
Episode #29 - Social Engineering: Minimize the Exposure of Human Error

This week, the guys discuss Social Engineering - the most common way cyber criminals get access to their targets. They discuss the controls smart companies are implementing to prevent their staff from falling for cyber-criminal scams and how to minimize exposure resulting from human error.



This week the team talks about social engineering in cybersecurity. Is phishing social engineering?

Find out on this week’s podcast. Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

Headlines: 

Proofpoint’s Voice of the CISO 2021 Report Reveals Two-Thirds of Global CISOs Feel Unprepared
Microsoft Warns: Watch out for This New Malware That Steals Passwords, Webcam and Browser Data
Executive Order on Improving the Nation’s Cybersecurity
All Wi-Fi Devices Impacted by New FragAttacks Vulnerabilities
Millions Put at Risk by Old, Out-of-Date Routers
App Tracking: Apps Plead for Users to Press Allow, but 85% of Apple iOS Consumers Are Not Opting In
U.S. Intelligence Agencies Warn About 5G Network Weaknesses
Microsoft Outlook Bug Prevents Viewing or Creating Email Worldwide

Transcript

welcome to the cyber rants podcast where we're all  about sharing the forbidden secrets and slightly  
embellished truths about corporate cyber security  programs we're ranting we're raving and we're  
telling you the stuff that nobody talks about on  their fancy website and trade show giveaways all  
to protect you from cyber criminals and now here's  your hosts mike rotondo zach fuller and lauro  
chavez hello and welcome to the cyber rants podcast this is your co-host zach fuller joined by mike
rotondo and lauro chavez and today we are having a  conversation about social engineering uh some call  
it human hacking manipulation of people to get  into uh their network environments their sensitive  
data and so on so we'll dive into that topic but  before we do mike you want to kick us off with  
the news yeah and just you know the dovetailing of that here's a good headline for you proofpoint's
voice of the ciso 2021 report reveals two-thirds of global cisos feel unprepared to cope with cyber
attack uh that should make you feel good uh 66 percent of cisos feel that their organization is unprepared
to handle a cyber attack and 58 percent consider human error to be the biggest cyber vulnerability
proving that the work from home model and that's necessitated by the pandemic has tested cisos like
never before so that kind of maybe dovetails  into some pipeline that may have had a problem
humans don't screw up never it's the machine it's always the machine it would be great if it
wasn't for the users so so easy yeah microsoft warns watch out for this new data according to
microsoft there's the phishing emails distribute a loader that delivers a revengerat or asyncrat
this campaign uses emails that spoof legitimate organizations with lures relevant to aviation travel
or cargo from yesterday they came out with a  new executive order on improving the nation's  
cyber security i started to read this and then  fell asleep hit my head and forgot all about it  
it's about 10 12 paragraphs long typical  bureaucratise but long story short the feds  
are getting more involved with how we're going to  do things from a cyber security perspective i do  
definitely recommend that you read it if you deal  with the federal government in any way shape or  
form especially if you're in the forest or d4  space so um or if you have sleeping problems  
or if you have sleeping problems yes it's great  at 2 a.m i fell asleep this morning again reading  
that so it's great at 8 am too microsoft outlook  bug prevents viewing or creating email worldwide  
we've identified the underlying cause of impact and are applying a fix according to microsoft
um basically you need to restart your email  client to apply the fix in some circumstances  
microsoft just keeps having a bad what 20 years shining light on darkside ransomware operations
mandiant has identified multiple darkside victims out there they're the ones that did the colonial
pipeline these guys have been around for a while but they function mainly as a as a ransomware for
sale so what they've got out there is available for anybody to use so really tracking them down to
who did what may not necessarily be darkside doing they're just providing the service so
something to keep in mind that that that is  still out there and there's some very serious  
people doing dealing with us so this is a little scary all wi-fi devices impacted by new fragattacks
vulnerabilities this basically includes every wi-fi device since 1997. so uh there it
and that includes wpa3 um but it's basically  there's a flaw design flaw in wi-fi 802.11  
in the frame aggregation so needless to say every  wi-fi device is potentially impacted by these new  
frag vulnerabilities look into it though it's  pretty hard to exploit uh but it's something to  
be cognizant of at least um hacking kerberos with as-rep roasting that's rep uh kerberos developed
by mit is a network authentication protocol used  in active directory if you didn't know that runs  
on port 88 and basically there's a hack out there  for it sorry i didn't do enough research on that  
one to explain it adequately this one i like app tracking apps plead for users to press allow but
85 percent of apple ios consumers are not opting in and good for you 85 percent of apple ios consumers
don't let them track you uh basically ios 14.5 uh allows you to opt in or opt out of allowing
apps to request you to be tracked and so far only 15 percent of people worldwide have done so so
um and that's good news because there's far more  too much control over us from a tech perspective  
and with that that's all the headlines so lauro do you have anything yeah i got a
couple things from the exploitable space and cyberspace today mainly talking about epic
games again so if you remember last week we talked about the anti-cheat local privilege escalation
now we've got another stack buffer overrun for  rocket league why why are you messing with the  
games that we like to play why i don't know so if  you've got kids out there playing rocket league  
um make sure that you you've got them updated on  the most current version typically the games will  
make you update but sometimes without an internet  connection you could be playing these games on a  
local area network it could make you vulnerable  to this um to this type of uh of buffer overrun  
but that's all we have today for exploits in the  wild outstanding well let's talk about social  
engineering it's uh one of those things that is  very very relevant because the human element is  
almost always the weakest link in a  cyber security program so it's important  
for listeners to understand the people building  cyber security programs to really take this  
seriously i think a lot of people take a kind  of check the block approach like yeah we did  
some training and and checked that block this  year but really our aren't as effective as they  
could be and as a result attacks occur but first  of all let's talk about what it is uh social  
engineering is the uh i i i wouldn't like to call  it manipulation so much right because it can be  
used in a lot of good ways right people use um  social engineering basically to elicit response  
in different ways from different people right  and so it could be a doctor or a psychologist  
working to get certain information out of a  person it could be a salesperson through the sales  
process trying to collect information in order to  hopefully help make the best decision for their  
client or prospect so it can be used in ways like  that but it can also be used in harmful ways right  
and if we can pull on the emotions of people and  get them to reveal information that they wouldn't  
otherwise we can collect sensitive information  that could be used for bad for harm right and  
that's what cyber criminals do each and every day  we see probably the most by far the most common is  
of course your phishing emails that come through  right it's supposed to look like something that  
is legitimate something that you would click on  your fedex package is delayed or your office 365  
username and password need to be changed  there was some problem you know that the it  
team is telling you about things like that  are very very common so of course i think  
most of us are familiar with phishing emails it's common but there's also vishing right so over the
phone essentially voice phishing a variety of other ways even in person
social engineering happens constantly right so you  can you can even take this back to um different  
realms in the uh government right in in the  intelligence community with elicitations with  
interrogation that sort of thing um getting  access and placement places you couldn't have  
without it so that's a high level overview  there are a lot of different definitions  
depending on who you ask what social engineering  is but in essence just think of performing  
some sort of acts that get people to perform in  a way that maybe they wouldn't naturally would  
wouldn't otherwise and reveal uh information  so it's not good or bad but today we're talking  
about it in the bad sense right from the cyber  criminal perspective so a couple things to watch  
out for and then i will shut up i promise but  familiarity is a big thing right they say i  
you know i know so and so or so and so in it  told me to reach out or they may act like they  
know something about the inner workings of  the company maybe they're acting like a vendor  
something like that that's very very common  urgency is another emotional string that they pull  
we have to have the answer by tomorrow we need  this information quickly because the big boss is  
requiring it um you know authority people taking  over the position of a leader in an organization  
maybe by spoofing their email for example saying  that they need certain information the list goes  
on and on i won't go through all of them today but  those are some very very common approaches that  
cyber criminals use to pull the emotional strings  of their victims and collect sensitive information  
so hope that's a good overview mike lauro you  have anything to add about what it is anything  
that i miss that you would like to cover before  we dive into the rest of this i think you got it  
all in the podcast yeah thanks for doing all the  talking dude that was great and we're out of time  
then we're out of time want even more cyber rants  be sure to subscribe to the cyber rants podcast  
get your copy of our best-selling book cyber  rants on amazon today this podcast is brought  
to you by silent sector the firm dedicated to  building world-class cyber security programs  
for mid-market and emerging companies across the  u.s silent sector also provides industry-leading  
penetration tests and cyber risk assessments visit  silentsector.com and contact us today that's great  
we talked about what social engineering is now  let's get into the meat of this why are we here  
the purpose is to help people understand well what  do we do about it we know it's out there we know  
it's prevalent the vast vast majority of attacks  happen because of some sort of social engineering  
manipulation uh especially through email but  certainly through other ways i think to start off  
you know what's what's the obvious one as far as  preventing these attacks right probably training  
right staff awareness man just being grounded  you know i mean yeah staff awareness is helpful  
you know things like knowbe4 are helpful but my gosh you know just i think if people like just
take a moment longer to digest what's happening  instead of kind of having that emotional reaction  
when they see the message um that would be i think  that would help everybody and and real quick let  
me talk about something real quick because you  know if you didn't know out there in the community  
i am a very big target okay i get smishing and  phishing and email crap sent to me all the time  
it never works all right and and the reason it  never works is because a i'm expecting it and b  
i look at all the original i show the original  text on the email i look at the email root  
of you know message so i can see where the sender  is where it came from the mx record the whole bit  
of it right and and one thing i think is  interesting that i've seen recently that  
i think is a a pretty sophisticated approach to  social engineering was on social media instagram  
so we have to on instagram facebook keep keep in  mind okay there was a little thing going around it  
was like hey fill this out and pass it on and it was like your favorite color your mom's maiden name
um your maiden name before you were married the  street you grew up on and i kind of looking at  
these and i had a friend of mine send it to me  you know and yeah i was following whatever so i  
showed up on my feed it was like hey complete this and send it back out to all your friends
when i started looking at those questions they  they became very familiar to me i was like that's  
interesting those are the same types of questions  that security questions typically are worded like  
right when you have security questions enabled  for your bank or whatever right um as a method to  
verify who you are right that that that identity  factor so they're using a very sophisticated form  
of social um engineering right on social media so  it's it's it's like social engineering on social  
anyways i like saying that so um be leery of that  okay when you see these things come through from  
your friends and they're like hey fill out the  stuff and you know what's your favorite color  
what was your pet's name right what year were you  married that sort of thing it's like to build like  
a little profile on you it sounds like it's a  fun game to play with your friends so that you  
kind of know each other more i guarantee you cyber  criminals are fronting this and they're taking all  
of that data back and they're profiling everybody  and so now they have you and they have all the the  
particulars about you right your favorite colors  your pet's name things that you might use for a  
security questionnaire and so that's probably one of the more um kind of camouflaged phishing
campaigns that i've seen shortly during  campus i've seen come up in in recent days
a long time ago too though i mean it would be like  what you know what star trek character are you  
figuring out throughout this quiz right or what  you know what's your personality traits fill out  
this quiz and i think facebook use that as social  engineering to develop profiles on people as well  
oh absolutely it's not absolutely criminals that  are doing it it's also businesses that are doing  
it in order to develop you know profiles to send  you ads and and provide that sort of thing to  
you um in order to manipulate you or get you to  buy certain products or just determine what ads  
get shaped to you as well um just  a dovetail on what lauro said about  
him being a target anybody in cyber security  right now um is a target and starting with ig  
yeah we started with google's threat  group um that got hit up with uh you  
know just some malicious stuff and i think we  talked about a news story a week or two ago  
uh but yeah anybody in cyber security is a target  so be very careful out there about answering that  
sort of thing and be careful what you're putting  on your social media so something i get i get  
text messages it's like oh hey lauro i see that  you're an author you should um you should try  
to uh you know write a book for us and then  they have a obscure link and a text message
don't click on links and text messages unless  you know the question you know there you go i  
don't even know links that you guys  send me so whatever noted i noticed
you know what what this brings up is an  excellent point i think i think we should also  
explain very quickly before we actually get into  the the how-to part of this but um what you're  
what you're referring to is is basically putting  all this information out there and cyber criminals  
and and others law enforcement such use osint or open source intelligence to gather information
about their potential targets right and so the  more information that people are putting out there  
the easier it it becomes for anybody to really  collect that data and really build a profile so  
it's pretty amazing how freely people are posting  on social media and such because they think it  
just goes away or it's only shared with their  direct friends or whatever but it's amazing how  
easily you can bypass these systems and get to  get to photos and what you can pull out of those  
photos in terms of metadata information about  where they were taken times and all that uh all in  
there and even types of devices um so it's uh you  gotta be very careful about what you're readily  
putting out there because again most people  can build a complete most people that do this  
for a living whether you know legitimately or  not can build a very very robust profile off  
of somebody even people that think that think  they're not using the internet very much or not  
involved in um some of the stuff online social  media and that sort of thing there's still a  
lot of data out there to be collected so anyway segue um into you know one of the worst things
you can think is that i don't have anything worth  stealing yep absolutely well let's talk about  
let's talk about we started um and you know  all excellent topics but staff training  
and cyber security awareness i mean i'm happy  to share our approach and kind of generally  
what we see which is in a nutshell repetition  is far more effective than doing a one long  
drawn-out presentation once a year right so we're  usually down yeah it just it gets when people are  
having to you know set aside an hour or two their  work once a year or just kind of sit through this  
powerpoint it's just it just does not work but  um there are plenty of great platforms out there  
by knowbe4 and wombat and barracuda and all these different companies are now have
their own phishing and training platforms with good content um videos are you know high quality they
gamify the content you know they have quizzes  and all that but you really need to have a  
security awareness training platform within  your organization because it also makes life  
a lot easier as far as tracking and compliance  you understand who took the training who did  
not anybody that gets onboarded and added to your  you know active directory will automatically get  
their training you know all that can be set up and  automated so it keeps it much much easier and the  
content is out there so you don't have to develop  it yourself but with that you also want to keep  
people on their toes as far as doing phishing emails test phishing emails right if people are
you you'll start to see when you're using these platforms that you have repeat offenders
and certain people are more prone to clicking on phishing emails than others
and so they should get remedial training and all  that but that's the recommendation um if you're  
still doing it the old way or not doing training  at all just know that it's easier to set up than  
you you might think and you can have a really good  program in place customized to the audience to the  
type of people in the organization the roles all  of that um and they're much more effective than  
they they've ever been well keep in mind it's also  indefensible at this point to say i can't afford  
a cyber or cyber security training program they're  not expensive anymore yeah we're talking no you're  
spending you're spending more money filling your  vending machines i guarantee you yeah you know um  
you're right zach and you know repetition is key  here and and here's here's what i i want to point  
out is that the last um forensic investigation  we did was due to a ransomware attack right they  
they were asking for about three million kind of  the same thing as this pipeline situation and the  
way that those individuals got in was through a  hundred dollar amazon gift card email clickbait  
clickbait your people okay they're they're they're  humans they're gonna see something that they're  
like man that's a hundred dollars that i needed to  buy the thing that i wanted on amazon okay and so  
if if that repetition of training for those um  for those types of emails aren't aren't being um  
driven weekly monthly however on a tight schedule  they're gonna forget and they're going to click  
and and you're going to be in the same situation  that you know hopefully not but you're going to be  
in a very similar situation as anybody else  has been in a ransom attack um and it's not  
a good place to be and so that repetition that  zach's talking about is key you have to have that  
security awareness training program you have to  be invested in that program and you've got to get  
every one of your people trained and the cool  thing about um as zach was alluded to there's  
these reporting platforms that come out and so as you know we we used knowbe4 okay whatever it
doesn't matter what you use but they all have similar capabilities right and so you can see
that peggy in sales or bill in sales doesn't matter right is repeatedly clicking
on everything you send them so you get like a  clickers report right and so we can talk about  
the five people in the last campaign that we  ran out of 50 people these are the five people  
that tended to click on stuff and we can send them  remedial training now to say okay look you clicked  
we know you like to click but let's not click so quickly but let's kind of look at some things
so we can send them now extra training right  to say okay you've got that you know click  
machine go far but you need to stop with that  and kind of digest the contents of the email  
you know if it's too good to be true it  probably is right so if you don't see this  
just like counterfeit money right or i like to  call it like fake antiques if you ever watch  
pawn stars right i know you have mike right where  the guys come in with like this old firearm he's  
like this is from the french revolution oh yeah  it's worth a million dollars and they're like  
no this is a reproduction from like 1980. it's  worth two bucks right right but but those those  
guys um at the pawn star right you know these pawn  shop owners would if they didn't see the stuff and  
and converse and and and research with  experts they would be vulnerable every  
time because technically that's a form of social  engineering right that now the person may not be  
purposefully doing maybe they truly believe  that this is a french revolutionary weapon  
because their grandpa gave it to them or something  right so they're they're trusting that word  
and that's what this is that's really what social  engineering is right it's abuse of trust yeah  
very much so yeah it's pretty interesting well  you know you you can implement a good training  
policy you know and and peggy and bill are  clicking anyway so um that you need to give them  
what what's that this is a family show what peggy and bill do in the privacy of their home
yeah so clicking on emails man clicking on emails  okay why why are peggy and bill clicking on amazon  
gift card emails at work anyway that's not that's  seriously so so speaking of which let's talk about  
policies right i mean that's another big thing  is you have to have people understand what they  
are uh supposed to be doing and not supposed  to be doing in the workplace so what types  
of their work computers yeah exactly exactly yeah  so be in the workplace being their their couch at  
home or whatever it happens to be these days but  what types of policies would you put in place to  
prevent prevent social engineering threats that's  a good question the exact acceptable use policy is  
the first one yep acceptable use yeah i echo that  absolutely and it's got to be it's got to be very  
well it's going to be very concisely written and  here's the other thing is you need your you need  
your humans to read it and sign it yeah and uh one  of your one of your security training platforms  
will probably allow you the capability to put that  policy in there as part of your security awareness  
so when they're done getting their security  training they have to read the acceptable use  
policy and sign it before they're finished with  their training which makes it really nice yeah  
yeah it's it's it it's amazingly how i mean you  have to just get so granular anymore these days  
and you have to specifically talk about social  media especially on company owned devices um  
and you know you want people to be able to  feel free to you know if they're especially  
if they're traveling and they're traveling with  their laptop yeah you want them to be able to go  
check on facebook well i personally don't but  you know normal people probably do um they you  
know so you want to give them that freedom to  a certain extent but however you really have to  
define what they can and cannot do and it has to  be granular and there have to be consequences um  
and that's one of the biggest things that i  don't see you need the carrot and the stick  
um you know yeah enforceability is a big deal  and and now the policy statement should have a  
violations of this policy statement right if you violate
this policy you're subject to you know  not only prosecution if you break a law  
right but you're going to get fired too right  and if they don't read that and understand it  
they can't really be held it's hard to hold them  in in a court of law right when they're like  
we didn't know about this you guys didn't train  us and the attorneys would be like is that true  
you know but you didn't you didn't train him at  all well he you know and to your point mike you  
know it's a cultural decision right some companies  are like oh our people can do whatever they want  
on their company own devices and i'm like we  have companies like that we're like okay okay  
let's just hope you've got really good endpoint  protection and good security training because  
something's probably going to happen if you  let them do whatever they want and then other  
companies will lock down web filtering so  far that you can't do anything but business  
related websites right and so it's it's a  cultural decision that the business needs  
to make it's like you want do you guess you want  your employees to be happy and you you kind of  
inherit some risk with that letting them you know  be happy on the internet do whatever they want  
um there's something great about that but you also  incur as a business and a level of risk when you  
do that versus cutting everything off and then you've got kind of a more cantankerous work group
but the risk is lessened right so it's  like it's one of those weird decisions that  
every business kind of has to make yeah  you've got other risks this yeah employee  
turnover and and all that it's staff you know  effectiveness if they're miserable is going to  
decrease so yeah but you need a policy acceptable  use policy just like mike said and you need to  
have a security awareness and training policy  probably right and you can put it in your data  
security policy doesn't matter where you put it  but you need to have a statement that the company  
um acknowledges that security awareness and  training is required to to build a a strong  
security culture in the organization a very wise  security culture would be better and um you you  
you have that in a policy to basically say that we  as a business have decided that this is important  
to us and we're going to train our users and then out of that comes an acceptable use right that you
say okay now these are the acceptable things that  we expect with our equipment that we issue you  
and you have to make that user sign to that  and then you've got to give them the training  
yeah and the other thing that that really will  hammer that home is teach them how to do it for  
their home and make them understand that this is  valuable not just at work but at home it's good  
at home practices not to click on phishing  email not to click on the stuff at home  
because you're a target at home as well and let's talk briefly before we wrap up here about technical
implementations right i mean obviously if you  know so for example people maybe they can they  
can't access social media on their work computers  but they can on their phone that they bring to the  
office right obviously you want to have a separate  network segmented out from everything else  
in order for them to do that if you're going  to allow them to access facebook on their  
breaks or whatever for example what types of  technical implementations would you recommend that  
will prevent these human mistakes from allowing  an attacker to get too deep into the environment  
so segregation of and so you know you so go into  the policy in there right bring your own device  
policy you know if you're gonna if you're gonna  allow users to operate their own equipment  
usually phones within your corporate network you  should define that byod policy so that you kind  
of understand what risks are there and what what  actions are required by you and the user and then  
you've got to have the architecture to support  that type of risk right and so zach's alluding  
to if they're going to hook up wireless  on their phones you should have a guest  
network for them um or a privatized corporate  network that allows them to connect their mobile  
phones but only only provides like internet access right because those smishing attacks were going
to come to the phone right those malicious text  messages the links are going to come to the phone  
as well as to that computer right and so  you you don't want them clicking on a link
exactly and and you know that byod policy  has to be pretty bulletproof and it also  
has to address any data are they allowed to access  corporate confidential corporate data or anything  
of that nature from their phone and if so what happens when they leave is there a wipe policy
do you is the you know what if they leave under  not so good circumstances and they're working  
remotely how do you get that thing wiped  how do you get that thing dealt with and  
um that should all be part  of your byod policy as well  
a bidet might reach i anyway so yeah yeah  and you have to make a decision right do you  
want it and and i think a lot of organizations  will say oh it's cheaper for us if we just let  
users use their phone and you know that that  may be true but now you there's this whole  
kind of loss of centralized management and  device management that you don't have now  
when you when you let them bring their devices because you can't as mike stated right there
maybe there's you have to let them download an  app or so you can do some remote wiping right  
capabilities minimum things like that if you issue  the device you have 100 control over the device  
control over its configuration control over  its updates patches security the whole bit  
um that you don't get when you allow a user to  bring in a personal device so i think that you  
know that's something you know like mike said  that that byod policy has got to be very concise  
it's going to be very well thought out  because it the the whole idea of bringing in  
uncertified uncertified hardware into your  certified architecture it you know can cause  
risk and you you know as a business you need  to you know first understand that and then have  
something in place to at least try to mitigate it a little bit and then byod is a great idea for that
um a better idea is probably not allowing that  type of activity if you care about inherent risk  
to not allow the activity at all which i'm sure  a lot of users will be mad at me for saying that  
i think it depends on the industry right depends  on the business if you're a nuclear power plant  
you're not allowing cell phones to come into  sensitive areas right i mean i'm pretty sure  
if you're a marketing you know small marketing  uh firm you know then that's a different story  
so yeah and then one of the other things  that you have to add to the byod which is not  
necessarily a social engineering thing but  as a risk thing is we will only allow you to  
use devices that are you know still supported  you know you can't pull out your apple eight  
iphone eight and you know put that on our network  you have to have uh you know 10 11 12 or whatever  
the last three are um that sort of thing so that's  an important key as well and no androids period oh  
that's okay i i can bring my blackberry  though right because i have one of those  
that's fine that's fine well well hey we  are uh running past time here but um this  
is a interesting topic and it goes very very  deep there's some great books on it out there  
i'm sure we'll talk about it again in the  future but the main thing is just know that  
social engineering is out there people are using  manipulation of the human element in order to  
be successful in attacks and it's happening  every single day and criminals are successful  
every single day with it so we need to be aware  of that most important thing is understand what  
you can do about it and there is a lot you can  do about it there's no such thing as perfect but  
can go a long way so mike lauro any final thoughts before we wrap up well yeah just keep
in mind that you can go through all this and be  100 dead-on have everything wired tight and you're  
still gonna it's still gonna happen at some point  or another so yeah but it doesn't mean don't try  
oh no yeah well yeah i was gonna say um i i you know a real wise man told me this once fuller
um what was it imperfect action is always better than perfect inaction so do something
right do something do something and when you  do something if some if a breach does occur if  
something happens at least the chances are it  will be mitigated much more quickly and a lot  
less damage will occur if you're doing something  and being proactive so get out there be proactive  
make it happen but if you like our podcast please  hit subscribe let us know topics of interest  
and uh reach out with any of your ideas or  suggestions on what you want to hear we will be  
happy to cover those thanks a lot and have a great  day