Sign Alaska RFP Secure

Document type sign rfp alaska secure

uh hello everyone thank you for joining our cyber security awareness webinar my name is anna dripchuk i am a marketing manager at siclu and i'm joined with my colleagues today to discuss the role of cyber security in today's volatile world let me kindly introduce our speakers so alexander nuke director of quality engineering global solutions leader at cyclone master of science applied mathematics experienced in establishing scaling and leading engineering teams founder and community of communities and pro bono initiatives speaker at variety of events and conferences and really sook head of cyber security at cyclone andrey has more than 20 years experience in information security management application security network security etc and used to work as a security consultant in top global consultancies for years bordens rodnicki a certified cyber security engineer at cyclone bogdan has a deep expertise in web and mobile app security assessments penetration testing devsecops project and many others so welcome excuse me welcome and before we start i encourage all of you to participate in discussion leaving your thoughts and questions in the comments we will try to cover most of them in the end of the webinar so today our webinar will cover a role cyber security in modern world analytics at uh of the latest data of latest data breaches supply chain information security uh risk management security program at the growth enabler vendors coloring uh application secure security and finally uh in the end of our discussion we will have 10 to 15 minutes uh for the q a so again don't hesitate to ask your questions in the comments now andrei uh awards to you thank you anna so first i would like to talk to you about the role of cyber security in modern world we observe a number of changes how business are operating now we see an increase in online presence and hyper connectivity between organizations a number of online transactions is increasing and number of e-commerce transactions and as selling of goods is also increasing we observe efficiency of business operations boosting up by artificial intelligence machine learning algorithms we see also automated business decisions made at scale also we see a lot of companies are doing matched operations with different partners where the capabilities are not present at the companies themselves for example different payment systems video processing charts and others and last but not least we've observed the shift to remote workforce caused by pandemic covet which increased the reliance on the infrastructure so all these changes required companies to adapt to new circumstances so do the vlans they also adapt and change their tactics and strategies so we see number of different cyber security threads a lot of data leaks destruction and breaches of data at large scale we see number of digital schema attacks personal identifiable information is sold on the black markets after being disclosed we see rise of ransomware attacks which are targeting different organizations of different size denial service conditions on critical infrastructure supply chain is attacked what about targets in fact every organization irrespectful of the size can be the target of cyber attack an example of such statement is wannacry outbreak in 2017 when every organization was a victim almost every organization was a victim irrespective of the size however there are some preferences for cyber criminals medium-sized businesses and e-commerce stores they are more frequent targets because of bigger controls and also a more easy way of monetizing the data that was stolen from the companies so online customers suffer from their data compromised how to deal with all the threats and how to approach this problem the best way is to establish solid and robust cyber security program it allows to achieve certain benefits first of all it allows to help managing technology risks appropriately by reducing probability and potential impact also this can allow companies to prove reliability for the customers to make sure that their data is in the trustful hands and also even enter new markets not accessible before how to build this cyber security program the best way is to learn from the past to analyze latest data breaches and incidents to see where the application of efforts is the most efficient when we are doing analytics of related data breaches we can utilize different sources of course we can use public information for example you can go to the wikipedia page with the list of recent data breaches with the references to data sources and they are classified by the size by the type attack vector involved which malicious sectors were were acting also the root cause for the attack and the impact this analytics can give understanding of the the likelihood and the magnitude of the potential attacks and of course i also just encourage you to look at different analytical data sources like reports prepared by organizations uh dealing with incidents helping companies to investigate and to mitigate them one example is data breach investigation report yearly prepared by verizon and for this year there are key takeaways they can be obtained from that report first of all let's look at the attack vectors uh 45 percent of data breaches involved hacking it means that compromise software was associated with such data breaches also you can see quite a lot of data breaches associated with human errors or social engineering attacks it means that a lot of attention should be paid to cyber security awareness campaigns which can be started for example from our webinar and 43 of data breaches were associated with web applications which also elevates the importance of web application uh security program how to test them how to identify vulnerabilities and how to mitigate and later in our webinar you will see a couple of examples how such activities can be performed and also we can look at the malicious actors where 55 of data breaches were made by organized criminal groups which makes sense that because now uh criminal activities are being organized and it's not just individual hackers who are going after the data of the companies uh there are different chains um first data is stolen then it is monetized and etc 70 percent of successful attacks initiated by external actors however they can appeal to internal actors by utilizing social engineering vector let's refer back to the statement about the data breaches including social engineering and financial motivated breaches are more common than espionage so let's go through uh several examples of latest data breaches first one clearview ai in 2020 there is the company implemented the special recognition software utilizing artificial intelligence um it took information from different social networks and that information was used by law enforcement organizations like police department in toronto atlanta florida during that data breach 3 billions of records were lost which sparked privacy concern about the reliability of such organizations another example is instagram data breach this year that was caused by the vulnerability in hosting of deep social systems deep social is currently defunct company that was took over by social data after security researcher notified the cto of social data he acknowledged the exposure and demanded to shut down the servers hosting that vulnerable database however that time was enough for the information to be leaked and third example is the merit hold till chain in 2020 five million records were lost uh some personal details contact information preferences that wasn't the first data breach for search hotel chain uh there is a link here to the official press release so this hotel chain officially communicated to the customers about it and that is an example uh proving that it's uh important to be prepared for potential security breaches and collect evidences information and investigate root cause and now i would like to touch upon mage card attacks which worth attention for a couple of reasons in fact there is series of attacks performed by organized criminal groups car digital scheming which includes a collection of current data at the checkout page of online stores and then validation of these data in different online stores and performing fraudulent transactions there is an evolution of classical card scheme and attack where some devices are attached to atm and are used to copy a magnetic stripe with all the data online digital scheming is more dangerous because more information is taken not only data from the genetic stream but also personal data like postal address and date of birth probably so root cause is the wide usage of third-party components in different e-commerce platforms a rapid time to market without proper verification and usage of components with known vulnerabilities the impact of such attacks was for different organizations and the latest high profile victim was british airways in 2018 which resulted in loss of reputation some loss of reputation penalties and fines related to gdpr and also of course a lot of efforts for remediation and customer disputes resolution when supply chain is involved in providing software or services security risk associated with supply chain should be evaluated nowadays supply chain are quite popular and diversified they allow more rapid time to market delivery of value access to different expertise not available to the company software vendors software solution providers are providing services to the business and there are certain attributes associated with supply chain like integrity quality resilience and security as you can see on this diagram service is flowing from the provider to the client however which is important in the opposite direction there should be a flow of demands and requirements including security requirements before going into this relationship with supply chain providers a risk of supply chain compromise should be evaluated which can be intentional or unintentional unintentional can be attributed to human errors let's come back to data breach investigation report and 22 percent of data breaches caused by human factor as a result there are certain cybersecurity threads which can be malware and hardware recent examples where by software laptops contain malware malware and software modules like vulnerabilities in open ssl also vulnerabilities in software and applications one example is mediocre in ukraine which was used for statutory reporting and contained vulnerability that was later used by external threat agents and last but not least issues with licenses couple of years ago there was a problem with jquery module uh widely used by software developers uh one company commercial company claimed that they own a patent for the technology in this gquery and a lot of companies suddenly appeared in a situation where they have to make a tough decision what to do next either to get rid of jquery in all the software which is not so easy or prepare amount of money to pay for the license and the mitigation for that is to perform security due diligence including vulnerability scanning for all third-party components and the solutions security program could also be considered as the role enabler and now we will discuss why many companies are trying to target large clients not only small ones because slash clients allows to grow for their providers themselves however there are challenges for such pursuits for smb small and medium businesses and because from the large clients often there are rfp with security questionnaires they are demanding some contract clauses related to security demands for certifications like iso27001 and such uh demand can reduce to risk uh causing downtime and improve productivity there are a lot of positive benefits however there is a quite difficult road to go and to achieve this certification and status so um large clients they are taking their requirements from different sources like industry regulations financial regulations data privacy regulations and of course their customers are demanding certain security requirements and they prepare all these in internal policies and put this into rfp for the service and only the companies that are well positioned to answer all these security-related questions they have high chances to win the contract um so security can be considered as a growth enabler there was an old perception of paradigm that information security is a cost of doing business and the new paradigm is that information security can enable growth market success and innovations and efficiency a quote from the innovation accelerator report prepared by vodafone states that 90 percent of organizations leaders consider that cyber security enhances reputation on the market and helps with attracting new clients one example uh how good attitude to security can strengthen market position is the incident with cloud flare so in fact it was incident in 2017 uh data breach due to the vulnerability in the software uh resulted in a lot of customers being affected however the way how cloud flare reacted to this how they investigated and mitigated and how they put this into the isolated box so how they limit the spread spread of impact was resulted in even stronger brand and in our practice at cyclone we also observe a number of companies one good example is the company fast-growing startup that planned to target large organizations large companies and after they received a lot of questionnaires related to security they put a certification for iso 27001 on their roadmap so that driver was not how to deal with security issues but more uh driver from the market to win market competition on the market vendor scoring is used by um clients to evaluate vendors by different categories and criterias like financial position long-term viability ethical way of doing business uh information security practices so no one wants to be in the newspapers covering security incidents that's why a care should be taken when vendor is selected example of negative impact from the vendor on the client is the data breach at t-mobile this year that was caused by email vendor which provided services to t-mobile a couple of organizations that can be named among such agencies are a bit side which provides rating for cyber security uh by evaluating information from public sources and from the perimeter by scanning perimeter organizations and also for business reputation um an agency operating on the north american market the dvd can be named there are certain categories for reliability starting from a plus ending by f and uh it relates to building trust uh telling the truth uh transparent advertisement and so on um so that principle that should be used during the building of cyber security program is the following and once of prevention is worth a pound of cure it's better to be prepared to validate to check for vulnerabilities than to deal later with cyber security incidents and a helpful thing in building cyber security program is a number of different frameworks international frameworks and regulations that can provide a hint which requirements can be how to secure applications so data privacy regulations like gdpr in europe or ccpa in california can be used also regulations from payment industries like pci dss and regional regulations nist in u.s i.t security act in germany and security essentials or security essentials plus in uk and now um i would like to ask bogdan to discuss with you to present what can be the steps for implemented application security program thank you andrea hello everyone uh as you can so from andrei's talk applications are really spread nowadays and their security is already hot topic so let's dive into practical part it will be easier to understand the types of the vulnerabilities if we take a look at a typical application architecture each component can have its vulnerabilities including traffic between those components and third parties that application can use the impact of the application attacks can affect either one of the main pillars of security it's confidentiality integrity and availability or even all of them at once and i would like to point few important security testing principles companies often tries to find simple solutions for a plication security by using only automated scanners but actually there is no silver bullet as scanners can cover less than 50 of possible vulnerabilities so approach to application security should be complex it's easier and cheaper for company to implement security on early stages of development and include it to the development life cycle security testing is more efficient if security specialists dive into details when they think like an attacker thing when they think out of the box and when they try to understand the application business logic now let's move to practical part and review popular web application attacks according to wasp top 10 web application security risks injection is on the first place and one of the injection attack types is a skill injection let's see how it works typically an attacker can add a sql query to wallet request and application will execute this malicious query as valid one and as we see in our case the database will return sql server version to the attacker now let's see practical example of sql injection attack actually we have prepared pre-recorded demo to avoid any technical problems and to save your time in this demo i will show you practical exploitation of a sql injection attack i will use a last just shop application that has lots of vulnerabilities and can be legally used for learning purposes in the first scenario we'll try to bypass looking check to do this we have to enter part of scaled query as an email this statement will modify initial sql query to be always true and application will let us in as a password we can submit any text the result we are logged in and we have access to the administrator account in the second scenario we will try to obtain users data from the database even without being logged in to speed up i will miss the reconnaissance part and will go directly to the attack we have found a search request that can return us items in the shop and if we will add special character that is used for basic sql injection test we will see that error that has information about database we can see that it is sqli database and such application behavior tells us that application is vulnerable to scale injection in our case we will use scale injection union attack it means that we will add another sql query to the existing one to be able to retrieve the results from an injected query this type of attack requires to identify the number of columns first to make a volt request and then we can start obtaining the data from the database let's see how it works with this request we will obtain an sqlite version and as a result of this attack we see that the version is three three one one let's get the names of the tables that are present in current database how to use this request it will show us all available table names from system table sqlite master and here we have the results we can see different tables and there is table users that can potentially have sensitive information about available users so let's get information about columns that are present in it to do this we can use request with pragma function that will return all the columns on the name table now we see that there is email call let's go next and we see the password called name they might be interesting for us let's obtain information from in the them we are selecting email and password fields from users table and we have successfully retrieved information with users emails and password hashes let's for example take an admin password hash and try to crack it for this purpose we will use free password hash cracker crack station crack hashes and now we see that the result is admin 123 so let's look into the application using means email and password that we have found and now we see that we have administrator session successfully obtained these attacks were done manually but actually they could be executed using for example sql map tool as the main mitigation for scalar injection the parameterized queries are recommended to be used planeterized queries ensures that attacker is not able to change the intent of a query even if sql commands are inserted by an attacker but they can be used to handle untrusted input in other parts of the query such as table column names or the order by clause another popular attack is cross-site scripting one of typical text scenarios looks like this attacker sends malicious script to the application and it stores it for example in a comments page and this page is available by other users and when a user visits the page with comments from an attacker malicious script executes and sends session cookies to the attacker let's see the demo how it could be done in practice this demo will see how it is possible to exploit cross-site scripting attack we will use last just shop vulnerable application for this purpose we log it in on the registered user account and in a warp suite application that works as a proxy it has number of other models for security testing we have found that we can update description of the product we can change the description parameter here and in response we can see that it was successfully updated now let's put an as a description exercise build this payload will add a frame to the page with an image and at the source of an image we are pointing an attacker's machine ap address and we are adding document cookie parameter this script will execute http request to an attacker's machine and will add session cookie of the user for opening this page with a malicious script to be able to receive this request attacker has to have listener running we will use python for this goal and will run a local server on port 88 let's go to the victims account and open product with modified description we see that we are under administrator account and here is the item with modified description and let's go back to the attacker's machine now we can see request from victim's machine with session cookie's parameters appended let's copy it and look what's inside having this information we can modify our user's session by changing token parameter to the victims file to do this we will go to the web application and open developer tools and change cookies parameter now we have to refresh webpage and now we can see that we are under administrator session main recommendations on excess preventions are to filter input data to encode an output to prevent it from being interpreted as active content use appropriate response header such as content type or its content type options to ensure that browsers interpret the response in the way you intend use content security policy to reduce the severity of any success vulnerabilities that still occur and additionally i would like to share with you some useful links that developers testers and administrators may use as guidelines to make their applications more secure but now i would like to pass the board to alexander with andre the different security vulnerabilities and strategies from a business point of view and bogdan uh showed the practical examples as you ask them right now i will be shortly sharing our sequel experience and how we are dealing with implemented cyber security program shortly and then we will be switching to their q a session so first of all um i would like to point your attention to the our framework where we implemented based on our sql experience and based on the various of their international frameworks uh we have defined the framework uh with a step-by-step guide for the implementation of different cyber security program as you might see it's really applicable for small companies that are starting your cyber security journey meets a companies during the journey you need to upskill your personal or implement the proper cyber security metrics or change or adopt your service security strategy based on the technology of business changes or you might need to receive the real-time results of embedding of cyber security into cicd pipelines implementing def secops practices and upskilling the team uh having enough of comprehensive knowledge on the security area so uh we are doing this you uh through the discovery phases where we together with the partner or company defining uh assessing current level then going through the strategy and advisory phases understanding business and technical goals and desired state plus together we are doing the poc plus implementation of required practices from processes or technical point of view or upscaling the teams or embedding the proper controls or embedding the metrics on the server through the proper ccd and the sdlc cycles the services it's uh really useful for any stages of the journey we are providing from the application security uh dynamic static security analysis basically designed to support sdlc process and the bad cyber security into that we are professional doing the penetration testing for the web mobile iot infrastructure types we are designing a security operation center to provide and prevent uh the protection of the systems and networks uh we do specialize in security services with the gdpr hipaa iso and the pcs pci dsso leads it might help you and your teams to be more compliant and delivers a proper assessment and guidance with the mitigation strategies we able to set up for use their security team uh focusing on the different stages and different substreams on your security programs and we are providing security education and training based on their various standards and guidelines if for for uh for companies that started the journey or on the middle maturity level we are providing advanced techniques how we inviting and managing cyber security into agile and devops environments you might see on the screen shortly that's uh we we are helping to uh proper managing the security database organizing the reporting mechanism for technical product and management teams we know how to integrate cyber security into the cicd tools from all popular providers infrastructure so code embed secops and build a proper process of managing the incidents from their beginning to the full scale and implementation we are operating in the modern infrastructures and orchestration of the environments and you might find useful our blog posts and articles around how we manage uh and implement security programs on the various environments like from aws to google cloud to open stack and right shifts and uh to point your attention that's uh always discuss with your partner or potential vendors security governance security certifications that the vendor holds plus methodologies that they're using we specifically secret uh focusing on the four popular methodologies from wasp to penetration testing frameworks and having both individuals and company governance and certifications that are helping our personal our teams be more upskilled and delivers available results for our customers and right now let's work to anna to doing some small announcement and moving to the q a unknown yeah thank you colleagues thank you everyone i hope this 45 minutes will were really helpful for you i'm i would like to quickly announce our next event that next session that is going to be conducted on november 20th we will be happy to see you next time uh on a techniques used by penetration team session so stay tuned um and follow a sequin page for more details regarding this session and now we are ready for the q a uh we got a lot of quite quite a bit of questions during the webinar and uh we still have some time to answer some of them so uh the first question from the audience again if you still have some questions feel free to ask them in the comments section under this live stream and we will try to answer as much as we can uh so the first one uh when is it when is it appropriate to use the insurance just a second i will get our colleagues back yeah go ahead so uh maybe i will take this question uh probably the question was about cyber insurance which is quite popular method how to deal with the cyber security risks uh you know there are different ways how to deal with risk it's possible to mitigate the risk to apply some counter measure to avoid the risk just not to use application that is vulnerable uh to accept the risk to accept the consequences and uh one of the option is to transfer the risk so it means that another organization or company is bearing that risk for some payment such kind of organization is a cyber influence company there are a lot of such companies operating on different markets uh usually for cyber assurance are those risks that have a low probability or extremely low probability and high or extremely high impact uh that is the same as for normal insurance for example you buy insurance policy to protect your apartment or house from from destruction uh or from other disaster conditions it's not worth to build the um some construction to protect it by yourself because you will pay a lot of money for that and probability is quite low uh what is done at the cyber insurance companies they are aggregating the risks so they are taking policy from many organizations and they are measuring probability that that risk will be realized so however there is some caveat um in buying cyber security policy uh the price for that policy is dependent on the level of cyber security practices in your organizations usually they are asking you to demonstrate cyber security certificate or they are doing their independent audit so the complex solution should be in place uh some small risks should be mitigated by the company itself for example implemented a proper password policy checking for vulnerabilities however for large disasters cyber insurance policy is a good candidate cool thank you andrei uh another question from the same person uh how to digitize industrial cyber risks there are two approaches to deal with risks one is qualitative and another is quantity for quantity we need to establish certain value figure and then compare one risk to another that value is usually consistent from the probability and the impact the impact can be more or less identified precisely but it's it's difficult to do it however as for the probability usually the question how probable that incident can be is quite difficult to answer and again we can refer back to the cyber insurance companies they're collecting a lot of data and they're professional in managing risks managing natural risks uh so they're collecting these tables from the past i know once i had an experience with a large insurance company and the most critical asset for that company was the list of records for the past incidents for tens of years and they kept that in offside storage because that can be used to predict the future so we use the past to predict the future we need a large volume of such data that's why one organization can't properly evaluate quantify that it's better to to deal with such professional organizations great thank you very much uh another question is related to the source of the statistics we referred to in our session can we uh recommend any uh sources for the audience to to read up some statistics during the preparation for this webinar we took information from different sources but the main source with quite good analytics is this data breach investigation report that can be obtained easily from from verizon and verizon is as i mentioned it's better to refer to professionals for different matters so verizon they are doing a lot of forensic and they analyze a lot of incidents that's why they can provide such statistics about the size of company the industry also there is another good source of data about the cost ponemon institute is preparing analytics for the cost of data breach in that case you can even see what is approximate amount of money that company is going to pay or is pushed to pay in case of uh security incident uh so a data breach investigation report is quite valuable in case you want to compare yourself with other organizations to see and to identify what is the risky area for you great uh another another one uh what happens if we simply put ips between our site and the world in case you don't have professional staff to mitigate on application level okay i will take also this one so ips stands for intrusion protection system which is an evolution of intrusion detection sy tem which uses certain signatures analyzes traffic between two components in our case uh client and web application and when certain rule is triggered there is a certain pattern which is similar to attack pattern the source of attack can be blocked the ap address can be added to blacklist or maybe certain commands or strings can be removed from the flow for web application for web applications the ips type is usually implemented in web application variables that is the next generation firewalls that are aware about how data is processed by the applications they are looking for different vulnerabilities from alaska to 10 for example and they can provide automated protection however as with any automated solution there are a number of problems like false positives or false negatives false positives means that this solution treats something as an attack which in fact is not an attack and false negatives means that we are relying on the solution to protect us from the attack however that is going through uh for the first time in my practice i've seen examples when some vendors of the application firewalls some models like f5 they are not compatible with certain libraries used by the applications and legitimate users are blocked usually the approach for implementing them are the following the companies first implementing them starting to activate the rules then they see a number of complaints from users they are deactivating it completely and then after several waves they are tuning that so each solution each automated solution it requires quite a lot of tuning in order to adapt to the way how applications are operated in that environment and for the false positives but also not good experience with them because false positives means company is considering they are protected by their and not protected in fact it's a false sense of security which is quite dangerous and what happens if we use pam solutions uh pam solution can help with account management at operating system uh to implement different rules uh for example enforce password policy and etc but these solutions are working at the operating system level um and applications they are using for authentication different mechanisms sometimes it is the database of accounts in the database management system sometimes some sso integration with identity providers are organized so uh the bottom line for all this is that uh it's necessary to do comprehensive analysis of the application ecosystem components that are there and they see if some combinations so integration of different components they can add new vulnerabilities and new weaknesses one one good article that i can recommend you to read to get a sense of what can happen when two seemingly secure systems are grouped together and they create a vulnerability that article was written by editor of wired journal and the title if i remember correctly was how um apple and amazon flaws or vulnerabilities led to uh to the disaster to an epic fail that person suffered from certain attack on that person uh which was possible due to the possibility to use some information provided by amazon to to take over the account in icloud and completely erase all the digital presence on different devices that is quite a good article to understand how complex the problem of information security and conflict system can be so our advice is to have proper threat modeling analysis of the architecture analysis of application itself and of course infrastructure some infrastructure penetration testing is also recommended thank you very much andre so we have the final question for now we still have a few minutes if uh in case if anyone from the audience still have one so go ahead and ask it in the comment section uh so meanwhile the final one at this point um after hasting the data from a web service to a web application and vice versa is it secured or there are other risks to be taken into account like let me take this question actually to answer properly for this question it requires some more details but general recommendations and what to stress on is that great thing is on what this question depends on what the security depends is the hash algorithm that is or that are used in this solution and how actually this is implemented as there are really strong and there are weak algorithms for hashing and from our side we recommend to use the strongest algorithms that are supported by the system and that are available again if we talk the about the average algorithms that could be supported by the system we have two take into the account other vectors attack vectors that could be arise if we use some less strong algorithms also we recommend as a general recommendation for hashing is to use salt and [Music] and to always look after what is going on with those things as they from time to time they could be updated or there could be some uh actually attacks completed on audio horizons and i'm not sure if this webinar is public that some time ago andrei has talked to about the cryptography and i will recommend this presentation to everyone who wants to have some information about cryptography and hatching that webinar was for internal use only however that is good idea to prepare something similar for wider audience and i think we will take this idea and we can share it as a link afterwards so yeah it's a good idea to share to the audience okay thank you bogdan uh i see we have another question uh from the audience uh so if the company experiences cyberattacks from from time to time does it make sense to inform some sort of government agency or is it up to companies to deal with this kind of threats i feel like companies don't like to announce that they had a heck i don't see how police or some other agency can help either especially when the attackers can be anywhere so i will take this question as i mentioned in our webinar currently we see that a lot a lot of attacks are becoming attacks organized by criminal groups so it's not the individual attacker or hacker who is doing such things it's more like organized crime financially motivated and quite [Music] it's quite probable that that attack is happening for the neighboring organizations as well so it's good to coordinate efforts in order to to minimize the damage many companies large companies they implemented threat intelligence function their cyber security that is looking for different attacks they are taking information from from public sources or some communities indicators of compromise and they're checking if internally they have been hacked before or currently and also some regulations they require to disclose such information that there was a data breach for example gdpr if data breach was related to personally identifiable information a company has to announce it and has to notify all affected parties thank you very much for your answer thank you for the presentation uh we are out of time now uh thank you for your time and interest it was a very interesting uh a session for us um if you have any questions to our speakers you can reach out to us at cyclone.com at seeklum.com or visit our website cyclone.com thank you again and see you soon