Webinar: Security of remote work | We’ve been attacked! Overview of security mechanisms and tools for the public sector

Minimize the impact of a cyber attack. Learn tools to integrate and visualize key events. Webinar transcript: We’ve been attacked! An overview of mechanisms and tools for the public sector.

Security of remote work: We’ve been attacked! Overview of security mechanisms and tools for the public sector (16.06.2020)

Rafał Broda, Project Manager, EXATEL S.A.

Paweł Wojciechowski, Business Development Manager, Fortinet

 

— Rafał Broda —

Previous webinars covered classic tools and mechanisms for building a secure network edge. Now we are going to share with you our knowledge on a holistic approach and improving business or statutory needs of an organization. Our technology partner Fortinet has joined us today on the webinar.

 

— Paweł Wojciechowski —

Fortinet is celebrating its 20th anniversary this year. From the very beginning, security has been a high priority for us and over the years we have become the largest cybersecurity company. While most of you may know us as a firewall developer (every third firewall is developed by us), we currently have over thirty product lines in our portfolio. Not only firewalls, of course. What’s more, thanks to Fortinet’s strategic focus on organic growth from the very beginning, the Fortinet Security Fabric platform is available now. It is a coherent security platform in which these thirty product lines are integrated with each other and thus give you a consistent view of your infrastructure and attack surface. You get tools that can be used to effectively manage safety and risk.

 

03:13

— Rafał Broda —

It has already been a quarter of a year since the pandemic was declared in Poland, so the first studies related to this exceptional period have already been published. Our discussion today will be based on some findings published in the studies made by the following three companies: Kaspersky, Fortinet and IDC. In reports on Covid-19 prepared by all of these companies, we can notice a recurring topic – in the first stage, the condition was to provide a hybrid working model. This of course resulted in some nuances that those companies decided to explore. We have listed the most important ones that seem most relevant to us. Going one at a time: employees and employers stated that half of the employees were fully provided by their employers with the IT equipment they needed for work. This raises a question about the other half – what equipment these people work with and whether we trust it in relation to its security. What’s more, 3/4 of employees confirm that to this day they have not received any IT security awareness training. In my opinion, this gives a huge space for social engineering and phishing attacks. Of course, companies are trying to cope with this somehow, but usually solutions implemented by them are unstable and most certainly do not substitute for awareness training. 1/4 of employees admitted they had received unsolicited e-mails about Covid. Curiously enough, those were e-mails that were not marked as SPAM, i.e. e-mails that reached the employee’s account. This shows how massive this action must have been on the part of cybercriminals. FortiGuard shared with us quite interesting data – daily, about 600 phishing campaigns with Covid as a recurring theme were found. Of course, we are talking about a global scale here.
Juxtaposing those statistics with data that has been known for years that over 90% of malware delivery attempts are made via e-mail (this trend has been constant for years and it has also continued during the pandemic), we get an interesting cluster – lots of unwanted e-mails on the one hand, and incoming malware attempts on the other. Another statistic we would like to share is that 1/3 of companies admitted that in order to maintain any kind of business continuity, they were forced to undergo an accelerated transformation, meaning they started using tools that had not been certified previously in any way. Grouping these most interesting statistics we’ve picked out for you, it is fair to say that the first two points touch on the topic which – for the purposes of today’s webinar – we would call “host/terminal/endpoint security”. And this is one topic to be discussed. The theme of the second one is e-mail security. The third topic comprises all kinds of cloud access – public clouds, SaaS. These are the three categories we would like to focus on today. But before that, we would like to come back to what we’ve talked about in previous webinars, namely the security ecosystem.

 

— Paweł Wojciechowski —

Let me start with a brief reminder of our webinar series. We started with instructions how to provide secure remote access. In this aspect, we talked about the VPN gateway that you can run on FortiGate and FortiClient, which is available in FortiClient VPN trial version that doesn’t have all functionalities but gives the ability to connect to a VPN. Our first step was how to establish remote connection in a secure way. Next, we talked about the fact that since these computers had worked remotely and they had been more vulnerable to other attacks (as the security at home might be weaker than at a business place), it would have made sense to protect the computer.

And here we recommended FortiClient in the paid version, which, in addition to providing VPN, also gives us a vulnerability scanner, URL filtering and malware protection. It is a fully managed client via the EMS console. In the next step, we said that when working remotely, it was a good idea to strengthen security with two-factor authentication. For this we used a solution consisting of FortiAuthenticator and tokens. Later, we showed that having a larger environment, it was worth investing in tools that would manage the environment in a consistent and uniform way – here we talked about FortiAnalyzer and FortiManager. And that’s how our solution architecture has evolved so far. However, Fortinet’s offer is much broader and the image on the right shows you other selected solutions from our offer. We’ll focus on just three of them today: FortiEDR, which is a tool for securing endpoints (hosts), FortiMail (mail protection) and FortiCASB (protection of temporary services in the cloud).

 

10:27

— Rafał Broda —

Moving on to the first category. Remote work model continues, we have equipped employees with laptops, we have provided VPN access, but as I recall from security training or best practice books, every computer used out of work place constitutes some sort of migrating problem, being out of our reach yet with access to our network. And these are everyday problems of a company, e.g. updates – how fast is an IT network administrator able to install updates on a remote computer? The second problem is the media which users connect to. Wi-Fi networks are not always inherently secure either. To sum up, many hosts are beyond the reach of our local security. So, how could their vulnerabilities be managed?

 

— Paweł Wojciechowski —

Their vulnerabilities and many more. Perhaps this is the time when for larger environments it is worth considering a solution that also provides protection response, i.e. the ability to respond to attacks in real time. Last year we acquired enSilo. Their solution makes it possible for us, in addition to protection, to detect attacks and respond to them in real time. I am not sure whether you are aware of the fact that many reports state that some attacks are invisible and the average time to detect that someone has attacked a company and is inside the system is 3 to 6 months. That’s really long. So, it’s worth having a solution that helps to detect and analyse these types of attacks. What does FortiEDR do? FortiEDR has features that protect against infection (Discover & Predict and Prevent) and help when that infection has occurred. Before infection, this feature works reactively, detects vulnerabilities and protects through virtual patching mechanism. It also prevents malware from being installed on the user’s endpoint. This software has a lightweight agent that runs at the kernel level, is signatureless, and has mechanisms for machine learning, application control and several other advanced techniques that enable effective protection. On the other hand, we know that no system will protect us 100% and a break-in will happen sooner or later. Then you have to be able to detect it. We have many different mechanisms to detect hacking (Detect phase). Further on, we have a rather unique phase called Defuse which acts as a sort of delay. If an attack is detected, many systems cut off the host and the user using that particular host cannot continue their work. Defuse technology can only freeze a process, a piece of a host, and still allow that host to work until we decide what to do with that break-in. This decision can be manual or automatic.
This way we can, for example, protect against data leakage – when we see that something unusual is happening and someone is communicating with command & control. We block one process then, not necessarily the entire computer. The same applies when we see that someone is trying to install ransomware, to encrypt drives – then we can also automatically act and freeze the process so that it does not happen. Once we get past the Defuse phase, we have two other categories, namely Respond & Investigate. The response can be manual and automatic. In case of hacking, it is very important to actually diagnose how it happened and then take steps to ensure that it does not happen again following the same scenario. We provide tools and software to do such forensic analysis. Point four: Remediate & Roll back. These are tools to restore the computer to the moment before the break-in. The FortiEDR makes all this possible.

This is a sample screenshot of a piece of software that allows you to analyse and detect these attacks. You can see a message, a description of it which you can expand and there you can also see why this process was blocked. And at the bottom you can see the individual steps that were performed by the process and at what point it was blocked (that red thing at the end). As you know, PowerShell was launched which tried to contact command & control, the external bot server and this communication was blocked. It happens automatically. Attack analysis can be multidimensional and you can ask for a history of what was happening on the host to analyse these attacks. Here you can see a list of libraries used by the program, you can ask for further actions on the processor and (if there are such fileless attacks on memory) you can also take a memory dump for full analysis. The possibilities for this analysis are really very broad, and here in particular. As you can see, we have a program running and it is suspicious – you can scan it using VirusTotal. The second option is threat hunting and you can view other hosts that have been infected in the same way in your environment.

This tool gives you a lot of visibility and a very effective way of analysis, but also a way to respond to an attack. Playbooks (providing automated incident response) help with the response which you can define granularly, depending on the group, on the status, and others. Simplifying a bit, playbooks are an automatic action that will be executed in case of a specific activity that is happening on the managed endpoint.

On the left you can see the items that emphasise effective protection, so it’s an analytical tool but it’s also one that allows you to detect and respond quickly to an incident. What is still worth highlighting (see right) is operational efficiency. I’ve mentioned that this agent is very lightweight, takes very little CPU and memory time – it’s a kernel-level process, so it sees a lot and is able to react almost immediately. The other thing worth pointing out are platforms that are supported. If you use platforms that are no longer supported by the software developers (such as Windows XP or Windows Server 2003), this software can still protect them.

 

21:02

— Rafał Broda —

Sounds tempting. Detection, analytics, automation, but the question of cost returns. We’re not talking about a single solution or a single installation here, we just need to secure the laptops of all our employees if we want to maintain the integrity of our organization’s security. It is known that the effect of scale does its job and the question immediately arises: how to estimate this solution? What is licensed there?

 

— Paweł Wojciechowski —

It is licensed like other solutions available on the market, namely we license the managed computer i.e. the number of installed agents. Licenses are available in packages, while the prerequisite is the minimum number of managed end devices which equals 500. The first license you need to buy is for 500 work stations. This is a premium sector solution designed for larger environments. Of course, we have smaller license options, e.g. a package of 25 but they can be bought only as an addition to the 500 package. E.g. when someone needs 550 licenses, they buy one package of 500 and two packages of 25.

In the table you can see the features I mentioned. The Discovery feature makes it possible to reduce the attack surface through vulnerability scanning and virtual patching. Pre & Post Infection Protection feature has both pre and post infection protection mechanisms. The Forensic and Threat Hunting feature is used for analytics. You can buy the package that meets your needs the best. There is, of course, the Full Suite package. If you have some sort of endpoint protection solution, the EPP/EDR suite would provide analytics and protection capabilities against advanced attacks.

Two more things about FortiClient and FortiEDR. As you know, we talked about FortiClient in relation to endpoint protection. If you have a smaller environment i.e. less than 500, then we would definitely recommend FortiClient. These two solutions have some overlapping features, while others are completely different. FortiClient provides you with Secure Remote Access – and this feature is available in the free version of FortiClient. The features that overlap are vulnerability scanner and application inventory. If you have a smaller environment and wish to have just endpoint protection, FortiClient is perfectly adequate. If you want advanced ransomware protection feature but also analytics tools, then you should use FortiEDR. Definitely. You can have both solutions and they will cooperate with one another, but you can opt for either one.

 

25:05

— Rafał Broda —

Another aspect that came out of the Covid-19 statistics was e-mail. E-mail is crucial when it comes to security and this trend has continued for years. As far as I know, in many institutions an e-mail has additional functions, such as replacing digital workflow systems. I would like to secure it adequately to my needs and security requirements. What can be added here? How can we change and design it? How to do it?

 

— Paweł Wojciechowski —

E-mail is the primary attack vector for businesses. Covid-19 statistics and other data show that the percentage of phishing attacks has grown by triple digits. But even regardless of Covid-19, you should pay close attention to e-mail protection. It is also an essential work tool at the moment.

You may have on-prem e-mail and then a typical gateway solution is used to protect your e-mail. You can have Office 365 and use cloud e-mail provided. And now, as far as on-prem is concerned, gateway is indispensable and you need to install it. When it comes to cloud solutions, as far as I know, you have basic spam and malware protection in any subscription. On the other hand, if you want advanced protection, you need to buy Advanced Threat Protection 1 or Advanced Threat Protection 2 packages offered by Office 365. These are separately licensed and mailbox licensed packages. We are able to provide you with these advanced features much more cost effectively. If you have other Fortinet components, this will still be integrated under Security Fabric.

And a few more words about advanced features which are worth and even necessary to have in an e-mail protection solution to make this protection effective. First, you need to have a tool that allows you to protect yourself from malicious attachments. FortiMail has an activated antivirus of course that scans input data (a classic engine for finding known malware). Second, it has a solution that is called Content Disarm & Reconstruction. It involves cutting out the active parts from office documents and PDFs, so if an attachment reaches a user who even clicks on it, the computer is not infected as there is simply no active content there. Third, it has Sandboxing which can be a separate solution and you can potentially use it in the cloud. If an attachment comes from a suspicious source, Sandbox opens it and reports whether its content is malicious or not.

 

29:46

The second important aspect to consider is protection against links that may prove to be malicious and through which cybercriminals can get into our business. And here FortiMail (but not only FortiMail) provides several solutions. The first one is URL Filtering which is FortiGuard’s database. If we know something is a botnet or it’s a malicious website, it simply won’t be allowed in. Second, Time-of-Click Protection, which is a FortiMail feature. When a link is checked at the input, it may turn out to be a link to a site with good reputation. The e-mail gets into the inbox then and the user can open it at any time, say three weeks later. During this time, the website may become “malicious”, that is, from a site with a good reputation, it may transform into a site with a bad reputation. Time-of-Click, as the name suggests, will check the reputation of that site the moment a user clicks on a link in an e-mail, regardless of when they do so. Sandbox as an external solution can also check links to see whether they lead to malicious websites.

The last feature I wanted to talk about is the FortiIsolator isolation platform, which is a completely separate product that is not part of FortiMail. Here on this slide you can see two websites – the one on the left was opened directly by a browser, the one on the right was opened by the FortiIsolator platform. What does it mean that it was opened by a platform? If you had FortiIsolator, it would go as follows: an e-mail comes in, the link is replaced on our gateway on FortiMail with another link directing to the FortiIsolator platform and then if the user clicks on that link, a browser is opened, of course, but it does nothing – it just asks FortiIsolator to download this page. What FortiIsolator does is, it downloads the entire website on its platform by launching the browser, it renders the same and sends only the dynamic image to the user’s browser. You can see the difference in the code. On the left, you can see the code of a website opened directly on your browser, lots of different links, active scripts the purpose of which is unknown etc., so there is a lot of potential room for infection. On the right, you can see a simple code that refers to the FortiIsolator platform where everything happens. As you can see, this page looks the same. When the selected link is clicked, it acts as a command to the isolation platform. The isolation platform downloads the entire content and then passes the dynamic image to the user again. What do we accomplish with this? We implement “zero trust”, we don’t trust any website that we open and if there is any malware that is going to be delivered that way, it won’t be delivered because it will stay on the isolation platform. As I mentioned earlier, this is a separate solution, subject to a separate licence.

 

34:09

The last thing to look out for (and this is also an advanced feature) is protection against so-called Business Email Compromise. These are e-mails that have neither a malicious link nor a malicious attachment but they use some social engineering instead. We are usually asked to immediately transfer a large amount of money and usually cyber criminals in such messages impersonate a high-ranking official such as the CEO of a well-known company. Such an e-mail is often followed by a phone call to the person to whom the e-mail was sent and with the use of social engineering to force that person to make that transfer. FortiMail allows you to detect such e-mails and to block selected ones. Using DKIM/DMARC/SPF protocols, we authenticate the sender i.e. we check if this sender exists. Secondly, we detect spoofing i.e. impersonation of another user (an e-mail looks like it came from the CEO but in fact it didn’t). The third element is the detection of the so-called Cousin Domains and these are domain names that are very similar but have one different letter or an underscore. At first glance they look like the domain we know but they are actually different. FortiMail uses technologies that detect such actions. It can block some of them and in some other cases it warns the user about the probability of spoofing or a Business Email Compromise attack. So, have a closer look at the aspects I listed namely advanced protection against malicious attachments and advanced protection against malicious links. Those are the features that I think you should have as part of effective e-mail protection.

FortiMail also has additional features that make it possible to filter content i.e. protect the system against data leakage in accordance with the GDPR requirements. FortiMail also provides Identity Based Encryption functionality. This is also compliant with the GDPR if you have contractors or companies that you work with and need to encrypt selected e-mails. FortiMail provides all this. E-mails are encrypted and a mechanism is provided for recipients to safely read them. FortiMail can also archive e-mails for back-up or forensic purposes if you need to go back to the original e-mail.

 

37:28

 

— Rafał Broda —

This solution does look very comprehensive indeed and addresses our biggest pain points, i.e. ransomware and fake URLs. However, once again there is a question regarding budget. How will the fees be calculated? Just three months ago our e-mail inboxes were simple e-mail inboxes but today we attach many large documents to them. How will the fees be calculated in this case? Depending on the number of e-mails, their size? Is internal mail somehow included and calculated separately? How to prepare a cost estimate?

 

— Paweł Wojciechowski —

I will focus on two models. We have devices (7 models) and virtual machines. What matters to us: In FortiMail the licences are not granted in relation to the mailboxes if we are talking about devices and virtual machines. We license the solution, i.e. you have to answer how many domains you have and how many e-mails (either per day or per hour) come to you, including potential spam. Then, you choose the solution that you like the most from these seven models which are available in both VM and the device and purchase the solution that addresses your needs. This cost can be estimated and countable of course. If you want a cluster, then you need to buy a second box or a second VM and cluster it. So you could say that we have an unlimited number of mailboxes. What you need to know when choosing a particular device or virtual machine is how many e-mails are received by your mailbox and how many domains you want to support. Second thing: we have a basic and an advanced bundle. Advanced features are in the advanced bundle and you can buy additional functions such as Dynamic Adult Image Analysis Service (a website that identifies pornographic images), FortiIsolator (a separate platform), FortiSandbox on-prem, as well as integration with Office 365 via API.

 

40:28

— Rafał Broda —

Let’s move on to the third topic of today’s webinar that is cloud access. We’ve seen this trend for a few years now and we’re unlikely to escape it but from a security standpoint, using cloud in any form of public SaaS is taking the plunge. Exposure to attack is increasing. To sum up, I have some trust but to a limited extent. If I use this service model, how would I ensure security? How far can my area of jurisdiction spread?

 

— Paweł Wojciechowski —

I’ll focus on Office 365 here but before I get to that I’m going to discuss the shared responsibility model a bit more. Namely, if you migrate your data to a cloud or use e-mail and other services via cloud, it is a SaaS model. In such a model, the public cloud provider or the service provider that practically renders all the services does not take full responsibility. You are still responsible for personal information and a few other things. Migrating data to the cloud does not relieve you of responsibility, even in a SaaS model, and this is something you need to remember. So what does it mean? It means that you are to provide the tools or you have to keep that data secure, including data in the cloud. What we provide – we’re talking about a SaaS model because we have other tools for IaaS or BaaS models but for use of applications as services – is FortiCASB. It definitely gives visibility of application usage, visibility of the stored data and mechanisms for securing information, protecting against threats, which is a scanner that will scan selected stored data and show if there’s any malware or not, but it will also provide reports on compliance with applicable regulations. In fact, by installing FortiCASB, you get visibility into what is happening in that application (such as Office 365). The way we do it is that we don’t change anything on the user or network side, we just connect the FortiCASB solution over the API to the application. When we connect to the application, we can see what users are doing, say Office 365, how they’re using that application, what type of data they’re storing, and so on. This provides an easy way to configure and gives you full visibility and much more security regarding the use of Office 365 in the cloud. From a security perspective, I can’t imagine using Office 365 without having insight into its use and full visibility, so I see FortiCASB as part of the security architecture.

 

— Rafał Broda —

Now, I would like to tell you how EXATEL could help you in this new reality. On the one hand, it can be said that the implementation of the products discussed above is to meet functional needs, but on the other hand – from the security point of view – it is to introduce new ways of detection and defending against different types of attacks which can be data leakage or some kind of controlled unavailability. I will refer here to our staff resources, the Security Operations Center. They can share their own experience with security issues. These are the people who are the backbone of the third line of support, and while SOC is associated with monitoring, incident response or reactive support for the client to remove the damage of an attack, today I want to talk about our other products. We can be proactive in this new Covid reality with increased exposure to attack, by the fact that we have implemented certain solutions, new initiatives. We installed some of them on the spur of the moment because in March business continuity was our top priority, but now we should sit down and do some examination of conscience. The product we would like to talk about today is security reconnaissance. The reconnaissance service is carried out by people using tools and in accordance with good practice. The name of this service is very important because we chose it to represent some common sense approach to estimating needs and safety requirements. We also wanted to make a very clear distinction between this product and a security audit. We perform security audits as well, both civilian and military ones, that is we help with meeting the guidelines under the Act on the National Cybersecurity System. I would like to avoid the word “audit” here because it is associated with the holistic approach, a formal and process analysis, while the reconnaissance is a clash of the practical interpretation of security with the situation of your company today. 
This situation may be a bit tumbled due to Covid: the all-hands-on-deck approach ended in creating certain gaps that we were not aware of and it would be useful to identify them today.

Reconnaissance itself is not a new product and we didn’t create it because of the Covid pandemic. We have had it in our portfolio for some time, while we have noticed that it is gaining popularity very strongly. What is worth noting is that it does not apply to technological security alone, but also to process security. As far as the scope of this service is concerned, this is a one-off action, although of course we encourage you to repeat it at intervals. At the start, however, this is a one-time action that involves scanning the ICT environment for potential threats. On the basis of the activities carried out by EXATEL, such elements of the environment are identified in terms of the most significant threats and vulnerabilities. We are not only talking about technological aspects, but also about process aspects, so there are people involved from the area of procedural security as well as penetration testers. The final effect of such reconnaissance is a report in which we describe the most critical gaps or openings, as well as suggest some corrective and mitigating actions, and at the end of the day you get a structured list of priorities to do immediately or within a specific deadline.

The service model is that we start with a survey of a dozen questions and there is generally an hour-long interview that we can do remotely. On our side, a project team is set up for the survey findings. There is still a requirement on your side – we need to have at least one dedicated person who cooperates with us and with this person we will go to a higher level of precision (setting up specific lines of interest, administrative matters, providing access accounts for penetration testers).

Since these will be offensive tests, it is important that the client provides system backups. Due to the fact that these are offensive tests, some of the data may undergo some modifications and, what is very important from a formal and legal point of view, we must have the client’s consent to unauthorized access to the IT system. The overall work depends on the size of the organization but we usually finish within a week. Within the successive two or three days we prepare a report and with it we finish the service provision.

 

 

— Questions — 51:32

“How much does such a reconnaissance cost?”

Rafał Broda: The cost depends on the size of the organization. In theory, it is a simple service. The proportion here is that penetration testers typically work twice as long as process-form analysts. As far as specific amounts are concerned, please contact sales managers. In the vast majority of cases, the work is finished within a few days. We have never performed a reconnaissance that lasted more than a week. The reconnaissance should not be considered preparation of the organization to a National Cyber Security Act audit. It is a very simple product, responding to current needs and providing directions. It is a remedy for the current Covid situation.

 

“What results in more EDR than antivirus and client VPN?”

Paweł Wojciechowski: EDR is a completely different class of solution than antivirus alone. If there was an attack, this tool would allow a full analysis of that attack and give the ability to draw conclusions as to how the attack progressed, the subject of that attack, what was the attack vector, etc. That’s the main difference. EDR also has advanced mechanisms (FortiClient has some of them) but because it’s an external tool that we bought, it has these signatureless mechanisms for protection that work well in closed environments that don’t have Internet access, for example. It is worth noting that FortiEDR provides support for legacy Windows platforms that can be protected, which is important especially in industrial environments.

 

“We would like to use the cloud but we are restricted by GDPR and EU regulations. Technical security alone is not enough.”

Paweł Wojciechowski: I am not a lawyer, nor a GDPR expert, but looking at the market and talking to my clients I can see that also on the public market there are many entities, even very large ones, that are moving their data to the cloud, using it (certainly Office 365), and some of them even use IaaS and PaaS platforms. So, it can be done, I guess. On the other hand, more and more often the biggest cloud service providers declare that they will build their data centres in Poland soon, so then there will be no problem with something called data residency and you will be able to indicate that the data should be located in Poland. I think it will lift those restrictions. I know that many public entities, even large ones, use Office 365, so somehow they are able to meet the requirements of the GDPR and use this solution.

 

Rafał Broda: In fact, within a year Google and Microsoft will “settle” with their services in Poland. However, I should point out that the GDPR is not just a “Polish problem” – its regulations are in force in all EU countries and those global players do not want to lose their market here so they will provide services in accordance with European regulations. In the beginning, these companies were focused on Western European data centres, but they can observe the Polish market which has become saturated with their services and they do it in their own interest. In case of an audit, as end users, we will have the comfort of indicating that our data does not cross the borders of Poland. What is more, we also have our Polish answer to these needs – Operator Chmury Krajowej (National Cloud Operator), which is a public project. Their negotiations with Google and Microsoft are already pretty advanced. If there was such a need on your part, EXATEL rents transmission links to them, as well as cooperates with regard to data centres.

 

“Will the current rate of change introduction continue after the pandemic? Or is it just a thing of frenzy developments that just stop after the situation is under control?”

Rafał Broda: I wouldn’t call them frenzy, really. This is like this funny picture about the digital transformation. It shows a survey on “who will introduce your company’s digital transformation” and there are three answers: the CFO, the tech CEO or Covid. So it’s not that the pace of change is slow. Covid has only intensified trends that have been around for years.

Paweł Wojciechowski: I think so, too. I don’t know what the pace of change will be. The pandemic made the management boards realise that such an abstract thing as shutting down the country or the world was possible, something they had previously treated in the business impact analysis as a risk that they were able to accept. So, it gives a very powerful weapon to the local CSO, or security department in general, to fight for some things. In my opinion, the changes that have now set in, and the realisation by those management boards that even the strangest risks may one day come true, will greatly accelerate changes. I think the process of digital transformation will accelerate. I also read a report from a respected enterprise that did an interview with CFOs of global companies. The CFOs said that after the COVID pandemic the company reality would be different – for example when it comes to remote work. As it turns out, some jobs can be completely remote and that doesn’t affect their effectiveness, in fact, the effectiveness can be even increased. So, these CFOs are analysing the situation, they’re testing models of operation during the pandemic and some jobs will definitely be done remotely from here on out. The question is how many employees will be working from home. On the one hand, it will increase effectiveness of their work, on the other – the company will most certainly save money, for example in respect to the office space and expenses.

Rafał Broda
EXATEL
Paweł Wojciechowski
Business Development Manager, Fortinet