I hope this talk will end up being some sort of a rampage. Seriously... so this next one, I will go. I mean, well, I guess if nobody... I mean, the title could not be more blunt, like, what the hell happened? Ron Taylor. Thanks, Ming.

Yeah, so I want to set the expectations really low. I've gotten about 12 hours of sleep over the last three days, like most of you. So who am I? My name's Ron Taylor. I've been in security for about 20 years, on the offensive and defensive side, doing a little bit of everything. You can find me on Twitter under Gus Gorman. Does anyone know where the name Gus Gorman comes from? Come on, it's like one of the earliest hackers in movies. Richard Pryor played the character in Superman. Yep, that's right, so that's where it comes from. You can also find me on MySpace. You guys don't use MySpace? It's coming back, I'm telling you right now. So I say that I've been a hacker for 39 years because my mom says I've been breaking shit since I was born. It's probably right. Actually, I've got to update that, unfortunately; in a couple weeks I turn 40. I'm a member of the Packet Hacking Village. Like Ming said, we do a lot of work here to be ready for the talks, the challenges and everything, and we appreciate you guys coming out and making it successful. I also run a BSides conference in Raleigh, so if anyone's in that general area, reach out to me. We'd love to have you come or speak there.

So, what we're here for. First of all, I need to give you a disclaimer. I first want to start out by saying that in no way am I bashing the boots-on-the-ground people
involved with OPM. We all know that when it comes to information security, even if you want to do the right thing, a lot of times it's not possible, whether it's for financial reasons or political reasons. We've all been in a situation where we've been financially or politically hindered from doing the right thing. So if anyone's ever worked for OPM or does work for OPM, please don't take offense to this. We all know that it's likely someone above your pay grade made the decisions that led to this catastrophe. It's been a really long week.

So first of all, who is OPM? OPM is the Office of Personnel Management. They are the human resources division for the civilian agencies in the federal government. They do a few other things. In 2005 they took on the responsibility to do background checks for the Department of Defense. Well, they took it from the Defense Security Service; before that, DSS was who was doing it, right? So that date is kind of key, because you'll see while we go through this that there's a lot of things that happen during that time frame.

So what was lost in the breach? A lot. 21.5 million SF-86 forms. Okay, so what is an SF-86 form? Has anyone here filled out an SF-86 form? Yeah, if you've ever tried to work for the government, if you've ever just filled out an application and didn't even get the job, that's in their database. Okay, that was lost. It has a lot of information in there: information about your family members, friends, psychological information. I'll show you on the next slide a little bit more about that, but aside from that, 4.2 million personnel files containing essentially all of your personal information, your military records, things like that. And on top of it, 5.6 million sets of fingerprints. So why is that bad? You can't change that, right? Yeah, if you lose a username and password,
you can change that. You can't change your fingerprints. So now 5.6 million people, their fingerprint data is essentially compromised, right? So when we talk about the next generation of authentication, how can we really trust biometrics or fingerprints for biometrics? We can't. So that's a big problem. Now, on the bottom here, I don't know if you can see that, but the CIA actually does not use OPM for their background investigations, so it's interesting. But one of the articles that I read pointed out something interesting: the fact that they didn't means whoever has this data can essentially discern from that information, if this person is not in the database that I just stole, then that may mean they work for the CIA. So there was a report that right after the breach a lot of the CIA folks were pulled out of places like China. You have a question? Yeah. Oh, yeah. Yeah, it's interesting.

So a little bit more about the SF-86. You can't read that very well. To get a security clearance you have to fill out an SF-86 form. There's a lot of information on here, and it's not meant to really go through all of it, but I think the key thing is the investigations. They're designed to identify the type of information that could be used to coerce someone, all right, to find out: is there a way that I can force them into betraying my country? Okay, that's what the SF-86 is for. But it also asks individuals to turn over the most personal details about their life, right? So you can start thinking about how this information might be used against you, right? These are just some things out of the report, which we'll talk about, but some quotes. So James Comey,
he's someone who is fairly well-known now, but he said that the SF-86 lists every place he's ever lived since he was 18, his family members, siblings, all their information. Of course, so it's not just that individual person who filled out the SF-86; it's all their friends and family members that are affected by it as well. So, bad news.

So here's where we're going to start drawing other assertions about how this data is being used. Around the same time there were a few other breaches that happened, large data breaches. First of all, USIS. It was an OPM contractor that was actually doing background investigations for OPM. They were breached in 2014 and lost a ton of information. In December 2014 the other OPM contractor that they used was also breached. Okay, so maybe there should have been some sort of indication that OPM was a target around this time, right? Anthem, Premera, Empire, all these other breaches that happened: these same companies provide services for the government, right? So more information that they're pulling together. Of course, Ashley Madison. Who was affected by the Ashley Madison breach? Anyone? I know you were, Greg.
I know that guy was, right there. Well, this is important, and I'll tell you why in a second. And then of course between 2012 and 2015, that time frame, the OPM breach happened. So if you look at this, this was from, I think, the Washington Post. I should have looked into it more, but anyway, the person in the article made this assertion that what they're doing is they're taking all these data breaches and pulling all the information together so that they can correlate between them and say, hey, this person over here matches this person in this data breach that I found. How can we use that information against them? Right? So if the SF-86 form says this person has a wife and three kids and lives wherever, this is his wife's information, and then he goes over to the Ashley Madison database and finds that same guy's information, he can coerce him basically by saying, hey, I'm going to tell your wife you're cheating on her, right? I mean, that's just one example of how this information can be used, but what they're doing is they're essentially building a dossier about each person in those databases, right? All that information is pulled into a database, likely, and will be used in some way. Now, we'll talk a little bit more about whether it's being used and if we have any clues of how it's being used, but you can get an idea, based on the different information that's been stolen, of what's out there, right?

So let's talk about the report. The majority of the information that's here and that I'm going to talk about is based on this report. It's all open, public information. I don't have any insider information at all, but I think it's really interesting. I started talking to a lot of folks who had been affected by it, and when we talked about this report,
they really had no idea of the impact of it. So that's kind of how this talk came about. They didn't realize how bad OPM screwed up, and that's what we're going to talk about.

So actually, let me back up. The report came out in December of 2016, right? So just last year, and it was done by the House Oversight Committee. This is the same group who investigated Benghazi and things like that. Okay, so they took, I think, two and a half or three years to go through and investigate everything that happened and to determine a timeline. So that's what we're going to talk about first, that timeline. Now, when we talk about the timeline here, I don't want you to think that this is when they actually found out the information. Most of what they found out was after the report, after they did the investigation, okay, because they really weren't monitoring anything.

So first of all, the warnings were there. The warnings were there before the breach. Since early on, I think 2007 was probably the first time when they were really talking about APTs, and the government was warning agencies: hey, there are these threats out there, you need to be concerned, right? But going back to 2005 the Inspector General, who is internal to OPM, was telling them: hey, you have a really bad security posture, you're not doing two-factor authentication, things like that. And over and over again over the years, you can see from 2005 to 2007 and then in 2008, 2009, 2010, they continued to raise that alert level saying, hey, you really need to do something here, okay? They ignored it. That's what we're going to talk about, exactly what happened. So this all works out. Hey, animations. This was a fun one to do.

So July 2012, this is the first known adversary access to the network.
No, they didn't find it in 2012. Of course, they didn't realize this until they did forensics, and I think that they actually found a piece of malware that they tied back to 2012. That's how they figured out that was likely when they first got in. Between November and December 2013, I don't know the specific information, they likely found some sort of log or timestamp on a piece of malware that indicated that they were moving around in the network, right? So that time frame was where they realized, okay, someone is actually in their network. Now again, they didn't realize it at that time; this is from the investigation.

March 2014, US-CERT notifies OPM and says, hey, your data is out there on the internet, so someone is exfilling data from your network. So at that point OPM actually did start to monitor their network, right, and they identified Adversary One. In the report I think they call it something else, but Adversary One. That's when they started monitoring them, okay. At the same time, while they're monitoring them, like literally they're watching them exfiltrate data, they're like, well, that's not really important information. They were monitoring them to see how close they got to the background databases, okay, but they said, okay, that's not that big of a deal, and they were coming up with a plan to kill them, get them out of their network. But at the same time they did exfiltrate some data, and that data was essentially the blueprints to their network. It had network diagrams, usernames, passwords, things like that, right? It was all the information that they needed to continue their attack, right? This attack happened over many years, and that's usually how APT-type attacks work, right?
I mean, they get in, they start moving around, they escalate privileges, they try to stay stealthy, exfiltrate data when they can, and just try not to get caught. So now they have enough information to continue moving through the network. They know where the crown jewels are; they just need to get there. So around that same time, May 2014, a second adversary, which is likely connected, we'll talk about that later. Can you guys hear me okay? I feel like this mic is... okay, you need the mic, okay, I'll try. I hate holding mics.

So anyway, around that time they gained another foothold. Okay, now remember the contractors had already been breached at this point. What OPM was doing to give their contractors access to the network was giving them a username and password to VPN and connect into their network. Well, likely what Adversary Two did was use that information to access the OPM network, which they later figured out. Oh, sorry, back up. So they gained a foothold, got into the network. So now at this point, if they kick out the other guy, it's okay, because they have another foothold, and the other point about this foothold is that they look like a normal user, okay? They're logging in using the credentials of a contractor. So that's bad, okay? What would have fixed that? Two-factor authentication, maybe. Well, they weren't doing that. Their master plan to mitigate this issue with Adversary One was called the Big Bang, okay? And when they noticed Adversary One getting closer to the crown jewels, then they executed this plan and kicked them off the network. But as we know, it doesn't really matter, because they already had other footholds and they weren't monitoring those. So between June and August of 2014, Adversary Two starts moving throughout the network, okay?
He gets to the point where he's found the investigation data and starts exfiltrating that out of their network, and so at that point the data was out there, okay, and OPM has to come out and say, okay, we acknowledge that there was a breach. Actually, it was more, as it says here, in response to a press report, because people found out, hey, I think OPM has a breach. They didn't want to talk about it, but eventually they had to kind of own up to it. But they didn't really say, oh yeah, we lost background data. Matter of fact, what they did was they said, oh, it's just some old manuals, it wasn't really important information, so don't worry about it. Okay. Yeah, it's still kind of unclear as to exactly what they knew, but most likely they knew that, I mean, after the investigation, which we'll talk about a little bit more. Here's the thing, I should have put this in my disclaimer: there are a lot of political aspects to this situation. I'm not going to get into that stuff. I think it's worth you guys reading the report. It's only 240-something pages, but it's a page-turner, let me tell you. It's actually really interesting. That information is in there too, where they talk about the political aspect of it and exactly why decisions were made and who lied to who and things like that, but anyway, I'm not going to talk about that.

Okay, so moving forward. In December 2014 they've pilfered the OPM network at this point, got all the information they needed there, and they finally made their way over to the Department of the Interior's data center, and this is where they started exfiltrating personnel data records. Okay, that's where all that stuff was stored. So they exfiltrate that data. In March 2016, so OPM at this point has no idea, right? They thought, hey, we got this guy out, no big deal, right? Everything's good.
They weren't monitoring anything. They didn't put any extra controls in place to make sure that no one else is in their network at this point. They still think, hey, we kicked that guy out, we know what we're doing, right? Well, they didn't, okay, and they continued to pilfer even more information. They found fingerprint databases, like we said. I mean, that's pretty serious. In April of 2015, an IT contractor essentially stumbles upon something that might be interesting. Okay, they weren't monitoring anything. They didn't have the controls in place to figure out, is there an insider threat, is there a compromised machine on my network? They didn't really know, okay, so they just stumbled upon it, and the way that he stumbled upon it was there was a call-out to opmsecurity.org. Sounds legit, right? But this guy actually knew; he said, wait, we don't have that domain, that's kind of weird. So at that point they start investigating it, because they said something's wrong here, and at that point they had the "oh shit" moment, right, and they said, okay, we've got a problem. They're still in our network and they've been there for a long time, so we need some help. So moving forward, April 2016, at that point they actually called in Cylance. They had been working with Cylance in the past, and they had just decided we're not going to deploy their protection tools.
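The "we don't have that domain" check that the contractor made by hand, turned into a scan over DNS logs. This is an added example, not code from the talk or from OPM: the log line format, the owned-domain list, the org name tokens and the sample lines are all constructed for illustration.

```python
"""Flag DNS lookups for domains that borrow an organisation's name but are not
domains the organisation actually owns.

Added example, not code from the talk or from OPM. The log format, the owned
domain list and the sample lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Domains the organisation legitimately owns (constructed list).
OWNED_DOMAINS = {"opm.gov", "usajobs.gov"}

# Name fragments an impersonating domain would be likely to borrow (assumption).
ORG_TOKENS = ("opm",)

# Constructed log line shape: timestamp, client address, queried name, type.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    qname: str
    reason: str


def registrable_domain(qname: str) -> str:
    """Last two labels of a hostname. No public-suffix list is used, an
    assumption that keeps the example self-contained (so 'host.example.co.uk'
    would be reduced to 'co.uk'; a real deployment would use the PSL)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def mentions_org(domain: str) -> bool:
    """True if the registrable domain's first label borrows one of the org
    tokens, ignoring separators so 'opm-security.org' is caught as well."""
    flattened = domain.split(".")[0].replace("-", "").replace("_", "")
    return any(tok in flattened for tok in ORG_TOKENS)


def scan_dns_log(lines):
    """Return a Finding for each lookup of an org-lookalike domain we do not
    own. Malformed lines are skipped rather than aborting the scan."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname")
        domain = registrable_domain(qname)
        if domain in OWNED_DOMAINS:
            continue  # our own infrastructure: expected traffic
        if mentions_org(domain):
            findings.append(Finding(m.group("ts"), m.group("src"), qname,
                                    f"lookalike domain {domain} not in owned list"))
    return findings


def sources_by_lookalike(findings):
    """Group client addresses by the lookalike domain they resolved: the list
    of hosts to pull for forensic review first."""
    out = {}
    for f in findings:
        out.setdefault(registrable_domain(f.qname), set()).add(f.src)
    return out


# Constructed sample log: a legitimate lookup, two lookalikes, one unrelated
# domain and one malformed line.
SAMPLE_LOG = [
    "2015-04-15T10:03:22Z src=10.1.2.3 qname=mail.opm.gov qtype=A",
    "2015-04-15T10:03:40Z src=10.1.2.3 qname=opmsecurity.org qtype=A",
    "2015-04-15T10:04:01Z src=10.1.2.9 qname=cdn.opm-security.org qtype=A",
    "2015-04-15T10:04:15Z src=10.1.2.3 qname=www.example.com qtype=A",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.src} -> {f.qname}: {f.reason}")
    print(sources_by_lookalike(hits))
```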
Okay, they could have, and back in 2014 there were plenty of people who were saying, hey, we need to put this in place, but they didn't, even though they knew that there were adversaries in their network. They knew that they were a target. They didn't do it. And like I said, whether or not it's politically motivated, that's different. And then of course, pretty quickly, once they realized, hey, we've got a problem now, we need help, we need to get this person out of the network, of course they deployed the solution, Cylance Protect, and started identifying stuff. And I like this quote right here. The engineer that came in from Cylance, he said the tool literally lit up like a Christmas tree. They found so much stuff; within an hour it just lit up like a Christmas tree. So of course I'm sure they had another "oh shit" moment there too.

And May 20th, 2015, OPM, of course, at this point they've determined, yeah, we've got a problem, we've got malware all over the network, people have owned us left and right, I think we have to notify Congress, because they actually have a requirement to notify Congress when something like this happens, which is likely why they were downplaying it for so long. So they notify Congress. On May 27th OPM briefs the media. So at this point they come out and say, listen, we're sorry, we're so sorry, we lost your data. It's about 4.2 million records. Of course, we know now it was a lot more than that, okay, and they kind of downplayed it the whole time, right? They're trying to downplay it, not make it seem so serious. At this point US-CERT comes in and they're doing their investigation as well, and they also realize, hey, it's not just these 4.2 million records; there's also background investigation data that was stolen. Another "oh shit" moment. At that point the director, who was Director Archuleta,
she says, okay, yeah, we lost the background data information too. So she's kind of forced to acknowledge that. So in June, after 74 days of deployment of the Cylance Protect software, they had deployed it on 10,000-something computers and found 2,000 pieces of malware. Nearly one piece of malware for every five computer devices. That's a lot of malware on a network, and who knows how long it was there, right? Now we know after the investigation that the first piece they found was from 2012. If you work in defense, you know time to detection, time to remediation is key. If you don't find it within hours, likely they've already started taking your data and gaining a better foothold. So their network's completely rooted at this point. It's owned. What do they do? Okay, I would pull the plug, but at this point, what's the point?

But in July OPM comes out and says, hey, yeah, we need to update that number. It wasn't as small as we thought; it was actually 21.5 million people compromised. And of course, July 10th, Director Archuleta resigns. Very convenient. September 23rd, OPM updates the estimate about the fingerprints, because originally they said it was like 1.1 million fingerprints; now they say, no, it's actually about five million, but, you know, give or take a couple million, what does it matter? And then, prior to testifying before the committee, the CIO, Donna Seymour, resigns. So again, that's convenient, which delayed the investigation because now she's not there. Anyway, I won't go down that rat hole, but like I said, read the report. There's more interesting information in there.

Okay, so again from the report, the key findings. First of all, they failed to prioritize their data. In 2005
they took on all this background investigation information; they took on the responsibility of doing the background investigations and storing them, right? They had to secure it. That was their responsibility. But when they did that, they never changed their security posture. They never said, hey, we have even more important information, we need to secure it better, we need to put other mechanisms in place. So that's a key finding there.

Multi-factor authentication. So I think the federal government started requiring multi-factor authentication, I don't know, 2005, 2007. If anyone's involved with DISA STIGs and requirements like that, you know it's been there for a long time. Okay, they weren't doing it. The Inspector General said since 2005, hey, you've got to do this, you've got to put this in place. They still didn't, okay; even after this compromise in 2015, they still hadn't done it. I mean, come on. Usernames and passwords get stolen. They knew that they were stolen, okay, but they still didn't put this in place. So that's a pretty serious thing, right? To me, it's negligence.

They didn't encrypt the database. Yeah. So that's what they said. And actually, you can go on YouTube and watch the proceedings from when Congress was grilling them, and some of it is really entertaining. But they essentially said, well, our systems are too old to do encryption. Okay, well, that's a problem. We get that, but that still doesn't mean it's okay, right?
I mean, this is information that, if stolen, can affect lots of lives in different ways. So again, another major finding, that they weren't encrypting anything. Yeah, so sorry, I kind of already said this: legacy systems was their excuse. So like I said, they just didn't listen to the Inspector General. Another thing you'll find in the report is that there really wasn't a good relationship between the Inspector General and the OPM CIO, right, which caused a lot of political issues, and essentially they were just ignoring everything they said. The Inspector General came in and said, hey, you guys have got to do this, this and this, and we recommend this; they just said, okay, whatever, we'll do it, don't worry about it.

They didn't even have an inventory of what was on their network. Okay, if you're in defense, you know if you don't know it's there, you can't defend it. Okay, I mean, visibility on your network is key. So they had no inventory of what was on their network. Big problem.

Another key thing here, which is not a technical finding, but what they found was that OPM was only spending seven million dollars a year on cyber security. They were actually at the lowest level of all the agencies. And I'm just thinking about the Staples commercials, where the guy's like, hey, I just saved us all this money by shopping at Staples, right? Just think about that one. They were probably like, hey, our budget is really low and we don't spend that much money. Well, that's a problem, because that just shows that they didn't value that data.
They didn't see the value in spending money on cyber security. They were essentially the biggest target of all the agencies, and they just didn't protect it in that way. Two-factor authentication, that was one of the critical security controls, but there's a lot of other things. Obviously, if they're not doing two-factor authentication, there's a lot of other things that they probably weren't doing.

So this is an interesting thing. If you work in government, there's a thing called the Authority to Operate. It's essentially a sign-off where they say, okay, your networks, your systems are up to spec, they meet the requirements, and you get a sign-off that says you can operate them, okay? They didn't really care about that. Basically all the systems, especially the Personnel Investigations Processing System, which is where they input all the data and everything, had no ATO, right? They were ignoring it for a long time, which, I mean, if anyone works in DoD or government, you know an ATO is really important. So it's a big violation that way.

So I thought this is a key thing. It's hard to see here, but the fact that they had no logging, they were essentially doing no logging on the network or the databases, means there's really no way to know what documents were stolen and what the scope of the breach was. And another thing that they don't really point out too much in the report, but the truth is, because they don't have the logging, who's to say that they didn't modify any data, right? And that's a whole other aspect. They could have entered some... it's a nation-state; you want to get someone implanted, and here's your security clearance right here, you passed. And they had no way to determine that, because they weren't logging any of that information. So, a little scary.

So I skipped this slide.
Oh, I guess I didn't. As far as attribution... oh no, sorry, back up. So one of the indications, like I said, the report doesn't go too technical into exactly what the malware did and things like that, but what they identified was that the malware they did find was using a version of Hikit A and Hikit B. And I don't think I have a slide on it, but one of the interesting things that I found was I almost feel like the attackers weren't that sophisticated, because they were hiding it in a DLL whose name was linked to McAfee antivirus or McAfee Security, whatever they call it, and OPM wasn't running that. So that was one of the indications that there was a malware problem, because they found this file and they're like, wait, it's a McAfee file, we don't run McAfee. But the majority of the government and DoD does run McAfee. I know US Army, that's one of their main endpoint protection tools, right? So it's kind of standardized. So anyway, they were kind of guessing, but you would think that they would have done a little bit more recon to determine what they were really running.

But like I said, here's the other thing, and we'll talk about this a little bit more, but they were watching them take the data, okay? But the truth is they were never able to determine how they actually got entry. Like I said, no logging. So they still don't really know. They know they were there; they saw them exfiltrating data, eventually, once they were monitoring. But they still don't know, even after all this investigation, how they initially got in. Likely it was a compromised machine, right? Usually it's some sort of client-side attack over the web or email or something like that.
It's not too difficult to attack clients. But another thing that they realized too, later on, they said, okay, yeah, maybe the original data breach with the manuals and everything, maybe that really was a big problem. So then they acknowledged later on that, yeah, that data was probably used; those manuals and things like that were likely used for them to continue their attacks. So, interesting stuff. And because of that, they determined in the report that they likely could have stopped this when they were initially alerted by CERT that there was some exfiltration happening. When OPM came out and downplayed it and said, hey, it's not that big of a deal, it's just some old manuals, if they had put protections in place at that point they could have stopped it. But instead they downplayed it, and of course all the rest of the data was stolen, which is pretty serious.

I already talked about this one here, with opmsecurity.org. This is one thing that I talked about a little bit, but the Cylance tools were available to them as early as June 2014, okay, and like I said, they could have put those in place, they could have deployed them, but they decided not to, okay, even after the Big Bang. They decided not to purchase. They got a quote and they evaluated it, but they said, no, we think we got the guy out, so we're not going to buy it. Oh, and so you see here the CEO of Cylance said that their excuse was that there were political challenges on the desktop.
So if any of you have worked with government or in government IT, of course you know there's a lot of segmentation, and this group doesn't work well with this group, and there are political reasons for not doing things. Okay, so this is one major aspect of it. Once they put in the Cylance tools they immediately found... I don't work for Cylance, but they should probably give me a t-shirt or something for talking about them. But yeah, so they implemented Cylance Protect and it lit up like a Christmas tree.

So as far as attribution. Attribution is not easy. When I hear things on the news about, oh yeah, there's attackers, they came from Russia, listen, we all know that it's not easy to track attacks like these back, especially if you're not doing logging and things like that. So I always think that's interesting. But what they were able to do is, they're essentially kind of guessing, right? But based on the Hikit malware, they said it's likely the Axiom group was the people who put that there, just based on the fact that it was there. They don't know that for sure; someone else could have been using that malware, of course, but they attributed it back to that in the report. And then they also said that this other group, because they were involved with the Wellpoint and Anthem breaches, they attributed it back to them as well. They said likely they're working together. So they essentially said, hey, we think these two groups were probably working together, and there's tie-back of those groups to nation-states.
So that's when they start kind of saying, okay, we think it might be China. So in, I think it was somewhere in the 2015 time frame, the president of China was going to come over to visit with Obama, and there was a little bit of tension about this, right? Because at this point they're saying, "Oh, it was China. It was China's nation-state, his government, that hacked us." Whether or not that was true, we don't know. But there was a lot of pressure and a lot of tension, so China says, "Oh, we found them and we arrested them. Don't worry, we took care of it." But the truth is that China is known for throwing people in prison for doing things that maybe they did or didn't do, or maybe they did something else and they said, "Well, let's just blame this on them so that the US is happy." So anyway, it's interesting.

So the report continues. We talked about the findings, but it goes on to make recommendations, of course, like any good report should. I know this is a ridiculously small, complex slide, and it's meant to be, because honestly most of the recommendations in the report are political-type recommendations about CIOs and how you should hire them and make them accountable and make sure that they're competent. So I highlighted a few words in there, and I thought that was interesting, because they really did point a lot of it back to upper management, which is good. And that's why I put that disclaimer out there at the beginning, because we all know that most of the decisions are above our pay grade. But they also recommended a zero-trust model. To them that was a new concept, but we know it's not. Accountability, that was a big piece of it, right?
Which I thought was funny that it was in the report, because there really wasn't much accountability, which is the sad part, because a lot of people were affected by this, and a lot of people are still affected by it. I mean, if you had a clearance and had your SF-86 stolen, a lot of people are looking over their shoulders. If you have to travel abroad, travel to China, and you were affected, you're going to be looking over your shoulder and be a little bit paranoid. And how do you fix that? You don't. It's just out there, right? So it's sad that no one was really held accountable for what I think is gross negligence. But those are the recommendations that were in the report.

These are kind of my recommendations for how not to become the next OPM. First of all, you have to know the value of your data. If you're hired into a company, and your upper management, who are not knee-deep in security, say, "Yeah, we need you to do this job," right? The first thing you need to say is, "Okay, well, what kind of data are you holding? What information do we need to secure?" And based on that, that's how you start prioritizing things, right? Of course there are different regulations like PCI and HIPAA and things like that. Regardless of those, you really have to know the information that you're securing, and prioritize based on that what you're going to put in place and where you put those controls in place. But regardless, you've got to start with the basics. I mean, like we said about the report, they weren't doing encryption. Encryption is not a new concept, people. It's just ridiculous that they weren't encrypting their databases at all. They likely weren't even encrypting...
I'm sure they weren't encrypting the traffic over the network. But whatever they did, the attackers just had the keys to the front door anyway when they went and stole it. So, it's information that they needed to secure. Two-factor authentication, again, that's pretty simple. That's not a new concept. That's really important, especially for VPN-type access. You have a contractor, and you're giving them access to your network. First of all, and this is something I didn't add in here, you need to evaluate your contractors. If you're letting contractors into your network, into your databases, you need to evaluate their security too. Don't just assume that they're doing the right thing. You need to say, "Hey, you want to connect to our network? We need to know what you're doing for security, and we're going to do our own audit on your network before you connect." So that's an important thing.

Visibility. Visibility is key. Of course we defend our networks. We put firewalls and intrusion prevention and things like that in place. But we all know that eventually we're going to be compromised regardless. It's no longer if you'll be compromised, it's when you'll be compromised. So, having visibility in your network: east-west traffic, not just north-south. If something calls out to a C2 through our edge IPS, well, we might see that. But what about the traffic when they're traversing your network? Once your system gets compromised, the first thing they're going to do is pivot and start moving laterally across the network, pulling out data. How do you see that if you do not have that visibility on your network?
I won't go into the technical details of it, but there are a lot of things you can do, a lot of really good tools these days, to be able to identify that information. And at the very least, know what's on your network.

Address the roadblocks. This is kind of a political-type thing, but we all have those roadblocks in our environments, as far as how do I get shit done, right? How do I convince my management that I need to put these security controls in place? So you really need to address that stuff. A lot of it goes back to the value of your data. If you can go back to your management and say, "Okay, listen, this is the type of information that we need to protect, and this is why. This is why we're a target," that goes a long way toward opening up those roadblocks.

Plan for after you're compromised. Most of the time when we spend money on security controls and defense, it's defense, right? We're defending our network. Most of the time, the bucket of money we spend on what comes after, the remediation, the forensics, that type of stuff, is very small, and we usually don't think about it until after the fact. So my recommendation, as far as architecting your security solutions, is to think about that: think about what I would do if I were already compromised, and build your architecture from there.

Accountability. That's the last thing on there. It's really kind of complicated, because how do you hold people accountable for the fails? But the truth is you have to. It's a really challenging concept, but you have to hold people accountable for what they're responsible for. And that's all I got. Damn, that was perfect timing.
I can't believe it. [Audience question, inaudible] No, I mean, I think you've got to start with requirements, guidelines, things like that, but the truth is it comes down to your data, right? It comes down to what you're securing, to determine what the priority level, what the security level, is. Because of course everyone wants to put the best security controls in place, but you usually don't have the money to do that, right? So sometimes they have to accept the risk. Well, based on the data that you're storing, that determines how much risk you can accept.

[Audience comment, inaudible] Yeah, I mean, that's another aspect that should have been on that recommendation slide: air gap. When it comes to stuff like that, if your network or your data is that important, that sensitive, you need to put it on an air-gapped network.

So yeah, you've got a question? [Audience question, inaudible] They didn't go into that. I would love to know, actually. I was hoping that he was here. So if you are, come tap on my shoulder over at the village, I'll be across the way... Huh? Who you're looking for? Oh, no, he was talking about the OPM contractors. It was an error? Oh, no. Yeah, they didn't talk about that, but I'd love to know as well. Any other? [Audience question, inaudible] Like I said, I wasn't going to go into the political aspect of it, but I'll give you my opinion. Yeah, the accountability part of it, like I said, that was just another big fail, right? Yeah, exactly. Yeah, yep, exactly. Yeah, sure. Yeah, right. No, it's true, it's true. But as far as doing the basics, they weren't even doing the basics. That was the point, right?
I mean, it all works together, right? Two-factor authentication, encryption: if you're not doing the basics, then everything's going to fail. Yep. Anyone else? All right, thanks everyone.

Ron Taylor, everyone. Thank you so much, Ron.