 Okay, we are going to get started. Welcome everybody and thank you everyone who has joined us today for the first session in what is going to be a 10 part series called Become a Cyber Security Ninja. Today's session is Digital Security Strategy or Risk Assessment and Threat Modeling. These sessions are going to occur every two weeks for the next 10 weeks. We're going to end on, I believe it's May 30th is the last date. Next week is going to be, or that in two weeks, our next session will be Basic Network Security and our guest will be Ken Montenegro of Asian-Americans Advancing Justice. And if you want to view information on the entire series, you can of course visit at ninja.rtt.nyc and we'll be updating that site with additional information, resources, everything we have through the course of this series. So here's our ninja plan so to speak and this is very much subject to change just so everybody knows. Today, we're of course Threat Modeling, Threat Modeling and Risk Assessment. In two weeks, we're going to do Network Security Basics. Our plan after that is to cover authentication on February 21st. We're going to be talking about passwords, password managers, two-factor authentication, other ways to authenticate two systems. On March 7th, we're going to be talking about encryption, document email device encryption. On March 21st, we're going to be talking about phishing, social engineering and ransomware, it's called Gone Phishing. On April 4th, we're going to be dealing with mobile security, so smartphones, laptops, working on the move, joining wireless networks, that kind of thing. On April 18th, we're going to be dealing with digital privacy, we're going to be talking about virtual private networks, the onion router or tour, reining in your kind of social exposure, the amount of information that's available publicly. On May 2nd, we're going to be reviewing security tools and services. So we're going to cover probably 30 or 40 different security tools and services. So it'll be a very quick overview of just some of a bunch of tools that some of us and our colleagues have assembled that work well for them. On May 16th, now what? We're going to be covering incident response. And then the last session is going to be a general question wrap up. We might, again, this is all subject to change. So if there's a lot of questions along the way or there's other topics that emerge, we might reserve that session for that. And then of course, there's a ninja certification quiz at the end of this, we're going to offer a quiz. It's not going to be a cakewalk by any stretch, but if you've attended all or most of the sessions, it should be something you're able to complete. And for those of you who are able to get the quiz, we're going to not only send you an official ninja, cybersecurity ninja certificate, but you'll also be eligible to win a whole variety of prizes that we're offering. They're all kind of security related things, all right? So hopefully that will help everybody. We've got a bunch of folks here now and I'm just going to make sure I can see the questions in case things are coming in. I have somebody saying they can't hear anything and someone saying they're having trouble going to Ninja.RTNBC. Well, I will correct both of these things at the end of the webinar. It sounds like the audio is fine now. Okay, thank you so very much. And I'm going to continue on, excellent, excellent. All right, so I of course, I'm Joshua Pesky, Vice President of Technology Strategy. I will be with you here for all 10 sessions and today is hopefully the only session I will be doing by myself. I have guests lined up for over half of the remaining sessions and I'm working to get different security experts for each one of those. So we'll have a variety of voices and we've got Ken Munch, Negar next week. I've got some other folks lined up as well and we'll be presenting a variety of voices for you round table technology. We are a team of dedicated technology professionals. We operate out of Maine and New York, primarily in New York City and we help hundreds of organizations achieve their missions through effective use of technology and we're hoping that this series is something that everybody finds helpful. So we're going to start things off. So today we're covering digital security strategy, risk assessment and threat modeling. We're going to dive right into what we mean by that. All right, and our learning objectives are to learn how to perform a basic risk assessment. So first of all, decide what that means because there's a variety of different things that a risk assessment could mean. We're going to review different approaches to risk assessment. We're going to understand different types of risk that your organizations may face and how they might impact you in different ways. We're going to introduce a whole bunch of resources to help you undertake a risk assessment and we want to learn about your biggest concerns and we're going to ask in a few different ways, what are the things that are kind of keeping you awake at night or worrying your staff or worrying your folks and we're going to start off with a quick poll here. We just want to get a sense of, has your organization ever performed a technology related risk assessment? So people can go ahead and just give some answers to that and I'm just curious, we're going to be kind of collecting some data along the way and we're curious to know of the attendees of this, sort of what their history around security and risk assessment and different things are. So we're going to ask these questions along the way. We'll leave this poll just open for a few more seconds and see what additional responses we get here and let's take a look at what folks are seeing here. So let's share the results here. So just under half of the audience has never performed a technology related risk assessment. 4% want to know who's asking. 31% have done it once or twice so it's little or no follow up action. So that gets us well over 75%, three quarters of the people here. However, they've never done it or have done it once or twice but never done anything with it and under 10%, 8% of us have performed an annual risk assessment and good for you guys, those of you who are doing that. So thank you very much. All right, let's go back to our deck here and thank you all for your answers. So let's cover risk assessment. I'm going to, and I apologize in advance. I'm about to show you two different slides, one with seven steps for risk assessment and one with five and I'll explain why I'm going to do that because there's a lot of different perspectives here and while I certainly didn't want to show you all of the points that I've encountered over the years and as I do risk assessments for organizations and by the way, I should at this point probably give you a little background on myself and my history doing cybersecurity and risk analysis. So for the last probably three years I've been engaged by a variety of organizations to perform risk analysis or cybersecurity work or threat modeling or different things for their organizations. And it's increasingly becoming something that is the primary sort of work that I'm doing because a lot of more organizations are asking for this. And while I am not an entrenched cybersecurity expert in the sense of working in cybersecurity organizations for a long time, this is work I've been doing for quite a while with a variety of organizations and I would say I approach it at the kind of high level common sense level as much as I can explain that and that's where we're going to start here. So when organizations ask me, is our security okay? And that's kind of where they start a lot of the time. I generally say, well, to answer that I have to understand what sort of risks you're worried about because I don't know whether your security is okay until I understand more about your organization and what would be the consequences of different kinds of bad things that might happen to you. All right, and so there's these sequence of questions and this is a framework from NIST from a NIST publication around risk assessment or risk analysis and there's a bunch of different names for it, but essentially first, what information do you have in your organization, right? That's a good starting point. A lot of organizations actually have a little bit of a difficult time answering that, especially larger ones. How much do you care about that information? And I'm gonna give you some very specific ways to think about how much you care about it as we come up. What could happen to the information? So what are the bad things that could happen to it? And it's really important to understand that we're not just talking about hacking or just talking about information breaches, which is where everybody leads to, but something like a hard drive failing is a bad thing that could happen that could cause you to lose information or not have access to information, which is actually a security problem in many instances. So it's important to understand not just kind of hackers or deliberate malicious attempts against your organization are things that you're thinking about, but you're also thinking about things like, well, what if the power goes out or what if a hard drive fails or what if our staff accidentally delete a bunch of information? Those are equally things that you need to consider here. How likely are these things to happen? How bad would it be if it happened? Well, we'll help you think about that. How will you know? This is one of the hardest things, especially around breaches, is how do you know if your information has been breached, if someone has accessed your information and taken it? Sometimes it's really obvious you can't find any of your files because they've been lost or you can't access all of your files because ransomware has encrypted all of the files, right? And sometimes you may not know or there may be some signs, but you're not really sure. And then lastly, and this is a really important one, is how are you going to respond, okay? So here's the second one I did warn you about this and this is threat modeling, okay? And this is a different word for risk assessment, okay? They're kind of two different names for similar kinds of activities. And this is from the Electronic Frontier Foundation. So my kind of summary of the NIST risk assessment framework was seven basic questions or seven things to think about. EFF breaks it into just five, all right? Which is what do you want to protect? Who do you want to protect it from? How likely is it that you will need to protect that information? How bad are the consequences if you feel? And here is I think my favorite question that the EFF asked and this is not one that's in that NIST framework that I put up before. Because this is kind of a fundamental question, right? How much trouble are you willing to go through? How much effort are you willing to expend, all right? To prevent those consequences? That's really the fundamental question. Because again, we had, I think it was 30, some odd percent of people who'd performed a risk assessment, but not really taking any action, right? So the risk assessment showed them that there was some gaps or some risks that they had, but they didn't act on it because they decided they weren't willing to go through that much trouble yet. And by the way, this often can change quite, sometimes quite radically, immediately following something bad really happening, right? So you might have not a lot of willingness to make security changes or put forth a lot of effort at your organization. And then the day after something really bad happens, all of a sudden there's a massive amount of effort. And neither of those are really good things, right? No effort before you have a breach is not good. And massive amounts of effort that are probably not necessarily appropriate are also not great. And when you put all of these things together, you arrive at, and this is, I'm more just sharing this with you because it's a term that you'll hear. And I think that's useful when you start talking about security at your organization is the idea of your security posture for your organization. And I think this is relatively common sense for most of us, which is that if I'm a theater group operating in New York City and I do children's theater and a few times a year we put on some plays and some families buy tickets to our plays. And the only information we have are people's names and phone numbers and email addresses and their credit cards go into something. And we have a website where we just promote the acts that we're doing. Our security profile from a cybersecurity sense is not very high, right? We're not targets in a meaningful sense for a lot of different kinds of bad people. We don't have any personal health information so we don't have to deal with HIPAA compliance. We are collecting credit cards but in a very simple kind of basic way that's relatively easy to safeguard. And we don't have information on anybody other than emails and phone numbers. Maybe we have addresses and that would be maybe bad if it got breached. But overall we have a pretty mellow security profile, right? On the other hand, if I'm an international human rights organization and I have staff in Iran and Syria and China and other countries where their governments may be actively looking to access our communications, possibly arrest our people as they go across borders, possibly scan, take their mobile devices and look for any information on them. And if they find information on them, our staff could wind up in jail and our clients could wind up in jail. Well, that's a very, very different kind of security posture. And organizations by the way that are like that tend to be very aware of this, but not always. Okay, so you kind of put these things together and you arrive at this idea of security posture. And I think that's a useful way to think of security posture. And here's the biggest thing that I find about security posture is that people are really inconsistent about it. And that consistency I think is a hugely important thing to try to make consistent, sorry, that was a very awkward sentence, make consistent for your organization. Because I see, I was dealing with an organization just a couple of months ago and they wouldn't let me, I needed to download an application for a project we were doing and I couldn't even get to their website to download the application because they would only allow whitelisted network addresses onto it. So they had me go to a proxy server that they would provide me so that I could download it to that proxy server and then use that proxy server to upload it to some other place where I could grab it. And of course I needed a login to the proxy server. So then they just email me the IP address to the proxy server, a username and a password all to log into that proxy server just in plain text email. And I was kind of confused from like what's your security posture? Is it extremely secure where only whitelisted IPs can get to the server or is it not secure at all where you're emailing credentials around in plain text which I considered to be just in case anyone's curious, a very bad practice. Okay, let's talk about categories of risk. So I talked a little bit earlier about how I was gonna give you a little bit of a framework to think about how bad would it be if something happened, right? So what information do you have and how bad would it be if something happened to it, right? How much do you care about that information? So I would submit to you that there's three ways while I wouldn't submit to you. This is kind of a standard in the industry, NIST and other entity stands use this framework. The CIA, which of course is a lovely acronym, it's easy to remember. So confidentiality, which you think about how bad would it be if the information was exposed to someone who wasn't supposed to see it, okay? And that's the one we all jump to when we are thinking about security and cybersecurity, we all jump to the someone breaks in using some sort of hacking tools or using social engineering or one of my staff emails it out or somehow someone gets access to the information that we have and now does something with it, right? They have our confidential information and they can go do something with it. But that's only one third, right? Of the things that we're actually concerned about, right? Integrity is how bad would it be if the information was lost and I couldn't recover it, right? That's something that is probably pretty bad for lots of types of information that you have and might in fact be a lot worse than the exposure. And in fact, most organizations that I work with would probably much, if they had to choose would much prefer that all the information was exposed rather than all of it being lost if they had to pick one or the other. And then the third one is how bad would it be if the information was not available for some period of time? And this is something that people get kind of freaked out about with let's say email, right? So most of us are on cloud platforms now like Gmail or Office 365. We don't experience a lot of email outages but I think most of us can probably remember five, 10 years ago when email servers were more common and not having email for a day because there's a problem with email server was like a catastrophe, right? Everybody kind of couldn't function. In reality is now we'd probably be grateful if email stopped working because we could actually get some work done but that's a separate issue. Anyway, so these are three different things, confidentiality, integrity, availability, okay? And then we think about the impact. So if the integrity of the information was compromised meaning we lost information and we couldn't recover it, how bad is that? Okay, so you can think about the impact or how bad, right? In terms of how much time would it cost you to recreate the information, to recover the information, to get back to an operating state. How much money would it cost you to do that and how much money, there's a variety of ways to think about money. You could think of lost productivity for your staff as something that costs you money. You could think of the time that it takes your IT department or a consultant to recover that information and if you're paying that consultant then how much time that costs if you have to pay some sort of data forensics person or organization to pull data off drives or pull them off something that that could cost. And then there's reputational damage. It's much harder to quantify in like a dollar sense but it is an important thing to think about which is if you lose all the information for all of your clients and have to tell your clients, sorry we lost your email address and that kind of hurts. And if you lose all of your donors' credit cards and have to tell your client sorry your credit cards were exposed the same as they happened to target that's pretty bad. That's a pretty bad reputational risk and could cost you quite a bit of money. So we're gonna throw up another poll now. I'm curious now that we've walked through those which category of impact most concerns the folks here in the audience today. So which category of impact most concerns the folks here today? And I'm just interested to see. I'm only letting you pick one, I understand. And it's interesting. I'm gonna show the results here in a minute as we get other responses. And by the way, feel free to keep putting in questions. Remember I've got plenty of time at the end for Q and A. I'm playing stick around for a little bit. All right, let's go ahead and show the results. We got just a couple more in here. All right, let's take a look. To over half of you, that confidentiality number is high. So there's obviously, and this might be a self-selecting group of people who choose to come to a cybersecurity ninja training, right? Where you have information that you're worried about being exposed. But about a fifth, a little over a fifth of you, integrity is the thing you're most concerned about. And another fifth of you actually availability is the thing you're most concerned about. So thank you all for jumping in on these polls. We have only one more to go. And let's go ahead and jump ahead. So I'm gonna show you a couple of templates that we have. All of these are available to you as resources at the end of the webinar, so at the last page. And by the way, everyone will get an email tomorrow with a link to the slide deck and a link to this recording. So you'll get, and that'll be true for every single one of the sessions that we do. You will always get the slide deck and the recording a day afterward. And any resources that you see in the slide deck, you will, all of those are hyperlinks. So you don't have to worry about trying to quickly grab any of those while we're here on the session today. So this is a Google doc, a lot of the, or a Google sheet actually that I'll share with you. And this is something I actually use in my risk analysis project that I do with organizations where we put together all the different sources of information that they may have. And we actually ask them to classify it on confidentiality, integrity, and availability. I generally encourage people to reserve, by the way, if you do wind up using these tools yourself, to reserve the classification of high for threats that are potentially kind of organization ending, you know, that go back to that earlier slide that I have. So I kind of have the joke there, but that's the existential threat, an existential threat. So in this sense, I kind of mean this almost literally. If it's an existential threat to your organization, then it's something that I would consider to be a high threat, right? So if it's something that, if this happened, you might not be an organization anymore. Sorry, I skipped ahead. Then save that for high or very, very bad. And then everything else is gonna be moderate or low, and the reason for that is if you have a ton of stuff that's high, then going back to this idea of how much effort are you willing to expend to resolve this, you might wind up with too much work to do, and I'd really want people to find things on which they feel that they can take action, right? And so you wanna limit that kind of scope to things you can actually do. Some things to keep in mind, all right, as you go through this. Okay, number one, threats against confidentiality. All right, can be the most challenging to address. And one of the reasons for that is you have to safeguard essentially every possible arena and any weak spot in your organization is a potential path through which a breach can happen. And that is most often a person, but it could be a firewall that isn't patched up. It could be a server that isn't patched up. It could be a single computer that has an older version of Adobe running on it. And of course, there's all kinds of zero-day threats that can happen. An employee can accidentally expose information through email. There's so many different ways that information can be exposed. That trying to keep information really feel tight is very hard. If you have any doubts about that, reading the news, I think pretty much should put those doubts aside, right? There's really hardly an organization that we could think of, the NSA included that has been able to effectively keep their information under wraps. And you can go down the list, you can go with Sony, you can go with Chase, you can go with Target, you can go with Home Depot, you can go with Yahoo over and over and over again, right? It's tough. And these very big organizations really struggle with it. So it's gonna be harder for you. Now, one of the ways to do it is to reduce scope, which we'll talk about in a little bit. Threats against availability can be the ones that most impact productivity. So again, if someone can't get access to key information or a key application, that keeps them from being productive and that is a cost to your organization, right? You probably have information in lots of different places and what do I mean by that? You probably have most of you, probably have a file server still. You also probably have information in Dropbox that's whether you know it or not, your staff are keeping some information in Dropbox. Probably also have information in Google Drive. You probably have a CRM application like Sales Forest or something like that. You have information on your website. You have information in your email marketing tool. You have information and tons of it in your email system, whether it's Gmail or Office 365. You probably have an accounting system. There's information there. You also, you know, on and on and on. So there's information in a lot of different places. So starting to get your head around all the different places where you have that information and where there's sensitive information that you care about in this place is a really important starting point. You can't eliminate risk. Going back to that earlier point of all the different breaches that are there that should be clear. All right, the goal, all right, is again thinking about the security posture idea is to find the right balance for your organization. And over the course of this whole 10-part series, that's something that I wanna remind people of again and again and again. We're gonna be showing you so many different things you can do. Doesn't mean you need to do all of them. It's up to you and your organization to figure out what's appropriate for us. Here's another template that we'll share with you. This is a risk assessment report template. This is again based on, I believe I pulled this from this, although I can't remember. This is based on like a 80-page report, but this is just a little risk and mitigation matrix. And what we're showing is that we've got a file server just looking at the top row here. So we'll say, okay, we've identified a vulnerability on the file server. All right, that's risk type. What is it impacted? It impacts all three areas, confidentiality, integrity, and availability. We have a brief description, which is that the server is over 10 years old and running Windows 2003, which went under life in July of 2015. Still a lot of those out there, believe it or not. We're calling that risk level high. We're saying this could die, could be breached, could get malware on it, and this could potentially really damage the organization to the point of the organization not existing. So we have some recommended mitigations, which is to look at moving it to a cloud-based document management system like Google Drive, Dropbox, et cetera. And then you go down in Salesforce, which we don't believe impacts availability because Salesforce, the availability is managed by them, but the passwords don't have enforced complexity requirements or expiration. We view that as a risk, so we suggest increasing the complexity. This is actually done a while ago. Right now I would certainly have the recommendation to implement two-factor authentication with Salesforce has supported now for some time. Again, this is a template that you'll get. You'll have access to all of these. Another thing you look at as part of a risk assessment when you're trying to figure out is what are your existing safeguards? So what safeguards do we currently have in place? And the main reason that I wanna show you this table is to make the point that backups don't really safeguard against confidentiality or against availability. Backups protect against integrity if they're done well. So if it's a good, quite cloud-based backup or something that's using different credentials than the server, the basic server credentials, if you're backing up servers because ransomware otherwise will encrypt your backups as well and it only safeguards against integrity. And it can even be argued that backups worsen confidentiality because they in effect create a copy of your data that is now in a different location with a different set of protections around it. So it's expanding the scope of that information that you're trying to protect, right? So integrity and confidentiality in some ways can work against each other as you try to safeguard both of those. But you'll see that a lot of these other things that you do, having robust policies if people are adhering to them, having a response plan, managing your access controls well, having IT controls such as antivirus and firewalls, providing security awareness training to your staff, which is something we're absolutely gonna be talking about in future sessions, performing a risk assessment like what we're talking today. These can help across all the different areas. As we kind of get to the end here, some of you, if you're having to kind of talk to executives about risk assessment and they're not very excited to work on it, I just want to point out that a $5,000 bad thing that does not happen because you identified that this was a risk and mitigated it or safeguarded against it is just as valuable dollar for dollar as a $5,000 good thing that does happen, right? So if you avoid some disaster or some very expensive problem that would have cost your organization $5,000 that you hadn't planned on spending, that is just as good as if someone wrote a check to your organization for $5,000. And if you take into account the cognitive bias of loss aversion, which is a different webinar and it's actually worked quite a bit more almost twice as much. But unless for those of you who are not cognitive bias nerds, that joke is lost in you but it's true, all right? That takes us to our last poll. This is the one I'm kind of really curious to see what the responses are, all right? So what are the biggest obstacles to addressing risks at your organization? So you can choose as many of these as you want. This is the first one where I'm letting you make multiple choices, you can enter other ones into the questions field if you want. And one of the questions that came in are a comment around the EFF in terms of how much trouble you're willing to go through is how much money you're willing to spend, right? And I'm interested to know how much money really is an obstacle to people and I guess we'll obviously find out here. And again, that ROI hopefully helps you understand if to the degree that you can start to monetarily quantify on some level the risks that you have, that's where I think it can start to make sense to invest into these other things. All right, so let's take a look at the results here. 60% of you said skills, so great, okay? So this webinar series hopefully will start to give you some of those skills that you need. Hopefully today feels like a good start for folks. All right, money, I can't help as much with. I can say there are some pro bono resources out there that can help with this stuff. And Taproot Plus is one, Catch-A-Fire is another, you can use your LinkedIn network and there's some potential other groups out there as well but those are all places where you might be able to get some pro bono help doing risk assessment. Time, it's always a tough one, right? And how do you prioritize that? Leadership buying, hopefully the ROI can help with that. And again, I think just education of leadership as to you have to earn integrity by not yelling fire when there's not really serious things going on, okay? And questions are starting to come in, I really appreciate that. So let's just get through a couple of slides. So here's the list of resources from today's deck. That top one is something that we'll be keeping throughout which is selected digital security and privacy resources. We're keeping kind of a curated one page list of what we think are some of the best things we've seen and that'll keep getting updated throughout. And on the ninja.rgt.nyc page, we will also keep some useful resources there. It's actually a really great one that came out today from ZDNet, got in Zach, something that was a kind of, more for individuals, but very helpful. The information identification classification template that we showed you, the risk analysis report template that we showed you, access controls template, which I didn't show you, but it can also be a useful tool. A primer on backups, disaster recovery and business continuity, kind of talks about the difference between backups and high availability, which is something that I find people often don't understand well. The NIST publication, which this risk assessment was kind of based on and then some sample policy. And I'm a little bit over. Next session coming up in two weeks, February 7th is basic network security. For those of you that have already registered for this or any future sessions, I owe you a huge apology. I'm going to have to delete all the sessions recreated that go to webinar thing. I didn't understand the way they set up their series. They're designed to basically be different versions of the same webinar. And I did not understand that when I set it up. So I'm gonna have to delete all those and re-add them. The link here is to the correct one and I'll be updating them on the way. Well, if you, most of you I believe found out about this via emails. So we won't send as many emails going forward for each webinar, but you will get emails. So you can sign up for any one of these. You don't need to attend all 10. You're certainly welcome to. We'd certainly love to have you at all 10 of them. But you will send a nice old description for each upcoming webinar series or each upcoming webinar, who the guest is and things like that. And with that, we are at the Q and A. Oh, oops, I'm sorry. I forgot that I was still showing the poll results. So let me, here's the resource list that I showed you. Right. So sorry about that. Everybody missed a couple of slides. Here's the resource list that I ran through. Sorry that that was in front of you while I was talking through resource. There it is now. And here's our next session, basic network security with Ken Montenegro. And now we're at the Q and A. And with that, I'm gonna open it up for questions. And if people do want to unmute, you can raise your hand. And if I can, I will attempt to unmute you. I believe I can. Yeah, I think I can do that. So for those of you who are in via the web and have microphones and stuff like that, I can unmute you if you want to raise your hand. And other than that, I'm going to just start answering the questions here. I'll read them off. And then I will ask them. Hang on a second. Okay, so let's see. Will I list out the pro bono company somewhere? Yes, I will. And I'll just type those into the chat for everybody. Okay, so taproot plus is one. If you just Google these, I think you'll be able to find them. Okay, catch of fire, which catch of fire does cost $200 a month or $2,000 a year for nonprofits, but they do have some different pro bono projects that include some risk assessments and cybersecurity related things. So that's another one. LinkedIn for nonprofits. And just using the LinkedIn network of your nonprofit is another, if you're a nonprofit organization, and there's a number of private sector organizations here. And all of these are for nonprofit organizations. Okay, if you're a private sector organization, unfortunately these resources are not available to you. So I apologize to that. But those are the three big ones that I know of, okay? And let's see. All right, oh, sorry, everybody was seeing stuff about the quick poll. I did hide the poll, right? Everybody's seeing the slides again now. I think we should be, yep. Okay, we will send the email. So here's the question. What is the best form to protect the confidentiality, integrity, and availability? I'm not sure that I understand that question well enough. What is the best form to protect confidentiality? Do you mean like Google Forms versus SurveyMonkey versus something else? If that's the question, I actually am not sure off the top of my head what's the best form tool to use to protect confidentiality, integrity, and availability. If that question can be elaborated on or if you wanna attempt to raise your hand and I'll see if you wanna have your hand up here. Did you unmute it? Nope, okay. So another question, a firewall, is it enough? Short answer is no. Just having a firewall for your organization is certainly not sufficient for all security needs, right? And firewalls can vary a great degree depending on whether they're updated, how they're configured, a number of things along those lines. So no, just having a firewall is certainly not enough and firewalls themselves can vary a lot in terms of their, how well they work, how they're configured, whether they're updated and firewalls definitely need to be updated in order to be. And now we will cover that somewhat more extensively next week in the Basic Network Security where we will definitely dedicate some time to talking about firewalls. So hopefully that'll help people. Okay, I'll stick around for a little bit. If there's any other questions from anybody, again, you can raise your hand. You could let me know in the chat if you want me to unmute you. You can have a conversation. If anyone has anything to contribute or anything to share with the audience, I would also invite you to request to be unmuted and I can have you come on and you're welcome to share something or share a story or something like that. These little extra time is going to be dedicated to people sharing information for as long as people want to stick around. But it looks like we are done with questions. And if that is the case, I think I'm gonna go ahead and wrap up. So thank you very much everybody for attending today. Hopefully we will see a lot of you back in two weeks on February 7th. We'll send some emails around about that. And thank you all so very, very much. All right, bye everybody.