Andy Jenkinson is the Group CEO of Cybersec Innovation Partners (CIP), the United Kingdom’s PKI and cryptography governance and management team of experts. Jenkinson is also a member of the International Advisory Council HHERF. He has been an authoritative voice in the space for 25 years and has managed a large team of IT and cybersecurity projects for companies like British Telecom and Virgin Media.
Jenkinson, while working with CIP, has found an alarming number of flaws and misconfigurations in websites and webservers run by some of the biggest players in government, healthcare and even cybersecurity. Speaking about this pressing issue and the frustrating ignorance, complacency and complicity that he’s seen, Jenkinson remarks:
“Misconfigurations of websites do account for a very large percentage of issues. But equally, I would guess we find 15 to 25% of websites not secure because of invalid certificate. … And [this] means there are huge exploitable vulnerabilities today in the ecosystem.”
In this episode of Cybersecurity Unplugged, Jenkinson discusses:
- The correlation between the increase in website numbers over the last 20 years and the increase in cyber losses;
- Why governments building offensive security capabilities incentivized ignoring defensive security;
- How some of the biggest players in industry are their own worst enemy when it comes to security;
- His thesis for how we can get out of the seemingly insurmountable web of vulnerabilities.
CLICK HERE for a full transcript of the conversation.
Steve King 00:04
Welcome to cyber security unplugged the cyber theory podcast where we explore issues that matter in the world of cyber security. Good day everyone. I’m Steve King, the managing director at CyberTheory and today’s episode is going to focus on one of the primary causes of cybersecurity breaches. Joining me today is Andy Jenkinson, the group CEO of CIP. That’s the United Kingdom’s PKI and cryptography governance and management team of experts. Andy’s also a member of the International Advisory Council, HHERF. Andy’s been an authoritative voice in the space for 25 years. He’s a very real cybersecurity expert. Also raced an Aston Martin, and was the owner of a motorcycle mountain racing team. And Andy has also managed a large team in excess of a couple of 100 folks on a variety of IT and cybersecurity projects for companies like British Telecom and Virgin Media. So welcome, Andy. I’m glad you could join me today.
Andy Jenkinson 01:14
It’s my pleasure, Steve. Thanks for inviting me.
Steve King 01:17
Let’s start with talking about the apparent growth of non secured websites. And then, if you give our listeners a little background into what CIP’s about, and then how exactly in your opinion, does non secured websites contribute to breaches? And if you give us a few high profile breaches over the past few months, and where that was the entry point for the bad guys.
Andy Jenkinson 01:44
Okay, great. Let’s make a quick start. CIP was set up on the back of a NATO military installation infiltration that was found to be utilizing the same methods of attack that Stuxnet used and as in as much that it was using malicious code laced within digital certificates. And as we all know, public key infrastructure (PKI), is something that no company actually has full visibility of. Hence why it’s was first used for the first ever digital weapon, and right up to date to the SolarWinds attack and the upgrades and the digital certificates that also had malicious code Sunburst on. So we were invited to, our team were invited, and Dr. Alex in Germany was invited at NATO clearance level to look at this for them. And he did the rounds with a number of companies that we all know and love that are certificate lifecycle management companies. And the challenge they had, Steve, without being too technical is they were looking after fractional management of X.509 certificates. They weren’t looking at the full suite, they certainly weren’t looking at PGP keys or SSH keys. So they were doing fractional management and they lacked the discovery capability. This is the real key differentiator between white form and anything else in the market and what we do. So they actually sat down with the people at NATO, and they decided that they would actually start building their own. And because they were PKI experts and data experts, they built the most incredible tool, which is white form. I was invited to set up CIP to evangelize PKI the importance of that. And although it’s been around since the 90s, when it first was globally accepted, after the world that the NSA and GCHQ had done on encryption and decryption and certificates and keys, all stemming right back all the way to the Enigma machine type of things, which people will be very familiar with. But this is the digital equivalent. It authenticates everything. That’s users and devices. And unfortunately, it’s been abused for nearly as long as it was actually put in place since the 90s. Stuxnet itself was in 2008-2009, as you know, and all the way up till December last year, when our friends at SolarWinds were breached. And as we know, the malicious code Sunburst was put into upgrades and certificates. So that’s how it started. If we look at some of the high profile cyberattacks that we’ve witnessed, particularly ransomware I think I sent you an email earlier today. There were two major health care sector companies that were breached this week. One I’m not even sure how to pronounce but it’s Eskenazi Health and Stanford Health. And what we do constantly and we’ve done this for over 1000 companies that have suffered a cyberattack or ransomware attack, and both you and I and Matthew and others are quite vocal about this. We use the word victim quite loosely without too much empathy in this day and we’re getting quite hardened to the attacks. The reality is a lot of these companies, and all the ones we’ve researched over 1000, have had sub optimal websites or web servers. When I say sub optimal, that’s a polite term for saying insecure and not secure websites, the two variants there just to put some icing on the cake for people’s an insecure website, for the casual visitor may looks secure, it may demonstrate and display a little padlock in the address bar. But through misconfigurations, which is the normal situation, and there are a dozen, two dozen metrics to actually ascertain that from cross site scripting all the way through to content, third party content to many, many other metrics. One only has to look at OWASP’s top 10 to see the vulnerabilities of websites that can be abused and exploited. So that’s what an insecure website, it looks secure, but possibly is not. But then you get to the other extent, which is like schoolboy error when a website is not secure, and it actually displays not secure in the address bar, which means the SSL is invalid, expired or incorrect. And typically behind both insecure and not secure websites are a plethora of vulnerabilities that are easily exploited. Why is this important? This is a real case, and this is a bit people are not still understanding. And you and I bat this around constantly, two reasons. One, post 911, the terrorist attacks, the government’s decided they wanted to have better controls on the digital sector. And they did everything they could. And revelations that came out in the Ed Snowden book sometime 2012-2013 actually shared some of those tactics and methods, that’s absolutely fine. We understand the rationale behind it, whether it was illegal, whether it was right, wrong or indifferent, doesn’t matter here. What we do know is that blueprint of infiltrating websites and exploiting vulnerabilities, I’m sure you know this, but you can actually get a certification in offensive website security exploitation. Actually, a lot of governments look for that certification as part and parcel of a prerequisite to recruit from. The very same tactics and methods are now being deployed using open-source intelligent (OSINT) technology, to identify as part of reconnaissance from cyber criminals, organizations that have these vulnerabilities that can be exploited easily. And on the dark web. As you know, you can go and buy these things left, right and center, you can even group up with a gang of cyber criminals who will actually do the ransomware. Typically, we find the attack isn’t sophisticated, but the malware may well be. But it may be also repurposed and used many times over the access is the part that we focus on.
Steve King 08:05
Accesses is kind of our new perimeter now, right? I mean, the ability to identify folks who are visiting is the key to at least figuring out what the entry point for what’s going on. You recently investigated the TSA DHS role with CISA and US both, as you just mentioned, along with HackerOne Research and Intelligence. What does that look like in terms of the effectiveness and validity of the TSA and DHS, and then the whole US government’s overall security position and capability?
Yeah. Thank you, Steve. I’m no shrinking violet, it’s fair to say, people say, you know, “Why are you calling some of these things out?” Reality is, we’ve hardened, as I say, a lot of us in the industry to say that victims aren’t victims, they’re actually creating their own opportunities to be breached. We’ve actually looked two cases at the moment, because we work with the legal side to Steve and it’s really sad that it’s easier to show in negligence security negligence than it is to get companies to actually take security seriously. That’s a really sad position. Because a little bit like the Chinese electric cars article you wrote earlier today, you know, all roads lead that way. Because if we’re on the slippery slope, we’re going to run out of money, people and resources to actually fight this thing. Because one thing I always say is, if you think it’s expensive to get a professional to do the job properly, wait until you do, see what it costs when you’re done. And the reality is we will run into real trouble at the present time, a belief and I’ve not been shy about writing about it. The NSA and GC HQ obviously Five Eyes heavily weighted in the US favor for foresight and debt etc. The NSA and the government there have been very, very prominent in their offensive capability building. And they have done for nearly 20 years, you know, billions and billions of tax dollars have been paid to build 10s of 1000s, if not hundreds of 1000s of people capable of offensive digital attacks. The challenge with that is everybody has seemingly forgotten to defend themselves. I’ve got this firm belief, and I stand on a parapet will often say the same thing.
All the while offensive capability has been built, defensive capability was being ignored. And because governments were actively building offensive capability, utilizing the very methods and tools that we’ve already touched on IE, website, web server infiltration, through vulnerabilities that could be exploited. It was never in their interest to tell everyone to shut the digital doors. Consequently, I could show you website after websites, even universities that have been awarded hundreds of millions of dollars to teach cybersecurity whilst maintaining totally not secure websites. So one has to ask the question, What are people being taught? Now this could go all the way to the seaso. You know, I wrote recently on the cyber insurance report, the governing body of the insurance world is running an F and zero rated website. And when I brought it to their attention, FM zero being the worst possible insecure website you can have easily exploited. When I brought this to the attention of the CEO and the seaso. The seaso said, Andy, I don’t think you’re right. And I said, Why do you say that? He said, because my SSL qualis scan says I’m a rated. So which I then brought his attention to the fact that the MIS configuration of the website was not redirecting the HTTP version of their website and the content that was compromised to an HTTPS website. So the barrel of the certificate had nothing to do with the overall rating. This is a major concern. I believe, Stephen, it’d be interesting to hear your view. I believe that a lot of experts security high level people may have come one, from a risk and compliance background, not necessarily technical, too many are relying on SSL scans for security, when it’s maximum a 10th of the overall screen security posture of the website and web server. That’s a major major challenge, I believe that we face today is this education. But websites and web servers, the junction between internet connectivity and a company is where the vulnerabilities are being exploited on mass. We did another thing recently, Steve, and I’m not sure if you saw this. we plotted we took two graphs, independent graphs, we plotted the increase in website numbers globally. And it’s now around 1.2 billion of domains. Not all active, but nonetheless, it’s 1.2 billion domains. we’ve plotted that over the last 20 years with the increase in cyber losses, guess what? They absolutely are matched to perfection.
Steve King 13:48
That shouldn’t surprise anybody. We’ve created a ecosystem that is so complex that I don’t believe humans can deal with it any longer.
It’s interesting though, Steve, because I won’t name the company because, you know, I often get told you shouldn’t name the companies and that’s fine. But they’ve embarrassed themselves enough anyway. But this is a big four. Okay, one of the big four. So it could be PwC KPMG, y or delites. I’ve been in discussions with them lately. And they actually started doing a project for one of the world’s largest vendors, they got 500,000 staff so you can limit who they might be. They actually put a website up. And they ran that website for the adequacy of the senior professionals around 50,000 of these guys to put in their personal information to actually capture it and to give them a computation of their liabilities and tax and adequacy for their various part of the world. This website was commenced in 2019. And until five weeks ago, they didn’t know that it was misconfigured. Okay, I shared this with their manager partner, he runs 12 countries. And he put me in touch with one of their cyber team, their cyber team. So it’s got nothing to do with anything to do with our security. And this website was displaying, not secure. When we went deeper, we found a whole shitload of security issues that this website was running. So they argued and debated that it had any relevance to their security posture, or their clients. Don’t forget, this is a big for that bill billions of dollars a year for cybersecurity advice to their customers, many of whom will have been affected by cyber attacks. So we sit there and we debate this a little bit further. Eventually, they send a letter from their solicitor, don’t forget, we wanted the good guys, we’re just trying to help. They send a letter from one of their solicitors who was actually Freshfields major player saying, You must expose this, you mustn’t do this, you mustn’t do that. To which I said, either your customer your client engages us, or this is this is open information, I understand what your issue is. Within one day, they shut the website down. So they were saying it wasn’t important. And the next day they shut the website down, we got a real distinct issue of people understanding what is real and what is not real and taking the appropriate action. That’s the issue.
Steve King 16:29
Yeah, of course, there are so many reasons for that. What do you make of giants like CNA, you know, enormous insurance company? How does cyber security and cyber insurance as well? What do you make of them paying out that $40 million ransom fee? And how In your opinion, will that impact the future? Specifically, the future of server insurance?
Yeah, we did a great question. So thank you. We actually went big players actually get hit like CNA, we do full research on them. And we write reports. These reports, you know, we’ve got pretty much a report on every company you could name has been cyber attacked over the last two years. And they’re pretty much in very, very in depth use in some of them. CNA, they were their own worst enemies in as much that we’ve written extensively on them. We’ve reached out to them, but they’ve not come back to us yet. CNA actually published the date escapes me, but I believe it was sixth of may or something like that. They published an announcement to the public to say we have suffered a sophisticated cyber attack. We’re going through these things, and we hope to be back to normal soon. They actually publish that Steve on a not secure website. Okay, so they sent out the information that they’ve been attacked on the very website that they’d actually been targeted by, and noted by cyber criminals that they were Open Season Two an attack that this was this was a major football. And for me, I have to ask two questions when that happens, either they are incredibly complacent, or is somebody being complicit. You and I both know the size and scale of cyber losses and costs. And there’s a lot of companies that are using Emperor’s clothes, making an awful lot of money. You’ve only got to look at the shareholders solar winds that dumped the shares two days before the public announcement of the cyber breach. And then most probably bought them back sold at $24 bought back at 12. Now there were 23. Again, there’s a huge concern that finances are driving cybersecurity. You don’t necessarily get any more security. You just get more money thrown around. So CNA we looked extensively at CMA, and we rated the entire websites as FF zero, we identified several websites, sub domains, which are part of the domain that are connected as we know, a number of those were not secure and a whole plethora of what insecure, much the same as we did with solar winds. You remember a solar winds breach, we actually went out on a limb I wrote a white paper for the Senate Intelligence Committee, say in January of this year, within weeks of the initial breach being found, saying this is how it happened. And blow me down. I’ve possibly got the only screenshot in the world Steve and it’s actually in the first book of the AV sb macleod.com. website. Okay, it was only scanned twice in a year. The second time I was the person scanning it, I think most probably the first time they scanned it themselves, to make sure it was doing what they wanted to do. So CNA, their own worst enemy. They are still like solar winds. FM zero rated which is horrific. The question has to be asked one if they don’t understand it at the outset and get breached. That’s that’s negligent, complacent, call it what you will, if they continue in the same vein, and have the same insecure perimeter defenses, we call this defensive perimeter defense. If they maintain that position, two things have occurred, one, they’ve certainly not identified the root cause. And two, they are maintaining the insecure position, possibly ready for the next attack? Right.
Steve King 20:37
Now know, if somebody just dropped in from Mars and and they listened to all the stuff we had on this podcast, they would conclude that, you know, we’ve created this, like, insurmountable mess that there’s there’s just no way out of, you know, this is like giant, putting drama day in, day out day in day out. Nobody, none of the players look like they have any idea what they’re doing. And that’s, that’s embarrassing to me. But you mentioned and and as you’re describing the CNA debacle that you wrote a book about all of this, and, and so I wanted to probe a little bit about, you know, what is your thesis in this first book? And where can our audience find it?
Thank you. There’s two things I want to touch on first. First one is there is a way out of this, Steve, and I understand you, your Martian coming down and go, Oh, my God, these guys created a monster, and the monsters turned up against the Creator, I get that. And I actually agree with it. But let me hypothesize this to you. Because you know, I like to think as much as I can think of a search engine optimization company. And think as large as you want. And I won’t name one, but we’re talking to some at the moment. As we all know, in 2018, they turned around after talking about it for four years and said, any website that no longer actually migrates to HTTPS by ETS, but Esper secure, will be flagged up as not secure in the address bar. Okay, that happened in 2018. So we’re coming up for three and a half years, what’s to stop them. And this is my thesis, what’s to stop them to say, if your website actually comes up as not secure, we call it halfway halfway effect. If it comes up is not secure. It will not be able to be accessed. We will stop people accessing your website because they don’t know better. And we’re going to protect the billions of people that are casual visitors to websites, as opposed to trying to chastise a company five years after the event, like ba or EasyJet or whoever, instead of chastising them for not doing their job properly. We’ve got to protect the greater public. There’s nothing to stop that happening. Steve today, nothing. Yeah, yeah, I
Steve King 23:09
realized that nd The problem is you never get it? How are we going to get to the level where you can actually have enforceable law underneath us?
Well, I think either we’ve got to try and protect the masses, or we can put to the minority. And that’s the reality. So what I did with my first book is to touch on that quickly. And I still believe it’s very possible if people have got to come to the table, you’ve only got to look at the ransom Task Force who are all running insecure websites. And you go what what are people learning? You know, what, what is the leadership, telling people, it’s certainly not to shore up your perimeter defenses, which is a big error. However, the first book is called steps lead to some burrs 20 years of digital exploitation, and it takes you from 911 all the way through to I finished writing the book in February of this year, all the way through to the sunburst and the solar winds breach. The I’ve missed a lot of things that have happened subsequently, and I think most probably $2 trillion had been lost to cybercrime subsequently,
Steve King 24:16
I have no debt. Well, the second book gets easier, right? Because we just take the last three months, and you’re you’re
doing well the second books, Dave is called ransomware and cyber crime. And, you know, we, as you know, I think, you know, we were the guys that expose the vulnerability and exploitation of the Vatican, amongst many other things. And consequently, there is still this question around, is this complacent or complicit? The question is such a deep one that you have to stop and think about it and like you, I’m one of the good guys I will cross the world, if it means my integrity but at the same time What’s happening and what we’re witnessing is either people are, the word is too forceful or ignorant, they don’t understand, or they’re not being protected. And as we both know, in classflow actions, you cannot plead ignorance to insecure positions. It is your job as a multi billion organization to protect your visitors and customers, much the same as if they walked into a high street shop with a 30 foot pit that was covered with a carpet and they fell down and broke their ankles. It’s your responsibility when they go on your website to make sure they’re secure. Companies are still not understanding that, consequently, and then throw in the insurance experts and people saying I’ve gotten an SSL certificate that’s valid. It doesn’t matter if it’s misconfigured misconfigurations of websites do account for a very large percentage of issues. And I’m sure you know that. But equally, I would guess we find 15 to 25% of websites not secure because of invalid certificates. Yeah, I sent you one just literally an hour ago, on the TSA DHS. Yeah. Which means if that’s connected, and trust me, I know it is the US government’s infrastructure connected to the website of that particular one that I’ve shared with you means there are huge exploitable vulnerabilities today in the ecosystem.
Steve King 26:34
Now, of course, we’re Enya journeys really just presented at blackhat. Yesterday, I think in Vegas, and you know, she was talking about the new coalition between private and public and named all of the agencies are involved, you know, all of the in all the private folks. So
let me just confirm, Steve, we reach out. And we liaise with the FBI, the DHS, TSA, etc, there still seems to be and ceaser is another one, there still seems to be disconnect within these internal organizations and the people within each of the organization’s. And I’ve written open letters to a number of them, as you’re aware, to say, Hey, we could really help you. You’ve got 1000s of websites that are exploitable, that are vulnerable. This is what we do. You know, we do this day in day out, we can do it. One has to question that somebody asked me from Singapore today because they want to work with us in Singapore. They said to me, why aren’t other people like you like your company? in those positions? Whether it be the DHS, TSA or anyone else? Why aren’t they doing this? They use pen testing they use they’ve got their own team, they’ve got armies of teams doing this. They said they simply are not looking?
Steve King 27:58
Well, and and there’s so many drivers there that, you know, as you point out complicities one and complicity wears a lot of different masks. It’s very, there’s a lot of complexity there, especially when you have what is it you know, 35 different federal agencies, all of whom have their own siloed cyber insurance, cyber security units. And
let me confirm this. I empathize with these guys. I really do. We’ve helped the FBI, we’ve helped a number of organizations, but they’ve got to listen and see what’s going on. You cannot bury your head in the sand. I understand the disconnect. But we have evidence and it’s damning evidence and we just want to help. Yeah, it’s a major difference. To conclude with that. I would say this 25 years ago, organized crime would go around with a gang of people armed with guns, etc, and do whatever they wanted to do, whether it be drug trafficking, whatever, right? These days, those very same people are going through a generation and coming out and going well, with cybercrime. We don’t even need to put our face in the in the frame. We don’t even need to be involved. It’s a far more lucrative, there’s no attribution and nobody’s getting caught or been in prison for it. And they’re walking away with, as you say, CNA $14 million just by causing a problem that CNA said, hey, look, we’re going to show the world we don’t look at security. We’re just leaving it open season. Anyone who wants to have a go can have a populace. And that’s what’s happening. I’m really concerned about that because we are not making ourselves strong. We’re rattling sabers at Biden’s level and around him, but then not taking action.
Steve King 29:53
There’s a lot of irony or worse. So listen, I’m conscious of the clock here and I want to keep this if we Can’t get as close to 30. So my final question today, from your point of view, look, you know, across the pond, as it were, did the recent moves within the various security agencies that we’ve just been talking about, combined with the Biden executive order of, you know, a couple a month ago now, shift the balance between the attacker defender dynamic. And what what in your mind is the future of state sponsored cyber attacks look
like? Really great questions, I will try not to be cynical. The Coalition’s The Five Eyes the grouping together of a number of agencies, I’m concerned that we will see a replication of what we’ve seen for the last five years to 10 years of increased cyber attacks and ransomware. I read the other day that there are tax breaks for people paying ransomware. Now, I don’t know if you saw that. It’s, it’s a really bad precedent. Consequently, My belief is that the disconnect between the agencies and the experts, and again, these silos that you’ve touched on, there are experts that are in favor with government, because they do what they asked to do. And there are experts that are not in favor in government, because they are radical innovation, innovative, and they’re actually coming up with ways to make things better. I was told this, off the record by a very senior mo D executive recently, in a meeting, who said, Andy, we, as the mo D, desperately need your skills and your solutions, we desperately need it. The reason we’re not buying it at the moment is because not enough people are dying, and there’s not enough losses. That’s an incredible statement to make Steve. Right. But as shows, that’s the truth, if you will. Absolutely. So then if we roll that out a little bit further to your last question, state sponsored attacks, I think it’s a free for all, to be honest with you. And I will be cynical to the point that I will say this without fear of contradiction, or replication. I believe none of us know who the cyber criminals really are. And I think there is so much money being made from it, that there are certain people within certain parts of the world that have control on various elements of cyber security and various elements of overall security, that they are turning a blind eye because it suits them. And I think we don’t have, we need a digital convention, the Geneva Convention for the digital realm is not going to happen. It’s not gonna happen for many, many years. But even when it does, everyone needs to sign up to it. So for example, if I speak to the World Health Organization, and I speak to, you know, the DHS, and then I speak to the ncsc, here in the UK, they all need to be aligned and understand that website, web server, internet connectivity needs to have a minimum standard at the moment, none of them do. Right. Okay. That’s the challenge. So it was not that long ago that I shared, you know, and it’s open season, I’ve done it as someone to go, it’s been done now. I shared the number 10 Downing Street website that was not secure with the ncsc. Okay, it couldn’t be much worse. I shared with the World Health Organization and many other bodies, insecure websites that they will maintaining only to be thrown out and literally run out of town, because I’ve actually announced this issue to them. As if I had, you know, something that was wrong with me.
Steve King 33:58
Yeah, well, you know, we don’t we very frequently don’t don’t actually want the truth. Do we
know? Absolutely. So with the DHS, unfortunately, the guy are dealing with a DHS and the email I sent you, which is redacted. Just to let the audience understand is redacted. Nobody can identify which websites are not secure that we’re sharing with the DHS, the guys on holiday this week. So this week, it’s all not secure for an additional week. And you know, you can beat your brains up. Steve I in the first book, I’ve written an article and you’ll be more familiar with it because of your side side on on the personnel management, the Office of Personnel Management that will reach to 15 and 16. The FBI agent that actually worked half a mile down the road from the offices of the Office of Personnel Management, which is every United States person that’s worked for the forces in any way shape or form, current or previous was breached as you know, the FBI agent Adrian, whatever reselling was trying to alert them for six months. They ignored him. They thought he was a loose cannon they didn’t want to know. He never wants jumped in his car and drove the half mile to the office, which is really quite interesting. But nonetheless, this is the challenge. People want to debate. It’s a little bit we use the term here. People don’t want to be told they’ve got an ugly child or an ugly baby. Of course they don’t. And you can be as fluffy and woolly as you want. But if you’ve got a not secure website, hello, the house is on fire. We need to put the fire out.
Steve King 35:34
amen, and amen. So listen, I were we are out of time, but boy, we could talk for hours. Right. So I want to thank our guests here, Andy Jenkinson again, for taking the time to share with us this morning, and I got to get you back in a month or two, which I’m sure we’ll have tons of more fodder.
Sadly the case the certainly the case, but it’s been my pleasure. Thank you very much for your time. Sure.
Steve King 36:03
Thank you. And thanks to our listeners for joining us and another one of cyber theories unplugged reviews of the complex, very complex and frightening world cybersecurity, technology and our new digital reality. And until next time, I’m Steve King, your host signing out. Thank you for joining us for another episode of cyber security unplugged. You can connect with us on LinkedIn or Facebook at cyber theory, or send us an email at social at cyber theory.io. For more information about the podcast, visit cyber theory.io forward slash podcast. Until next week, thanks again.