Our cyber resilience experts look back over the cyber events and challenges that shaped the year, review some of the insights that our incredible guests have brought to the show in 2021, discuss how to be cyber resilient across the holiday season, and peer into the crystal ball to make some predictions on what the new year will bring us.
The Get Cyber Resilient Show Episode #84 Transcript
Dan McDermott: Welcome to episode 84 of the Get Cyber Resilient Show. I'm Dan McDermott, and I'll be your host for today. As you may notice, today is a little different. We are currently streaming live on LinkedIn, as well as recording to release the episode on the usual podcast platforms later. Also, this episode is different as, rather than just focusing on the hottest topics in cybersecurity over the past fortnight, we'll take a look back over the cyber events and challenges that shaped the year, review some of the insights that our incredible guests have brought to the show in 2021, discuss how to be cyber resilient across the holiday season, and peer into the crystal ball to make some predictions on what the new year will bring us.
One thing that is the same is that I'm joined by our resident cybersecurity experts, Bradley Sing and Garrett O'Hara. To say it's been a big year in cybersecurity would be an understatement. Let's kick off by reviewing the hottest topic of the year, ransomware. This year saw an explosion of high-profile ransomware attacks across all industries, and we've seen governments respond by joining together to fight back against the threat. Brad, how significant has the rise in ransomware been in 2021?
Bradley Sing: Okay. Thanks for having me, Dan. And hello to all our listeners and viewers there in our LinkedIn Live or, or whatever the platform is called [laughs]. It's, it's lovely that you could all join us at the end of the year. I felt like last year was almost the year of ransomware, but I think the reality is 2021 was absolutely ridiculous in terms of volume of breaches, high value breaches. And I think we've all still got the, the stories of Colonial Pipeline kind of stuck in our head. I think if anything, it's definitely been a crazy year, and I look forward to reviewing with you today.
Garrett O'Hara: So funny one though, ransomware. We, you know, we've, we've talked about this problem and it's been on kind of LinkedIn actually in, in sort of side chats that you have with the sort of cybersecurity professionals, it's come up a few times. And I've been thinking about it a lot in, in terms of the FBI data that says it's 1/64th the problem of BEC. And I think it's like flying a plane versus driving a car that, you know, ransomware, and it hits... it hits really bad. And it's the kind of thing that makes the news all the time, because it- it's gonna close the doors of a business, potentially. Whereas BEC, the money goes out the door, but generally, you know, there's a little bit of shame and feel it's silly, but you know, ultimately everything keeps going.
So it sort of feels like from a risk perspective, you know, people feel fine getting in a car, even though it's much more likely that you're gonna have an accident and, and bad things are gonna happen versus getting in a- an airplane. If... it feels like that, but I mean, it... talk about a... talk about a tsunami. It feels like every single day... it feels like it is. Every single day you open the, the news, there's, there's another brand, another big name that's been popped.
Dan McDermott: And I also think Brad mentioned the fact of, like, Colonial Pipeline has been maybe the highest profile, but we've seen lots of attacks around critical infrastructure across not only utilities, but things like healthcare. And I think that one of the takes that we've seen throughout this year as well is, is that the fact that ransomware not only impacts the organization that's been targeted and, and can have an impact on their finances and their wellbeing and their staff, but also has that ripple effect more widely across the community reaching more than just the, the original targeted organization. So how do you sort of see that playing out as we sort of, you know, continue to battle with this, like, you know, like you said, the tsunami on every front?
Garrett O'Hara: Yeah. So I think the ripple actually goes both ways as you've described it then. So certainly, kind of downstream to the, the smaller organizations, but it goes the other way too. And I'm actually thinking back to Dmitri Alperovitch when he was on and, and him as his... as the director of Silverado, you know, the policy kind of uh, organization over in, in Washington. And one of the things he spoke about at length was we have a lot of those sort of smaller organizations providing services into critical national infrastructure. Uh, at some point, we're gonna have to, you know, have an adult conversation around how do we make sure that they are secure? Is it some sort of a certification, yet another certification, um, or sec- sec- you know, external security audit to make sure that if you're the, the people providing some service into a water supply system, or energy grid or healthcare, that your systems are protected and are up to, to scratch.
And the, the thing that came up, and I sort of pushed back on was does that then eliminate many of the SMEs or smaller organizations from the ability to do business with those larger kind of, you know, federal programs or state programs when it comes to CNI? And he made what I suppose is the, the correct kind of comeback to that, which is, well, maybe, but you know, like, if it's gonna be the water supply gets cut off or somebody dies, then you know, that- that's potentially what we have to actually do. So to your point, Dan, like, it goes both ways. We saw that with even the commercial pops where, you know, meat production was impacted and shipping was put on hold, you know, jobs are actually affected.
But then it goes the other way, too. So you know, that it comes back to the, you know, the thing we always talk about the digital interconnectedness, everything is connected to everything digitally, and to steal Bruce Schneier's quote, which I do all the time, you know, we're, we're forced to trust everything and we can't trust anything. I'm probably butchering the quote, but, you know, that's the spirit of it [laughs].
Dan McDermott: And I think you touched on there, I think with Dmitri and the work at Silverado, but we've seen it around the world where governments are taking... having a response to this, right. And I think it is like you say, while it may be 1/65th the size of the monetary problem of BEC, it is the thing that's gaining everybody's attention.
Garrett O'Hara: Mm-hmm [affirmative].
Dan McDermott: Seen it locally through the federal government's ransomware action plan and what's happening there. Obviously Biden and in the US are doing things particularly off the back of Colonial Pipeline and what they were looking at. And obviously, in the UK for a long time, they've been looking at this and, and how they can actually respond as well. What can you tell us about sort of the, the government responses and, and where is that at, and what will that mean for us as we sort of head into 2022?
Garrett O'Hara: Well, I'd... to, to start with, there is a government response, and I think that's the thing we're probably all celebrating from the sidelines is that, and, and, you know, that's probably a little bit unkind. I mean, certainly we've been looking at this stuff, but you know, I'd say since Scott Morrison stood on the podium and said, "We're under sustained attack." It feels like there's a shift in the zeitgeist. Um, and we're seeing, you know, AUKUS, uh, uh, the ransomware task force, discussions around mandatory ransomware reporting. There's a lot of energy behind what I think it was Tim Watts originally described as the retail politics of what has become the retail politics of cyber security.
And that feels like the biggest shift stuff is actually happening. We... that, that to me is probably the biggest thing. Like, we're, we're seeing the taskforce set up, we're seeing both kind of collaboration at a, a sort of national level, but then also the international level for broader takedowns of, you know, and we... I think we're gonna maybe talk about this a little bit later, but that- that's the important thing is the, the kind of ships are rising in, in multiple countries and, and then starting to kind of work together.
So not that I for a second think that ransomware is gonna go away, [laughs] um, and, well, look, I, you know, we saw how innovative they are. We, we spoke about this in one of the news episodes, where from an encryption perspective, if you guys remember, they- they'd sort of tweaked it. So they were only encrypting, like, half of the files and being able to then get across systems much more quickly. So one of the things I'm sort of thinking about more and more these days is that if you look at sort of Silicon Valley and tech in general, how it just takes one sort of delivery service to do well, or one gig transport service to do well, and all of a sudden you've got 50 of them, like, why would... why would cyber crime be any different than that?
And given the talent in technology, like, that's what we're seeing. We're seeing, you know, Silicon Valley, you know, innovation applied to cyber crime, and I think that's gonna continue.
Dan McDermott: Yeah. And I think it has raised, I guess, one of the questions that sort of remains almost, I think there's an answer, but almost unanswered, right, throughout the year. And, and Brad, be interested in your thoughts on the notion of, of if a company does get attacked, what is the response? Do you pay or not to pay the ransom?
Bradley Sing: I think we, we can't keep feeding the ecosystem. Like, it's not sustainable in the long run, unless insurance is willing to cover it. I think anyone here pays for cyber insurance or is, you know, lucky enough to have to be involved in the... that discussion. As soon as the insurers aren't covering it, then it starts to pose the risk that who's willing to take on the risk? And it seems like no one is. Garrett made a really good point there early in terms of the shift towards the mindset, I think, of, of the country of, of, of allies and stuff as well. I think Scott Morrison even said the phrase resilient or cyber resilient almost. I remember seeing that on TV, and I was like, "That's pretty cool."
But I, I think for organizations, unless we have strong guidelines in terms of to pay or not to pay, so it's a really hard decision. And I remember I've, I've spoken to quite a few critical infrastructure providers. Like, they might provide water or electricity. And I believe the advice that they've sought from the government has said, technically, it could be illegal to pay because the money could be going to a terrorist group or a criminal organization. However, if they were to pay because it were to save a life as an example, and maybe somebody needs water, I think to Garrett's point earlier then technically, it's okay. And again, if we think back to the Colonial Pipeline one, they did pay. And then they went back after them. So maybe that, you know, that was almost like a, a warning being like, "Okay, you've had... you've had free rein up until now, but we're gonna take this seriously. We're gonna try and hunt you down, you know, if you're gonna pay the full extent of the law."
But also, we know how cyber security works, and we know that you can be anywhere in the world. So when you're sitting behind a VPN or hiding your IP address, yeah, a lot of thoughts on that one, but I think, yeah. My, my opinion would be though, if, if you can avoid paying, don't pay and do good backups. I think we're in a world where you need to make sure you're backed up.
Garrett O'Hara: It's a super important point though, Brad. 'Cause I think there's a lot around this where if you do the basics well, it's not that you're gonna be immune to, to ransomware, but I think you remove a lot of the leverage and the pressure points when, you know, when that horrible attack does happen. And I also think, like, part of this is just good incident response.
Bradley Sing: Mm-hmm [affirmative].
Garrett O'Hara: You know, knowing what the plan will be if this stuff does happen, and not making an emotional decision to pay or not to pay because, you know, you're... and as you probably would be, you're freaking out in the moments and exco's freaking out and you know, everyone's kind of thinking, "Oh my God, what, what do we do? Let's just pay and, and hope that everything works out." You really want to be sitting down in the cold, you know, calm moments, writing the plan. And then when the worst thing happens, worst thing happens, you know, execute on that plan. And ideally, get a third party for advice in the moments. And that, that weirdly, you know, we, we talk about insu- cyber insurance so often in terms of, "Hey, we'll, we'll just get the thing paid and that's, that's the point."
And think they were actually part of the connect, the connect earlier in the year, we had the, the cyber insurance team on, and it was brilliant hearing about how they've access to people who are incredibly good at negotiating in terms of what the ransom might be. And being able to make the very clinical decision based on their experience with maybe an attacker their pedigree or the attack type, et cetera, but being able to make a much more rational decision on what the best course of action would be.
And it sort of reminds me, I'm listen- listening to an audio book on negotiating at the moment from a guy who's in the FBI, pretty good book. Um, I think it's literally called Negotiating As If Your Life Depended On It. But one of the big things I took from that is not how to negotiate, but how valuable it is to have somebody from the outside who can kind of remove the emotion and then, you know, execute on best practice. And what's good for the outcome rather than what... Well, I mean, I'm pretty sure what I would do is just freak out and go, "Well, let's pay, you know, hopefully everything works out, you know."
Dan McDermott: And Garrett, I think there... what that reminds me of is, is probably some of the best advice I think around this that I've heard it's, it's not on- it's... having the plan is one thing, but it's actually putting that to a stress test, actually, pressure testing that because everybody can have it written down and on a piece of paper and it seems fine until it happens. And then it's like, then the CEO's calling and saying, "How come I can't get my email? What's going on?" The CFO's saying, you know, "We've got a ransom to pay this amount of money and the clock's ticking." You've got media calling you to say, you know, "Your site's down, your brand's being impacted, what's happening?" Under that scenario, and that situation when you're actually in it, I think is very different to sort of the calm notion like you say, you actually writing the plan.
And one of the people that, like, we know that gives us advice, Nick Abrahams, around the notion of having sort of a breach coach and actually is, like, to come in and test that plan. So one thing is to write it, which, which is obviously the first step, but to actually create that scenario and put the executives under that stress in that sort of test environment to actually see how people respond, because that's when you truly know, you know, that you can actually hold up, do what you do, test your systems at the same time, test your communication processes. There are so many aspects, right, of when this happens of how that needs to be coordinated and how that needs to be coordinated in a remote working world as well, right.
You know, so not everyone's necessarily in a boardroom. Has the attack, you know, impacted your, your Zoom connection and your... from your corporate account? And therefore, how do you get everybody on board? Like, there are so many little gotchas throughout that process.
Garrett O'Hara: Totally agree. Anthony Caruana was on a couple of months ago, he's from Media-Wize and we spoke at length actually about what you... what you just mentioned there, Dan, is that, that plan for the communications side of, of all of this and, you know, part of what they do is smoke-jump into those organizations where the really bad thing has happened. And then try and make a plan in the moments based on their experience. And Anthony's big comment was it's so much easier to build that plan before the attack happens. If you wait until the, the thing goes wrong it, it just puts you in a really bad position. I keep having, you know, the, the quote that feels like everyone's saying at the moment it's Mike Tyson, you know, the, "Everyone's got a plan until they get punched in the face."
Dan McDermott: Yeah. [laughs]
Garrett O'Hara: And it sort of feels a bit like that.
Dan McDermott: And what we've also seen from research conducted is, is that you know, paying doesn't necessarily mean that you'll... you actually get everything back.
Garrett O'Hara: Yep.
Dan McDermott: And I think the other factor that we've really seen is, is the multiple ways of extortion happening. So it was, you know, "Okay, you pay the ransom, you might, you know... we'll restore access and your files and you get everything back." But they've already taken it. So what's stopping them from then selling it for a second time on the dark web and actually still selling the data? So just because you may get operational again, doesn't actually remove the risk of what's actually happened to, to your data as well.
Bradley Sing: I wonder if we have the stats on that and we, we probably don't, but, and I, I don't wanna suggest that there's honor among thieves or, or we should, you know, be trusting ransomware providers on, on dodgy dark forums. But I think there is a thing to be said about reputation. I think goes back to Garrett's points in terms of understanding who you're negotiating with, who you're kind of working with, like, the reality is, like, I think some of these services, like, they live and die on their reputation because they do give customer data back. But I think it would be very naive to think that that data wasn't backed up and they probably backed it up better than first got breached in. They probably backed it up, dumped it on an AWS somewhere, an S3 bucket, and it's just sitting there waiting for the future. I don't think you should pay, don't pay.
Garrett O'Hara: We- we- we've talked about it before Brad, but you raise what I think is a really important point about the economics of this as a business, which is, if the ransomware attackers never, ever, you know, restore the data, no one would pay because you just know there's no point. So I suspect there's a really fine balance, you know, where they've employed, maybe the best brains and business analysts to figure out what that sweet spot is for, you know, paying out ransom so that the, you know, the, the cash cow or the golden goose keeps on laying these eggs.
Bradley Sing: Yeah. I kind of put it akin to... it's probably a terrible example, but, like, maybe, maybe a drug dealer, right? Like, they're selling somebody drugs, but they obviously want their client, the person taking them, to buy more. So they don't want to kill their client, but they still need the revenue. So hackers are doing exactly the same thing to, to us, I guess. Like, they, they wanna get money out of us, but they don't wanna piss us off too much um, because yeah, they... otherwise, they'll get no more money out of it. And I think some of the commentary we had orig- originally around Colonial Pipeline and some of the others is, they've poked the bear, you know, we've... they've gone too far. And then they even... I think they even went out to say that they don't wanna cause any loss of life. Like, you know, they're trying to come across innocent.
Garrett O'Hara: Yeah. They said they would moderate the people who are gonna use their [laughs]-
Bradley Sing: Their PR, right?
Garrett O'Hara: Their ransomware.
Bradley Sing: Like, "Don't worry, guys. We'll be okay. Like, we'll make sure they're trained the police checks and stuff," but crazy.
Dan McDermott: And there definitely is research on the fact that, you know most organizations seem to get their data back and that, you know, there is that honor, but more than a third of the time it actually isn't returned still. So they paid the ransom, and they still don't get, you know, the access key as, as well. So I think that there is... you know, and I think it is depending on the different, you know, I guess nature of the attackers as well, right. I think that's what we've seen as well is, is that that there is ones who are just, you know, fairly opportunistic, you know, it's a short term financial hit you know, gain for them. They... So they don't really care, right, 'cause they may not even, even do it again. So it's like, they'll just maximize a payment at that time.
Then there's the ones that are more organized, right and, and becoming that way. And then we're seeing sort of the rise of things like ransomware as a service, that's making it easier for people to actually access this as well. And then I guess then you're getting also a high variation of, of who's deploying it, right. So the people, like you say, the people who have maybe created the ransomware as a service want that ongoing business, right. So they might, you know, have some integrity in terms of honoring, you know, what they say they're going to do once the ransom's paid, but other people who are using that service may not have that intention at all.
Bradley Sing: Yeah. I mean, you're effectively giving tools or keys to, to a kingdom to do a bunch of stuff. And then ultimately, I don't think the ransomware provider, whoever it is, really cares who they're selling it to. And look, we've seen that from, you know, potentially state-sponsored groups. So in Israel, you know, Pegasus and stuff, and how that was used uh, in... against various countries, and against journalists. And you have to wonder, what's the difference between that and, and some of these groups hanging out in dark web forums? And they probably chat on all the same forums anyway. But I think you're 100% right there, Dan.
Garrett O'Hara: Yeah, I mean, you can sell a gun to somebody. Um, and that really... let's be honest, that- that's happened internationally where, you know, arms deals and trades have happened where, you know, behind the scenes, like, lots of money's made and no one ever signs a contract saying, "Hey, we won't use these weapons against X, Y, Z." And, and you know, there's generally huge outrage when it does come to light, you know, where those deals have been done and what that actually means.
Bradley Sing: Like the British government or any government in the world, I think, sorry, not to speak on them, you know, selling bombs and stuff. But yeah, 100%. Hopefully, though, like, I think we should see a decrease eventually. And I think that for me, I think it's cryptocurrency has been the number one factor in terms of why the ecosystem has become sort of profitable. Like, we used to hear about people stealing iTunes gift cards, but to go down and, and grab hundreds or thousands or 70 million worth of iTunes gift cards was pretty hard, but to receive 70 million in Bitcoin, I, I believe it takes just a couple seconds or a couple minutes. So I think that has been something which the gov- governments around the world have failed to control. China have been very harsh on it recently, which may have hurt them, but it'll be interesting to see policy around that and regulation around that if that somehow ever affects the payment mechanisms and the ecosystem.
But I also fear it won't because I think where the health is in at the moment, it's in a very evolutionary phase, and we don't even know how big or how small some of that market and how normal some of that stuff is gonna become in our everyday lives. So I think as long as cryptocurrency is around, unfortunately, it- it's gonna make it an easy method or mechanism for these groups to, to make money basically.
Garrett O'Hara: And it kind of feels like the toothpaste out of the tube on that one. You know, a distributed ledger by definition, that's kind of like, it is resilient and you can make it illegal. And then all you do is drive it underground. But if you're, you know, criminal organization, well, you're already underground. And, and I think there's... when you look at the, I think it's, the IMF came out a couple of days ago saying they wanted to look at sort of global regulation of cryptocurrencies. And because outside of cyber, it's, it certainly has like pretty big impacts in terms of, you know, sovereign currencies in their value. Like the US dollar, for example. You know, you could say that's potentially under threat because the crypto become, you know, maybe a new global standard or some other digital currency. Strange days ahead.
Dan McDermott: Indeed. So let's broaden the conversation a little bit beyond ransomware, which obviously has been such a hot topic, but we've also seen that 2021 was a bit of a perfect storm for cyber crime. We saw the pandemic continue to, to ravage in terms of having lockdowns and a distracted public and workforce. And we've had high profile, zero-day attacks, and very high profile vendor attacks such as SolarWinds. And just, just last week, the Log4Shell critical vulnerability on Apache. So how have these factors impacted cyber security in the past year, Brad?
Bradley Sing: I like Log4Shell... I shouldn't say I like it because I think it's a good example of kind of all the things we've been talking about over the past year or two on the show coming, coming to kind of together, right. Interestingly enough, Log4Shell. So what it is, it's... I believe it's a Java-based exploit, which is kind of a core fundamental in Java, which allows you to basically do coding around logging. So if you think about any system out there which may use Java, a lot of web applications backend servers, if you use Java over the years, just because it's so lightweight.
Interestingly enough, in, in Log4Shell, for me though, it was Minecraft. So Minecraft, which is originally a Java-based game, I guess it was players or hackers, I'm not too sure, they were using Log4Shell to send test messages to each other, or basically sent messages to each other in a video game. But since it was discovered in Minecraft, it's now rapidly been exploited over the world onto various different other platforms. I think it's interesting if you think about also the psyche or the profile of the, the people and where these hacks are coming from, because I don't know, I guess there're a bunch of people sitting inside playing video games and hacking at nighttime. It only makes sense they'd probably do the same kind of in their personal lives as well.
And then on the point of around kind of platforms and vendor, if you go, Garrett, you made an interesting point earlier around saying that smaller providers, you know, they need to be accountable to a certain degree before they potentially work with their critical infrastructure, et cetera, but for a customer or for a buyer for a board, I'm looking at the news, I'm hearing Amazon getting popped. I'm hearing Twitch getting popped. I'm hearing Microsoft. Like, every big platform around the world is getting popped right now. So do you actually trust the big ones who are meant to be very secure or you maybe with the more bespoke ones, which again, then maybe not have the same maturity? So I think for a, for a buyer or consumer or anybody listening the sh- to the show, it's, it's very hard to figure out where to put your eggs, like what basket.
And the only thing I can think of is you wanna try and diversify your risk to a degree. But probably, you know, probably don't wanna maintain too many vendors as well because it just becomes far too difficult to manage.
Garrett O'Hara: It points to, for me, this is an example of secure by, by design, and how that impacts the kind of the way development is done these days, where you know, when, when people think of development, they often think of somebody sitting down and writing an entire thing themselves, where actually what you're often doing is writing code to call something that somebody else has already built because it per... you know, in theory, does a job perfectly. And that is a very complex tangled web of, you know, code from lot of different places, generally. You know, you find an example of code and you can go, "Well, you know, that does what I, I needed to do. I'll have that." And in the rush to get code out the, the door, which is anyone who's ever been a developer will know, you get these just really hardcore deadlines and you have to deliver on something because, you know, a bunch of other things depend on it.
And that's what happens, you know. You're, you're focused on unfortunately, quite often features functionality and then security when there's time. And I think one of the things that worries me about this, I mean, this scored a 10 on the CVSS, like it's, it's, it's a whopper. Um, you know, it's, it's not a "Okay, that's interesting." This is like bad, bad stuff. And luckily, in this case, was fairly easy to remediate. I actually, came off a call and the person on the... on the call had a brilliant analogy with this, where she has just spent the entire weekend and the last couple of days trying to figure out what it means for their organizations. And, and she described it as a, you know, if you imagine making cakes, and there's a bad egg, and you make the cake and then you've gotta try and figure out where exactly in the cake, first of all, the egg is, and then-
Bradley Sing: Yeah, [crosstalk 00:25:16].
Garrett O'Hara: ... where are all the other cakes [laughs]. But yeah, it's that complex trying to figure out where does this thing... like, where does this impact you know, where are we affected and then, okay, let's get to remediation as quick as possible. And actually over the weekend, I, I really 'cause of some stuff that was going on, spoke to quite a few organizations, and this was the, the hot topic. And luckily for many of them their sort of web primary security systems were picking up the traffic, this, you know, the sort of they call the IOCs or whatever for this activity. So they were able to kind of protect themselves in that instance. But yeah, an absolute whopper.
Bradley Sing: I think the big thing here is it seems like I... Sorry, I'm not sure if it's Apache who developed the original part of it, or it's just a part of Apache web server, but for anyone who doesn't know web development or kind of web servers and hosting, Apache is probably the... It used to be the most widely used kind of base web server, right?
Garrett O'Hara: I, I think it probably still is. And-
Bradley Sing: Yeah.
Garrett O'Hara: ... the Log4j is the library that's used. It's, it's part of Java. So Apache Foundation developed that and then, you know a bunch-
Bradley Sing: Open source or something?
Garrett O'Hara: Yeah, yeah. It's a... it is open source, yeah. So, and, and they're... Therefore, people will run out and use it. And because, I mean, let's be honest, open source tends to be pretty good and pretty secure because it's got lots of eyes on it. But every now and again-
Bradley Sing: That's a problem, though, right? Because, like, now these technology's been up so old, so long. If you have so many eyes on it, eventually somebody's gonna crack the code and find, "Hey, there's an exploit." Like it's gonna say, yeah.
Garrett O'Hara: Obfuscation is never security, I reckon. Like, you want... you wanna stress? It's like you know, encryption algorithms, the best ones. You could publish the algorithm. And it shouldn't matter that everyone knows how the algorithm works because it's intrinsically secure.
Bradley Sing: I agree. 100% agree. I don't think you should hide your code to, to any degree. And I think open source is the right way to go. But I also think, to your point earlier, you need to be careful on, especially when you're developing or you're coding or you're building something, you need to be very careful on who you call and to make sure that that's up to date as well. Because I think, like, one of the worst things I've seen over the years related, again, back to kind of web services, is probably WordPress websites, right? Like, the amount of WordPress websites out there, where it's not that you don't really develop if you make WordPress websites, but you just go and select a bunch of plugins, put it together, and then bang, you've got this fully functioning awesome website, which is comparable with Meta's, Meta's, facebook.com or something.
But as soon as those plugins go outta date, and they go out of date all the time, you know, suddenly, you're opening yourself up to a world of pain. So maybe there also needs to be more of an accountability on, on the ongoing maintenance of this thing. But I also think in a weird way, we need to... stuff like this needs to come out. It needs to happen. It needs to be rated 10 outta 10 to your point earlier, Garrett. Like, it's a... it's a very serious thing. And I'm just surprised it took so long to find out about it. 'Cause it kind of reminds me of that Intel chip was that very interesting kind of vulnerability to chip sets. I think it was about a year ago now. And the problem was all the scaring thing at the time was it was like, oh, basically affects everything with a chip in it.
And we're looking around the room, I'm thinking everything here has a chip in it, almost. It kind of feels like that almost all over again where it's something which is that intrinsic and that related to everything, but it needs to be called out. I, I bet you so many people patched their Apache-based web servers who hadn't patched in years. And, and that alone is probably gonna help with a great reduction in, in breaches.
Dan McDermott: And one of the other things that we... I think, you can't do a, a year in review without looking at the, the ongoing impact of the pandemic and lockdowns and, and the fact that we've had multiple guests come on over the year, Garrett, and talk to us about, you know, creating this cyber secure culture in a time where everybody is more stressed and more distracted and more burnt out and [laughs], and you know, and more online than ever before. So all of those back to is how do you actually start to achieve, you know, that, that cyber safe and positive culture, when you've got that environment that's, you know, upon us every day.
Garrett O'Hara: So many people talked about this one. I think it's, it's an incredibly important topic because it's the messiest one of them all, you know. You can go and spend money and set up security controls and it's technology. So it's fairly generally fairly binary, you know, you've set it up well, or you haven't. You know, there's a little bit of gray in the middle, but you know, best practice tends to be a back- best practice. Humans, we're, we're all over the place. Some days we've had coffee, some days we haven't. We've got different personality types, introverts extroverts like, all, all of the stuff that makes up the, the glorious world of corporate and any kind of organization, you know, all of us coming together to, to work. A bunch of people talked about it. [inaudible 00:29:57] was probably the most recent.
And you actually did what, what to me was a very interesting breakdown of, of something called Kotter's framework for uh, change. And I'm a big fan of those. Anything that's step by step. I don't know, I just feel like that resonates with me because I'm maybe procedural, let's say my, my brain in, particular, is way it's wired. But he, he had a really good run through of that as a model to approach getting deep cultural change. One of the things that stood out in that conversation was I, I think, and actually Phil Zago quite a while ago. I think Phil was one of the first people we had on, but he... I, I still remember 'cause it stuck in my mind.
He talked about having setting realistic expectations and timeframes. So not, you know, falling into the trap of coming in as a CISO and saying, "Hey, within six months, we'll have everybody doing the right thing and you know, no bad behavior." But actually saying, "This is longer term. It's, it's behavior change. It's not education, it's not information transfer. It's actually deep seated cultural organizational change. And that, that takes a long time." And, and Andrew actually talked about this in terms of, like, years; five years. And I love that 'cause that's, that's the reality and that means you're not gonna get disappointed in the short term because you're actually, you know, you're looking five years down the line to something much more significant. And Bruce McCully talked about it as well.
So he's, he's from a Galactic Advisors. He's actually, I think he was on last week. And specializing in MSPs, but had some very interesting stuff to talk about in terms of communication. And obviously, that's a very critical part of this also. Jay Hira who he he's been on. And, and, and sort of talk about this. I suppose the point is, I could probably throw a dart at the print out of the people who've been on as interview guests and pretty much guarantee that we would have talked about the, the cultural or the human side of cybersecurity in any episode.
Bradley Sing: One of the things I think we've probably struggled with in security over the years is measuring success to a degree, right?
Garrett O'Hara: Mm-hmm [affirmative].
Bradley Sing: Like, what does success look like? It's not getting hacked, it's not getting breached. And then we still hear stories about the companies, which, you know, did really well in that aspect suddenly when it comes to budget time next year, "Oh, do we really need that? Oh, we haven't been breached for a while. It's okay. We're gonna cut that from the budget." So one thing I think I struggle with, at least in my head, is how does somebody come to a business say as a CISO, So say, "Okay," how do they actually set their goals? Like, what, what is achievable? What are we gonna look like? And, and maybe to your point, Garrett, is more about continuing the narrative and making sure that over time, culture changes, because I think that's a very good point. Like, even if you come in tomorrow, fix everything, you're not immune from the risk of cybersecurity. You're not immune from the risk of breach, that's gonna affect everyone. It's gonna only grow in the future.
So I wonder if any of the guests spoke about goals or kind of expectation-setting. I think you kind of almost said it there, but yeah. Kind of you hear about any insights you- you've had with the the guests around that?
Garrett O'Hara: Yeah. So Bruce McCully did talk about this and, and you're spot on, Brad. I reckon that's one of the more tricky things to establish. And no, I don't think it's controversial, but there's definitely discussion in, you know, in the cybersecurity leadership world about what's meaningful as a way to kind of report progress to a board and to get budget. So you probably wanna be doing those [laughs] two things. If there's no progress, you're probably gonna be looking at your personal budget in the short... the shorter term in a way that you don't want to. But you know, a board would wanna see what's, what's meaningful to them. And so many people have talked about this over the last couple of years. It's great to be actually able to say that about the pod the last couple of years that, you know, one of the things you wanna do is move away from, I'm gonna say it, like nonsense metrics.
No one cares about, you know, the number of emails blocked, or the number of malware things blocked. They care about things that are actually meaningful to the business. One of the, the things that we- we're starting to see more of Marco here, who's our uh, CISO in this kinda region and, and myself actually been talking about this a fair bit and actually, so is Dan. But the, the view of risk at an enterprise level is, is starting to become more formalized and almost like an academic breakdown using models like FAIR which starts to take some of the I suppose some of the... Not, not... I mean, yeah, I suppose moving away from humans, putting their finger in there and, and saying, "Well, I think it's kind of like here, you know, in terms of a risk," but actually being much more mechanical about how you break down risk into a very detail level and then parlay that into web, is that acceptable or not, and then okay, if it's not, we need the money to fix it.
The human side of things, I think that's where the, you know, the, the rubber leaves the road, because how do you measure humans? I mean, we do things like phishing campaigns, incredibly useful at a point in time for one behavior. And yes, you could probably say that that's a proxy for all the other security behaviors that make up good cyber security culture; passwords, not leaving your laptop open you know, not talking about business in the cafe, et cetera, et cetera. But that one to me... like, I've heard people talk about it, but I've never heard anything where I'm like, "That's the answer. There we go. Like, we've, we've found our way." And I also think we mistake knowledge for things like engagements, which is a huge problem because Dan, for example, might know that he what's a good example? Might, you know, shouldn't leave his laptop in a café, and go to buy the coffee. But if Dan doesn't care, and I know you do Dan, like, probably terrible example, but-
Dan McDermott: I'll take it. [laughs]
Bradley Sing: Gonna call my CISO, Dan.
Garrett O'Hara: Yeah, seriously. Mark is already, he's already writing the email.
Bradley Sing: I hear the phone's ringing right now. [laughs]
Garrett O'Hara: But but if you... if you're... if you don't care, if you're not engaged, then that's all for naught. And having the information means nothing if you're not actually as a human being doing the right thing in the moment. How do you... Yeah. So I think that's other thing we need to focus on is that cultural side of things engagement.
Dan McDermott: And again, it's, it's, it's fine in, like, you say, even under a simulation, like a Phishing attempt or something like that, but the social engineering side changes again. And it's a bit like we spoke about with the boards and executives practicing for our ransomware. Like, how do people sort of practice under stress for social engineering? And Jenny Radcliffe, the human hacker [laughs] um, you know, provides you know, insightful and, and frightening [laughs] guess narrative around that as well.
Garrett O'Hara: She, she really did you, I think, I can't remember exactly what she said, but it was something along the lines of, she just wants to make it about the human because she knows she can beat them pretty much.
Dan McDermott: Yeah.
Garrett O'Hara: And so, so, so many stories where you, you hear her walking through the, the process of getting through organizations that you would assume the people have been trained and would have been trained to do the right thing to check badges, but because we're all humans, we all have those same hot buttons, those same things that somebody as, as clever as Jenny is able to push and manipulate people. It's... I... you know, funny when I, I think about Jenny Radcliffe, first of all, I absolutely love the conversations. Brilliant. Just amazing storyteller, just so, so good. So, so good. And and then I think if we're like, almost like a David Blaine or David Copperfield, like it's, it's magician stuff, you know, it's that level.
Bradley Sing: Yes. Actually engineering and [inaudible 00:37:12]. Do more of it, guys. Like, if you've got a consult on a third-party, I think that stuff is usually the... can be some of the most impactful things, and it might sound a little bit evil, but if you get somebody like a Jenny to walk into your office, fool a CISO even, or, you know, fool a C-level, and they can start to understand how real this threat can be. I think something like that can be very meaningful because unfortunately, a lot of the times, this stuff is just... it's not visible, right. But as soon as you have that physical presence and maybe that helps change the conversation a bit, but I would do more than just phishing tests. Phishing tests, we've been doing them, you know, for four or five years now, I think we need to make sure we start doing some of this more exciting stuff as well.
Garrett O'Hara: And, and that stuff definitely, I mean, we do, like you hear about pen testing at a tech level on all that, but yeah, the, the, the thing I love doing Jenny Radcliffe's episode was that could... you could see the facial expression of the overly confident execs and boards as she kind of handed them their password or something that they assumed that she could never get to. Like, that's... I, I wish there was a... yeah, there was a photo, collection of photos somewhere of those faces.
Dan McDermott: Indeed. And I think taking it back from the, the very individual human level and something that we discussed earlier around sort of governments and where things are at, and the notion, Garrett, that we are in a cyber cold war, right?
Garrett O'Hara: Mm-hmm [affirmative].
Dan McDermott: And that, you know, that times have changed. What can you tell us about this new battleground of cyber for nations seeking to influence their rivals?
Garrett O'Hara: Actually the perfect guest for that one Dr. Chase Cunningham who was just a, a very, very cool guy in terms of, like, knowledge, but actually just as a human being just a lovely, lovely guy to talk to you know, ex Navy had spent time with a bunch of the three letter acronym agencies in the US. So, you know, proper real deal and also author of a, a couple of books as well. So somebody who is, yeah, like I say, from a cyber perspective the real deal, but we got to talking about yeah, cyber warfare. And and, and as I said, Dmitri Alperovitch also talked about this. I think we're gonna end up talking about this more and more actually because that really is where the battleground has moved to.
And I think we're all psychologically still wired to think F35s and submarines and people in fatigues running across a landscapes and, you know, kinda shooting at each other. But actually, this is all shifted. And in the background, there's a huge amount of suppose, interstate shenanigans happening at a, a cyber level and that, you know, that, that stuff is overt as attempted attacks on se- critical national infrastructure. I've spoken to government agencies here who describe constantly seeing probing from our... some friends of ours um, who are not a million miles away. And I think that's it right? That's the world we live in more and more and more. And there, there was a comment made actually on a call this morning. I was on, sorry, it was last night, actually. And, and they described how there- there's a couple of nations that are kind of wagging or swaging around, like you know, angry drunks, ready to fight, and, you know, and we all know who those, those folks are.
But it is really shifted to, to there. And one of the things that Dr. Chase Cunningham said that I- I've sort of latched onto is that he, he sort of described how, if you're firing live rounds in today's day and age, you're, you've already lost, you know, that's so much of this stuff has shifted uh, to, to cyber, whether that's direct attacks, like I say, on CNI, but also things like influence attacks, which we saw out of the US, where, you know, you see direct direct evidence now of influencing elections. And that, that is huge. And it's incredibly hard to deal with because it's so... it's so kind of surreptitious and in the background. So, like, there is no threat intel feed you can subscribe to, that's gonna tell you, "Hey, our elections are currently being compromised because a particular nation is paying advertising or has a- an army of bots that is doing what Chase calls, you know, influence attacks."
And I find those particularly in, like, kinda nefarious, because I think half the time, we won't even know that they're happening or we might suspect, but it's really... like, who do you point at?
Bradley Sing: I think there in terms of political influence as well. Like, one thing I've observed is, you know, whilst, you know... I think America's been the, the use case we've talked about, or, you know, the, the elections over there. But if we look at countries like India, Israel, Armenia, Ethiopia, like, in a lot of these more... I guess, more developing countries to a degree, a lot of individuals that don't have a computer, they might have a phone, and they might only have WhatsApp or Facebook on their phone. Like, that's their one key way of connecting to the world really, or in terms of media information. And there's been a lot of evidence to suggest that I believe in some instances like you know, political groups going up to like Facebook's offices or WhatsApp offices and demanding, they delete or remove content because it's anti-government or whatever it may be.
And that concept's really frightening, but also very unpoliced, I think, in the developing world and in other countries outside of like, you know, Australia and America. Also just quickly on the... on the concept of, I guess, combat fatigues and thinking about kind of the interlay of, of, of, of warfare and cybersecurity, if we look at traditional and conventional warfare, there's, there's a big shift at the moment towards new night vision technology. And that's because I think 20, 30 years ago, American and all of us were really danced with night vision technology. And that's why we've screwed all night raids, I guess. But over the years, night vision technology has definitely gotten a lot smaller. And now in Afghanistan, as an example, I think they've got a bunch of night vision, but anyway, so the American government are working towards upgrading all their kit.
And it's really cool. But basically, they can see a lot further, they've got this really heavy thing they put on their head and it connects to all of the other troops in their spot as well. And they can like a heads up display and even, like, mark targets with their eyes or something. And then another person can see it. What I'm thinking is that when happens, if I'm sitting there with a laptop and I hacked all these guys helmets, and then something they all blind or whatever it may be. But just, yeah, fascinating in terms of, I guess the amount of IOT utilization. And it sounds like a video game to me, to be honest.
Garrett O'Hara: I was gonna say, is there mods for aug- augmented reality where you could have like pixelated people or characters?
Bradley Sing: Well you can. It's doable now. Like, on the topic of VR, you just gotta spend a lot of money. I hear like, yeah, basically a lot of money, you could do it. I think somebody set up one the other day where they... It was like a horror game or something, but if you got... did a certain thing, it like put water on you or whatever it was. So, like, 4D or if you will. But I mean, yeah, there's another idea, right? As we start to move into the, the realms of VR and stuff, and, and that more kind of interconnection, what are the cybersecurity risks there as well?
Dan McDermott: Well, we've spoken a lot about, I guess, the review of the year and in cybersecurity sometimes, you know, it can be a bit scary and a bit negative, but one of the positives coming out of, of the year is, is that we started to see the good guys fight back a bit. We saw [inaudible 00:44:13] being severely disrupted by Europol early, earlier in the year. We've seen the REvil gang vanish from existence for now. What can we say about, you know, the success of sort of, I guess the law enforcement side coming in to actually stop the cyber crimes?
Garrett O'Hara: It sort of feels like the war on drugs, isn't it? Where, how long has that gone on and how successful has that been? A long time and not very, probably the answers to both of those questions. And like, unless fundamentally, some stuff changes in the world. I mean, I really don't see how cyber crime goes away. It's... I mean, crime has been with humanity as long as humanity's been around because we're now a technological society or developing towards that. Those two things are intrinsically linked, and you're, you're just gonna see some version of cyber crime continue. And, you know, we've dealt with ransomware, we've dealt with BEC. There will be things. Like, there will be new things that we've... no one's ever thought of and, and one day will happen and, and we'll all kind go, "Oh wow. That's, that's kind of scary. And that's, that's crazy."
So, like, my two cents is, unless we have, you know, universal, basic income around the world and create some kind of utopic society, like how, how does this go away? We won't... we won't see it from any level of law enforcement. We won't see it from technology. There is no panacea, but I think what we can do... and we have to fight the fight. Like, that's the thing. So it's not like we can go, "Well, yeah, it's just gonna keep on going. So let's, let's not bother." What we will see, I suspect more of is, is better technology. Better practices. The... I think that it's fair to say cyber security has absolutely elevated in the zeitgeist over the last 18 months. It's just... it feels different to me in a very, very meaningful way.
And I think with that, you'll see better budgeting for cyber security, more attention being paid to it. It'll become much more formalized or codified as a, you know, a part of a business in much the same way as we've, you know, just general- generally done this risk analysis in, in a business. But you know, when I think about somebody sitting in a, a country or, or jurisdiction where there's no opportunity to make money, but you've got access to a laptop and the internet, and that's incredibly compelling.
Bradley Sing: To get the nail on the head there, Garrett, like you are right. I think comparing to the war on drugs, like if people are desperate, if, if they need money, like we've, we've seen reports of traditional kind of, I guess, gangs who would do, you know, breaking and enterings hold-ups, move towards doing fraud because the jail time's less, and it's a much safer job [laugh]. So I think you're 100% right. It comes back down to people, right? Like, as long as people are... need money, unl- unless we can solve that problem, which I don't think been able to solve things like world hunger or wherever will, we're gonna have to live with it, and we- we're gonna have to learn to be resilient.
Dan McDermott: So we'll finish off with a look forward. What is 2022 gonna bring us from a... from a cyber perspective? Garrett, kick things off for us.
Garrett O'Hara: Yeah, these are... these are always, so it's so interesting when you kind of think about what's gonna happen. 'Cause putting a timeframe on it is probably the, the hard part, but these are things that I suspect we're gonna have to think about. The first one has been talked about quite a lot over the... not recently it's gone on for quite some time, but you know, the idea of deep fakes actually, something that we, we talked about with Dr. Chase Cunningham at length as, as well. But you know, it's been covered in, in the media. And there's been two kinda relatively sizable incidents where deep fakes have resulted in organizations being compromised, so, you know, BEC.
And I think, you know, everyone on this call would know like deep fakes is the idea that you can use ML to analyze a big data set of somebody's voice, for example and then create a machine version of that. So, you know, it's indistinguishable and when, you know, Dan McDermott calls up and says, "Hey Garrett, you know, do X, Y, Z." And I kind of go, "Oh, that's Dan. I know Dan's voice." And what we got to the point of is real-time deep fakes. So if you think about, you know, I'm talking to you now, and I'm using, you know, my normal Irish accents and saying the words in English, but you know, the good use of this technology is that I could quite easily using you know, real-time translation be talking in Mandarin in female's voice, and that's fine.
Um, but what you can actually start to do is then what, what does that voice sound like? And in real-time as I'm having a conversation with you on the phone, I actually sound like the executive that's gonna authorize a, a change of some sort. Many organizations, you know, we talk about people process technology, many organizations build protocols for authorization or checks based on a phone call because we all assume that it's human beings. We're gonna know what Brad sounds like. We're gonna know what Daniel sounds like, but actually, we're getting to the point where those protocols and processes are gonna start breaking because it will become very easy to make a phone call that sounds like somebody else. And yes, you could say, "Well, the phone call has to be coming the inbound, blah, blah, blah." Like... but here we are, we're back to social engineering and ways where you can easily sort of manipulate a situation, so that, that isn't the case.
Now, if you think about it, when you talk to your bank, how often do you hear some version of, you know, we're gonna record your voice for, you know, authentication. I mean, that's just starting to feel like a really bad move to me these days. And I think I'm starting to feel more and more funny about biometrics in general. So sorry, I'm going off track here. So prediction and nobody please, nobody check-in in 2022, if this was true or not check in-
Bradley Sing: Check in. Come back, guys, please.
Garrett O'Hara: I'm gonna say that we're gonna have to start evaluating that use of protocols or processes at a human level to start thinking about what it means when we... when we get phone calls that are deep fake, real-time. And then let's start thinking about what it means when video becomes in a, you know, a doable thing. I think at the moment, it's probably pushing available processing power, but it, we will get there. There will be a point where I, I, you know, we like get far from the podcast and you can just pay somebody to type a script and then say some stuff, and no one's gonna know the difference, right? We will get there eventually.
Dan McDermott: So I did feel as though you were in deep fake mode when you called me Daniel. So that was-
Garrett O'Hara: Sorry.
Dan McDermott: So that sort of was a giveaway [laughs]. I thought. Has deep fake technology really gotten that far? Because I remember seeing some... I don't know if it was Tom Cruise or who it was, but the phenomenal ones deep fakes made by like an ex Hollywood CG artist. And I think to do it, to like that level, like, it did require a lot of pre-processing and, and kind of rendering and stuff, but yeah, like, are, are we that close?
Garrett O'Hara: For video, I'd say we're a little ways away. Like, I don't... I don't think that's in the short term, and that does take a, a bit of time to, to make convincing and get rid of glitches. Like, that's the thing it's done by machine. So every now and again, it'll glitch. But the voice stuff that, that is just intrinsically easier, you know, it's just, it's sound is a, you know, the complexity of an image is, is a completely, completely different thing and requires different levels of processing. So yeah, it feels like we're, we're not a million miles away from there. And, and that... if I could... if I'm... some runway here, 'cause it kinda leads perfectly into, like, my next prediction, which is we're gonna see huge excitement and adoption of stuff, like passwordless authentication and-
Dan McDermott: I've started.
Garrett O'Hara: Yeah. And that's the reaction and, and so do I, right? I mean, I think passwords are... they're awful. Unless you're using a password manager and then I'm actually-
Dan McDermott: They're still awful. I've got like hundreds now. It's, it's got to the point where like... it's, it's as easy, don't get me wrong and I've got it set up, so it's all face ID, one click. But so many passwords. And they're not all the forms, and web forms and websites actually work with the password manager. Like, most of them do, but they don't. And then, ah, it's just a bit of a mess.
Garrett O'Hara: So, so you're clearly an advocate for passwordless authentication, which I think is gonna be good. The, the issue that I would have then is when it comes to the, the thing that's gonna replace the password quite often, that's gonna be an inherent factor or a thing you are, right? So your iris or your face or your fingerprints-
Dan McDermott: Your voice.
Garrett O'Hara: ... your voice. And we need to start thinking about what it means if, if those things can be compromised in some way. And there's been academic proofs where you can see things like master fingerprints um based on ML kind of analysis of the very small sort of surface area that is to, you know, check a fingerprint. You don't get to change your fingerprint or your face. So I think that needs to be a, a conversation. And then my last one is, you know... and we've seen a little bit of this, but, you know, Colonial where the impact was, was pretty significant, and the panic that ensued around availability of oil and petrol and stuff.
I think we're gonna see some big things this year and, and maybe more in, in nations uh, where the security forces aren't as mature as, as some of the, the more developed nations and, and, and maybe some severe impacts to to human beings and their ability to, to kind of go about their day-to-day lives in a way that we haven't really seen before, like true kind of panic stations. We've had a little taste of that with the COVID and, and how everybody went and bought a, you know, ton toilet paper. There's no reason whatsoever that a, you know, significant cybersecurity impact edge could impact a country in a way that causes the same panic.
Dan McDermott: Indeed, I guess I have two quick ones. One is we're heading into a federal election, and I think cyber will be a key platform for, for the election. And I think that there needs to be a re-imagining of how government supports small businesses to become... that raise that cyber health and cyber hygiene that they have across the board. Not predicting what the answer is, but predicting that something needs to be done and not just call it out as, as a challenge and, and the soft underbelly of cyber being SMB. That's nice, but what is the actual response to that going to be is one. And the second one that is, is continuing trend, I think, is around the skills shortage and diversity in cyber overall and what that means for everything.
And, you know, we had a, a recent episode hosted by Amy Holden around, you know, getting more females into, into cyber and what that means and having great guests on board. And I think that that diversity and that inclusion and helping... having that to help address the skill shortage, as well as all the training and all those sorts of things that will happen. Both of those I think are, are gonna be big things for 2022.
Bradley Sing: I'll do a quick one just 'cause I don't have time for one, but IoTs. And I think I might even said this last year, but it's IoTs for me are just the most interesting in the world and I'm, I'm looking at all these little COVID check-in device things that people set up at the start of the pandemic and I'm thinking how many of you have updated on the day you installed them?
Dan McDermott: Well, terrific. I think on that note that brings this week's episode and this year's series to a close. So firstly, a huge thanks to Brad and Garrett. I appreciate your insights as always. I'd also like to thank our incredible guests who are extremely generous with their time and we couldn't deliver the value of the show without you.
Also, I want to give a big shout-out to our backroom crew who make the magic happen. Dave and Matt from Green Hat who are our magicians in producing the show. And Mel from Mimecast who helps us generate interest and grow our audience. Which leads me to the final thank you for the year, and that is to you, our amazing loyal listeners. And we do this for you and appreciate you spending time with us each week. We'll return in February for season five until then, thanks for listening. Have a wonderful Christmas and holiday period, and always, stay safe.