Jay Fidel here, it's a given Wednesday morning. And we're on Security Matters with Andrew Lanning, it's really his show. But he's appearing with me, and we're gonna talk about Russia and how it hacked our government agencies, whatever happened there. And what we can do about it, really important question. It's a revelation. We haven't figured out exactly what happened or what we could do, but we're gonna start that conversation today with Andrew Lanning. Hi Andrew.

Hey Jay, how you doing? Thanks for having me on this morning. I think I was on yesterday on my show. It's good to be a guest once in a while.

We'll try to treat you nice.

Thank you.

So Andrew, what happened here? I mean, this is a bad thing. It's in the transition, and one has inevitably led to the possibility that somebody was taking advantage of our transition. And I guess the paper said it was all about Russia. And the papers also said something very interesting, that they had done it by way of compromising, in Texas, an American company that was selling tools to other software companies. So it's hard to track that, because you think it's an American company, but it was a Trojan horse of some kind. Can you talk about what we know?

Sure. So let's talk about SolarWinds. SolarWinds is a ubiquitous product out there. SolarWinds is used. They have a variety of tools, but endpoint management, endpoint monitoring. So literally probably all of the Fortune 500 and down. I think a half a million customers globally, right? So you're talking about a product that's used everywhere and trusted for that reason, that they've got a great track record. What happened, what we know happened, is some of their, one of their updates, right? Companies are constantly updating their software, pushing that out. What we know is one or some versions back in, looks like back in March, April, March through June, a few versions. I'm not sure how many they released during that time.
The adversaries, some criminals, were able to gain access to that code and then inject some malware into that code. And then the real nice, nice is probably not the best word, but the interesting thing that they did is that they were able to hide that injection in a way that made it look like valid code from that manufacturer. So that manufacturer's own code-checking mechanisms failed to detect this in their build. So they of course issued that download out there, and everyone, or some, I think they said about 18,000 companies applied that. So that tells you there's a whole bunch of companies who aren't keeping their software up to date, but the ones that were keeping themselves up to date unfortunately got this malware, and they're calling it Sunburst. Sunburst is really a dropper. What that means is it lets the command and control software that it's talking to, it beacons out to that, maybe in some period of time, let's say a week or two goes by, and let's for example just say it calls home. So it's gonna go out, back out the firewall, and let the command and control software that it is communicating with, it's programmed already to communicate with this, let it know that it's there. It will have done some initial scanning of its environment ahead of time to let the command and control software know what it has found, what it's potentially got. And then the adversaries will just decide, based on the type of information that they get back, what's the best way to start to move laterally, what type of other tools may they need to go in and continue to assess that environment that they're in or to learn more about it. All the while, these guys in particular are trying to be very, very stealthy with this activity. They don't wanna be known. So this is a remote sort of long-term attack, what you call an advanced persistent threat. And I did wanna say that although I've seen some media talking about that this is attributed to Cozy Bear, which is APT 29,
I've not read of any formal forensic attribution. And I don't think any, I think people are saying it looks like those guys. It looks like those guys, but no one's attributed this to anyone yet. So for right now, it's an unknown entity.

Does that mean it's not clear that it's Russia?

Not clear. And there's an interesting thing. The techniques are very good and very Russian, but Russia doesn't tend to see our technology. That's China. So China would love this to look like it's Russia. You know what I'm saying? Those guys do that all the time to each other. So, you know, attribution is just not something that's been done yet. And everyone's very cautious about attribution because it's very difficult to prove oftentimes. So the, some of the hallmarks in particular, why they're saying that, is because these guys were able to use the Outlook Web Access tokens, tokens probably from one of the administrators of the software that worked on the software, to actually gain access to it. They had to compromise someone inside that organization. And these organizations are, you know, they use multi-factor authentication, something that we recommend everyone do. But this particular group has a way to get around multi-factor authentication related to the Outlook Web Access, OWA, so a token. So, you know, that's one of the reasons why, in this group that was studied before, was able to do this to a think tank. So there's been some forensic analysis. And so some of this forensic analysis, and it's early on, looks like that analysis. So that's kind of why there's this thinking that, okay, these may be the same guys. But again, it's not been proven yet.

It seems clear, this is brilliant. This is not some kid in the basement in Serbia.

No, criminals today don't work that way. The kids can't even keep up anymore. Crime, cyber criminals today are definitely nation-state funded. They're nation-state hired. They work with nation-states.
Many of the nation-states will let them do their crime as long as they'll be a partner in crime when that particular nation-state wants help with something. So there's a lot of that, that blending has occurred with a lot more frequency in the last, you know, 18 months. So that's a problem for everybody, right? So this attribution problem, is it a criminal? Is it a nation? Is it both? You know, are they in cahoots? So that kind of problem is what all the law enforcement agencies in the country or around the world are facing with cyber crime. I think cyber crime is the third largest gross domestic product today in the world. So that's kind of what-

I have many questions for you. So I suppose there's an investigation going on about this American company that had an inside person. And ultimately, you know, it sounds like there's a fair chance they'll find that person. Because, you know, he had to be in a position to receive the instructions, act on the instructions, insinuate the code necessary to give the nation-state a hook inside that particular software module. But I guess what I don't understand is why? Why this? And why the government? The newspapers are talking about, you know, a half a dozen government agencies or more in the United States that all got hit and had their data ripped off. And the question is, why wouldn't anybody go to this kind of trouble? And was it limited to government? From what you say, it sounds like it was way beyond government. So what was the purpose and scope here?

Yeah, for sure. So government's just a victim in this case, as anyone else. So, again, SolarWinds is used by so many different organizations, right? Just if I said Microsoft Word, right? Every company probably uses Microsoft Word, right? So it's that ubiquitous as far as endpoint management goes. So they are out there, they have different types of products. So not everyone uses all of their products. This particular Orion suite is very popular, obviously.
So, you know, it was brilliant to target them. This is another thing, when we talk about the amount of resources that it takes. I'm just gonna go out on a limb, and it's only my sort of thinking, that this particular attack probably was worked on for a long time. So that takes a lot of resources, a lot of money, a lot of patience. You're going to have to work to get someone's credentials to compromise them. That takes a lot of research on social media, and it just takes a lot of work, right? So-

Yeah, but the work you're talking about is compromising somebody. It's almost like finding an agent for espionage rather than pure technology.

Well, it's not finding a person. So a person's credentials were compromised. So they were able to take a person's credentials and then emulate them. So it's like, I became you to the system. Just for example, if you were the administrator, now I can act upon that system with your authorities. And of course when they get in, they work to escalate that privilege till they got to the level that they needed to, where they could actually work on the code base itself. And again, this type of supply chain problem, right? So there's a lot of concern. You hear the term supply chain risk management today. You're starting to see that in bid proposals, in fact, where we have to explain the supply chain risk management infrastructure that we have behind our offerings when we sell things to the government, for example. So for software supply chain risk, this type of product, and our product for that matter, really isn't regulated. There's a lot of protections that go in. No one wants to make bad products, right? However, we would love to see a product like this built in a, let's just call it a white room, where it can never be touched by the internet. Therefore, no system compromise can ever occur from outside that could allow something like this to get introduced.
It would have to be code that somehow walked in the door, like on a USB drive, for example, right? Which would also not be allowed in the white room. So there's ways to sort of prevent this type of thing from happening. And they're known, they just aren't regulated. So industry doesn't, isn't forced to operate oftentimes at these higher levels of assurance that we would like it to, because there's no one really, you know, there's a risk, SolarWinds may surely run a risk of being sued or something like that as an outcome of this. But, you know, the doing the building of the code, building a white room, having a lab, having it audited by third parties to make sure you're doing everything proper, is very expensive. And so companies don't go to that expense because they're not forced to. And that's a real, go ahead.

Do we understand exactly what the mechanics are here? Do we understand what, you know, what this code does? I mean, you've described how it got into the system and how it got into the software supply chain, I guess is what it is. Sure. But do we understand what it does? I'm assuming, in a gross sense, I'm assuming it allows a foreign actor to come in and find things and take them out again, take out data. Does it also allow them to screw up the system and bring it down? Does it allow them to modify the code or modify the functionality so as to get a wrong result, for example, in a calculation? Do we understand it?

Well, there will definitely be more research as we find out what these actors have done. Again, most of those systems, so right now, Microsoft, SolarWinds, FireEye, several of these companies have put out what are called indicators of compromise. So you need to go look either at your firewall logs or your system logs, your identity management logs. And if you find any of these indicators of compromise, the first one would be that initial dropper, right, got reached out.
You know, the first one would be if you have any of these versions of the bad SolarWinds software, did you install that? If you did install it, there's no doubt that that dropper was installed on your system. Now, the next thing to check is, see, they already know which command and control, or they know some of the IP addresses that the command and control called out to, the dropper software called out to that certain IP. So you can look on your firewall log, for example, and see, wow, was there something inside my system that reached out, okay? If so, then, you know, you've got, you probably need to offline that system. You need to at that point presume that it's infected, right? You've got to presume that they've come back in and done something else. And then you've got to go look, and it just depends on what type of system you have and how, you know, how in depth and how connected it is with other systems. Is it a cluster of servers? Is it an isolated system? So, you know, all that forensic work is ongoing in a variety of systems. So we'll start to learn more about, you know, potential exfiltrations of data. Obviously, if anyone has command and control capability inside your system, they can use that system for whatever they want. You hear DDoS attacks, right? So you'll hear like a botnet. A botnet is nothing more than, let's just say, 100,000 computers that someone has command and control software installed on. And they take those, and it's one moment in time. They call them up and use all of them to go to a website, for example, to start to ping a website with a bunch of packets. And that dynamic denial of service, DDoS, attack could happen. Because the IP address that they're pinging on cannot handle that much traffic at one time. So yeah, for sure. So your system can be used to do other crime. Obviously, if you have the keys to the castle in there, those can be stolen from you and sold on the black market, you know, on the dark web.
Or, you know, they could be used against you, perhaps in a media campaign. Very embarrassing to have your tools stolen. I commend FireEye for coming out and letting everyone know; that's how this got found. They had some of their tools stolen. They are one of the preeminent red team companies in the United States. And they use, they have tools, they built, to hack into your system. Tools that are proprietary to themselves. So they've now had to go release indicators of compromise that would show that their tools are also being used against you, right? So that you could detect them. Those types of companies don't like to have their tools known, because that's basically the keys to their castle. That's how they're so good at doing what they do.

Well, it's just looking at this as an outsider. So an outsider. So you say, okay, we know that these certain products in the supply chain were kidnapped. And we're just gonna change them. We're gonna say, okay, the suspect module is gonna get switched out now. And we're gonna have another one we developed from scratch, and we're sure that this one doesn't get through the firewall and allow bad actors to get into our systems. Okay, so would that solve the problem, to switch it out? What are the challenges about doing that? Because you have all these downline companies already using the software that's been compromised. You have to reach them, of course. You have to reach everybody in the supply chain. But how hard would that be?

Well, so that's a normal thing. Anyone running that software, right, is going to get an update. Typically those are automated. Some companies may not have it automated, but it is out. The HF2 was supposed to be released today. Hotfix number two for that SolarWinds Orion. And so that is available for everyone. And you must go do that. But if you're running Orion, you need to go do that, right? Now, that doesn't solve the problem, because you've already had the dropper installed.
The dropper's already potentially called out to the command and control software and installed something else, right? So that it's sitting there waiting to be used, or waiting for the command and control to access it. So that's the problem that you have, is that you've got to go get rid of that dropper that's there. You've got to go find-

Can you block it? For example, go to the firewall and say if this suspicious activity happens, and port this or port that, or in a certain way, just don't recognize it. Sort of neutralize the dropper, as you say. Can you do that?

For sure you could. And that's a good idea, but there may already be other stuff installed that's calling somewhere else. So while that's a good practice, yes. Then that's one thing you need to go look at, because if it's been there more than a few weeks, which it probably has, it has called out. And if it called out, then you have to presume that other tools have already been installed, and they may be calling to other places. So again, some of this forensics that we're learning, there are some things we do know. I believe Microsoft is gonna block that entire domain today, so that no one can call the known ones anymore, right? So that even if you've got the software and you haven't had the time to clean up your system or do it, it can't call that particular command and control, the one that we know. But if I'm a criminal, as soon as I started getting penetration and I got my command and control software contacted, I would have started to prioritize the places I was in. And immediately gone back in, I wanna go hide this dropper, I wanna go hide those firewall logs if I can, and I wanna install something else that no one is looking for. Some other type of advanced persistent threat that's going to do something else for me at some point in time, maybe tomorrow, maybe a month from now. Most of their time is spent gathering; they've gotta gather a lot of information.
And then it's not a trifling thing to exfiltrate terabits of data from someone; it's a lot of time. And so that needs, because your firewall will see that. Everyone watches for that type of activity, right? And so, they've gotta take it out a little bit at a time, which takes a long time. So their remaining in stealth mode is critical. And now, of course, if FireEye found them, the world's looking for them, and now they'll be, in particular, they'll get rooted out, but a lot of people probably aren't capable of doing this forensic work. They'll just patch their SolarWinds, and the APT will be sitting there, and it'll sit there for a long time. There's no way to necessarily stop that if you don't go find it and find out what's been infected within your system, right? Even to that end, and nobody should think this is hopeless. This is work that we have to go do. When we know what we need to do, we go do it, right? It's part of-

Why didn't we do it before, Andrew? We have a huge industry of cyber security and security software all over the country, the world. The world. I mean, every country that has the internet has this, and the software everywhere, every country in the world. So couldn't anybody see this coming? Couldn't anybody figure this out? Why is it such a surprise? Why is it a newspaper headline?

Well, because it sells papers. I mean, the people don't know. I mean, for IT people in general and security people for sure, everyone's well aware of this, right? This isn't new or anything like that. Droppers aren't new, malware isn't new. Infecting a supply chain has happened before. This is not, you know, a new event. It is, I think, sensitive because it's SolarWinds. This is one of our security vendors that we trust, and they've been compromised. And the depth of the compromise, the size of the compromise, is just a testament to how vulnerable we are because of our supply chain dependencies, right?
Again, if I said, if Microsoft were, you know, we've had SQL worms, right? Because SQL, Microsoft SQL, is everywhere. Those are very, very effective.

Is that the injection attack?

Yeah, sure. Yeah, exactly. And there's ways to prevent that. For example, there's the part of the UL program I talked about, they do fuzz testing, where they intensely take your software and inject it with gibberish, or inject it with super long strings, or inject it with certain types of packets. And it can cause it to act erratically. When it acts erratically, sometimes you can take advantage of that and then inject code or cause it to run, go into an error operating mode, which allows you to then use it to do something else with. So, you know, when a system has anomalies, right? Those anomalous behaviors can create outcomes that no one had thought of before. And this is when we talk, you hear the term like zero days and things like that. So there are people that are constantly researching this type of stuff. When they find them, hopefully they're the good guys, the white hat guys, and they sell those compromises back to, like, Microsoft, and Microsoft will fix them. Had someone found this one in SolarWinds before it got, obviously, you know, found by FireEye, you know, they would have hopefully offered that too. And these companies offer what are called bug bounties. So they'll offer white hat hackers a lot of money to report to them these vulnerabilities so that they can fix them. And that's a good system. We find a lot of things that way, but you have to just go to MITRE. MITRE keeps the common vulnerability enumeration, or critical vulnerability enumeration, CVEs. You can go online and look there right now, just Google CVEs and go look at those. Those are all the critical vulnerabilities that haven't been resolved, right? So when I wanna attack something, I can just go look up, okay, let's go see what kind of Cisco CVEs are out there today for routers, for example, right?
I can go look, and there's half a dozen of them there. I can take those; there are already attacks built to detect those particular products, like you've heard of Shodan. So there's tools available where I can just go and go find where these routers are in the world and then start to run those attacks against them. So the vulnerabilities are known, the attacks are built. There's no cost to any of this, there's just time. So getting into someone is really just a matter of effort. There's not a, it isn't that difficult, but this software hack's a little different, because they were able to get, compromise an administrator and then use that administrator's credentials to get into the code. This is by a developer who writes code, and then they were able to insert this through his credentials, right? So that-

I thought the US was ahead of the game. I thought we kind of-

We are.

That's where it started with us. And we have not only Silicon Valley, but if you look at the country now, there are experts in software all over, including in Honolulu, like you. And so, did you see Halt and Catch Fire? A fantastic series about the development of some of these things back in the 80s.

I didn't see it, no.

There is a series on Netflix. Anyway, my point though is that with all of the expertise that we have, query how did these guys in nation states that are ostensibly behind us get so far advanced that we can't stop them, and that they relentlessly keep on going, and we're in this kind of tennis game with them where they always seem to get a leg up on us. Why is that? And what are we missing here? What is the government missing? What is industry missing that we're not ahead of them?

Well, I would just venture this for your thinking. I would say we're well ahead of them. We just don't advertise it, nor do they, when we break into their stuff, they don't talk about it. We have freedom of speech here. So the newspaper says, oh, the Russians are attacking the government. Yeah, maybe.
The Russians attacked SolarWinds, right? Everyone uses SolarWinds. So the government's a victim also. Along with all the other victims. But the stuff that we attacked, you have to remember, we took NSA, put our defensive and our offensive capabilities together now under Paul Nakasone, right? So I would just venture to guess, you really, really, really don't want to be on our radar, because we bring an absolute nightmare when we want to. And where we want to, I believe that we do. That's for top secret conference rooms that I'm not allowed in, and none of us will know about, right? But our defenses are very good. Now, that's government defenses. So a commercial defense, right? We see the vulnerability here in the supply chain, where a commercial vendor who's been compromised hurt us all. And so that's a difficult issue. And again, you have to understand, when we say government, it's very unlikely. And I don't have visibility on this, but I'm going to say it's very unlikely that any of this breach would have gotten anything into any of our classified or above systems, right? Those are maintained differently. They're monitored differently. There's a lot of other work that goes on there. So, I think that one of the bigger breaches that government had was the OPM. If you remember the OPM breach, when all of our, I'm a former veteran, so my details were lost in that event as well. So, that was a massive breach of PII, personally identifiable information. But by and large, I can't imagine that they got very far.

Well, you saw the list of government agencies. Forget the private sector for a moment, just the United States. Half a dozen major departments in Washington and our government were compromised. A, how much, and let's assume also they never got into classified information, military secrets, what have you. But how much damage? I mean, it seems to me that we are a huge bureaucracy. We need to talk to each other. Those agencies have to function.
And these were, it's all about software. How much damage have they done, either now or in the future, using these same, what do you call them, bots that are inside government computers? How much damage have they done to the government? Is this just step one of a multi-step process where later we're going to hurt, not necessarily in secrecy, but on data and functionality?

Potentially, I mean, now that we know the IOCs, fortunately the government does have resources. It's called our taxpayer dollars, and they're going to spend them cleaning this up. There's a cost for sure. But that's this particular attack, right? Which is a good thing. We need to go clean this one up. Again, it doesn't mean that there aren't other APTs already resident across our telecommunications infrastructure, our energy infrastructure. We know they are, as a matter of fact. So many of these systems have been penetrated, what we call critical infrastructure. And we're all working to protect them, to find them, to lift them out. Forensic auditing is brutally hard work. Not very many people on the planet are that good at it. We talk about cyber experts, but there's a few groups in the United States that specifically will work, will fund your education. If you happen to have the skill sets to be able to do forensic auditing, they need you. Alan Power came out to Hawaii, worked with our governor. He's worked with many of the governors to try to, they built a game that actually high schoolers can take. And it's not STEM related. This is your ability to be persistent and to have a certain tenacity, and just certain things you've got to have in you to be able to stay after it and really go find these things in our system.

Well, let's assume for a moment that private industry spends the money, and there isn't a lot of money in some sectors these days. Private industry spends the money, brings experts in, and they close down the holes.
And the federal government brings the resources, and they close down the holes and do damage control as necessary. But of course, there's this whole industry out there. I guess it's mostly in government that's supposed to give us security. So you would talk before the show about how, what they do is not necessarily known to the public. A lot of it is, classified may not be the right word, but it's not available to the public. And my question to you is, so let's assume all of this gets somehow, and it will, fixed, it'll get fixed and the holes will be plugged for now. What is the, it's a hard question, what is the next one? What is gonna happen? It's like I asked about COVID, what's the next virus, what's the next hole in the boat? And are we prepared for that? Are we working on that? Do we know what it is? Do you know what it is, and can you talk about it?

Well, sure. I mean, we know it is, this one we know was from March. So there was probably one in January, and probably one from last year. And there's probably a lot of undetected advanced persistent threat tools installed in a variety of subsystems in critical infrastructure. Will they wait, when I say they, will the adversaries wait to use those to take down the electrical grid in the Northeast, for example? Will they use them to take down the banking system to cause financial disruption to an economy of some country, our country or another country, who knows. You know, we have to presume that we are already compromised. And that's the way we function, the way I function anyway. So if you know that, you must take your really valuable assets and make sure that they're not connected to those things that are probably already compromised. Does that make sense? And so if they are, and if they are, you've gotta keep them encrypted, right? You gotta use strong encryption. So that if they're taken, then it takes an extra, you know, a really big effort to get them decrypted, right?
You've got to change your tokenization of your credentialing, right? Your identity management for who you are and for who your devices are. You gotta rotate that stuff out. You can't ever use administrators of any type to do anything else. This is a, this compromise of Outlook Web Access tells us that probably this administrator had an email account associated with that same account that he worked on the system with. That's a bad idea, right? Because it can be compromised. You don't wanna, an administrator, someone who's working on the code, for example, that is all he should do. He should go in that white room, sit on a computer, and that's all it does. It doesn't do anything else. He can't Google, he can't do anything while he's sitting there working on that, nor can he communicate from it. He's gotta go use a different system. But you've gotta have, yeah, you've gotta have that segregation to keep your assets protected. I mean, it's a standard practice classified and above. It's just that below classified and out in the commercial spaces, it's expensive to do. And so, it doesn't get done properly all the time.

Well, business is collaboration these days, and the bigger the collaboration, the more effective the business is. You can't grow without growing in software. But let me just, as a final thought here, let me talk about the ordinary Schmo. The ordinary Schmo is loading all these utilities on the internet, he's getting this and that. And you know, of course, he is likewise compromised. There's stuff, people can crack his system and they can take his data and all that. We know that, identity theft all over town. But here's one, and I won't mention names because I'm not sure that the name I have in my mind is the one that could do this. But there are various utility software manufacturers that feed the private computer, personal computer market. And you can download them in a minute, and you have them on your system, and they do all kinds of things.
And they're very helpful and they're very good. They're very good. But when you look a little further, you find out that these companies are owned by and programmed in Russia, for example.

Sure, okay.

And I say to myself, in a paranoid way, I say, because I think you have to be paranoid about these things. And your industry is loaded with paranoia, it has to be. I say to myself, you know, if this is leaving some kind of tracks on my computer and it's meshing up with millions of other computers, because it's good software, it works well, can't complain. But if there was some kind of Trojan horse in there that connected by the internet to other people, millions and millions of other people, and somebody pulled the trigger on the far end, say in Russia, they could bring down the entire personal computer industry and beyond in the country, maybe the world. And I'm saying, you know, is this unlikely, or is this, am I being paranoid, or is this capable of being a legitimate thing?

It's a full-blown business already. So when you want to do something like that, you just go on the dark web and purchase it. I can buy two terabits per second of DDoS attack right now. I just buy it. It's already built. There are already millions of, not only PCs, but devices, IoT devices, that are compromised. And so the people who own them lease them out to other criminals. Does that make sense? So this is business. So if I want to DDoS a company, I just, I wouldn't, I'm not going to go infect 100,000 computers. I just go pay the guy who already did it, schedule myself a two-hour DDoS attack on my competitor when he's trying to have a conference or something, and make him look bad or something, you know, for whatever reason. That's a done deal. That's been around for a long time.

Well, suppose I want to bring the country down.
Suppose I want to stop all commerce, I stop all productivity, I really wreck the economy and I have a handle on every single personal computer, Mac or PC, what have you in the country? Cause I have very good software living on there and they like it and they use it and it's open to the internet. That would be a business of another kind, yeah? Nation-state. Yeah, well, yeah. So there's still going to be command and control infrastructure, right? That the major providers are going to see that start to happen. They already start to hair down DDoS as a matter of fact. So they built out nodes to push all those packets off so that they're not all hitting one gateway and closing it down. So there's the major providers that built out infrastructure across the US already to help us mitigate some of these types of things when people try to do them, they still try to do them and they're still quite effective. I think the biggest DDoS to date is about 8.1 terabits. That is phenomenally huge. I can't imagine how many devices that was working on that particular network, but that's what's been recorded. And I think Verizon just released their report, these companies put out these reports, CrowdStrike and FireEye and all them every year about all the stuff that they've seen. And so the smart guy like, gosh, you're sitting at home, they're doing that with your computer. You just think your computer's running slow. You don't really know. It's not like they took the whole thing because they don't really want you to kick them out. They don't want you to, oh, this software makes my computer run slow. They don't want you to take it off, right? So they just want to use 30% of your processing power, not a hundred, you know what I mean? Well, we're just about out of time, Andrew. I really enjoy this conversation. I hope other people do too. I think the word has to get out about this. And that's my last question. What message would you leave from your end of the security industry?
What message would you leave with people? How should they approach this, handle it, think about it? Should they be worried? Should they be confident? What mindset should we all have about it? What comes out of this newspaper headline? So for sure, if you use the SolarWinds product, you need to get a hold of the IOCs, right? SolarWinds has published them, Microsoft has published them. You can go get a look at those now, run scans on your systems, look for these IOCs to see what you've got. Obviously you need to update your SolarWinds to the new hot fix version, which is supposed to be out today. That'll take care, so you won't have that, but you've got to go look around forensically. And then you definitely need to be monitoring your firewall for outbound calls, right? And look for outbound exfiltration of data. Again, there could be something else installed that these indicators of compromise don't see, right? There could already be another tool that's been installed that they're using. And there are a lot of IOCs. Most of these tools are looking for all these things that we know about. It's the stuff that's unknown that we don't know about. If it's there, there's nothing you can do, but except watch for, you know, why is all of a sudden, you know, five megabits of data flowing out some port that never happened before on my firewall, right? So there's things like that that people need to look for. And that's your intrusion detection, intrusion prevention systems, right? But the small guys oftentimes don't have that. So they can at least do the Windows updates. Windows Defender's looking for these IOCs; that's gonna quarantine them on your system. As of today, I believe they were gonna load the binaries in there. So, you know, there's, you gotta do the normal good computing. You also, you need to be aware of what's going on. And then, and also try not to spread like fear, like we know what to do to fix it. So you just do what you gotta do.
Do good computing habits, use multi-factor authentication. You know, do those things that are smart, separate your valuable assets, don't have them on your network. You know, if your network's on the internet and you're playing games or whatever you're doing, you know, if it's not safe or not secure, you don't wanna have assets on there. You know, that's just good computing, good cyber hygiene, we call it. Yeah, Andrew Lanning of Integrated Security Technologies, the host of Security Matters and a principal of the Security Industry Association as well. Thank you very much, Andrew. Really enjoyed talking with you. Thanks for having me, Jay. I hope the audience likes it. Stay safe, everybody. Aloha. Aloha.