360 Degree Cyber Security, LLC

Tag Archive:smallBiz

Be Proactive – Not Reactive

October 15, 2017 – Cybersecurity is not ONLY about responding to ransomware or a hacker but also about being prepared to prevent an attack from happening. When you are prepared to prevent an attacker from entering your computers or network, you make it difficult for them to be successful. For an attacker, that means they will have to spend more time trying to get what they want. If their goal is simply to hold your computer and information for ransom, then they will likely move on. If it is your information that they want, they will expend the extra time to get it. But who said you had to make it easy?

So, what can you do? Well, a lot. But don’t despair. It may not cost you a lot to implement. Let’s follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework. In the framework there are two areas that are easily addressed: Identify and Protect.

Identify

Asset Management – Get a list of EVERYTHING that processes information electronically. It could be a security camera connected to your network, your computers & servers, a printer, all your network devices, etc. Record what it is, what operating system it runs (Windows, Linux, macOS, etc.) and what software is installed on it (Office 2016, Adobe Reader, Adobe Flash, and the other programs you use). If it is a device like a printer or a security camera, record the brand and determine the firmware version.

Protect

Maintenance – Update your software and firmware when new versions are available, as they may address security flaws in the software. For Windows and other applications, updates are provided monthly. Others, not so often. Check with the developer and see if they have an email list you can join to be notified when there are updates.

The longer a security flaw remains in your software or firmware the easier you make it for an attacker to be successful in taking or ransoming your information. But by doing these two things, you have done a lot to protect your information and taken a proactive stance in preventing an attack from being successful.
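One way to keep the Identify and Protect steps above in a form you can check, as an added example that is not part of the original post. The record fields follow the post; the device names, product names, versions, dates and the 35-day review window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumption: a device not checked for updates in this many days is overdue
# (just past a monthly update cycle).
REVIEW_WINDOW_DAYS = 35


@dataclass
class Asset:
    name: str
    kind: str                                      # "computer" or "device"
    os: str = ""
    software: dict = field(default_factory=dict)   # product -> installed version
    brand: str = ""
    firmware: str = ""
    last_update_check: Optional[date] = None


def version_key(version):
    """Turn '11.0.3' into (11, 0, 3) so versions compare numerically.

    Comparing the raw strings would rank '2.10' below '2.4'.
    """
    return tuple(int(part) for part in version.split("."))


def audit_asset(asset, latest, today):
    """List what is missing from the record and what is behind on updates.

    `latest` maps a product (or '<brand> firmware') to the newest version the
    vendor has announced, e.g. collected from vendor notification e-mails.
    """
    findings = []
    if asset.kind == "computer":
        if not asset.os:
            findings.append("record the operating system")
        if not asset.software:
            findings.append("record the installed software")
    else:
        if not asset.brand:
            findings.append("record the brand")
        if not asset.firmware:
            findings.append("record the firmware version")

    installed = dict(asset.software)
    if asset.brand and asset.firmware:
        installed[f"{asset.brand} firmware"] = asset.firmware
    for product, version in sorted(installed.items()):
        newest = latest.get(product)
        if newest and version_key(version) < version_key(newest):
            findings.append(f"update {product} {version} -> {newest}")

    if asset.last_update_check is None:
        findings.append("no update check on record")
    elif (today - asset.last_update_check).days > REVIEW_WINDOW_DAYS:
        findings.append("update check overdue")
    return findings


def audit(inventory, latest, today):
    """Return {asset name: findings} for assets that need attention."""
    report = {}
    for asset in inventory:
        findings = audit_asset(asset, latest, today)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample data: names, versions and dates are made up.
SAMPLE_INVENTORY = [
    Asset("front-desk-pc", "computer", os="Windows 10",
          software={"ExampleReader": "11.0.3", "ExampleOffice": "16.2"},
          last_update_check=date(2017, 10, 10)),
    Asset("office-printer", "device", brand="ExamplePrint", firmware="2.4",
          last_update_check=date(2017, 6, 1)),
    Asset("lobby-camera", "device", brand="ExampleCam"),
]
SAMPLE_LATEST = {
    "ExampleReader": "11.0.10",
    "ExampleOffice": "16.2",
    "ExamplePrint firmware": "2.10",
}

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY, SAMPLE_LATEST, date(2017, 10, 15))
    for name, findings in results.items():
        print(name)
        for finding in findings:
            print("  -", finding)
```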

If you need assistance, let us know.  We’ll be glad to help you become proactive!

Delaware’s Updated Privacy Law

August 23, 2017 – BLUF: We highly recommend that you contact an information security professional regarding this legislation.  If not us, find someone who can help you determine if you are doing what needs to be done to stay within the guidelines of this legislation.

On 17 August, 2017, Governor Carney signed legislation that improved cybersecurity protections for the citizens of Delaware and goes into effect in April. It improved on the original cybersecurity legislation written nearly a decade ago. House Substitute 1 for House Bill 180 (http://legis.delaware.gov/BillDetail?legislationId=26009) provides for additional protection requirements where personal information may be compromised as the result of a breach. In the event of a breach of personal information, the legislation requires notifications and free credit monitoring services for those whose Social Security information was potentially disclosed via the breach.

The updated legislation now includes a definition that is used to determine if a breach of security has occurred. A breach has occurred when “a person who owns, licenses, or maintains computerized data has sufficient evidence to conclude that a breach of security of such computerized data has taken place.” Reporting of a breach is left to the holder of the data to have the integrity to come forward and announce that they have had a breach. The key word in the legislation is determination. It has to be determined that a breach occurred before any reporting is required. Who determines? Who makes the call? At any rate, the organization has 60 days from the date of determination to make notifications (as long as it does not ruin a police investigation).

The legislation also introduces encryption to the lexicon. It states that encryption is required, but it doesn’t provide a minimum level of encryption. The only statement is that the information is “rendered unusable, unreadable, indecipherable through a security technology or methodology generally accepted in the field of information security.” This is a problem: depending on the source that you consult, the organization could end up with an encryption standard that is reversible. Some developers roll their own crypto algorithms, which are later found to contain faults.

The legislation states that organizations must protect by encryption personal information, which is defined as a Delaware resident’s first name or first initial and last name in combination with any 1 or more of the following data elements that relate to that individual:

  • Social Security Number
  • Driver’s license, state, or federal identification card
  • Account number, credit card number or debit card number in combination with any security code, access code or password that would permit access to a resident’s financial account
  • Passport number ***added***
  • Username or email address in combination with a password or security question and answer that would permit access to an online account ***added***
  • Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional or deoxyribonucleic acid (DNA) profile. ***added***
  • Health insurance policy number, subscriber information number, or any other unique identifier used by a health insurer to identify the person. ***added***
  • Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes. ***added***
  • An individual taxpayer identification ***added***

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

 

Risk – How do you know?

March 4, 2017 – It is a simple question, asked when a piece of knowledge needs to be validated in some way, and it typically leads to follow-on questions.

So, when it comes to information risk let me ask you… “How do you know?”

How do you know what the risk is to your technology infrastructure or the information that you use? Have you identified the risk to your business? Identifying risk will help your organization (micro, small, medium, to mega sized) begin to prepare to address the risks that can present themselves to your business. In some industries, there are mandatory requirements to address risk via a risk assessment (HIPAA, PCI, etc.).

The process of assessing risk is straightforward. To begin, identify what you have that could be at risk (databases, intellectual property, web site, servers, computers, users, network, etc.). Of those items, if something were to happen to them, what would be the impact? The loss of a laptop might not be considered a major impact, but what if that laptop had confidential or health care related information on it? Then the impact would be high.

In order for risk to be realized against those devices, there needs to be a vulnerability. A vulnerability is a weakness that would allow a threat to be successful in disrupting the organization. Vulnerabilities come in different forms. They could be a vulnerability in the computer’s operating system or software. They could be in a physical form, for example having a customer service window that would allow access to information or devices nearby.

Once you have identified what could be at risk and the associated vulnerabilities, think about what might disrupt your business operation or affect the business’ brand if those items have vulnerabilities that are subject to various types of threats. Identifying the threats can be the fun part. For example, an attack by Godzilla or aliens from Mars. Yes, those are unrealistic and the risk from those particular threats is extremely low if not zero, so they are discounted. However, realistic threats to your business may come in the form of the examples listed below. Don’t forget that a threat can be accidental or intentional; include both types of threat when identifying risk. There can be many more than these; it is up to you how far to go in identifying the threats.

  • Environmental
    • Fire
    • Flood
    • Tornado
  • External
    • Hackers
    • Vendors
    • Customers
    • Criminals
  • Internal
    • Employees
    • Equipment failure.

This is just the first part in dealing with risk. Identifying the what, how, and why of risk to your business critical information is followed by addressing the risk and then making a determination on those items that can’t be addressed.

Helping small business understand what is risk


Gas station in Plainwell, MI that still does not accept credit cards at the pumps.

To help businesses understand what is at stake in their business when it comes to information technology, it helps to show them the value of what they have as assets and then apply a level of risk to that asset.

Rarely do you find a business anymore that does not use a computer of some sort. Gone are the days of credit card carbon slips, paper ledgers, and hand-drawn engineering diagrams. We are striving to do more with less to increase profit. In this effort, we reduce what is at stake in one way and see increases in others. For example, in my recent travels to Michigan, I stopped for gas at a gas station that did not have any card readers on its pumps. While I do not know why, it provides a good example of what is at stake by not adopting technology: the threat of credit card theft is reduced, but at the expense of having people drive off, as it provides a different experience than other gas stations.

To that end, businesses of all sizes that are adapting to new technology to remain competitive may not understand what is at stake by not addressing the risk of implementing it. Does your small business understand what is at risk by providing free and open Internet access to your customers? How about the risk of placing card readers on the gas pumps? Do the benefits outweigh the risks? What information does your business have or use? What happens if that information could be used to embarrass your business? What can be done to reduce the effect on your business?

The effect can be reduced by identifying risk, and that starts with identifying what you have at stake. Don’t think of what is at stake just physically, because what you have is more than the physical devices that you may have purchased. For example, the laptop that you bought may have only cost $300. The value of the laptop itself may decrease (likely), but what about what you have been doing on that laptop for your business? How much information do you have stored on it (think contracts, projections, plans, contacts, etc.)? What is the value of that information? Do you now see that the laptop is worth a lot more than just the value of the physical device? Identifying what you have is designating what you have as assets.

Weaknesses in the laptop represent vulnerabilities. These weaknesses can come in the form of how susceptible it is to damage (physical or logical). For example, the laptop is a portable device that contains various pieces of installed software and the information that is important to your business. Each of these items is a potential vulnerability with different weaknesses. But these weaknesses don’t necessarily mean your information will be lost.

Look at the weaknesses. What or who might take advantage of or exploit those weaknesses? The threat could come in the form of the user having an accident: for example, accidentally spilling Starbucks into the keyboard, losing it at the airport or mall, or dropping it on the ground. Or the threat could be external: your house or place of business catches on fire; a meteor smashes a hole through the computer; or someone steals it. How about cyber criminals infecting the laptop with malware when you innocently visit a website of interest? Threats can come in many different forms and it is necessary to identify threats, even the hypothetical and far-fetched ones.

Given the look at the weaknesses and threats, the question that begs to be answered is “What is the likelihood?”   The chance that a meteor might smash a hole through the laptop is pretty slim.  That someone would steal your laptop is higher.  By identifying what risks exist, a small business can address the threats in a way that would reduce the risk.

For example, with the laptop, what can be done to keep from losing the information on it if it is stolen? Maybe you could encrypt the hard drive. Use cable locks to secure the laptop. Keep it with you and don’t leave it in a car. What about that meteor leaving a hole in it? Back up the information off of the device. These actions are called mitigating actions, in that they mitigate the risk by reducing the likelihood that the weaknesses we identified would be exploited.
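The laptop walk-through above, and the asset, vulnerability, threat and impact steps from the earlier "Risk – How do you know?" post, written as a small risk register. This is an added example, not part of the original posts; the 1 to 5 scales, the individual scores, the rating thresholds and the size of each mitigation's effect are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumption: likelihood and impact are scored 1 (lowest) to 5 (highest) and
# risk is their product; the posts themselves do not prescribe a scale.


@dataclass
class Mitigation:
    name: str
    likelihood_cut: int = 0   # points this action removes from likelihood
    impact_cut: int = 0       # points this action removes from impact


@dataclass
class Risk:
    asset: str
    threat: str
    weakness: str
    likelihood: int
    impact: int
    mitigations: list = field(default_factory=list)

    def inherent(self):
        """Risk before any mitigating action."""
        return self.likelihood * self.impact

    def residual(self):
        """Risk left after the listed mitigating actions (never below 1x1)."""
        likelihood = self.likelihood - sum(m.likelihood_cut for m in self.mitigations)
        impact = self.impact - sum(m.impact_cut for m in self.mitigations)
        return max(1, likelihood) * max(1, impact)


def rating(score):
    """Assumed thresholds for a 5x5 matrix."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def register(risks):
    """Rows of (threat, inherent, residual, rating), biggest remaining risk first."""
    rows = [(r.threat, r.inherent(), r.residual(), rating(r.residual()))
            for r in risks]
    return sorted(rows, key=lambda row: (-row[2], row[0]))


# Constructed scores for the $300 laptop that holds contracts and plans.
BACKUP = Mitigation("back up the information off the device", impact_cut=2)
SAMPLE_RISKS = [
    Risk("laptop", "theft", "portable device", likelihood=4, impact=5,
         mitigations=[
             Mitigation("encrypt the hard drive", impact_cut=3),
             Mitigation("cable lock", likelihood_cut=1),
             Mitigation("keep it with you, not in a car", likelihood_cut=1),
         ]),
    Risk("laptop", "spilled drink", "susceptible to physical damage",
         likelihood=3, impact=4, mitigations=[BACKUP]),
    Risk("laptop", "meteor strike", "susceptible to physical damage",
         likelihood=1, impact=4, mitigations=[BACKUP]),
    # No mitigating action recorded yet, so this one stays at the top.
    Risk("laptop", "malware from a website", "installed software",
         likelihood=3, impact=5),
]

if __name__ == "__main__":
    for threat, before, after, level in register(SAMPLE_RISKS):
        print(f"{threat:24} inherent={before:2} residual={after:2} {level}")
```

Sorting by residual rather than inherent risk shows which items still need a decision once the mitigating actions are counted.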

Identifying what is at stake and determining what the risk is based on the weaknesses and the identified threats will help small businesses make informed decisions on the actions necessary to protect their information and ultimately their business, brand, and good name. If you need help identifying what is at risk for you, do not hesitate to reach out to us at info@360cybersec.com.

 

Do you KISS? I do!

 

I am all for the KISS methodology. Keeping Information Security Simple (KISS) has to become a basic tenet. It is how we as information/cyber security professionals can help small businesses, municipalities, and non-profit organizations realize some measure of information security.

 


Here are some simple methods that won’t deplete your profits and apply to businesses of all sizes (1 person to 100,000 employees).

1.    Encrypt your mobile devices. Laptops, tablets and cell phones are treasure chests full of goodies. We store everything on them. The days of the rolodex and the personal organizer/binder have given way to the electronic organizer. It used to be that if we misplaced our day planner we would feel lost and maybe even anxious, as a lot of information was stored in that book.

All that information has migrated into the digital age and is now present on all sorts of mobile devices. Newer phones have enough processing power in them to encrypt the contents of the phone until the device’s owner enters a password to decrypt them. The encryption is part of Android and Apple iOS. It is also possible to encrypt the hard drive of your laptop in a similar manner. If you use Microsoft Windows, spend a little extra money and purchase the professional edition. It includes BitLocker, Microsoft’s utility for encrypting hard drives.

If you lose the mobile device, you are not likely to lose the encrypted information to unwanted eyes.

2.    Use complex unique passwords for every account. I know, I know! I hear it all the time. I have this large number of accounts that I need to remember, how do I do it? There are a number of articles out there for crafting complex passwords that are easily memorized. However, I offer that you only need to remember one or two. Use technology to help you create and remember the rest.

Use password managers such as Sticky Password, LastPass, KeePass, etc.  Each offers certain capabilities that should fit with your business model.  Check out http://lifehacker.com/5529133/five-best-password-managers for a review of some popular ones.

For the one or two passwords you need to remember, create passwords that really have nothing to do with you. One of the first things an attacker will do is profile their target. Anything on the Internet about you can be used against you to build a list of words. So when you choose a password, don’t use your favorite team, vacation place, family member names, etc. For example, choose three or four unique nouns that are somewhat related, but not directly. Maybe you have three foods you don’t like: lasagna, buffalo wings, and prunes. These three items make an excellent password, as it is something you are not likely to write to the world about. So let’s make a password out of it….

buf2alopRunel@$@gu@

or plainly buffalo prune lasagna. (sounds nasty!) But it is a set of words that in plain text don’t make sense, and if you apply some character substitution to them it becomes a long (in this case 19-character) complex password. Come up with a consistent method for changing the letters. In this example I:

  • When there are two of the same letter next to each other, I only put one and follow it with a 2.  So Mississippi would be mis2is2ip2i
  • I chose that the second letter of the second word must be capitalized making prune into pRune
  • Finally in the final word I use character replacement.  I replaced the a with an @, I replaced the s with a $ and I used ‘u’ for the letter ‘n’

Choose a similar way to develop your own password and apply your own password style and use that password to control access to your password manager.  Then let the password manager create complex random passwords for everything else.
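The three rules above, written out so the result can be reproduced and checked, together with a check that none of the chosen words comes from what is publicly known about you. This is an added example, not part of the original post; the function names and the sample profile are assumptions made up for illustration.

```python
import re

# Rule 3: character replacement used in the final word (a -> @, s -> $, n -> u).
FINAL_WORD_SUBSTITUTIONS = str.maketrans({"a": "@", "s": "$", "n": "u"})


def collapse_doubles(word):
    """Rule 1: two of the same letter in a row become the letter and a 2."""
    return re.sub(r"([a-z])\1", r"\g<1>2", word)


def capitalize_second_letter(word):
    """Rule 2: the second letter of the word is capitalized."""
    return word[:1] + word[1:2].upper() + word[2:]


def build_passphrase(words):
    """Apply the post's rules: rule 1 to every word, rule 2 to the second
    word, rule 3 to the final word, then join the words with no spaces."""
    if len(words) < 3:
        raise ValueError("the scheme in the post uses at least three words")
    parts = [collapse_doubles(word.lower()) for word in words]
    parts[1] = capitalize_second_letter(parts[1])
    parts[-1] = parts[-1].translate(FINAL_WORD_SUBSTITUTIONS)
    return "".join(parts)


def profile_hits(words, profile):
    """Return the chosen words that also appear in things known about you
    (favorite team, vacation place, family names, ...)."""
    known = {token for phrase in profile for token in phrase.lower().split()}
    return [word for word in words if word.lower() in known]


# Constructed profile of a made-up person: team, vacation place, pet name.
SAMPLE_PROFILE = ["Springfield Tigers", "Lake Placid", "Rex"]

if __name__ == "__main__":
    chosen = ["buffalo", "prune", "lasagna"]
    print("words tied to the profile:", profile_hits(chosen, SAMPLE_PROFILE))
    result = build_passphrase(chosen)
    print(result, len(result))
```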

These are just two quick examples of KISS that improve information security and don’t require a lot of cash.  I will write more examples in later posts.

State of Cyber Security in the First State

This week ethical and unethical hackers and cyber security professionals from all over the world are gathered in Las Vegas for two of the largest cyber security conventions, DEFCON & Black Hat.  DEFCON attracted nearly 15,000 people in 2014 and Black Hat attracts cybersecurity professionals from different industries.  Attendees to both conferences have differing motives and come from various backgrounds and experience. The attendees represent government, commercial, and criminal entities.

 

As a cyber security professional, I am always looking for ways to improve the cybersecurity of my clients. Sometimes, it is just a good idea to take a step back and look at the forest as a whole and develop a general idea of how much cyber security is being addressed. I recently conducted a survey to determine just how many openly Internet accessible devices there are in the state of Delaware. I used an online service called Shodan and it revealed that there are nearly 1.2 million devices advertising services that are tagged as being in the state. This can be deceiving in that some organizations in the state use web service or Internet service providers (ISP) in other states. Despite that, it provides a decent snapshot of the general security of Internet connected devices. Let’s put the numbers retrieved from Shodan into perspective: the U.S. Census Bureau estimates that in 2014 there were over 935,000 people that call Delaware home. That roughly equates to 1.3 devices publicly accessible on the Internet for every person in Delaware. That does not include the number of devices that are not advertising their services even though they are connected to the Internet.


Those that do not advertise their services are safer than those that do. Of those that are advertising their network services you will find schools (public & private schools, colleges & universities), hotel chains, car dealerships, places of worship, medical and dental treatment facilities, law offices, newspaper agencies, etc. The services open to the world included printer and file systems. The file systems exposed employee names, projects and sensitive documents such as financial information. Without actually entering their system, I was able to observe the filenames and folders that data was stored in. This enabled me to determine the business’ name, and with a simple Google search I learned that this particular business was owned by a politician. Just think about the ramifications if a hacker with criminal intent had found that open system. Fortunately for them, as a professional I reached out to the business and they were able to close the hole to the Internet by which their data could have leaked.


In another example an industrial facility, which I was not able to contact, exposed similar information, but had internal machinery exposed to the Internet as well.  It would not have been too difficult to modify the machinery processes by stopping the equipment or preventing it from stopping.  That very scenario played out late last year at a German steel mill in which a blast furnace was damaged.
 
During my survey, I literally found a gas station where I could have changed (if I was a bad guy) the quantity of gasoline in the storage tanks. Just think about it: I could have said the tanks were full, so a new supply might not have been delivered, which could have led to the station running out of gas. Worse yet, I could have reported the tanks near empty, which would lead to them potentially being overfilled. Admittedly, I don’t know if there are any safeguards in place to prevent an overflow situation, but if those failed, the service station could be looking at paying for the clean-up.
 
I saw a number of servers connected to the Internet that would be easy prey for cyber attackers. The information on the server may be worthless, but to the attacker it can be a way of disguising an attack on a larger and more lucrative target. Reminds me of how children say “it wasn’t me.”


These examples represent how small businesses can potentially become a target for cyber attackers. Hackers with criminal intent may look at the advertised network services as a potential entry method to get into the business’ network. This can result in the installation of malware or ransomware, which can have devastating effects on your data and that of other businesses you connect with.


The most alarming part of the survey was that quite a few critical infrastructure related organizations are open to the Internet. This includes water companies, fire and EMS organizations, and electricity providers. Of the organizations found, some are subject to compliance reporting due to the data they process or infrastructure they control, yet were found to be open and easily identifiable. After all the news about BlackEnergy2 and breaches of OPM, Anthem, UCLA Health System and others, basic cyber security is still not being adequately addressed.


Large corporations typically have teams addressing cyber security.  Mid-sized and large small businesses may have assigned staff or dual hat their IT staff with some of the functions.  However it is the truly small business (less than 150 employees) that represents the greatest cyber risk.  This includes everything from the small mom and pop corner store to the businesses that provide mechanical or financial services.  They typically don’t have an IT staff or they contract it out to a managed service provider.  There are well documented examples where businesses thought they had cyber security addressed but in fact were not prepared at all.  Those businesses have the ability to bring corporations to their knees as they spend millions to fix the damage.


The lack of preparation has its costs. The cost of a breach continues to rise. The cost is dependent upon the information lost, as indicated by the IBM sponsored 2015 Cost of Data Breach Study: Global Analysis by Ponemon Institute, LLC. In the study, the average cost per stolen record runs about $154, with healthcare related data costing as much as $363 per record. The cost per record is driven by direct and indirect costs. The direct costs include notification (which is required in Delaware), investigation, and remediation of the breach. Indirect costs have the most substantial effect, as they take into account the potential loss of customers once a breach is made public, often by an external entity. Cyber insurance MAY help absorb the cost of a breach, but recently, insurance companies have started to decline payment if a business fails to implement any sort of cyber policy or practices.


In the end, it comes down to businesses of all sizes and in all industries in the First State to address cyber security.  Failure to do so can leave us with small businesses that drive the economy failing by not being able to recover from a breach.

 

Have you addressed Information Risk?

No question about it. There are a lot of risks in running a business. Cash flow, employees, suppliers, insurance, compliance, fire, flood, payroll, maintaining clients, gaining clients, and on and on and on. But what about Information Risk? I find that most businesses lump Information Risk into “if it works, why bother” or “I have IT handle it.” However, few realize the importance of addressing information risk, and that by addressing it, you may be helping address other areas of risk and potentially reducing the risk.

There are seven common areas associated with information risk that when evaluated will help provide you focus when addressing risk management.  

Physical Damage – The container that contains your vital information is damaged.  The container could be your server, desktop computer, filing cabinet, desk drawer, or the box of receipts in the closet.

Humans – Humans are notorious for making mistakes, some make more mistakes than others.  🙂  Joking aside, humans (aka employees or the boss) account for a good portion of data loss.  The loss could be unintentional or as we have seen in the news very intentional.

Equipment Malfunction – Ever have that cringing feeling as you hear your computer make some very weird noises and beeps?  Especially after you have been working on something major?  What do you do?  How do you recover that data?

Internal or External Attacks – We have seen the news about Target, Home Depot, Sony, Anthem, etc.  They all represent external attacks.  What about that disgruntled employee that can hack your server’s admin account?

Misuse of Data – Now that the employee has hacked your server or maybe it is someone that already has access to the data, they run down the street to your competitor after copying any proprietary data that belongs to your business after hacking you from inside.  A good example of theft and how the data is being misused.

Loss of Data – This is where the crypto-locker ransom-malware comes into play.  An employee unintentionally adds malware that encrypts the data preventing you from getting to it.  Unless of course, you pay a ransom.

Application Error – This one almost got me a few years back.  I had a tax-preparer  do what they do.  When they were done, they said I owed the state nearly $5000.  There is no way that is correct I told them.  They said that is how their system calculated it.  Ok. Fine.  I didn’t pay it. I sat down and reviewed the forms.  It appears the application forgot to check mark a certain box and as a result I got $3000 back!

With the identified categories, we need to identify, bin, and evaluate the risks. Once complete, you can address the risks by applying various controls to reduce, eliminate, transfer, or mitigate them. Once the risks have been identified, it may help you in addressing some of the risks of running a business. If not, it may at least take a bit of the stress off.

We, ItsEmc², can help you identify, bin and evaluate your information risk. Contact us at info@itsemc2.com






Small Business Needs CyberSecurity

Happy President’s Day.

The recent Presidential Executive Order to share cybersecurity information should be a reminder to small businesses that cybersecurity continues to grow as a requirement. Last year when the cybersecurity framework was released by NIST, it was initially regarded as something that only applied to large businesses that dealt with critical infrastructure. After a year of reviews and open discussion, it is becoming the de facto standard for businesses of all sizes.

In the past couple of months we have seen how small business comes under attack by those that wish to make a political statement regarding their extremist views. This group targeted the social media accounts of various organizations across the country. Local TV stations were having to work to regain access to social media and text messaging accounts that are a major source of sharing information with their communities. Military organizations were faced with quickly regaining access to their accounts. This just goes to point out that the size of your business doesn’t make a difference.

I recently put together a display at the Delaware Business-to-Business Expo in Dover Downs on 12 Feb 2015. To help other businesses understand why it is important, I had on display the consequences of not doing due diligence. One online business lost over $200,000 as a result of cyber criminal activities that breached their network. Another small mom and pop brick and mortar business lost over $22,000. How do you compensate for those large losses on a small profit margin?

I highly encourage any business I talk with to take on developing a cybersecurity framework just so they are in the know.  It can seem daunting to those businesses that don’t really have their own IT/cybersecurity personnel (most small businesses don’t).  So that is where we come in.  Let us help you “know” what your cybersecurity status is.  Let us help you “know” what is in your network.  Let us help you “know” the vulnerabilities, risks, and mitigation strategies to ensure your business is operating in a #Cyber360 safe environment.

Protecting Grandma’s Secret Recipe

 

Need-to-know is part of a larger program of identifying (or classifying) information as confidential/sensitive and determining who has access to that data within your business. Why is this important?

Look at it this way. A business generates a lot of information. There is banking information, clients, vendors, income, expenses, information technology, etc. Each of these items should be afforded some form of protection from people that do not require access to perform their job. How do you protect it?

Classify the information. Look at the information you have. Determine its value to your business. The following example is roughly based on the construct the government uses to classify information. Take a look at your information in this manner.

1.    Sensitive – Information (client credit card information, HIPAA, etc.) or proprietary information that if released to the public or competitors would likely cause you to have to shut your doors and go out of business. $$$$
2.    Private – Information that if released could cause your business to lose some customers, provide insight into the business’ finances or potentially cause the business some embarrassment. $$
3.    Public – Information releasable to the general public.

Now that you have classified the information, you need to determine who has the need-to-know for that information. For example, you run a chocolate shop and make your own chocolates. You have a secret recipe handed down from grandma that you have classified (using the previous guide) as being sensitive. It would be inappropriate for the recipe to be known by the cashier, the delivery guy, accountant, or your customers. So who has the need to know? The employees that you have placed a special trust in and who make the chocolate using that recipe. Because the employee makes the chocolate, they “need-to-know” the recipe. Without it they cannot make it.

Special trust is similar to the clearance system the government uses to determine if a person has the trust of the government to a certain level of information. In the example above, you may have a special trust in your accountant. However, it is the need-to-know that prevents the accountant from knowing the secret chocolate recipe.

As part of the need-to-know process, you have those employees that have access sign a non-disclosure agreement to ensure the secret recipe remains a secret. This provides you legal recourse should the secret recipe be released to your competitors or the public.

So as you can see, not everything in Information Security is directly tied to a computer. However, because this information may be processed on an Information Technology device, you need to protect those systems according to how you classified the information.

Our next article will discuss how to protect the secret recipe from intruders coming from the Internet.

October is National Cyber Security Awareness Month

The month of October has been designated as National Cyber Security Awareness Month (#NCSAM). For the next month, we will cover varying #Cyber360 topics on business and personal cyber security as part of ItsEmc²’s dedication to fighting cyber crime and keeping you and your business safe.

Start today and think about all the items that are in your business or personal life that are connected to the world wide Internet.  These items range from your everyday cell phone, desktop computer, server, etc. to your point-of-sale, thermostat, even refrigerators.

How secure are they? Think about it: most people get a device, get home, and plug it in, maybe make a few changes to make it work, and don’t even give a thought to security. This is where you are likely to be hurt. Not changing the default password and, if possible, the default user can provide a gateway into your network, computers, and information!

Make a list of everything in your business/home that is connected to the Internet. Even if you hired IT experts to manage your IT, you should have a copy of what is in your network.

Start from the point where it comes into your house and document each item and the other items it is connected to. Check to make sure that the default usernames and passwords have been set to something else on each piece of equipment. As you make the changes to the usernames and passwords, annotate the list.

When you have compiled everything, building a network diagram is a logical next step. They can be as simple as this (amusing) hand-drawn diagram found on TechRepublic.

Hand drawn network diagram.

 

 

However there are several tools available to help build these professional looking diagrams. Check out this TechRepublic article for a list of popular ones (5 of which are free.)

Once the list is made, save it and update it when you add or remove items that connect to your business/home wired and wireless network.

Finally, secure the list.  Place it in an envelope then seal it.  Store it in a safe or in an area only accessible to those people that need to know that information.
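The steps above (list every device, start where the Internet comes in, note what each item connects to, check default logins, then draw the diagram) can be kept as a small data file and checked. This is an added example, not part of the original post; the device names are constructed, and Graphviz DOT is an assumed choice of diagram format, not one named in the post. It records only whether a default login was changed, never the password itself.

```python
from collections import deque

# Constructed sample list. "connects_to" is what you found plugged in or
# joined to each item; "defaults_changed" is your annotation from the list.
SAMPLE_NETWORK = {
    "isp-modem": {"connects_to": ["router"], "defaults_changed": True},
    "router": {"connects_to": ["office-pc", "point-of-sale", "thermostat",
                               "guest-wifi-ap"],
               "defaults_changed": True},
    "office-pc": {"connects_to": ["printer"], "defaults_changed": True},
    "point-of-sale": {"connects_to": [], "defaults_changed": True},
    "thermostat": {"connects_to": [], "defaults_changed": False},
    "printer": {"connects_to": [], "defaults_changed": False},
    # On the list, but nobody wrote down what it is plugged into.
    "ip-camera": {"connects_to": [], "defaults_changed": False},
}


def walk(network, entry):
    """Breadth-first walk from the point where the Internet comes in."""
    seen, order, queue = {entry}, [], deque([entry])
    while queue:
        name = queue.popleft()
        order.append(name)
        for neighbour in network.get(name, {}).get("connects_to", []):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return order


def review(network, entry):
    """Summarize what still needs attention before the list is filed away."""
    order = walk(network, entry)
    return {
        # Devices in the order you would document them.
        "documented_order": [name for name in order if name in network],
        # Devices still using the default username/password.
        "default_login": sorted(name for name, device in network.items()
                                if not device["defaults_changed"]),
        # Listed devices that the walk never reached: connection unknown.
        "not_on_diagram": sorted(set(network) - set(order)),
        # Something is plugged in that never made it onto the list.
        "missing_from_list": sorted(set(order) - set(network)),
    }


def to_dot(network):
    """Render the list as Graphviz DOT text; default logins are drawn in red."""
    lines = ["graph network {"]
    for name, device in network.items():
        if device["defaults_changed"]:
            lines.append(f'  "{name}";')
        else:
            lines.append(f'  "{name}" [color=red, '
                         f'label="{name}\\n(default login)"];')
        for neighbour in device["connects_to"]:
            lines.append(f'  "{name}" -- "{neighbour}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for key, value in review(SAMPLE_NETWORK, "isp-modem").items():
        print(f"{key}: {value}")
    print(to_dot(SAMPLE_NETWORK))
```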

Speaking of need to know.  What is it?  We’ll cover that another time.

Be safe and perform your Cyber360.