Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everyone, welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you here today.
So last week we talked about user access audits. We talked a little bit about MFA, importance of making sure you structure everything right. This week what I wanted to do is actually dive into MFA, multi-factor authentication, and wanted to review one, what it is as a quick primer, also some of the different available options out there, and I want to dive into different ways that MFA can actually get bypassed.
It really, really helps, but it's not infallible. And finally, I want to go over a really good tool that we're using for MFA, the YubiKey. So we'll go through each of those.
Before jumping into that, since we are actually now live on Apple podcast on Spotify, you can finally hit that follow button. You can hit that subscribe. You can do it on YouTube as well.
Do it on all of them. That'd be awesome. Tell your friends, but also leave us some comments.
We'd love to hear from you. Love to know what you're having trouble with, some questions you have, things that you'd like to talk about, even if you'd like to be on the show, more than happy to discuss those. So very, very much, very interested in what you have to say, what comments you have for us.
So with that said, let's jump into MFA. Now, MFA, we're going to go through a quick primer here, but multi-factor authentication. Also, typically what people are talking about when they say 2FA, two-factor authentication, just means 2FA is two factors.
Multi-factor can be two factors. It can be three. Technically it can be four.
What multi-factor authentication is, is different methods of authenticating who you are. And as the steps go, once I claim an identity, I go to log into a system. I say, hey, I'm James Bowers.
Well, then I have to authenticate. That's typically with a password. Now I can use MFA, something else to say, yes, I was claiming that I'm James Bowers.
Now, you know, because I had James's password, I had his MFA tokens, yada, yada, that I'm actually James Bowers. Then we move on to the authorization section where the system would see what permissions and such we have. But for MFA, it's very important to note it's not two passwords or it's not a password and a pin.
What MFA is, is there's four different methods of authentication. It can be something you know. So that's a password.
That's a pin number, a phrase, whatever. It's something that, you know, sits up here. It's something that you have, you have a physical access.
So in our case, like a YubiKey, it could be an authenticator app. It's actually something tangible. You put your hands on it.
It's somewhere that you are. So that's like geofencing or IP restrictions. A lot of times that's managed in conditional access in Microsoft.
So we'll say only these IPs can, can log in. That's a, that's another form of authentication. I'm within, I'm within this boundary.
I'm, I'm somewhere. And finally, the last is something you are. That typically refers to, actually typically is probably not the right word.
That refers to biometrics, fingerprint, voice, eye scan, you know, skin samples, blood samples, any of that. Something that you actually are. So again, it's something, you know, something you have somewhere you are or something you are.
I feel like there's a catchy little song or jingle in there somewhere. Maybe, maybe we'll come up with that. But with multi-factor, it needs to be different, those different types.
So it can't, like I said, it can't be two passwords. Those are two things. You have a password, that's something I know.
Then if you have a pin, well, that's something I know. It's not multi-factor. But if I have a password, something I know, and I use an authenticator app or a key, that's something I have, that's two.
And then if I'm using IP restrictions, I can only log in from a certain IP. Well, that's somewhere I am. That's actually three.
So that's, that's MFA. And also making sure that with the biometrics, that it is actually taking your biometrics, not releasing a password. So some biometric devices will store a password on it.
When you hit it, it'll throw that password. That would technically turn into two things that you know, because if you knew that password, you could send that in certain protocols. So just be careful there.
That's, honestly, it's probably a little bit too deep for this conversation. But in any case, that's multi-factor authentication. And we want to make sure that we have that on, well, all of our applications if we can.
Um, reason why is according to Microsoft, multi-factor stops 99.9% of account compromise attacks. Well, that's, that's a high number. Now that's, that's just the account compromise attacks.
That's, that's not all, all attacks. So there's still ways to, to get in, but for the most part, MFA is pretty secure, pretty difficult to get around. It's not that you can't get around it.
There are definitely ways to do that. And we'll talk about that in the next segment, but long story short, MFA helps secure your accounts and it makes sure if your passwords get out there that somebody can't access it because they still need that somewhere you are, or they still need that authenticator app, or in our case, they still need the security key, the physical key to plug in. So that's very important to keeping the account secure.
A few, a few different ways that authenticators are done are some of the different types of MFA setups is, is with texting. You know what, I, I want to talk about something else first, then we'll get into the typical kinds of, of MFA. It's very, very important MFA, but you also want to make sure, and we talked about this in our last podcast, that you don't lock yourself out of your accounts.
You have MFA set up on everything. Let's say it's an authenticator app and you lose that app. Now you can be in a very bad position.
So when you're setting up multi-factor, always make sure you have another way into your account. Make sure that ask yourself the question, if this authenticator or this multi-factor process or solution doesn't work as intended, what then? How am I going to get in? Also, please make sure to consider that if you're setting up conditional access in Microsoft, it's great to do that to IP addresses. However, even though at home, which a lot of people are working from now, a lot of the home IP addresses can sometimes stay the same for a very long time.
They're typically not static, meaning that Comcast or AT&T, whoever you use, it's not an endorsement for them, whoever you use can change that IP anytime. And if you're restricted your access to a single IP and that changes, you might just inadvertently get locked out of your accounts. So again, that's the conditional access with IP, along with MFA and a password, makes your account very, very secure.
It's definitely a very secure way to kind of lock everything down. Pretty much account compromise attacks are, that concern's almost deleted. There's other ways you can get in, but you can really kind of patch up a whole area.
But again, just make sure, especially if you're using the somewhere you are with the IP addresses, that you lock that down and that you have a backup. So that, I think that that takes us better into the typical types of multi-factor. So typically multi-factor, for most, for most accounts, for most systems, it's a text message will come right to your phone, sends you that, that OTP, the one-time password.
And it's typically like six digits. So let's say, here's your code, type this in, boop, now you're in. Pretty, pretty solid system.
And most people will have their phone. And even if you lose your phone, you can get a new one and you'll have the same number. So you should get those texts.
I do want to point out a few considerations here. We'll get into how you can get around that later, but if you're using a business phone, a VoIP solution, voiceover IP, make sure you take into an account the campaign registry, TCR, which is now limiting business to business messaging. And some VoIP providers are locking it down to where if you're not registered, your number can't get any text messages.
If you've relied on that before, say you've given your VoIP number that goes to your mobile, you've given that as your, as your texting number, your SMS to receive, it could lock you out of being able to get those text messages. There's also some considerations with certain VoIP services of if they, the type of message they send and whether they're sending from a short code or a long code can also prevent you from getting it. One example of that that we had a long time ago was with Amex.
And sometimes it came one way, sometimes it was processed another way. And when it was processed the other way, we never got them. So just make sure there's considerations there.
It's not just SMS is always going to be available. All right. So some important things to consider there that falls back to what we talked about last week, kind of the break glass accounts, the other way into the account.
The next one is that a lot of people use is email. Some systems, this is all they allow. This can be a good way to where I'll send you an email, you approve it, then it lets you in.
If you can, I would recommend against that. Reason why is if somebody compromises your email, well, now they've got access to your two factor. So if they've got your email, they should be able to go to any account and they don't need your password because they have access to your email.
They can just say, I forgot it, send me a new one. And when it does the two factor to your email, you authenticate it and say, yep, that's me. So it creates a single point of failure and can quickly propagate to somebody gaining access to multiple accounts very, very quickly.
So that's why it's really important to, to lock down the accounts appropriately. But if you can avoid using email or use a, like a different recovery email account, that's maybe locked down in a different way. The other one that's kind of the next level it's in, this is being used more and more are the authenticator apps for the little tokens like RSA will give them to you and it gives you like six digits or so.
There's Google Authenticator, there's the Microsoft Authenticator Duo, some really cool things with each of those. Google, Duo, Microsoft, very easy to install their authenticator from any of the mobile app, you know, Apple, Apple Store, Google Play. Very, very, very cool with the authenticator apps.
You always typically have your phone with you. Some of them, like a Duo, if they're set up, you can actually create to where they'll send you a push. That way it, rather than giving you a code, it pops up on your phone and says, hey, are you trying to sign in? Click yes or no.
And you can click yes and it lets you in. Just like we've talked about with some of the other options, make sure that you have a backup because sometimes the authenticator apps can hiccup. And if you lose your phone, now you've lost all of your access.
Some other considerations are the Microsoft one, especially the recent changes is pretty solid to where it actually sends you a challenge and says, hey, what's the number? Type this number in. So it's not just giving you a number, you're typing that in on the device to authenticate. So it kind of goes both ways.
That's pretty neat. Google authenticator, easy to use. Duo also can be very easy to use.
And the thing I like, I'm going to give a like and a dislike about Duo based on my experience. I like with Duo that if I set it up correctly, I can tie it to multiple platforms. And if I tie it to those platforms, if I disable my Duo user, the person can't get into, that user can't get into those other platforms because the authenticator has been disabled.
The push capability has been disabled. It won't work. So it creates a situation to where even where I may not have SSO, I can still kind of utilize those capabilities by using Duo to just disable an authenticator, which will instantly limit access to all the accountants linked to.
So that's pretty cool. Once you have the setup, it can also, you can fully brand it. As far as costs go, not crazy.
And if you have very little users, it costs practically nothing. If you have tons of users, you've probably got enough money that the cost still isn't an issue. So I was always happy with their cost.
Here's the thing, and this may be fixed. This may not be an issue anymore. But the only thing I didn't like about Duo is when using it like Google Authenticator or the others to where I just scan a QR code and use it to give me those six digits.
When I use it as a as an authenticator itself, when I made changes to the usernames or I tried to rename some of those to where I could better identify what platform it was for, I've had it, the code stopped working. I've had, I've had it almost like break it. That may have been something that I was doing.
Definitely, definitely open to that, that theory. But it's something that whether I was doing or whether it was something with them happened a few times when I was using the Duo app. And I've yet to really notice that with any prevalence on any other app.
So take that how you will. Just my experience. But overall, I've got very good things to say about Duo and really, really do like it.
It can also with applications like Microsoft really be tied into their well. So those are, those are good ones. Another one, kind of the the last one I'll talk about here because I'm not going to go into biometrics, but our pass keys.
Sometimes PIV, personal identification cards that you might use in the government. But like we use, where's the keys. So what's cool about this is I type in my password.
And I've actually got to have that key plugged into the system. And then I've got to actually tap it. So the key isn't just sending the information as soon as it's attached.
It's even challenging that I'm standing right there next to it. So it adds a little bit extra layer of protection that somebody can't just like pull the data right off of it and use it. But a very, very secure way for, for multi-factor.
I'm going to sound like a broken record. Make sure you have a backup with the, with the YubiKeys. What's cool is when you're setting up any account, you can, you can follow it up with another, another key.
Typically each platform you can do at least two, if not more. So definitely when you're using something like a YubiKey, if you can, have to have one stored away just in case something happens to the first one. But otherwise they're a very secure, very secure option.
So with that said, you know, and there's probably some, there's some others we could go to, but I think those are the heavy hitters. MFA, like Microsoft said, 99% of 99.9% of attacks are thwarted. Account compromise attacks are thwarted.
So it's, it's definitely a must have on your accounts. And it also, I mean, really satisfies a lot of the regulatory requirements. They practically all require it.
Now, FTC safeguards, that's actually one of the stated requirements. You have to have MFA. So just all around good to have.
However, big hairy, but it's not infallible. So as with anything, don't set it up and think, okay, we're secure. That's it.
We don't need to do anything. There are ways that you can get around MFA. And I want to go over some of those now, and we're not going to go into all the specific technical aspects, but I want to give you a flavor of how that can happen.
Exactly. You know, exactly how somebody could sidestep a multifactor. And it comes down to a lot of compromises to where perhaps I'm not technically compromising the device or that process.
You know, that may be impossible, but I'm sidestepping it some way to where, all right, I'm just, I'm just avoiding the, either the need for MFA or I'm kind of changing the rules of the game so I can get around it. And I've got 12 different, 12 different ways listed here. And some of them blend together a little bit, but number one, social engineering.
That's, and I think that this sums up quite a few of these here because technically some of them are social engineering, but number one is social engineering, the actual user. So I may call up, hey, I'm tech support. I'm trying to get in.
We need to check your account. Please go ahead and sign in for me on this link. Great.
Can you give me your multifactor code? Let us get in. Perfect. Can you, can you confirm that that let you get in? Awesome.
Give me just a minute. I need to check some things out. That's a real, that's a real simple social engineering way.
And if you're thinking that, oh, that sounded kind of rocky, that sounded dull. That's the exact thing that's been said in some of the social engineering attempts and tests that we've done. And I hate to say it works.
So the next one, still social engineering, but not the user, but the actual service desk. So that's where I call up and I may talk to technical support of your service provider or of the SAS platform and basically convince them that I'm you, but man, I just lost my, my multifactor. Can you reset that for me? Or can you disable that so I can get in way that this actually happens and gains legitimacy is if I've compromised your email and I'm talking to service desk and say, Hey, you know, you can shoot me an email.
I'll validate that and go through the new password process. Um, you know, I do have access to the email. Um, that's definitely a way that people can bypass it.
So two ways right there, social engineering users themselves, or the service desk. Um, just as we talked to everybody, don't ever give out your multifactor. No one's ever going to ask for that if they need it, they don't need to be in there.
Um, so good thing to talk about with the users. Next one I have on here. And with the exception of the social engineering for user, I don't technically have these in like an order of, Hey, this happens to most, um, I'm just kind of a light order.
I've got social engineering all the way at the top reports, brute force at the bottom. But the next one I have here, uh, number three is a lot, uh, bombing. Uh, and basically what that is, um, I guess the easiest way to simplify an OAuth, um, is I can essentially make connections to different apps and then I won't need to do the password or the MFA.
I'm just, I'm making a connection. Um, you know, some APIs, uh, things like that, but I can continue to send OAuth request to somebody. And eventually they may hit yes on one of them that will let me handshake with their account.
I can't do that. Um, let me handshake and now I've got access. And that's scary because that's kind of backdoor, uh, access.
And with some systems, once that's set up, it has to be disabled from the, from the other end, which absolutely blows my mind. But we have had situations where the, the platform did not support killing that from, from the user side. And, um, so it can, it can create some serious persistent access there.
Um, and that's, that's just leveraging capabilities that are already in place. Next one is, and this is kind of social engineering, but MFA prompt bombing. So let's say I've got access to your account.
I know your password and I, I just keep sending those requests. Hey, can you, the push request, Hey, are you trying to sign in? Click yes to sign in. And I just keep doing that to your phone.
Just keep doing it. Just keep doing it. Finally, eventually, eventually one of the a hundred times you accidentally, or just because you're annoyed, you click yes, or you think that it's the one that you were using to try and sign into something.
And I, I squeezed it in there and in that same time, and you, uh, allowed mine to go in, but not yours. And a lot of people don't even notice that because sometimes there's hiccups. So they just try again and, Oh, okay.
I got in this time. Everything's fine. Um, so that's just really asking for it multiple times.
Hey, can I have your MFA code? Hey, really? Can I have it? Can I have it? Can I have it? Mom, mom, mom. And then they get it. So kind of low tech, but it definitely works.
If it, uh, if it works, it's not stupid. Next one I have is just general technical vulnerabilities. Um, new vulnerabilities come up in systems all the time.
Uh, so some of those could come up, give somebody a access around it, um, or let somebody say do remote code execution to where they don't even need to sign in. Um, a lot of different, a lot of different things there. That's a pretty big, pretty big blanket.
Um, exploiting generated tokens. So, uh, one that you already have, um, that actually kind of relates to session hijacking to where once you have a legitimate token, I'm using that and using it to sign in, using it to do things. Um, and just using that token, that legitimate token, that legitimate session that you had.
Um, next one's in point compromise. Uh, basically just, just like somebody sitting at your computer. Um, they get keystrokes, they get, uh, access to maybe authenticators that you have on the computer and, and then they're able to bypass or get in or your accounts on your system.
Don't require it. Hey, trust this browser for 30 days or trust this computer. Don't ask me again.
Um, your system gets compromised. So when they log in through there, it doesn't even, it doesn't even register. It doesn't even ask.
So they remove the need for 2FA. They don't really MFA. They don't really break it.
Uh, an email compromise. We, we talked about that. They get access to your email and they use that.
If, if you have the, uh, request coming right to email, well, that's easy. Now, now they've got access to it, but they can also use it to support those, uh, kind of service desk, social engineering, or just right online requesting the, the repeat themselves or the, the password reset. Uh, the next one's exploiting SSO.
So single sign-on single sign-on can be awesome because it creates it to where rather than all of these different accounts that I now need to manage, I'm only needing to manage one. And when I set up that user that propagates to everything, that gives them access to everything. And then when they leave, it removes all their access, makes a management much easier.
Um, it makes user access reviews considerably more easier. Like we talked about last week, but the bad thing, the bad side of it, there's always a good and a bad. If I gain access to your account, not just gaining access to one account, I'm gaining access to everything.
So that can quickly propagate into a very serious issue. Um, and one that needs to be considered that, that really comes into play with considering the different systems you have set up, you know, talking about identifying all those, uh, systems with sensitive data. You want to make sure that, that you're identifying those and you're setting it up correctly because you want to balance it between, I want it to be easy for all of my users to be able to sign in.
I don't want them to have to remember tons of passwords, but I also don't want it to be that if this gets compromised, well, that's everything. So it's, it's always a, it's a seesaw and that's where the risk assessments come in and identifying which, which works better. We talked about session hijacking.
Um, the next one in it, you know, it goes back and forth. Some people say it's easy. Some people say it's not.
Um, but some, some hacking, um, or some hijacking, um, basically it's just getting your messages to go to another phone. And if I clone your phone, um, if, uh, this is, this is the second week, this thing's bugging me like crazy. I just can't, I can't get this cord in the right place.
Um, with the, basically if I, if I clone your cell, well now I get your messages. And if your one-time passwords are coming there, your two factors are coming there. Well, now I get access to them.
So that's something that could can happen. That's why a lot of companies even restrict the ability to use SMS as a, as a two factor. Um, I think in most cases it's probably fine.
And I would, I would just caution here. Don't blanket, uh, don't blanket restrict people from using SMS because one that's, that's a really easy one that everybody can implement just because of this threat out there that somebody could compromise it. Um, for most systems, it's probably fine.
And the juice wouldn't be worth the squeeze anyway, to go through all of those steps to clone, to clone the phone, um, just to gain access to the account. For, uh, serious accounts for those with sensitive data, probably limit it on there, especially if there's a SSO, don't use it for SSO, uh, cause that, that just opens up. But for a lot of systems, uh, especially that's all they support.
So that's all you're going to use. But again, weigh that against user usability. The final one is brute force.
Um, and that's, that kind of goes in with the MFA prompt bombing. That also goes into, um, depending on how the system's set up. If it doesn't have like a lockout, um, I can just keep trying MFA codes and passwords and eventually I might get lucky.
And if it's a, say only a four digit, something like a pin or something, um, well then my chances of success are, are a lot better. So those are, those are just some different ways. Um, definitely other ways, but some, some of the core ways that you can get around multi-factor and it's not, that's not to say don't set up MFA.
No, absolutely set up MFA, always set up MFA, but it's not a golden goose, right? So make sure in the back of your mind, just as with everything, what happens if this system fails or what happens if somebody gets around it and then answer those questions as they, as they propagate. That's, I mean, that's that's risk management. So here we are rounding out, uh, the final part.
And I think what we'll do is probably eventually do a video on it. Um, cause I want to talk about it more. Uh, and I, I don't have the time today, but the YubiKeys.
So we utilize these and what's very cool about the YubiKey is like I said before, I'm able to plug it into a platform and you have to have my password and you have to have this key to be able to get it. Um, and with the way that it's structured is you can't, you shouldn't, shouldn't be able to, to get the data right off it. If you're not standing next to it, um, you, you still need to touch it.
That little, you know, that little metal spot there's your finger touches it just to, uh, to validate that you're actually standing there, that you actually have physical access. So that's a very good way to secure accounts. And there's two ways that we do that.
One, a lot of applications now, a lot of systems now support the use of those type of keys, uh, specifically the YubiKeys or other, um, other pass keys. And you can just use that as your two factor. You can set that right up in the account.
You can set up a backup one, very, very easy to do. But YubiKey, YubiKey as a product, YubiCo, the, uh, the manufacturer, the, the company also has an authenticator app, just like one that you would use with Google and with Microsoft and Duo, like those we talked about. But what I like about the YubiKey authenticator is that I code everything to this key.
And then when I plug it into the authenticator app, if I've set it up right, it asked me for a password, put in my password, and then it gives me all of my, my one-time codes that I can, that I can use to sign in. Well, I can do that on a mobile app. I can do that on my computer.
I can do that on another computer. Doesn't matter which system I use it on. It's all coded to the key that I have.
So I essentially eliminate that worry of if I lose my authenticator or if I lose my phone, I've lost all of my authenticators. I'm in a bad spot. It, it eliminates, um, that, that single point of failure.
And while you can't clone a key because that's not how the encryption works, it would kind of invalidate it, you can use the same QR codes when you set up the authenticators to these, to, to their app. You can use that on different, um, YubiKeys. So if you save that and only save it for a limited time, if you're going to do that, or in a secure location, make sure you scrub any drives that have, have it on, but you can essentially create backups.
So I can have one in a safe. I can have, you know, one of my bag, one of my key chain. And then that way, if I, if the key breaks or I lose it, I've got it on other devices.
If somebody steals it, well, they've still got to get the password to be able to see those codes. And then they would have to have my password on each of those apps to be able to sign in. And if, if it got lost or stolen at that point, I would go in and reset them all.
So I think actually going into how to set that up in some other ways that you can use the keys, because they support a lot of different authentication and to just talk about the different types of a YubiKeys. We utilize the FIPS series, the YubiKey 5, 5C, the FIPS. They also have the non-FIPS.
Really the only difference there is the FIPS are certified, meaning that all of the encryption algorithms, everything is validated by external parties, by government, and they can actually be used in government. The non-FIPS are not validated that way. They use the same technology, but they just don't go through the validation process.
So one, they're a little cheaper. Two, they get firmware updated more frequently. So that's a, that's a little seesaw thing there too, just like all things security.
It's nice with the non-FIPS series that you save some money and you can get new features faster. With the FIPS series, I, I kind of like that because it's not YubiCo telling me that, that they're secure. It's another organization that has come in and validated that.
And that's nothing against YubiCo or anybody else. But I trust you. I just want to verify it.
And some companies here in the past, I'm not going to name those, but in the past have said, yeah, we have, uh, we have full encryption on all of our transmission. Everything in our, in our app is, is encrypted. And then there's a data breach and lo and behold, no, it's not actually encrypted.
It, it, we didn't have those security features that we said we did. Um, and that can happen either a, because the company's lying because money, um, or it can happen because it just went down the line multiple times and just fell through that Plinko machine of everybody saying, yeah, we've got that, or yep, that's all set up. And it actually really wasn't.
And here we find out that it, that it isn't performing the way that, that we thought it was. On the FIPS side, I know that it's gone through a validated process and for, for our needs, we can use it for government as well. So that, that kind of matters, but I think we'll go into, into the different types of UB keys later.
Um, kind of don't want to use up more time than we have today, but there's a lot of really cool stuff there. And actually I think we even set one of these up and do a, um, maybe a one-off, but I think actually just walking through how to set up the UB key, because there's a few different things to consider. And when you first look at it, especially if you don't use these a lot, it can be a little overwhelming, but once you know what you're doing, pretty easy to go through.
And, uh, I don't know, does it sound like I'm a fan boy? Uh, especially with the authenticator app thing. Um, I don't know. I love the keys.
Uh, very, very good way to secure things. Nothing's perfect, but it is a cool way. Um, and when you show it to companies that you talk to, if you're doing any type of audits or you're an MSP, um, carries a lot of weight, uh, they've never seen it before.
And, oh, wow, you've got some sort of key. This, this person really knows what they're doing, you know, show, uh, some of this is so showmanship. So, you know, do good marketing for yourself, um, as much as you can.
So we'll definitely go into the, the, uh, UB, UB code, UB keys, uh, another time, but I do have a link. Uh, I will have a link in the description, uh, that you'll be able to click on. They'll take you right to their page in Amazon.
Um, so that you know, that you're looking at the right keys. And I'll also put a link in there directly for the one that we use, uh, or some of the ones that we use, uh, just because they've got so many, it can be a little overwhelming, um, and kind of our, our primary recommendation ones, um, but then also to the store. So that way you can look at all this stuff that they have.
Um, and then we'll also put all the information that we talked about today, some of the different ways that people can bypass things. Um, and obviously more than happy to engage with you and help connect you to some of our partners that specialize in these things. If you're wanting to make sure you've got everything typed up.
So I think that's all the time that we have today. I mean, it is because I'm done talking. So I really appreciate you tuning in today to cash in the cyber sheets.
Um, again, also because it's so exciting that we're finally on apple and Spotify and getting on more, please click those subscribe, click those follows. If you go to our Facebook page, cash in the cyber sheets, um, as it's, as it's starting to get rolling, uh, go ahead and follow us on there. Throw us a comment, say, Hey, we'd love to hear from you.
Um, that also helps us, um, get more affiliate support to where we can provide more and more of the tools and information at no cost to you. Um, so that's always kind of a cool thing. And the more that we can, that we can just give out, help you be secure and compliant.
Um, I'm more than happy to do that. So go hit that subscribe, leave us some comments. Let me know if there's anything that you want to talk about and we'll see you next week, 10 a.m. Thanks for listening.
Talk to you soon.