you to take advantage of those things. A friend of mine is a CISO at Walmart and we were talking about the security of OneDrive and the things associated with Office 365. And one of the guys at our company wouldn't let us use OneDrive to store data because they thought it was insecure. Well, the CISO at Walmart goes, you're kidding me, right? He says, they have a private cloud for us and their stuff is much more secure than we are. So we use it for our stuff. 
So that was an eye-opening experience for me to look at outsourcing that sort of thing and taking that load off of my plate and our team's plate. Sorry, I was trying to find a slide I want to talk about next. So what about compliance? You know, a lot of organizations do security only because they have to meet, you know, PCI a while ago or today HIPAA or GDPR. So has this helped small to medium businesses to think about and implement better security programs? I'll speak to compliance in just a second, but first, commenting on what he was saying. So for your SMB, as Amanda also was saying, you can actually segment off, you can architect those things the way that you can't fix, which means, on the whole, you can do all of the basics really, really good and better by far than any large company can ever do. With the cloud come certain new risk profiles that did not exist before. But overall, if you go to the cloud as an SMB, you'll be more secure than you ever were before. So it has a lot of potential and as long as you have that masochist who cares enough to find out that you shouldn't create public S3 buckets for internal documents, you'll be really fine in the cloud. On compliance, some companies only have one way to get a budget, to do anything, to hire, to replace a tool, to do refactoring of applications, and that is get some compliance dude who's doing a check anyway, give him some hints as he's doing the assessment. I'd like to see this, I'd like to see this, I'd like to see this, and you'll find a report. And the items that get put in as critical and high, you may actually get the budget to fix them. So as much as I hate it and it's not security, some companies really need compliance. 
I would agree to that point and say that one of my earliest experiences in security, with the university, the security team getting particularly the medical staff to be compliant was the tool they needed in order to implement security for the hospital. So compliance was actually something that we used as a tool to get a better posture and without compliance checks, it would have fallen on deaf ears, especially if anybody has ever worked at a medical organization and worked with doctors, you know, it's a great tool to have and you can usually argue for a little bit more if you want to, you know, just to have better practices in place and kind of extend it beyond and make everything better for everybody. So how many people in the room have companies that accept credit cards? How many of you have been through PCI compliance audits? Wow. So my question as a small business is why would you ever do that? Right? That is the hardest compliance to get, very difficult, very expensive, and it's all about scope with that, right? So if you're building a business, you're in a small business, you're accepting credit cards, figure out a way to offload that. You know, companies like Chase Bank, Capital One, some of these others provide payment gateways that will integrate seamlessly within your website or whatever way you're taking credit cards and will remove your need to be PCI compliant 100 percent, right? It's all about scope in that situation, but if you don't understand what that means and how that works, you're really going to open yourself up for a can of worms that you don't want to be involved in in that case, right? Other sides of compliance. Why is compliance good? Why is it a good thing? It goes back to some of the things we talked about with the CIS benchmarks. It gives you standards, procedures and practices that should be in place in your business. 
One of the problems in compliance is people will bring in an auditor, set up the compliance policies, but your owners of those policies don't know how those policies are supposed to work and they don't apply them. And a good auditor is going to go and find that out because they're going to ask you, take me to the owner of that process, and they're going to interview that process owner and they're going to find out very quickly that you're not doing what you say you're going to do. So these things are all done to benefit your business and to take the load off so that you don't have to worry about the mundane stuff and do all that reactive stuff, you can take your time and get back to making your business grow. And so the other side of that, don't always trust your vendors that say they're compliant. We at one point in time had, you know, they take like payments at the bedside now for, I don't know, for more money I guess. And there is a credit card swipe vendor that swore up and down they were PCI compliant, we were fine, they could just checkmark the box, no worries. But every time you swipe the card it was just keyboard emulation into an HTTP site on the back end. So just make sure you check because even though they say they're PCI compliant, I mean they may have gotten an audit that said they're PCI compliant. We know not all those auditors know what they're doing either. So do SMBs and large businesses have disparate threat models? We hear this a lot, you know, analyze your threat model. And the size of the business being a determining factor in the threat model. I don't really agree with that but I'd like to hear what you all have to say. So anecdotally I was at the SANS DFIR Summit, I think two weeks ago now, the whole traveling thing's been a blur, and presented with some very wonderful folks from Google. 
And part of our war game was sitting a bunch of DFIR people down, all from different backgrounds, at similar tables and saying except the lowest viable, like whoever is most vulnerable at your table, that is now your security company. And we had a checklist and everybody was coming from different size companies. We had everything as big as Fortune 5 or Global 5 to like very, very, very small micro businesses. And what we found at every group is they all had the same vulnerabilities. Everybody was kind of coming from the same, they all had the same pain points. And I think a lot of us don't like to admit it. But if we really started talking we would find that we all deal with the same pain. And the benefit, and I would say where it is disparate, is at a small to mid-sized business you can get a tighter posture quicker rather than all going up the chain and getting approvals and dealing with lawyers that come with the larger businesses. So I would actually argue that while budgetary issues are a thing at smaller businesses, you're actually in a better place to get more creative with your solutions and get them implemented faster than some of the giants. I can't remember what I was saying. So it's kind of an inverted threat model, right? So what's the biggest, what's the highest priority for security? It's people first, right? And they're also going to be your greatest weakness within a business because they do things that break things. They're the easiest way for somebody to compromise your business. So every business has the problem of securing its people from both the data perspective and from the personal safety perspective. But as the business gets larger, hopefully you've trained your people well enough to know that they're your security minions on the street, right? They're watching out. They know why somebody shouldn't tailgate in. They know why somebody shouldn't leave passwords on their desk, why they shouldn't leave their computers unlocked. 
But this is all a training process that you have to implement. And if you're in a small business, you're in a unique position that you can start that program right from the ground up so that now you can build your security team so that it's also in HR, that it's in finance, that it's in every department within the company. It's just not within information security. So you have to be able to figure out how to do that. Yeah, if you get to the point where you already have a lot of your defensive security done, you know, if you've made it through all the CIS top 20, and you know, you're running out of things to do, which I've never found anybody that has, at that point your threat model becomes a little different because you have the little, you know, niches where, you know, competitors, nation state, whatever. But for the most part, it's all the same problems everyone else is having. We're going to take questions in like just a few minutes. We're almost done going through our slides here. I actually have a question for the audience. Who here at your company allows your end users to check their personal email on the work network? Raise your hands. Go ahead. All right. Keep your hands raised. Who of you is at a larger company? Okay. That's interesting. So smaller companies usually, I find, have a better chance at shutting that off. A lot of the attacks I've been seeing, because yes, our users are our weakest link. We can have defense in depth all day. If you can check your personal email on your work network, unless you have a really good endpoint plan, I've seen a lot get in that way. So, I would very much encourage all of you as a strategy to go back. Those of you at smaller businesses, larger companies, I'm sorry, it's going to be hard. But smaller businesses, you know, if you can get that shut down. I'm actually going to go out on a limb here. The tweet you're looking at, what does he sell? 
What does Lance from SANS sell? What does he sell? He sells security awareness. So, of course, he wants you to train your employees. And you should. You can reduce the number of incidents you have down until a certain point. But you're not securing your organization by doing this. You're reducing your SOC workload. And that is the main reason for doing this. People cannot be fixed. We can't train the human firewall perfectly. We need technology to take up and be the compensating controls around the fact that we're human. So you need prevention and you need detection. Do your security culture. Do your security awareness. But do everything else at least that's good. Thank you Klaus. Alright, we're going to take some questions. We have about 10 minutes left. I saw a hand over here go up really quick in the second row. If you'd like to come up and ask your question on the mic, I am going to grab you one of these books that Amanda Berlin signed for us. It's the same guy. Yeah, so I would be interested to hear your take on preventive and detective controls. If you could choose just one, which one would you choose and why? Yeah, I know they close each other off, so which one would you choose? I have an answer for that. The one for a Windows based organization where you can pipe all incoming scripts to Notepad instead of opening them in the scripting engine. I don't have a good answer for that. In between detective or preventive measures, do you have one? Yeah. So that's a conundrum, right? So log all the things, right? So that would be your first compensating control. If you had to have anything, do that first. The problem is with a perimeter and preventive control, you don't know what's already gotten inside your network, right? The idea that we have this castle doctrine and we're preventing the world from coming into our network is complete crap. That's not security, right? People are already in people's networks. 
You just don't know it until you start gathering the information and doing those compensating controls to see what's happening. You'll never know. So that would be my take on it. I guess I do have an answer because I actually do work for a logging company, so I'll go with that. I don't think I'm allowed to answer this question. All right, next question. Tuna. So my question for the panel is, how does the picture change when a company is 100% remote? There isn't a data center. Everything's in the cloud. There's a new way of working that a lot of startups and a lot of companies, subsidiaries, are embracing. What would your take be on that, as far as how does that picture change for securing that kind of business? Could everyone hear that? What if your company is 100% in the cloud? How does that change things? 100% remote, I'm sorry. Yeah. I think, you know, if we're just talking small to mid-sized businesses, I think that it just changes what you look at. So, you know, from our perspective, we're protecting, you know, getting more up on, okay, you know, the instances we have, whether we're on Google Cloud, Azure or AWS, like, you know, where they're spun up, location, like, are we exposing anything to the internet? It's the same questions that we're asking if people are, you know, in an office, but just a different landscape. The other thing is, when you're looking at user training with remote users, I used to do a lot of insider threat cases. It gets much more difficult. So what kind of endpoints are you giving them? If you're giving them Macs, can they sync to their iCloud account? Like thinking of these things and, you know, how sensitive is the data? Making sure your user groups are very, very tight, you know, principle of least privilege. I think these things become more enhanced as we see more remote workers, just because that tendency, if you have remote workers, to merge work life and personal life becomes much more prevalent.
The list of the basics, the security hygiene things, it changes. So you need to enumerate it from scratch, but it's still there. One thing that I've noticed when you go all cloud and all remote, and I've done that for three years, is that the life cycle management of employees and their access becomes hard. You need someone to have the dedicated responsibility of keeping track of who has access to what and granting and revoking in a timely manner, automated if you can. But your threat landscape, your attack surface with a Chromebook, AWS, Slack, whatever infrastructure, in theory becomes much smaller. So one of the trends is going towards, instead of, you know, VPN connections back to a central point and all of those sorts of things that control networking, more the zero trust network setup. And there were some good talks at BSides San Francisco, not this year but last year, by some guys from Google that give you a good overview of how that works. And it's really something that I think is going to overtake a lot of these trusted networks, as opposed to doing VPN clients and those sorts of things. So you really have several things you have to look at. Where are we in the cloud? Do we own our network? How do we control the endpoint devices? What do we allow? So it's a complex question. How do you solve that endpoint? At our company, we control what they do and how they connect to our networks because some of our networks are somewhat old school. But at that point we provide the devices, we provide the connectivity, we manage all of those things, the access control, very closely for them. I would say just one more thing that I forgot, that I've been lit on fire with quite often, is USB management. If you have a completely remote, you know, user group, they'll plug in anything. So either, you know, if you're sending them their laptops, you know, having that disabled will save you from a lot of pain.
No, I wasn't going to bring that up. Okay. Any more questions? Yes, sir. Do you mind coming up and asking? I can always repeat it if you want. We're going to give you a T-shirt for the question. Yep. So I'm here sort of representing NIST, and I wanted to put in a word for the cybersecurity Small Business Corner website that NIST has published, which has a very long list of resources from all across the government and internationally. But I wanted to ask the crew here, what are the regular resources you go to, podcasts and so forth, to keep up to date and get new ideas? Yeah, I can't believe we didn't bring up NIST. I recommend it all the time. They have so many resources. I mean, from policy and procedure templates that you can download to just everything. I absolutely love it. Can you remember? Oh, I mean, I hear Brakeing Down Security is really good. NIST, and I mean, a lot on Twitter. I mean, I pay attention a lot to different things on Twitter. There's a lot of really good security podcasts out there too. I'll go ahead and plug some of my favorites. So David Cowan's deeper lunch of all of his stuff that he does. I keep up with that. I keep up with a lot of the SANS folks for educational materials to keep up with vulnerabilities. Honestly, I still go to Twitter for everything. I find it usually first there and having a good network there. And then for intel, you know, it depends on what you're looking at. I still very, very much advocate, if you don't know what it is, go through PassiveTotal first rather than tip your hat. But otherwise those are the main ones. I must admit that I keep up with the BrakeSec podcast on a regular basis. I also listen to the Purple Squad podcast with JohnsNotHere. That's his Twitter handle. I use Twitter for keeping abreast of anything that's going on.
I use Peerlyst when it's something I don't need urgently, where it will be elaborated over time by a lot of communities that will make the answers better and better. And I don't use LinkedIn at all. It's poison to me. So one of the things you can use too is the thing you're at right now, right? There's some amazing people here and everyone that I've met is very friendly, and you never know who you're going to meet. Ask questions. You can't know it all, but you meet people here. You'll get to be friends with them. Link up with them on Twitter. LinkedIn if you want to; some people use it, some don't. It's a pain in the ass because salespeople troll it and will call you, but there's also a lot of good contacts in there. But use those contacts, because for me, the networking that I've developed with people has been just irreplaceable. I couldn't have done what I've done at my job without the people that I've gotten to meet at these different events. So. Thank you, Jim. I think that's an excellent note to end on. I would agree 100 percent. Actually, you stole my answer. Participate in the community. Participate in your community. Attend conferences; most major cities now have a BSides conference. If you don't, there's probably one not too far away. Go there and learn. So I think we're done. We're out of time, but we'd love to hear more from you. We'll be around. Please feel free to come ask questions.