 Hi there, my name is Ken Mayer. I'm going to be your instructor for this course on Security Plus. Now I've been back working in this industry and business in some way or another since 1983. Of course, technologies have certainly changed from times when we had very closed systems, mainframes, to getting into the world of actually having a little more open network operating system to everybody discovering the worldwide web, to being able to have to worry about routing and switching, about different applications that are running web applications, identity theft, the works. And so I've been obviously staying with these topics, working with a lot of different areas of security through those 30-some years that I've been in this business. I'm hoping that I'll be able to give you some of that extra knowledge that will help you make you a better security professional throughout this course. In this lesson, we're going to talk about security fundamentals. And so what we'll do is we'll, kind of like it says, fundamentals, give you that foundation. We'll hit that information security cycle. Then we'll talk about the information security controls. And when we talk about controls, remember, we're going to be kind of, we'll feel like all over the place when it comes to security because there are a lot of different things to think about. We'll take a look at least from the 30,000-foot view, the authentication methods, some of the fundamentals of crypto systems or cryptography. And we'll also talk about some of the security policy fundamentals, which by the way is where I say that's about the paperwork, where we actually write out and make those policies that we use as a guideline for setting up our secure systems. So let's take a look at the information security lifecycle. What we're going to do is we'll talk about what information security is, some ideas of what you should be protecting, the goals of security. We'll throw in some of the words like risk, threats, vulnerabilities, intrusions. We'll also talk about some of the types of attacks, some of the controls that we can use, types of controls that we have to use. Again, all trying to mitigate risk really when it comes down to it. And then we'll look at the security and management process. So when you ask the question, what is information security? Well, you can probably give it just on these basic definitions, the protection of available information or information resources. Now, when we talk about information, I guess you could say we're talking about, for some people anyway, data. It could be data in a database of customers, maybe their credit cards that you, like so many stores these days don't want to lose. It could be other types of resources of information. Literally, it could be information that's on a paper form that needs to be securely locked or stored, files, think about medical records and those types of things. So it's important that you understand what really is important for your company or your organization. And our goal is to provide that protection. Now, it is necessary for the responsible individuals or the organization to have a way of securing confidential information. Just in the United States, we have a number of regulatory laws for a variety of different types of organizations, such as HIPAA for medical records, medical patient information, what we call Sarbanes Oxley or SOX for financial institutions, banks and those types of things. That those laws actually say that in order for you to do business without getting a huge fine or possibly even going to prison that you must need to meet those requirements and be able to document that you've at least met the minimum requirements, especially, let's go back to the bank. If SOX tells us what we need to do minimum and that bank loses your money, do you think maybe somebody might sue that organization or that organization says, oh, we weren't in compliance? It really doesn't look good for those organizations. So anyway, it is necessary, as I said before. And when I say responsible individuals, well, that starts right at the top, whether it's a CEO, sole proprietor, who's the owner of the business, who whatever the type of setup is, director of a different agency, they're the ones ultimately responsible. Anyway, when you think about this, our goal is by looking at some of those documentations plus following best practices, our goal is to minimize the risks and other consequences of losing any type of your critical data. So here's where I was talking a little bit about the ideas of what we're trying to protect, the data, the resources, whatever's important. In fact, one of the things I'm gonna have to put up here is when we ask the question, what to protect, I'm gonna say whatever's important to that organization or company. We go back to what's called business needs. Now business needs means that we need to protect whatever's gonna keep that company, assuming it's a for-profit company in business. If they make widgets, their resources may be for supply line information, or if they're, let's say, a credit card processing, then they're gonna have to have a resource that lets them connect out to a variety of different bank buildings. And so we have to be able to protect those connections. And then, of course, internally, like I said, we could have paper files, we could have digital media, or digital storage of our files that protect information crucial to how we do business, like it says bank account numbers, or in the U.S. social security numbers, or any other personal information. So how do you answer the question? I'm asking it like a question, what to protect? Again, what to protect is what's important for the business, what makes that business run? And when we are talking about protection, and you're gonna be seeing some ideas of what security is, but I'm gonna draw just a little bit different idea here about one way to look at security. And that is this idea of CIA, which is not the spy organization, but stands for Confidentiality, Integrity, and Availability. And somewhere in here we have some data, some assets that you want to protect. Now, I just wrote it in the middle of this little triangle, and one of the things that you're gonna see is that, you know, when it comes to how to protect, and I'm way ahead of where we're gonna be coming up to in just a bit, one of the things to remember is that we can protect information through confidentiality by encrypting our data. In fact, we'll often tell you that you should encrypt your data whenever it is in motion, or it's at rest. At rest means it's stored on your hard drive, it's stored on your laptop, encrypt the files. In motion means you're connecting to your bank and doing online banking. Don't do that in clear text, right? We always look for those HTTPS connections. We also want to know that the data has not been changed either while at rest or in motion, that's the integrity or the I. But at the same time, if you were to imagine that, you know, where I placed this little dot where my data is, if I start moving my dot a little closer to confidentiality, I may move it away from the ability to do integrity checks, and certainly move it away from the A, which is availability. Availability means, can I get to my information? I mean, we could secure information so much that hardly anybody can access it. Well, if they're customer records, and that's your business needs to access customer records, you're gonna have a tough time here. So there's a balance in between all of these that it'll be appropriate to, again, to what did I say, the regs, regulations. There'll be a balance that you want to meet there. And the other one I said it would be best practices. And then from there, you can determine based on your own risk assessments, we'll say, of how you want to set up the policies coming up with this balance of security choices. But anyway, take this to the resource. Now, under resources, I made little connections like these are servers connecting out to other banks from a credit card processing center. You know, the resource is the equipment itself. I mean, if that equipment is not locked in a secure facility, then anybody can walk in there and potentially walk away with your servers. Let me just say this about servers. You might go through all of this work here, confidentiality to encrypt your information, which is very important to you. But, and you may say, well, I've got the best of, let's say, Windows security set up on this thing. And I've got antivirus that, you know, if I can steal your server, and I don't even have to take the entire server, all I have to do is take your hard drive because technically that's all I want. So what's stored there? And if I can walk into that room and I can just pop a hard drive out, then, you know, I own your data. I'll take the time to decrypt it back at my evil hacker shack or wherever it is I'm doing the work from. So resources are more than just thinking of data. It's also the equipment, the hardware, everything else that's important. And so again, going back to what to protect, there's kind of a small list that I've just given you and plus a little idea about how to decide what way to protect that information. Now there are some goals of security and I already mentioned my CIA triangle as kind of the idea of really dealing with actual data. That was more for just data. But when we said what do you protect and what we're doing with security, well, we were talking about data, we were talking about paper files, we were talking about actual server hardware, you know, even protecting your personnel. I know of a company that does a lot of financial work for some of the bigger credit card companies around the world and they tell me that they often have to have security in the parking lot at the quitting time because they'll actually have employees who as they're walking out to their car get hit up by people trying to bribe them to get them special access or to get them information about other people's, you know, financial situations. So I mean, when you think about the goals of security, one of them is prevention. How do you prevent these different types of breaches and security? I mean, again, we've probably all heard, I'm assuming, at least for most of you watching me, that you've all heard of antivirus software, maybe intrusion detection, firewalls and things that we do to prevent, but you know, security goes beyond the transmission of those little ones and zeros. It does go to the personnel, it does go to the equipment, to the resources, supply chains, you know, another part of your security is power supply. I mean, what happens if the power grid goes down to where you're at? Do you have backup generators? I mean, all of these things, we could say, well, we can put them in to try to prevent a security flaw. And yes, the loss of power is a security issue because if you can't get the business to run, you're losing money. Of course, detection. Now, detection is where I'd be talking a little bit more about your use of scanning software, like I said, antivirus and intrusion detection, obviously just in the name of that IDS, right, intrusion detection. But it goes beyond that again, physical stuff, right, motion sensors, sensors on windows, you know, having a way of auditing who accesses the server room. And of course we have to have a recovery system. Recovery is important because the loss of downtime for some organizations could be so monumentally hard on that company that they may never recover. In fact, I remember reading, I just wish I could quote it to you, so don't take this as pure 100% fact. But I've heard that for small businesses, if they were down for a week because they couldn't recover their information, by then their customer base will have found a new supplier of whatever widgets they're selling and they might not recover. So, you know, we wanna be able to say in our recovery parts of our goals that we can bring data back right away, that we can recover if we have power outages, that we can recover, right, all of those things go together as goals of our security. Now, the actual idea or definition of risk is, I guess you could say one, the likelihood that something could happen. And if it did happen, what kind of damage would it do and on a way of doing a rating? There are very simplistic methods of analyzing risk. If you think about it, you could simply draw a little box and you could put the, what I would call the threat here first and I'll make my box pretty big. And let's say the threat was a virus to your operating systems. Then of course, what do we say? The likelihood, so I'm just gonna use an L because I don't wanna respell that word. And maybe you might say, you know, let's have different people do their own ratings of say from one to five or one to 10. And this would be end users, they'd be your security managers, they'd be your router switched people, they'd be your firewall experts, they'd be all these people from different parts of your organization who would all have their own opinion on the likelihood of that occurring. And then of course, the next thing we said is the damage. And the damage could be in time, could be in money, could be both. And so you just come up and say, let's take a look at this. I mean, what about burglary, right? Somebody coming in, what's that likelihood of that occurring? Like I said, I always wanna think more than just electronic or technical terms when it comes to these threats. How about flood or fire, right? Again, likelihoods and what kind of damage would it do? And that's important. I mean, you know, if you ask me about a virus, I might say, hey, there's a good chance that my end users might download some garbage. So I'd give it a four out of five. I might consider that we have, you know, maybe armed security and outside TVs. And so the chance of a burglar coming in might be very low, unless I'm worried about an internal employee. Flood and fire, well, you know, you can look up what flood zone you're in to know if that's a high likelihood. You know, maybe I'll say it's a three, maybe a four. Really? Four? Do I wanna work in a building that has that high likelihood to catch on fire? All right, so anyway, you're getting the idea, right? Viruses could be pretty minimal. You might get a little bit of disruption. You might have to rebuild or re-image some machines. This could be medium, depending on how much a burglar could pull out. And, you know, a fire or a flood could be catastrophic. Right? See if I can spell catastrophic. Can't use words or can't spell, right? All right, there you go. So anyway, you know what I mean? Cause, you know, once you have a flood or a fire, we're talking about a building that usually can't be occupied for a while and that's a lot of downtime. So as I said, you come up with a way. There are plenty of documented methods that you can use to do different types of risk. And the idea here is you then have to make some decisions with your risk. You have to say, okay, you know, something catastrophic with a high likelihood that I've put in here, seems like that'd be the first thing I'd wanna address out of my risk, more than buying antivirus software. I might be saying, hey, we need to put sprinklers in here, we need to update the fire extinguishers, you know, all that sort of stuff. You know, and then maybe I'd say, okay, well, the virus looks like it could happen a lot, which is something we wanna deal with. You know, so it's helping you also kind of focus your energies. Now, like I said, when you look at threats, I wrote some down here. We've got one here that can be very common, unfortunately, disgruntled former employees. Now, you know, I'm gonna take out the word former because you also have a risk from disgruntled employees who are working for your company and your corporation that might not have the best interest of what your company does, as I said. And, but either way, the idea was that they may, because they've worked there or are working there, that they might try to get improper access to information. You know, I've got a person I'm working with in the small town that I live in who just had their sales manager hired by the competition. And, of course, what happened when that sales manager left for, I guess, greener pastures, they try to take all of their customers with them as well, right, could be a major idea of a disgruntled employee. And by the way, that had nothing to do with technology, other than maybe the database of who the customers are. But we look at that as risk. Now, the idea of threats is the fact that something could happen, right? The risk is, you know, for us to identify the threats and how likely the threat will happen. But we have to identify what those threats are because we don't know what the problem is. We're not gonna have a good chance of trying to prevent it or even know that we should detect it. So, let's talk about just changes to information. The first one here, changes to information. Okay, so changes happen, right? We update our customer records. You know, I move or get a new phone number, whatever. So, some changes we expect. But there could be the time that somebody made a change to a record, like maybe deleted a customer, not wanting to do it on purpose, but that would make it unintentional. And then we have to ask, what have you done in security to be able to bring that customer's information back? That would be part of your recovery options that we just mentioned before. It could also be something intentional. I did read a story about a lady who was an architect, right, who would draw out plans for a million-dollar jobs and saw that her company was advertising for somebody with the exact same job requirements that she had, so she thought she was getting fired. So, she intentionally destroyed all of her work and then went and resigned the next day and said, you know, you're gonna fire me anyway, so I'm just going to resign and yeah, I destroyed all my stuff. And that's when the employer said, well, you know, two things, we were actually hiring somebody to help you and now we're gonna prosecute you for destroying our stuff. You know, that's again, changes to information. Interruption of services. Sometimes we call that a denial of service on the binary side. When I say binary, by the way, I'm talking about the data transmitted from one place to the other across, you know, radio frequency or physical copper cables or fiber channel. It was sending a bunch of ones and zeros and sometimes our goal is to try to stop that. Again, interruption of services could also have been, as I said, somebody damaging the power grid. You know, there's so many things that we can do to interrupt services. Interruption of access, that's also, I would put as a part of this, what we call a denial of service, where sometimes we'll purposely have a hacker try to take your server offline. How? Maybe send it a virus, maybe send it some pre-known types of data or information that would cause it to crash. Again, if they don't physically lock these things up, could be damaged to hardware. By the way, could also just be that you don't have the right type of heating and ventilation and air conditioning that can also cause damage to your different hardware out there. So all of these, right, damage to facilities. Again, fire and flood, the rest of it. All of these are threats. As I was just saying before, when I talked about risk, we would look at the different threats that could interrupt our ability to work and what is the likelihood that that threat could happen. A vulnerability is often something we would say could be a bug in a system, whether known or unknown. And that happens. I've never met a company, and you can name any of the big ones that have ever put out perfect, perfect software. It could be a bug that's in the hardware, just the way the hardware chips were encoded with their instruction codes. There's a lot of different things that could be a vulnerability. A vulnerability could be an open window, or a window that doesn't lock, or a door that doesn't lock. You know, all of these, again, trying to get away from just the technical aspect could be considered a vulnerability, a known weakness. And that's what's important, is that often we know what the weaknesses are, and that's where people are gonna try to take advantage of the weakness. I mean, if I knew that some employee was sneaking a smoke inside the office and left their window open when they went out at night, hoping they didn't get caught, so they could blow the cigarette smoke out the window or something. And I was paying attention to that while I was watching your company. That to me would be a vulnerability, a way I could come in. And so we want to try to patch a lot of these vulnerabilities. We want to fix them. Bugs, when they're detected, usually will have a fix or a patch or an upgrade to fix those things. Hardware, sometimes we can rewrite the firmware and some of these chips. Open windows, again, you can have security guards walking around the outside. I mean, so our goal is to look for these types of vulnerabilities. Now, some of the tough ones, when it comes to the world of your operating systems, and how we exchange information, are these ones we call zero days. A zero-day vulnerability is one that the manufacturer does not know exist, one that nobody except for certain groups of hackers would know that exist. And even if the existence of this vulnerability is known, it also means that it's one that doesn't have a patch. And this is your big thing that is affecting us today. Because if we don't know those of vulnerability and we don't know to patch it, then we have people that are going to be able to take over your networks no matter how good you try. And that's just a true statement about security. So again, in this little example here, a attacker hitting what looks like an unsecured router. So I'm gonna mention a vendor that makes these wireless routers, not because they make poor ones, or I mean, you'll understand, I'm not saying anything bad about it. But I was with a friend at a Thai restaurant. I'm not even gonna tell you what state it was, that advertised free Wi-Fi. So he opened up his laptop, because he was gonna check his email, and he found that this router's SSID was Linksys. All right, nothing wrong with this company, by the way, makes good products. But the problem is, is because the SSID was Linksys, which is the default setting of that router, then he took the guess to say, well, let's see if I can go to its management page of 192.168.1.1 on its IP address, and the management page opened. And so then he said, well, I know that their defaults are username admin, password of admin. So he tried those out, and lo and behold, he had full control of that unsecured router. Now, like I said, not an issue with Linksys, because I can mention a number of different routing companies who every single one of their products out of the box without you doing any configuration are gonna be just as unsecure. And we all know that, and unfortunately, so did my friend. Now, he was not a hacker, he was really just curious, and actually brought it up to management and said, you know, I ought to do something about it. Maybe he was looking for an extra consulting gig, I don't know. But you know, once I'm into a device like that, you know, I can change the way in which your traffic goes out. So, or I can use that to, you know, as I said here, to come in here and get into your, inside of your network and your information systems. Because if I can change that, I could, basically I could have made this a firewall, and I could have stopped all your traffic from leaving. That would be a denial of service. I could have redirected your traffic to me as a web server instead of, you know, to your regular Facebook or social media. I mean, so many things that could have been done to really just take care of things. So that's just, again, an example of a vulnerability. And so one of the vulnerabilities, I guess I didn't write it down here, is default settings, right? We, they all are there. And I could probably just keep going on and on with this, but I'm hoping that by now you understand what I'm referring to. It's a weakness in a system. Intrusions are, again, gaining access into an area that you shouldn't be able to get to. Well, notice this one right here, talking about a door. What's in that door? Could it be files, file storage, that are paper? Could it be a server room? You know, how is it secured? Is it left unlocked? Is it easy to get into? Right, that's a type of intrusion. You know, in some of my advanced hacking classes, we actually taught students, and it only took 30 minutes, by the way, how to pick any standard Tumblr lock or to use a shim to get past any regular padlock, which, you know, I'm just gonna tell you, those things aren't secure anyway. That's where we start seeing the magnetic key cards or at least a password encoder device, something a little more than just a Tumblr lock for people to get into. But we have to consider that that could be a destination as a place of intrusion. Of course, it could also be what I'll call electronic, which is just the way in which we speak to different devices. And again, that could be my trying to break in or hack into a system. That's what a lot of us keep thinking about when we think of the word hacker. If somebody's breaking into a server to steal your files or your other data. And you know, if they're successful and able, let's say, to take over one of these systems, then they're what I would say golden. Because once they're inside, I mean, even if I had to go through a firewall, once I can take over any system on the inside, there's an idea of trust, that once you're in the network, we trust everything else in the network. And so I can then just, from there, start what I call a pivot point. Where I take this machine, then I pivot to the next machine or pivot to the next machine and try to own them and then just continue to have my way inside of your network. So again, another example of an intrusion. Now an attack to me sounds like somebody is trying to basically follow through on this threat or vulnerability. And again, we kind of want to give you this, sometimes people call it a little bit like it's a mile wide of information and maybe not quite as in depth of information. In other words, we want to make sure you are aware of different types of security issues and problems and have a good, at least if you're aware of it, you know that it's something that should be looked at. For example, you might work solely on firewalls, yet here we are talking about physical security attacks. Again, is there a weakness, a vulnerability? Is there a likelihood, a risk that it could happen? And so it could be theft, as I've mentioned before. It could be sabotage. It could be somebody just destroying your facilities. There's a lot of things that can go on. Especially when we see a lot of that kind of news reported more and more often. Social engineering, probably easily. At one point I used to say to people that this was almost 50% of what hackers did. Social engineering attacks are where people are trying to get information out of other people. Now there's a number of ways that can be done. It could be that somebody is just watching with their eyes while you're typing in a password. They call that shoulder surfing. Or maybe you're just being nosy, who knows. They could be calling you on the phone and asking you for your password, trying to impersonate somebody from IT and they're trying to fix a system. It could be somebody eavesdropping and just listening to a conversation. I mean, I have learned passwords for at least one airline by just listening to somebody that works at the airline said, hey, I need the password for the computer and baggage claim. And I heard on a walkie-talkie no less and I heard it back and so I'm hoping they changed the password. I was at a cell phone store and I heard one person say, hey, what's the manager's password? And the other person who wasn't the manager knew. So again, lots of weaknesses there but eavesdropping is another great way of doing that. And it just goes on and on. It couldn't even be dumpster diving, looking in the trash to see what you've thrown away. That might help me better fool you. Now, a lot of us, at least me, seems that I'm spending a lot of time on network-based attacks. I say that because I've worked for so many companies who have their variety of routers or switches or that was a pretty bad-looking switch there or firewall or something that does all in one. It could also be some of what they call this next generation firewalls that might do AV and IDS. And so a lot of people are spending a lot of time in trying to secure those types of networks. And that is, like I said, probably one of the big ones. Of course, I do like to do a lot of social engineering as well. I'm not so much into breaking into things. I just showed people how to pick locks. But anyway, so network-based attacks, they seem like that's the one we hear a lot about, right? You hear about the big warehouses and retail stores losing all those accounts. Well, they all kind of came based on somehow across the network. Another great way to break in, though, of course, here is through webpages. You'll see people trying to take care of a poorly designed page by doing sometimes what they call SQL injection, which is taking advantage of somebody forgetting to encode security, either at the web page or to the database server that sits behind the web page that delivers the information back and forth. So it could be certainly a web-based application or to me, software-based attack is still pretty much trying to say the same thing as a web application, except for we could probably throw in all the operating systems in here and say, what are their weaknesses? And again, I know that some people out there love to make jokes about Windows and not being secure. Windows is a great operating system. It's got its flaws like every vendor. I mean, you can't tell me that you're gonna use Linux so it's more secure because it's really not. You can't say, oh, my Mac is, you know, all right, everybody has a weakness. There's no perfect operating system or program. And sometimes the operating system might be the strongest operating system you have out there, but there's an application running like the one you use to check your email. And so that person will attack the application because the application is trusted by the operating system and therefore there's a weakness. So anyway, I'm trying to just give you a number of ideas of the types of attacks and what we mean. And I hope that you see again a little bit mile wide because we went from physical security to eavesdropping, listening, calling on the phone to hitting you through the network or if the network's good, going through an application or you're going through a webpage, you know, lots of different types of attacks. And none of those are actually even on people, on your personnel. Again, that could be a very dangerous world out there for people who might be in a place of authority for a company worrying about getting kidnapped or those types of things. All right, so controls, I mostly want to talk about kind of the way in which we could classify them. But a control is what we call a countermeasure. The idea of a countermeasure is to basically mitigate or lessen the amount of risk that you have to worry about. And it's something we would do or put in place, as I said, to make that risk less. Obviously, we could say that a bunch of them are preventive. All right, so, you know, in this case, a preventive control would be locking things, locking doors, but I've already told you again, you have to be worried about the types of locks and where, you know, you can access that lock from, you know, so that's prevention. And even by the way, the best control systems can be easily thwarted by the people that are working there. Maybe I have too many stories and you all don't want to hear my stories because you don't get a chance to tell me yours. But you're my captive audience, so you're gonna listen to mine. I was at this, basically, worldwide multinational company, I won't say which one it was, doing some consulting work on a network management system that they had. And, but I didn't have access to the network operations center, the knock. So one day I was bored and I was walking the hallways down in the basement area and I saw one door that had no label. You know, like how doors would normally have a label and tell you what's in there. Well, this door didn't have any, so right away I knew it had to be the knock because somebody once said, you know, in security you shouldn't put that information on the outside of the door. And it had a little window right here, a little window that I could look into. And when I looked into that window, it showed me there was another door. There was also a podium, which looked like a fingerprint or palm scanner. And I could see that it was a keypad for that door. So they basically were being forced to have a magnetic key card to get to the front door. You know, palm print, I mean, perfect, right? And so here's Ken. All right, I'm not the skinny, but anyway, here I am looking in that window, trying to see what was in there. And some guy walked up behind me and said, hey, can I help you? Scared me, made me jump. And I just told him, you know, I said here's who I am, I could have lied because my tag only said visitor. Anyway, so he takes me in, shows me the network operating system, best security in the world. He just let me ride in, which is nice, but I didn't do anything bad. But I just want to throw that out there. Detection controls, all right, detection. Well, all right, so what do we have here? Close circuit TV as an example. You know, again, it could be an alarm on a door, an alarm on the window. So if somebody opens it or breaks it, that there's some sort of detection. And of course, hopefully some of the controls can correct things. You know, like firewalls can drop packets or intrusion detection can drop those packets. They can send out emails. The alarm company could be calling the police when they detect something. Right, so that's part of the correction. That after we, well, we try to prevent it, we have a way to detect it. And from there, have a way to correct it. Hopefully our control can help us with all of those things. So as a review, when we're talking about these controls, and I hopefully gave you a big enough breakdown there, that we do classify them as prevention, detection, and correction. And if we're lucky, our controls can help with each of these aspects. But remember, they usually have a primary function. Like I said, a lock on a door is generally there to prevent you from getting in there. Detection would be an alarm strip on the door so we know when it's open. And that device, hopefully relaying it to a machine or to a person, would be the correction. And again, that's just one example on a physical security side. When we take a look at the idea of the management process for security, as a process, it means it's something that kind of, I almost want to look at it instead of just a circle, as kind of a spiral staircase. I mean, we're still going around. One thing leads to another, but we're always getting better or higher up the staircase as we're approaching it. And then, of course, for those of you who think the glass is half empty, you'll say, oh, it could be going down. Well, all right, you could be, but take my analogy. Anyway, one of the things, of course, that we want to look at when it comes to security is knowing that we have to have a way to identify what those issues are. And from that identification, right, to be able to report this and to monitor it. And depending on what we see, having to go back through this entire lifecycle of being able to know what it is, how to implement a security control, monitor the control for success, which is a part of auditing. And from that, maybe have to make new recommendations so we keep going through this process.