It's my privilege and honor to introduce two gentlemen from Homeland Security. First, we have Rob Karas. Rob is the director of the National Cybersecurity Assessments and Technical Services, NCATS, at DHS. In his current role as director, he manages the NCATS team and provides cybersecurity services to federal agencies, state, local, tribal, and territorial governments. He is responsible for creating and identifying new services and developing the NCATS program into the civilian government's leading security services provider. Prior to joining DHS, he worked in the private sector for 12 years developing security operations. We also have Jason Hill, who's the red team lead at DHS, also at NCATS. So Jason joined DHS in 2013 to help create the nation's red team. He has 24 years of information security field experience and 22 years in the Army National Guard within the cybersecurity domain. He serves as the deputy chief of the National Cybersecurity Assessments, I want to get NCATS, risk evaluation team, and as the chief of the red team conducting red team assessments for the federal government customers. Prior to Homeland Security, he served as the red team instructor to military and federal government employees. I think I've probably said enough. So with that, Rob, for being here.
All right. Well, thanks for having us here and thanks for showing up. This is my 12th or 13th year here, I don't know. But it reminds me of one of my first years when we used to sit on the floor back at the Alexis Park and we used to drink and it's nice and informal and casual. So I'm going to give you an overview of what NCATS is, the services that we do. Jason's going to go down and do a technical dive into it. And then I'm going to give you guys some election results that we've found from the customers. So what do we do at NCATS? We do assessments. And then what are assessments? Cyber assessments. We have three main programs under NCATS, first is called cyber hygiene.
And you could think of it as scanning devices on the internet. So departments, agencies come to us. We have three main, actually, let me go back. We have three main constituents. We have the federal government that we work with. We have state and local governments, which are so many. And then we have private sector. So elections fall under either state and local or private sectors. And then cyber hygiene is vulnerability scanning on the internet. So we have right now 835 customers that we persistently scan. So if we find a vulnerability on a customer, we're going back and scanning that machine daily to see what closure rate is. So we believe in not just identifying the vulnerability, but then identifying what a customer does with that vulnerability and with that notification. So it doesn't do any good to find a vulnerability and say, hey, your window is open and for you never to shut it. So I tell you your window is open. How long does it take you to shut the window? Does it take you a day, an hour, five days? We had a huge problem in the federal government where it was taking over 300 days for people to close critical vulnerabilities. We issued what's called a binding operational directive. And now the closure rate on the critical vulnerabilities is about approximately 12 and a half days. So that's a big win. We want to do that with state and local and the private sector, but we don't have the authority. Right? We can push them. We can nudge them. We can say stomp up and down and say, you know, this is an issue, but we don't have the authority. We have the authority over on the federal side because we're federal government. The risk and vulnerability side is basically we have a risk evaluation program and there's three services under there and Jason will go deeper into these, but I'll give you guys a higher level. So we have the risk and vulnerability assessment, which is a two week pen test.
Basically any of those three constituents, federal government, state and local government or private sector, can come to us and request one. We'll give them a week where we try to break in from the outside and then we'll go a week on site and act as trusted insiders or insiders and try to break into their systems. After that, we also have a true red team capability, which Jason's built out. He could go into that a little bit, but that's more on the federal side that we operate and we have a remote pen test capability where we just test from the outside. The third program that we have is operational assurance. That's kind of more like the, if you think of a blue team and stuff, they're asking questions, going out and getting surveys and providing guidance based on that, do you guys have an incident response plan and going through that? They do a validated architecture design review where they get PCAP data and then they look at your architecture and look at it and say, oh, well, you have a firewall here and I have PCAP data. Why is data flowing from your financial portion of your company over to this other portion? So they work with that. Under that, we just built out, and this is election focused, but it's going to be all control system focused, applied vulnerability assessments, or AVA. That's where vendors can come to us and give us their election systems or control system and we'll set it up and we'll follow their documentation for setting up as a standard setup and then look at it and try to tear it apart and try to red team it and test it and see what we can do. We'll take the firmware off and see if there's any issues in the firmware and then any other issues inside the system. So on cyber hygiene, we have 595 customers. Oh, one thing I didn't talk about was why we do this and the legal documentation that goes along with this. Everything we do has legal documentation. So we're just not going out there and scanning for the heck of it.
So there's 830 customers they've signed and agreed for us to scan them. And why we do it and what we get from it is invaluable, right? So we have a consistent data set on this so we can see trends. So we can see trends, whether it's in the financial section, it's the election sector or whatever sector it is. Jason, do you want to go into detail what a risk and vulnerability assessment is?
You guys hear me okay? Yeah, because I usually don't use microphones. But one of the things that Rob didn't say about those services is that they're all voluntary. So we don't show up to people's doors and say, hey, we're doing this kind of thing. But I think that's kind of important to put out. But to go along with the RVA service that we provide, it's a two week penetration test, right? Who are my pen testers in here besides the guys that work for us? So a penetration test, we're going to try to show the customer everything we can find from a vulnerability standpoint within the timeframe that we have, right? So traditionally, a penetration test is we're running scanners. I'm running Nmap. I'm trying to find all the IPs I can find in the given scope that they've given me. I'm trying to run a vulnerability scanner against those IPs to try and find that low hanging fruit. The things that Nessus or Nexpose is going to tell me that's there. And then once I have that information, I'm going to try to validate any of those vulnerabilities, right? And then after that, if there's any web applications, we're going to throw some scanners at them. And if there's any databases, we're going to throw some scanners at them, right? So how does that differentiate us from a normal traditional penetration test? That stuff is all great. It's a little bit traditional. Sometimes it's a little bit boring to just kick off a scanner and let it run. So we add a little bit of value to that for our customers. So we do do all of that, right? And then we validate everything.
But then we take it to the next level. We try to give our customers what it looks like to be hacked, essentially, right? What it looks like to be attacked. I can give those results of the scanners to the customers and tell them, hey, you just had a penetration test. Here you go. Good luck and leave. But that doesn't really mean anything. If I'm telling the CIO or the CSO or some official that, hey, your Nessus scanner came back with 13 criticals and you've got to clean that up, that's not really helping, right? And so we take it the next step and we try to emulate some sort of an adversary. So what we'll do is once we get all those results from our scanners, we'll try to hit the low-hanging fruit. But really what we're doing is trying to get a foothold somewhere. It's really distracting. Try to get a foothold somewhere within that network, whether it's through phishing, whether it's through an external misconfiguration or an exploitation or a vulnerability that we can throw an exploit at. We try to gain a foothold. We try to privilege escalate, laterally move throughout the network. Try to get domain administrator in their network, move around and find what we call sensitive business systems, right? So when we're all done, if I go to the president of the credit union or the president of the water company or the electric company, I tell them, hey, I got domain administrator in your network. A lot of you guys in here know what that means, right? Like, that's bad. But when we tell them, they're like, I don't know what that is. That's not really helping me. So we try to go after what we would think to them as a sensitive business system. Something that's going to either have them explaining what happened to either Congress or explaining what happened in front of cameras or explaining what happened to them to their shareholders. Those are the kinds of things that we're going after, whether that's PII or proprietary information in their network.
Once we find that stuff, when we outbrief them, we explain to them exactly what we did. To our technical guys that are customers, we say, hey, this is exactly what we did from gaining a foothold to privilege escalation to lateral movement. We did all of these things, and this is exactly how we did them. And here's our write-up on that. And here's how you clean all of that up. To our executive-level folks, our C-level folks, we explain to them, it doesn't matter what I did. I got in. I gave all that stuff to your technical folks. They're going to go off and fix it. This is the ramifications of what just happened to you. For the last two weeks, we've been inside of your network. I got access to your crown jewels, and I was able to look at all that stuff or essentially exfil it out and take it. And I don't know what that means to you, but I'm trying to show what that means to you. So that's essentially what our RVA service is. I'm not sure if I missed anything.
No, and one of the things that they do is, when they do exfil the data, they test various ways. So we just don't exfil it one way. So they'll try it over DNS. They'll try it over HTTP, HTTPS, FTP, and they'll give them a list and say, hey, you guys are good here. You guys are good here, but you're not good here. So what statistics and what can we learn from that? So I mentioned that we have 800 and something customers under cyber hygiene. Of those, 98 are actually election officials or election related. So what data can we conclude and look at it with 98 customers? A lot. So a lot of the vulnerabilities that we see on cyber hygiene are actually the four out of the top five vulnerabilities are the same from our broad-based 800 customers to the 98 customers. So election officials or election networks basically look like regular business networks. So there's nothing really, really daunting there, but if you guys want the top five vulnerabilities that we know of there, I have to get my glasses on.
20 years ago I didn't. So IIS 6.0 is unsupported. PHP is unsupported. They're running a PHP unsupported version. We detected a UNIX operating system that's unsupported. There was a MS15-034 vulnerability in HTTP. So what does that mean? So it's a denial of service on a web server, right? So yeah, we're seeing that. That's one of our top five, not only in the election, but among all of our customers. So it's easy. I don't know if you guys use Metasploit or a tool, but it's really easy to denial of service these machines. Most of them are probably default IIS servers, but we don't dig into it. We just, cyber hygiene just strictly runs vulnerability scanners and finds the statistics. But the one, the top five that's not in there that separates the elections from the others is Microsoft Exchange Server is unsupported version. Still unsupported version, but we're seeing all these unsupported versions under there. So we're trying to work with them, trying to work with them and get them to, yeah, and it goes back. I mean, I don't know if you guys were just in this last talk, but a lot of money just came down to the states in the local communities. I don't remember what the gentleman said, but it was about 350 million or so. And then he talked about resources, not having the resources to do it. So what he says, our data backs up, right? So there's unsupported devices that people aren't fixing or updating, and this just gives an attacker a vector either to cause havoc or cause doubt in people's mind. So, okay, you denial of service machine. It doesn't really affect anything, but it makes people think and wonder, well, if they could do that, what else can they do? Let's see, on the risk and vulnerability assessments, so we've done 30 of these on election-related officials, and we've done them from small counties to the hugest cities in America to states and actually to a couple private sector people.
And the results are pretty similar to what we're finding on the red team side. You wanna walk them through the number one way we get in? So through a phishing and then escalators should have. We can't talk about customers, so it goes back to, yeah, yeah. Yeah, I did choose that one. Yeah. Yeah, pretty good odds. But the important thing is, well, we do sign leave agreements, and we do put out, and we're gonna work on putting out non-attributable statistics based on this and reports, so you can see what we're talking about, and we have some past reports. They're not elections-specific, but they're overall, but the trends just, the important thing is, and I'm gonna save it to the end, and Jason's gonna chug his fireball there when I talk about it. But there's one difference between elections and everybody else, but we don't wanna spoil it right now, so talk about phishing and get there.
So all of you in the room help us out every time we send a phishing email. So I'm sure all of you in here know we're familiar with phishing, and it's pretty much our number one way of getting in. So throughout all of our assessments that Rob spoke about, the RVAs, the red team portion, the RPTs, the remote pen testing, there's a common theme, and that's phishing. Some of our assessments, we will work with our customers and come up with a common theme or an email to break in, and we'll count up all the people who clicked on it or opened it and gave us comms back, and then we'll give them those stats. In one of our services, we work closely with the customers in a manner that we try to build a rapport with them. So I'm gonna send an email out to a customer, I'm gonna do some open source research on them and find out that they're supposed to interact with the public, right? They have some sort of public relations duty, they're expecting forms, they're expecting documents.
So we're gonna work with them, we're gonna talk to them and say, hey, I saw you're the point of contact for this, can you help me out? I've got this document, I've got some questions on, and we don't send them anything, we're just sending them this initial email so they'll do their job, right? That's what we're expecting them to do. They'll respond back to this with, yeah, sure, send it over. We send over a document, and for us, it's our document is our payload, it's our way back, it's our comms, it's our C2 channel, and we do that for one of two reasons. One, if we never hear back from them, something caught it and ate it, right? Or they left, or they're on vacation or something, but so if we never hear back from them, either something went wrong at the user level or something went wrong at the network level, the security level for the email. And then we can send another email, hey, did you ever get my document? Yeah, they'll either tell us yes or no, and then we know where the issues are in that chain. Once we figure it out, and they're like, yeah, I got your document, I clicked on it, but nothing happened, because that's exactly what we wanted to do, it was nothing to happen. And then once they write back to us and say, hey, nothing happened, and we have our communication channel, then we'll turn around and close that loop and we'll actually send them the doc they were waiting on. And then we do that for one or two reasons. One, it makes them less suspicious, right? So if I give them what they're actually asking for, they feel good, they did their job, everything's great, we have our communications channel, we keep it moving, they keep it moving, they did a job well done. But two, in case we get burned out of there, that is a point of contact that we can use in the future. Hey, John, or hey, Sally, remember me, I've got another document, can you help me out? And they will tend to help us out in that manner. 
But honestly, sometimes we have customers that get wrapped around the axle on who clicks on the emails and how many emails were clicked on. And I try to tell folks, long gone are the days of stopping people at the perimeter, right? So we've kind of got that pretty close to shored up. Right now it's more of how do we identify that there's someone there and how do we slow them down long enough to catch them and do something about it? So we try not to have people harp on who clicked on their email.
So that's about email. So our number one vector, whether it's non-election or it's election, is phishing, getting in through phishing. We don't have detailed stats. We have a fit, actually, I totally bypass it. I don't know why. We have a whole phishing campaign assessment that people can sign up for. We just rolled it out to the election officials a few months ago. So we don't have too many, too much stats on it, but I will tell you, I believe that they're gonna be in line with our overall stats. And this is mind boggling. So by the time Jason sends out an email or somebody on the team sends out an email, it takes 13 minutes for somebody to click on it. So that's our first presence. So Jason sends it at 1:00, 1:13 on average. He gets a reply in and on. So for that person to respond to the SOC, anybody wanna take a guess on how long it takes them? Three hours, three hours. So yeah, 30 days, three hours. But by the amount of damage that Jason can do in that three hours is significant and amazing. So he could pivot to other computers, get domain admin, get enterprise admin, exfil the data and be gone in 60 minutes.
Gone in 60 minutes? Well, I think our last assessment was 42 minutes. From the time we sent the email to the time we had DA the entire network, 42 minutes. So next to the DA.
Right, so using these data-driven stats, we need to educate the users to report it, right? If you see something, say something. It's a DHS slogan, so we'll carry it on to them.
But I mean, it's all seriousness. And I mean, it's not to be ashamed to click on email. I mean, or phishing, I mean, it's gonna happen or you're just not sure. Yeah, I've done it. I've been caught by a skimmer at a 7-Eleven before. So dummy me, but it happens. I mean, I've been in security for 25 years. So you do something, you take remediation actions and you take care of it. So the top two in the risk and vulnerability assessment deal with phishing, the next three issues that are consistent across non-election and election are our patch management. We have an issue with that once we're on site. We see that there's issue with patching. Admin password reuse. So if we see admin password somewhere, we're gonna see it somewhere else. Whether it's on from a local machine to a database to somewhere else, you wanna talk about any examples on that? Sure, yeah. So there's this thing in the working world where people have to work, right? So sometimes security gets in the way, right? It's, there's this scale of usability versus security, right? So I've been an admin before, I've been a domain admin before and I've had people come to me and like, I need this to work and I don't really care about that security part. And then when the boss comes, the CEO or the general comes and says, yeah, I don't care about that either, make it work and you have to make things work. You run into stuff like admin password reuse where I'm sure if any of you guys here in IT and any of you are admins, you know that you're not supposed to use your admin account as your daily account. You're not supposed to check email under that account. You're not supposed to do normal day-to-day routines under that account. But when someone needs a password change, you're supposed to log out of that, log back into your other guy and then do those things. Well, some people, I don't want to use the word lazy, but automated or efficient, they want to be efficient. 
So they tend to use that same username and password to do all of the things that they're not really supposed to be doing. So we run into that quite a bit. And then the final, yeah, a lot of people do it. So the final thing is insecure default configurations. So we're seeing that just everywhere. I mean, it's not an election issue, it's not a non-election issue, it's just a person-people issue. That's what our data is driving us to. So I think one of the good things is, if there is a good thing, elections have heightened the alert and the knowledge in the general populace that there are security issues and people are taking it more serious. So it sucks that it has to come to this, but people aren't going to change until it directly affects them. And now it's affecting the election community, which directly affects America, the population. So if that's what it takes, unfortunately, to change, I think on one hand it's a good thing, on second hand, I don't think it's a good thing, but we've been preaching a lot of the same things in the security community for the past 20, 30 years. I'm sure I could pull out one of my speeches that I did in the 90s and give it here and it'd still be relevant, change your password and do this, but we just gotta hammer it down and get people to really take these things serious and actually get them the resources so that they can handle this and they can do it. So I mean, if you have a list of 50 things to do and each thing takes 70 hours, how many things are you gonna do in a year? You're not gonna accomplish much. So all right, so our top observations and I'll work backwards to the top one, poor password usage. So we're seeing default passwords everywhere. We're seeing weak passwords everywhere, so. So in text passwords, documents full of clear text passwords, it's 2018 and we find those everywhere. And I have one, right? So it's really bad, finding someone's document literally says passwords. 
Yeah, and he'll say it right on the desktop and they'll take a screenshot of it and it'll be a spreadsheet or something and just say passwords, you open it up and there it is. So no gatekeeper or any KeePass or whatever, it's just flat text files. But then the password to KeePass is usually written down somewhere too. Yeah. Yeah.
All right, here it is, the top observation. So the main difference though, so everything that we've talked about has been consistent between election systems and non-election systems. The one thing that we've been noticing and this is on the cyber hygiene side is the time to mitigate. So we've been scanning these 98, well, so we're scanning 98 election officials and some have come on like two years ago, three years ago, some have come on as recently as a month ago, but the time to mitigate. So I see vulnerabilities in these systems for hundreds of days. I don't mind the low ones, I don't mind the informational ones, fine, it's informational, but I'm seeing high and critical ones and they're just not getting, they're not getting fixed as rapidly as the ones that are in the financial community, in the water community, and in other communities. So when I line all the communities up, the election community ranks last in time to mitigate. So if that's one thing that I can say and I can emphasize for these state and local and these private sector companies to do is really put in some kind of a process and procedure to fix these. And we're not talking, most of them are easy fixes, it's just getting the resources and getting the processes in place. So we did it in the federal government, Assistant Secretary Manfra was here earlier and talked about how there's 99 agencies and they're huge, some agencies are huge, some have four or five people, but we got, and we changed their culture, right, to get on these and change the, or patch the criticals within 30 days.
So we wanna get the word out to all the communities, but especially the election community, because we're here to actually patch those vulnerabilities. So we're sending out reports. One thing I didn't mention how cyber hygiene works and from a high level, so conceptually, so you guys can see it. So we scan a machine or we scan a network and we find a device that's vulnerable. We'll scan the critical, and the machine has a critical vulnerability on it. We'll scan that machine twice a day to see if anybody's closed it. It has a high vulnerability, we'll scan it once a day. It has a medium, we'll scan it twice a week and a low vulnerability, we'll scan it once a week. So we're really trying to track closure rate and we feel that if we can really push and push the people to close the vulnerabilities, it's a big win for us. So with that said, you got anything else? We'll open it up to questions. Great. So correct or I'll take the moment to briefly ask a few more questions to begin with. No, that's all right, I'll be very loud. How's that? There's probably a camera on here. Yeah, there you go. Okay, so when you work on election systems, are you right now doing any pen testing of machines or is it all the networks for the election providers? So I mentioned that, did you guys hear me about that? Or the camera? Oh, the camera, the camera. All right, so I did mention we have this applied vulnerability assessment program that we're just standing up. So we do have one election system up in-house and we just, a company actually donated it to us and said, hey, we want you and we're getting more and more election companies coming to us and saying, yeah, DHS help us identify some vulnerabilities, make us better, make us stronger. So right now, we're getting through the first pilot and we have it set up and we're gonna take the firmware apart and we're gonna diagnose it and do a nice write up on it. 
We have several other vendors wanting to do it so and we're building up the resources to be able to do that. So it's something that we're gonna build up later this year and the next year and before the 2020 election.
Excellent, I'm gonna answer my second question. Okay, Derek, yeah. Yeah, yeah, it's published.
Well, and I don't know how many times Jason will call me and he really hasn't done it from the election side but he's done it from the banking side and he's like, Rob, I'm sitting here with the CISO. I'm like, oh, really? I didn't know they had a CISO. He's like, well, he's really what, their loan officer? Yeah. He's their loan officer. So we're seeing that in the smaller communities too in the election facilities. The bigger counties like Cook County and LA, they have a little bit more resources but it's a tough battle. You know, they just tell people, go get this cert and then they do their day job and their day job isn't anything to do with security. I think as time goes on, that'll change but we're not there yet.
I just like to add on to that real quick. So Rob mentioned the small banks where the guy's the VP plus the IT guy, right? So those things are double edged swords. Those guys, like you mentioned, they don't really have a handle on security. However, what I'm finding is that the smaller organizations that we go to, the last one I was at was 70 people strong elections place. And everything that we found as we were going along, they were able to mitigate, fix, block and we retested before we left. So that's a little bit of the beauty of the smaller organizations as opposed to the big ones. I was at a Fortune really high number and their CISO was on the phone with me and he's asking me, Jason, how do I, they had a local admin problem, 45%. This is after, 45% of their workforce still had local admin on their machines and this is after they had this campaign to get that reduced from 100% and trust me, when I say they were global.
And so he asked me, how do we fix this? How do I get people to not be local admins? And I looked at him and said, you're the CISO. I would write a policy and tell them to stop doing it and then turn it off. I don't know how to do it. And so the point to that is, other than a joke, the point of that is, is that the smaller organizations, even though they don't have a well-honed security force or folks there to help them along or to be proactive, when they do find a problem or they do find an issue, it's usually mitigated before we leave. The bigger organizations, excuse me, the bigger organizations we'll go back to year after year and we'll find some of the same holes that were there the year past, which just means that four hours that it took to breach the network and takeover now is down to two hours or one hour because we have all the information from the last time, so. Yes. 2016, I think like what? I got to make a phone call. Sorry. I've seen a lot of the company states were breached. How many states were actually experiencing that? It's a little more clarity, especially with that third, according to how many states that they're record altered. Yeah, so that's Intel and that's a different division, but as far as I know, I haven't seen any reports where anything was altered, so. And? Yeah, I haven't seen any of that, so. So, yeah. Can you guys give us any more details about that? Yeah, we don't work in that. Right. We don't work in that arena, so. I mean, you could ask this gentleman right here. You can say anything. Yeah, so, I mean, so what we do is, I mean, we do assessments, right? And I could talk about all my data and all the data that we do and all, oh, I guess one of the worst things I should have said, all of our stuff that we do is unclassified. 
So, you know, we do have clearances, but the guys that we bring on don't have clearances and the customers that we don't do, because when we're going to state and local governments and private sectors, they don't have clearances. So one of the first things, when I came and started this in 2010, I said it's gonna be unclassified, everything that we do. And since 2010, since day one, it's been unclassified. So, dealing in that arena, we don't have any idea. But just think, Jason's successful 99%, 96.3% of the time just using open source and unclassified tools and his knowledge and knowing what he does. They get stuck every once in a while, but then they write some scripts and do some coding to do some evasive maneuvers over antivirus and other stuff, but everything we do is on the unclass. So, as far as classified stuff, I couldn't tell you.
What do you have to say? You're looking at these IPs.
Yeah, so two ways. On the cyber hygiene side, they define it. We have a form that they fill out and they say these are our public IPs and this is what you're allowed to scan. If they have a third party vendor that they use, they have to get an agreement with them and then they provide us the IPs, but they provide us the targets in the scopes. And on the RVA side, we have a pre-assessment questionnaire that we go through and I'll let Jason talk about that.
Just one thing I wanted to point out is again, the service is voluntary. So if an organization comes to us and they give us a scope and it's pretty locked down, I mean, we'll ask for more if we can. If it helps do what we think they need to look at, we will, but ultimately the customer has the final say in that. We work real close with our points, we call them POCs, our points of contact or our trusted agents on the scope that they give us, the amount of information that we get. In our RVAs, it's a white box, I guess.
So everyone knows what's going on and both parties want, you know, really if we lose, they win, if we win, they win. So everybody wants to, you know, our goal is to defend the nation, right? I mean, I live here, you guys live here. We want this place to be secure. I want to keep whoever wants our data and whatever they want to do with it. I have no idea, but we want to keep it secure. So to answer your question, that the scope is pretty much dictated by the customer and we'll help them along if they're kind of lost or they need our help.

Well, let me add one thing to that. So sometimes customers do come in with unrealistic expectations. So like DHS came to us. So we considered DHS a customer even though we work for DHS. So they came to us and they said, well, during this two-week event, we want you to test TSA, we want you to test USCIS, we want you to test CBP, we want you to test Secret Service. They're like, wait a minute, there's only four guys. So that's what Jason does. He talks to them and says, what's really critical? What do we want to test? So we set expectations. Your CB event, we actually, we work with the customer, right? So elections and elections, we kind of know what's critical and they know what's critical, right? They're trying to save those databases full of PII, right? All of our data in this room, right? If you're registered to vote, we're trying to save that data. So for them, we kind of know what it is and what to go after. Really what it comes down to is did they give us that information to get or are they leaving it up to us to find? So yeah. And then in other cases where the customer, like you said, we're leaving it up to them to tell us what they already know or what they think they know. That's where we'll work with them and talk to them about what it is they're trying to protect and we kind of coach them. I mean, we've been doing this for so long that we kind of coach them along until it's beneficial for everybody. 
Are we writing our story then? Yeah. Exactly.

So my question is, behind what you were saying, if you can't do anything with it in the first case, that is kind of messed up.

So we have resources, right? We have so many people that work for us. The county is free to go out to Shodan and find that information also. It's free. You found it in a matter of minutes. In America. Right. So, you know, we work with willing customers, right? So if a stakeholder comes to us and says they want to sign up for our services, we'll do more than just find what's on Shodan. So, you know, we're just not resourced there to protect, you know, there's over, if you count cities and counties and states, I mean, there's over 10,000 different entities and we're just not resourced to do that. If DHS gives me the resources and the American taxpayer pays for it, I'm more than happy to build that service into mine, but that's not part of our service right now. I'll tell you, I'm not going to talk about the law, for example. Bro, you're a reshance. But I still, yeah. Right, yeah. Right. So, yeah. So, for that federal candidate, I'm an official, they're a citizen, right? So, it's the United States of America and we're different from a lot of other countries in the world, they're not forcing the government to do something for that county, even though it makes sense. I'm not going to argue with you that it makes complete sense that we should be protecting everyone, but they have to request it. But they have to request it. Yeah, but that's, yeah. Yeah. Write your congressman. Yeah. Change the law. Change the law.

Have you excavated what you're saying that will be used in the next year as an architecture? What is the culture on that standpoint has it been, is it only crunchy outside the sky?

Okay, so, just real quick, I know this is a small room, but what the gentleman is asking is, if people are segmenting their network properly, how has that given us trouble? Right, paraphrasing? 
So I did a critical infrastructure organization and they were segmented to the hilt. They segmented off their ICS portion through three sets of firewalls, three different segments. However, in order to make things work and in order to have the least amount of admins throughout that network, the only hole they opened in the firewall was the hole to allow communication between the Active Directory servers so that they could replicate, right? And so we rode those channels through three or four different security devices until we hit the SCADA systems. So the answer is, if it's done properly, which I'm not really sure we've seen yet, let me rephrase that. It has done it properly? Well, yeah, well, sure. Yeah, there's one that actually turned it off. Yeah, so there's one that's turned it off, but actually there's one election state that actually did it right. So they had segmented so much that their registration database was offline and to update and make changes to the database, it was a manual process. You had to walk from one room to another. So we're trying to get them to write up some papers and share with the other states and share their best practices so it gets there. So.

What state is that?

That was one of 50. One of 50. One of 50.

We have time for one more question. I would ask that it's a shorter question. It's a moment of introspection before you ask it. And it is a short question. The gentleman with the pluses, you can take your hand.

I could say, if you count the network. Oh, that's pretty easy. We'd send him an email now. No. No. No. No. No. No. No. No. No.

So within the NCCIC, there's several other groups. There's a hunt and incident response team that we work with that is almost a sister organization to us. We would work with the customer and tell them of the evidence that we found or identified. And we'd ask them if they want to get our sister organization, the hunt and incident response team in to come in-house and to actually identify that. 
And then not only find that one target, but then other machines that had indications of compromise on it. So stop me if I go too far. But we actually have a very good example of that. We just had that happen two, three weeks ago, right, Face?

Yeah, so one of our high-speed guys is here. His hacker handle is Face. For those of you that know what the A-Team is, he actually ran into a system when we got on it. There was evidence of compromise. Turns out they were still on that box. Crypto mining, I believe. And so we handled that with a customer. We definitely have a protocol for that. Everything stops, comes to a halt. We contact those folks and we put them in contact with the people that Rob just mentioned. And send them an email.

All right, thank you.