Avoiding hardware-based cybersecurity threats

[00:00:00] Chris Sienko: Cyber Work listeners, I have important news before we dive into today's episode. I want to make sure you all know that we have a lot more than weekly interviews about cybersecurity careers to offer you. You can actually learn cybersecurity for free on our InfoSec skills platform. If you go to infosecinstitute.com/free and create an account, you can start learning right now.

We have 10 free cybersecurity foundation courses from podcast guest, Keatron Evans. Six cybersecurity leadership courses from also podcast guests, Cicero Chimbanda. 11 courses on digital forensics, 11 courses on incident response, seven courses on security architecture, plus courses on DevSecOps, Python for cybersecurity, JavaScript security, ICS and SCADA security fundamentals and more. Just go to infosecinstitute.com/free and start learning today. Got it? Let's begin today's episode.

[00:00:58] CS: Today on Cyber Work, I'm pleased to welcome Jessica Amado, Head of Cyber Research at Sepio Systems, to specifically discuss hardware-based security threats. We've all heard about the USB in the parking lot trick, but Jessica tells us about the increasingly complex ways that cybercriminals bypass hardware safeguards and let’s you know how to make sure that the keyboard or mouse that you're just about to plug in isn't carrying a dangerous passenger. That's all today on Cyber Work.

[00:01:29] CS: Welcome to this week's episode of the Cyber Work with InfoSec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals and offer tips for breaking in, or moving up the ladder in the cybersecurity industry.

Jessica Amado is the Head of Cyber Research at Sepio Systems, where she researches and covers multiple aspects of hardware related cyber threats. She is a Regents University London graduate with a first-class honors in Global Business Management with leadership and management and holds an IDC Master's in government with specialization in Homeland Security and Counterterrorism. Jessica’s extensively researched new and emerging hardware security threats, including some very intriguing and sneaky variations on the old USB in the parking lot routine, and is an all-round go-to authority on hardware threat, so let's get into it. Jessie, welcome to Cyber Work.

[00:02:22] Jessica Amado: Thanks for having me today. Really excited for the interview.

[00:02:25] CS: Absolutely. Great to have you. We always like to start out getting a little baseline of our guests. I want to get a sense of where you first got interested in computers, in tech and specifically, where you got interested in cybersecurity. What was the initial draw?

[00:02:39] JA: My dad's actually in cybersecurity. Yeah.

[00:02:44] CS: Family business.

[00:02:44] JA: Sorry?

[00:02:46] CS: It’s a family business.

[00:02:47] JA: Yeah, exactly. He upped his career, basically. He's done that his entire life. I think, obviously, that's I'm sure what sparked the interest. I think, also just not understanding what he did for so long made me curious. I was always wondering what he did. When my friends would ask, I think, me not knowing made it sound super interesting. That was the appeal where it started. I think, also just, I've always had an interest in politics and intelligence work, and spies and all that stuff. I think, now that as that's what has been for a while, but even more so moving into the cyber world, it was natural to move there as well. I'd probably say, that's how it started.

[00:03:41] CS: Yeah. Now, what age would you have been when you went from, I don't know what my dad does to, I have to figure out what it is my dad does?

[00:03:51] JA: Honestly, only recently, I still don't really understand what he does. I'd probably say, over the last few years.

[00:03:58] CS: In the sense of like, yeah. When did you start saying like, “Okay, this is the thing I want for myself as well,” whether it was your teens, or your 20s.

[00:04:08] JA: I’d probably say, towards the end of my undergrad. Because, yeah, when I did my undergrad, I didn't know what I wanted to do yet. I think, I vividly, vividly remember being an internship at a investment company that was researching Elbit Systems. I think, that's when it clicked that maybe, I'd want to go into something in the cyber world.

[00:04:36] CS: Okay, yeah. We mentioned a little bit, but based on your background, your education began in political science and international business. Are there any crossovers between these two fields in your current work? You mentioned, also counterterrorism force and the intelligence community. How does these all pieces come together in the stew?

[00:04:57] JA: In both degrees, there was more in the masters in government there was a slight focus on cyber. I think, again, like I said, with warfare and all of that stuff moving into the cyber domain, there's a massive link between those two. Of course, with terrorism it's becoming easier and easier for terrorists to get a hold of cyber weapons and to carry out their attacks. In terms of in the field of research, specifically, so just doing two degrees, which are pretty assignment-based. There's a lot of research that goes in to that. It's actually a skill in knowing how to be efficient in the research, knowing what to look for, where to look for things, knowing what information is relevant to what you're doing and what's not. It can be really inefficient if you're not aware of that stuff.

I think, I didn't realize at the time, but actually, all of that work has so much relevance to what I do today. Again, especially the business degree, which was super, super broad. There were so many aspects from it, whether it's the way I work, or actually the things I'm doing that helped me, that probably again, because I didn't know what I wanted to do at the time, and actually realize how useful those skill sets would be.

[00:06:29] CS: That's awesome. Yeah, so for the benefits of our listeners who are starting or choosing where to begin in their cybersecurity careers, we find it helpful to ask guests about the day-to-day work of their current position. Moving on from what we were talking about, the study and the research of what you do, can you tell me about an average day, or an average workload as the head of cybersecurity research for Sepio Systems?

[00:06:51] JA: Yeah. I would say, my days are pretty busy. Depends what project we're working on at the time. We recently just completed the first state of hardware security report. That was the main focus for quite a while. That was combining different content based on different topics we were talking about. It was putting all of that together. Basically, creating the content for that. The entire day would be filled with that.

That would be gathering the research, putting, writing it up into actual document. Then, we've also working on a hardware access control index, which would basically score companies – like a risk assessment, but specifically related to hardware. That's a lot of effort, and it's ongoing. Because it's the first of its kind, where things come up some challenges that we have to get around. That's basically what a day would be like. I would mention that I always start the day with reading the news, what's going on. I have email subscriptions to also, cyber magazines obviously, just keeping – it's really important to keep up to date with what's going on in cyber, but also, the world. I always like to start that way. It's a nice way to ease into a busy day.

[00:08:27] CS: Okay. That really helps, because I think when people hear someone is a researcher, it sounds like, you just wake up and like, “What am I going to research today?” I'm glad to hear, I mean, it's interesting to hear you have specific goals and tasks to complete. Are you also given free rein to do research in whatever direction it takes you? Or are you really going from task to task to task?

[00:08:54] JA: It depends. We do have the main projects that we're working on. Again, because things change a lot in the cyber, world cyber domain, it’s where that takes me. Not so much, where I'm being instructed to go, but more – If a big cyber-attack happened recently, that's the direction I'd head in. Generally, if there's something else I'd like to work on, or not such a specific project we have in mind, then yeah, I would have free rein to see what's going on, see what's interesting. If there's a topic that interests me, I'll find a way to get into that and relate it to what we're doing.

[00:09:40] CS: Can you talk about your morning reading? I think, people get maybe intimidated if they're like, “Okay, I've got to keep up with what's in the world and you don't know where to start.” Do you have a routine, “I start here and then I go here and then I go here and then I check this against this, and so forth?”

[00:09:59] JA: The morning reading is more what I would say, appeals to me and what interests me. Of course, I do keep up with the cyber side, but I basically just go on to BBC, see what's on, what's happening. Naturally, I'm interested in politics and what's going on in that domain. That's probably where I look up first. Again, obviously, because my day is so focused on the work, I like to keep that 30 minutes, however long it is, just to read up on what interests me, not cyber related, as well as cyber related.

[00:10:37] CS: Right. Okay, so as I mentioned at the start of the show, I'm excited to talk with you about hardware security, and specifically the business of hardware-based ransomware. A few weeks back, the FBI warned that the F-I-N7, or FIN7 cyber-criminal group has been targeting US companies with packages disguised as shipments from Amazon, or the Department of Health and Human Services. Of course, what they contain were malicious USB devices, which when you insert in the computer, deploy ransomware. Can you give us the highlights of the bad USB attack? What happened? If we can find any takeaways from how it was handled?

[00:11:12] JA: Yeah. Basically, like you said, what happened was, is as much as it is a hardware-based attack, it's a really good example of social engineering. They are playing on what they were hoping would be human greed, or human curiosity and the need for being in control in terms of sending USB disguised as COVID guidelines. There's a lot of chaos going on, people want to be up to date. Their cautionary instincts are pushed to the back of their mind. That's basically what happened.

Again, it's not the first of its kind. It happens, and hospitality, you get targeted, critical infrastructure. They basically get, whether it's, again, like I said, supposed COVID guidelines, or a free giveaway, an Amazon gift voucher. That was an example with the Best Buy gift voucher. The idea is that that will incentivize the user to plug in the device. Then of course, once it's plugged in, it just deploys a ransomware attack, or whatever the device is instructed to do, basically.

[00:12:32] CS: The USB, it was like, insert this USB and you get a free Best Buy gift card, or something like that?

[00:12:37] JA: Basically, yeah. You would get a letter. It's like with a phishing email that looks super genuine, though, disguise the letter as well. Yeah, but you'd be surprised, people genuinely think that that is what happens if they were to plug in the device, that they will get a gift voucher, or COVID guidelines, or whatever they're disguised to be.

[00:12:57] CS: Right. Okay, so as noted in our pre-show introduction, discussions, you said, you've seen this attack vector coming for a while, and you just said just now that this is certainly not the first of its kind. You also noted that this isn't even the only hardware-based security threat currently in circulation. Can you summarize some of the highlights of the research paper you've written about these security threat vectors?

[00:13:21] JA: Yeah, sure. Of course, USBs, whether it's the thumb drive itself, or you have a mouse, a USB device, a keyboard, all these devices are actually, can be manipulated to work as an attack tool. You might have an attack tool that by design, it's an attack tool, or it could be a legitimate device, it's just been manipulated along the supply chain. The supply chain is a massive risk, obviously, with a company that has hundreds of suppliers. At any point along the supply chain, someone can go in and quickly take – if it's a keyboard, take it off the supply chain implant, an attacking tool and put it back on and then it eventually ends up in an organization, looking like a keyboard, working like a keyboard. It's an attack tool.

Again, with devices that are designed to be an attack tool, you have these things known as USB ninja cables. They look just like iPhone chargers. Once you plug it in, again, it's executing a payload to deploy ransomware, or steal data, or just sit there and sniff your traffic, or look at what you're doing and steal your data and that's what they do. They're all designed to look not only to the computer, but to the user, like a genuine device that wouldn't raise any suspicion.

[00:14:54] CS: Yeah. I think, I had heard that the ninja cables that they were being found in airports and stuff. People are just using random chargers that they find, because they need to charge their phone right now.

[00:15:03] JA: Right. Exactly. That's also known as juice jacking. Again, most of these attacks rely heavily on social engineering. Again, if you're sitting in an airport and you need to charge your phone, you're more interested in getting the phone charged, than you are thinking about the security issues, especially the fact that most people wouldn't even know to think that that's a potential security threat. Yeah, it does happen in airports. Again, now with BYODs and everything you do with work and be on your phone, I even have my work emails on my phone, that kind of thing. Just because you're out the office, it doesn't mean that attackers still aren't targeting you. They can target you anywhere.

[00:15:51] CS: Have you seen any through lines, or anything that you can determine in terms of are these particular cyber-criminal groups? Is this happening at large and small levels at scale? Do you have a sense of what the success rate of these sorts of things are? Is it getting worse? Is it going up?

[00:16:16] JA: Attackers are always whoever they are. They're always looking to avoid detection, obviously. Because there's nothing really out there to detect these devices, it's becoming more common. There's, I think, a 37% increase in malware designed for USBs. There's actually been a 30% increase in USB usage. It's becoming easier for attackers to actually get that device in basically without raising suspicion, in terms of who is carrying them out. The ninja cable, for example, is actually based on a NSA attack tool. What probably started as mainly state sponsored groups, or actual governments themselves, while they still are using these tools, it's becoming more accessible for anyone, whether it's a terrorist, or cybercriminal, the ninja cable, you can buy on AliExpress, you can buy these devices online. It's pretty cheap. It's not difficult.

[00:17:20] CS: Yeah, the barrier is low, unfortunately.

[00:17:24] JA: Right. For a terrorist group, instead of the NSA attacked, or was I think $20,000, which maybe, okay, a lot of terrorist groups actually do have the funds for that. A cybercriminal, for example, just a average person doesn't have that money to spend. Now, you can get these tools, some of them cost $5. It's pretty accessible. It basically means that anyone who wants to can carry it out, basically. It's just a matter of getting it inside.

[00:17:55] CS: I know that there's more protocols in a lot of business settings, where they don't accept USB drives, or you need to get permission to use an USB on your computer and stuff. Do you have any overarching suggestions in terms of, first, from a tech side in terms of changing industry-wise, everywhere, like changing protocols to halt some of this? Or are we falling behind on this a little bit?

[00:18:28] JA: Of course, yeah. There are practices not allowing USBs in, blocking those ports. Again, people are still using mice and keyboards, and those are USB devices. Even over Bluetooth, it can happen. I mean, obviously, we can't avoid using keyboards, but it's more just getting them from reputable vendors. Even then, again, there's still the risk, but especially with working from home employees, they might want a nice home office setup, and they might buy a nice keyboard on Amazon that they look that they think looks really nice.

If it's coming from a sketchy vendor, it's likely that they're going to have even less security protocols in their warehouse, or whatever, making it much easier for an attacker to come in and manipulate the device. Whereas, if it's coming from a reputable vendor, although there's still the chance, there's a lot more security measures in place that would prevent the likelihood of this happening. It's just making sure that of course, companies in the actual office themselves will probably only use well-known brand products. They also want to make sure that their employees working remotely are not just buying any ARB keyboard, or mouse from the first place they find.

[00:19:51] CS: Then going for the lowest price, because it took me eight weeks, but it's coming from somewhere. We don't know where it's coming from.

[00:19:59] JA: Exactly. Or might light up and be a neon and look cool. You'd rather have a boring gray, or black, or white board that’s more secure. Exactly.

[00:20:10] CS: If you get a document and you're like, “I'm not sure how I feel about this document,” even if it's someone you know, you know you can run a Malwarebytes. Or you can run a scan on it, make sure everything's hunky dory. Are there any similar tests you can run on keyboards or mice, when you get one in just as a precaution, even if you get it from a reputable source?

[00:20:35] JA: No. That's taking it apart would basically be the answer. Our solution, that is what we are – that's what we're here to do is so that you don't have to take apart the keyboard. Essentially, without that, you would basically have to take the keyboard apart and the mouse apart. That's why also, mitigating these attacks, or determining where it came from is so hard, because data theft carried out by one of these devices, you might not know about. Obviously, if you're attacked by ransomware, you're going to know. It's A, determining that it came from a hardware device.

Then, if you can do that is determining which one it came from, that literally requires you to take apart every single amount you've got, every single keyboard you've got, or whatever it might be, to find where it came from. That's a pretty tedious task if you're in a big company.

[00:21:29] CS: Okay. I think, probably the better solution, or I mean, you can suggest alternate, but it sounds like, I mean, if we say, let your IT department order your stuff for you, and then it goes through them, and then they check it, and then they send it to you. I mean, do you have any overarching recommendations in terms of hardware protocols? Obviously, some people, they have enough autonomy. They want to buy their own, the keyboard that looks right to them, or whatever. Do you have any recommendations in that regard to open up the aperture of security protocols?

[00:22:09] JA: I would say, when it comes to hardware attacks, it almost always lies on the human, the employees. That's what these attacks take advantage of, with social engineering. It is very difficult to mitigate, because it's hard to control people, basically. It's more about emphasizing, and really teaching employees about hardware risks. Because again, it might be great if the company in the IT department is buffing all your devices.

There's a free giveaway, the local coffee shop have iPhone chargers, and you take it and you go home and use it, while A, you're not using it in the organization, and B, it doesn't look like it's a risk, that device is a USB ninja cable that attackers have purposely been handing out at that coffee shop, knowing that either you're going to use it in the organization, or you're going to use it at home. Because of how interconnected the world is, using it at home is still a risk to the company.

It's just emphasizing to employees, and also, being aware of what seems too good to be true. In the Best By example, with USB, the person who received the device actually didn't plug it in, because he was suspicious about it. No one sends gift vouchers via USB. Why would somebody be sending it by USB? Or if you get something telling you you've just won $10,000. If it's too good to be true, it probably is. It's not worth the risk, basically. It's just important to emphasize that.

[00:23:57] CS: Yes. Looking to the long range, where do you think practices like malware, ransomware and other such attacks will be five to 10 years from now? I mean, it seems like, every other guest I have on says that this will be a preventable solution due to improved protection software, or subtle access safeguards, or other non-human element interventions. While the other half say, it's always going to be with us and only outpace our ability to stay one step ahead. Based on your research, what do you see the threat landscape looking like in the semi-distant future?

[00:24:31] JA: Again, humans are always going to be the biggest weakness and there's not – you can always have your software security software as backup. If humans are, especially with hardware-based attacks, if humans or allowing them in, then it's very – It's already in. It’s very difficult to stop it there. I would say, that critical infrastructure is becoming more and more of a target, because the – with IoT and stuff, you can now actually have physical damage through a cyber-attack.

This means that A, critical infrastructure is becoming more of a target. B, it's becoming a target to more threat actors. Like I said, in terms of hardware-based attacks, basically, anyone can carry them out. Whether it's terrorists, or state sponsored groups who want to undermine national security, it's becoming so easy to do it now. You don't have to get on a flight, get into the country, or do whatever you want to do. You can do it a million miles away.

[00:25:42] CS: Remotely. Yeah.

[00:25:43] JA: Exactly. You can carry it out for cybercriminals, if you disrupt critical infrastructure with a ransomware attack, there's a huge incentive for the victim to pay the ransom. They need to get their operations back. They're really, really incentivized to pay. Obviously, for cyber criminals, it's an instant reward. Yeah, where cyber-attacks might have been data theft, or targeting just any organization, it's now, I think, we'll see more and more critical infrastructure getting targeted by cyber-attacks. Again, with hardware-based attacks, because there is no way to detect these devices, it's a really, really valuable attack method to use.

[00:26:30] CS: Yeah. That's something that we talk about on the show a lot. It's one of my hobby horses is infrastructure security, and how I would love to see the next generation of cybersecurity experts really go into their local municipalities and their local government and really start to work the – there's just so much open – so many open networks, and so many opportunities to poison the water supply, or shutdown an electrical grid, or any other thing like that. That feels like the future to be in terms of all right, let's keep it going.

[00:27:04] JA: Even these attack tools, that covert nature, they bypass air-gapped networks. Basically, even really stringent security measures aren't feasible when it comes to hardware-based attacks.

[00:27:19] CS: Yes, for sure. From discussing the state of world security in our part in it, we like to turn over to the work side of the Cyber Work Podcast and talk about the work of hardware security researcher. You gave us a nice look at your day-to-day activities and your research agenda and so forth. For people who've been listening and decided that they want to pursue this type of work, what would you recommend they begin in terms of areas of study, practical experience, or job searching techniques to do the type of work that you do?

[00:27:51] JA: I would say that, when it comes to cybersecurity, a lot of people think that you need to have a degree in computer science, or electrical engineering, something like that. Of course, there are a lot of jobs in cyber, you do have to have that. You can't just wing it and hope for the best. You do need to have [inaudible 00:28:09] training.

[00:28:09] CS: Yeah, security architects, and if I need that. Yeah.

[00:28:12] JA: Right, exactly. I obviously didn't. For my job, I didn't need to. I would say, when it comes to cybersecurity, if you think that you can't get into the industry because you're not in one of those fields right now, i.e. computer science, electrical engineering, whatever it is, don't let that put you off. Because I would say, go with your interests. That's what I did. My undergrad, I did, because I didn't know what I wanted to do. My masters were purely done out of interest. Based on that, I ended up in this field.

I would say, again, there are some jobs where you do have to have a specific educational background for. If you know that that's not for you, but you still want a role in cybersecurity, I would say, follow what interests you. There are so many different fields that link into cyber security, because it is such a broad domain, and it's becoming so important in almost every single thing we do.

It's not explicit to those technical degrees, where it might once have been. Then I would say, in terms of experience, work experience is so, so important. It doesn't even have to be cybersecurity. Obviously, if you can, it's better. I didn't have work experience in cybersecurity companies, but I did have a lot of work experience. It's just a really good way, A, to know what you don't want to do. Also, to the working environment is so different to school, or university, or something like that, that it's a really good way to learn how to enter the working world. Again, I think it's so important to a work experience to know what you don't want to do, because it really –

[00:30:12] CS: Yeah, absolutely.

[00:30:13] JA: Also, it can open your eyes to what you do want to do. I had that experience when I was in the investment bank. I realized, okay, this is not where I want to go. Not only did I realize that, but I also realized why I didn't want to go. Because, I mean, at 18, or 19, or whatever age you're going to university, it's so hard to know what you want to do. That getting as much experience as you can, even if it's not in the field you are going to end up in, it's a really, really important thing to do. Again, I would say, work experience and I would say, follow what interests you, if you're lucky enough to know what thing interests you right now.

[00:30:56] CS: Yeah. That's good advice in general, because I think we hear a lot about people who are very nervous that if they get into this line of work, and they don't like it, then, “Oh, I'm stuck there for life.” Obviously, you can leave. You can move. You can pivot. There's so many different options. I'm always trying to break that mindset of what if I become a penetration tester and I don't like it? Well, then try something else. Go into risk assessment.

[00:31:22] JA: Exactly. I think, obviously, that can happen at any stage. If you do work experience before as well, you can realize that a bit sooner. Again, like you said, it can happen at any stage.

[00:31:35] CS: Yeah. Also, just to jump back to another thing you said there, that cybersecurity is so pervasive in any industry. I think, it's also worth considering that if you have an interest in in things other than cybersecurity, that there's probably going to be a cybersecurity component to it. If you're interested in the music industry, music Industry needs cybersecurity experts. If you're interested in medicine, medicine needs cybersecurity. Teaching, teaching needs cybersecurity. Government, government. Take your take your interest, and then also see what would the security component of that particular field be.

[00:32:08] JA: Exactly. Things, even, of course, we have a marketing team. You might not need a computer science degree to be doing the marketing roles, but you're combining an interest in marketing and an interest in cybersecurity, and doing them together.

[00:32:29] CS: Yeah. I think, that's great advice. I hope people really think about that. From a professional standpoint, speaking to the near future, what advice would you give cybersecurity students getting their knowledge and experience in 2022? Are there any trends, or innovations that they should be looking at, things that are happening say, in the next six to eight months that they really need to have on their radar?

[00:32:52] JA: I think, in terms of where to get your knowledge from is just to keep up to date with different, of course, news channels in general, but cyber specific magazines, or online. There are online cyber magazines. Keeping up to date with that. In terms of trends, like I said, I think, operational technology, critical infrastructure is becoming more and more of a target, especially with IIoT, and just IoT in general, as well, in the medical field. It's becoming more and more part of cyber warfare between governments, between terrorists, whoever it might be.

I think, things like data theft. Although, it's always going to happen. A lot of the times, actually precedes ransomware attacks. The standard data theft on a bank, or a healthcare organization, well, it's still going to happen, of course, and it's still a massive issue, and something that people always need to be aware about. We're seeing more attacks, like the one on Colonial Pipeline. It's going to become extremely valuable to bad actors using these techniques, and those targets.

[00:34:12] CS: Yeah. Definitely keep it keep an eye on the news. Keep an eye on the world. Maybe your next job opportunity is going to come out of something that you read online. As we wrap up today, Jessie, could you tell our listeners about Sepio Systems and some of the projects and products you’re excited about going into the new year?

[00:34:34] JA: Sure. At Sepio, we have a software solution and is hack one, hardware access control. Basically, what it is, is it gives customers complete visibility of their assets. The problem with hardware attack tools is that they go under the radar of existing security software solutions, like the bad USB, the ninja cable, whatever it might be. It impersonates a legitimate HID. It essentially just gets recognized as a keyboard. It acts like a keyboard. That's the problem. The hack one solution will go deeper and see, actually, no, it's not a keyboard. It's a USB ninja cable, and will block it.

We provide customers with complete visibility of all their assets. Also, just not in terms of whether there's an attack taking place, but just if you're trying to enforce zero trust access, then you need to know everything about your devices to make sure you're properly segmenting them, and having proper access policies and making sure they're being enforced properly. Then, of course, when it comes to hardware-based attacks, the solution will also block those devices, as soon as they get plugged in, if they are known to be rogue and acting maliciously. That’s what Sepio does.

[00:35:59] CS: Nice. One last question for all the marbles. If our listeners want to learn more about Jessie Amado, or Sepio, where should they go online?

[00:36:08] JA: On LinkedIn, you can find me, you can find Scipio. We also have a Twitter, and Instagram, a YouTube and our website, sepiocyber.com.

[00:36:21] CS: Sepiocyber.com. All right, Jessie, thank you for your time and insights today. Really appreciate it.

[00:36:26] JA: Thank you so much for having me.

[00:36:28] CS: Thank you, as always, to our great listeners for supporting and promoting the show. New episodes of the Cyber Work Podcast are available every Monday at 1 p.m. central, both on video at our YouTube page and on audio wherever you find podcasts are downloaded.

I'm excited to announce that our InfoSec skills platform will be releasing a new challenge every month with three hands-on labs to put your cyber skills to the test. Each month, you'll build new skills ranging from secure coding, to penetration testing, to advanced persistent threats and everything in between. Plus, we're giving away more than a $1,000 worth of prizes each month. Just go to infosecinstitute.com/challenge and get started right now.

Thank you once again to Jessica Amado, and thank you all for watching and listening. We will speak to you next week.