Recent research shows almost three quarters of large businesses believe remote working policies introduced to help stop the spread of COVID-19 are making their companies more vulnerable to cyberattacks. New attack vectors for opportunistic cyber attackers – and new challenges for network administrators have been introduced.
To select a suitable remote workforce protection solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Vince Berk, VP, Chief Architect Security, Riverbed
A business needs to meet three main realizations or criteria for a remote workforce protection solution to be effective:
Use of SaaS, where access to the traffic in traditional ways becomes challenging: understanding where data lives, and who accesses it, and controlling this access, is the minimum bar to pass in an environment where packets are not available or the connection cannot be intercepted.
Recognition that users use a multitude of devices, from laptops, iPads, phones—many of which are not owned or controlled by the enterprise: can identity be established definitively, can data access be controlled effecitvely, and forensically accurately monitored for compromise at the cloud/datacenter end?
When security becomes ‘too invasive’, workers create out-of-band business processes and “shadow IT,” which are a major blind spot as well as a potential risk surface as company private information ends up outside of the control of the organization: does the solution provide a way to discover and potentially control use of this modern shadow IT.
A comprehensive security solution for remote work must acknowledge the novel problems these new trends bring and succeed on resolving these issues for all three criteria.
Kate Bolseth, CEO, HelpSystems
One thing must be clear: your entire management team needs to assist in establishing the right infrastructure in order to facilitate a successful remote workforce environment.
Before looking at any solutions, answer the following questions:
- How are my employees accessing data?
- How are they working?
- How can we minimize the risk of data breaches or inadvertent exposure of sensitive data?
- How do we discern what data is sensitive and needs to be protected?
The answers will inform organizational planning and facilitate employee engagement while removing potential security roadblocks that might thwart workforce productivity. These guidelines must be as fluid as the extraordinary circumstances we are facing without creating unforeseen exposure to risk.
When examining solutions, any option worth considering must be able to identify and classify sensitive personal data and critical corporate information assets. The deployment of enterprise-grade security is essential to protecting the virtual workforce from security breaches via personal computers as well as at-home Wi-Fi networks and routers.
Ultimately, it’s the flow of email that remains the biggest vulnerability for most organizations, so make sure your solution examines emails and files at the point of creation to identify personal data and apply proper protection while providing the link to broader data classification.
Carolyn Crandall, Chief Deception Officer, Attivo Networks
When selecting a remote workforce protection solution, CISOs need to consider three key areas: exposed endpoints, security for Active Directory (AD) and preventing malware from spreading.
Exposed endpoints: standard anti-virus software and VPNs are no match for advanced signature-less or file-less attack techniques. EDR tools enhance detection but still leave gaps. Therefore pick an endpoint solution capable of quickly detecting endpoint lateral movement, discovery and privilege escalation.
Security for Active Directory (AD): cloud services and identity access management need protection against credential theft, privilege escalation and AD takeover. In a remote workforce context AD is often over provisioned or misconfigured. A good answer is denial technology which detects discovery behaviors and attempts at privilege escalation.
Preventing spread of malware: it is almost impossible to prevent malware passing from workforce machines reconnecting to the network. It is vital therefore to choose a resolution that uncovers lateral movement, APTs, ransomware and insider threats. Popular options include EPP/EDR, Intrusion Detection/Prevention Systems (IDS/IPS) and deception technology. When selecting, take account of native integrations and automation as well as how well the tools combine to share data and automate incident response.
In short, the answer to remote workforce protection lies in a robust, layered defence. If attackers get through one, there must be additional controls to stop them from progressing.
Daniel Döring, Technical Director Security and Strategic Alliances, Matrix42
Endpoint security requires a bundle of measures, and only companies that take all aspects into account can ensure a high level of security.
Automated malware protection: automated detection in case of anomalies and deviations is a fundamental driver for IT to be able to react quickly in case of an incident. In this way, it is often possible to fend off attacks before they even cause damage.
Device control: all devices that have access to corporate IT must be registered and secured in advance. This includes both corporate devices and private employee devices such as smartphones, tablets, or laptops. If, for example, a smartphone is lost, access to the system can be withdrawn at the click of a mouse.
App control: if, in addition to devices, all applications are centrally controlled by IT, IT risks can be further minimized. The IT department can thus control access at any time.
Encryption: the encryption of all existing data protects against the consequences of data loss.
Data protection at the technological and manual levels: automated and manual measures are combined for greater data protection. Employees must continue to be trained so that they are aware of risks. However, the secure management of data stocks can be simplified with the help of technology in such a way that error tolerance is significantly increased.
Greg Foss, Senior Cybersecurity Strategist, VMware Carbon Black
The most important aspect for any security solution is how this product is going to complement your current environment and compensate for gaps within your existing controls.
Whether you’re looking to upgrade your endpoint protections or add always-on VPN capability for the now predominately remote workforce, there are a few key considerations when it comes to deploying security software for protecting distributed assets:
- Will the solution require infrastructure to deploy, or will this be a remote cloud hosted solution? Both options come with their unique benefits and drawbacks, with cloud being optimal for disparate systems and offloading the burden of securing internet-facing services to the vendor.
- What is the footprint of the agent and are multiple agents required for the solution to be effective? Compute is expensive, agents should be as non-impactful to the system as possible.
- How will this solution improve your security team’s visibility and ability to either prevent or respond to a breach? What key gaps in coverage will this tool help rectify as cost effectively as possible.
- Will this meet the organization’s future needs, as things begin to shift back to the office?
- Lastly, ensure that you allow for the team to operationalize and integrate the platform. This takes time. Don’t bring on too many tools at once.
Matt Lock, Technical Director, Varonis
With more remote working, comes more cyberattacks. When selecting a remote workforce solution, CISO’s must ask the following questions:
Am I able to provide comprehensive visibility of cloud apps? Microsoft Teams usage exploded by 500% during the pandemic, however given its immediate enforcement, deployments were rushed with misconfigured permissions. It’s paramount to pick a solution that allows security teams to see where sensitive data is overexposed and provide visibility into how each user can access Office 365 data.
Can I confidently monitor insider threat activity? The shift to remote working has seen a spike in insider threat activity and highlighted the importance of understanding where sensitive data is, who has access to it, whose leveraging that access, and any unusual access patterns. Best practices such as implementing the principle of least privilege to confine user access to the data should also be considered.
Do I have real-time insight into anomalous behavior? Having real-time awareness of unusual VPN, DNS and web activity mustn’t be overlooked. Gaining visibility of this web activity assists security teams track and trend progress as they mitigate critical security gaps.
Selecting the right workforce protection solution will vary for different organizations depending on their priorities but the top priority of any solution must be to provide clear visibility of data across all cloud and remote environments.
Druce MacFarlane, Head of Products – Security, Threat Intelligence and Analytics, Infoblox
Enterprises investing in remote workforce security tools should consider shoring up their foundational security in a way that:
Secures corporate assets wherever they are located: backhauling traffic to a data center—for example with a VPN—can introduce latency and connectivity issues, especially when accessing cloud-based applications and services that are now essential for business operations. Look for solutions that extend the reach of your existing security stack, and leverage infrastructure you already rely on for connectivity to extend security, visibility, and control to the edge.
Optimizes your existing security stack: find a solution that works with your entire security ecosystem to cross-share threat intelligence, spot and flag suspicious activities, and automate threat response.
Offers flexible deployment: to get the most value for your spend, make sure the solution you choose can be deployed on-premises and in the cloud to offer security that cuts across your hybrid infrastructure, protecting your on-premises assets as well as your remote workforce, while allowing IT to manage the solution from anywhere.
The right solution to secure remote work should ideally enable you to scale quickly to optimize remote connections and secure corporate assets wherever they are located.
Faiz Shuja, CEO, SIRP Labs
In all the discussion around making remote working safer for employees, relatively little has been said about mechanisms governing distributed security monitoring and incident response teams working from home.
Normally, security analysts work within a SOC complete with advanced defences and tools. New special measures are needed to protect them while monitoring threats and responding to attacks from home.
Such measures include hardened machines with secure connectivity through VPNs, 2FA and jump machines. SOC teams also need to update security monitoring plans remotely.
Our advice to CISOs is to optimize security operations and monitoring platforms so that all essential cybersecurity information needed for accurate decision-making is contextualized and visible at-a-glance to a remote security analyst.
Practical measures include:
- Unify the view for distributed security analysts to monitor and respond to threats
- Ensure proper communication and escalation between security teams and across the organization through defined workflows
- Use security orchestration and automation playbooks for repetitive investigation and incident response tasks for consistency across all distributed security analysts
- Align risk matrix with evolving threat landscape
- Enhance security monitoring use cases for remote access services and remotely connected devices
One notable essential is the capacity to constantly tweak risk-levels to quickly realign priorities to optimise the detection and response effectiveness of individual security team members.
Todd Weber, CTO, Americas, Optiv Security
Selecting a remote workforce protection solution is more about scale these days than technology. Companies have been providing work-from-home solutions for several years, but not necessarily for all applications.
How granular can you get on access to applications based on certain conditions?
Simply the credentials themselves (even with multi-factor authentication) aren’t enough any longer to judge on trusted access to critical applications. Things like what device am I on, how trusted is this device, where in the world is this device, and other factors play a role, and remote access solutions need to accommodate granular access to applications based on this criteria.
Can I provide enhanced transport and access to applications with the solution?
The concept of SD-WAN is not new, but it has become more important as SaaS applications and distributed workforce have become more prevalent. Providing optimal network transport as well as a visibility point for user and data controls has become vitally important.
Does the solution provide protections for cloud SaaS applications?
Many applications are no longer hosted by companies and aren’t in the direct path of many controls. Can you deploy very granular controls within the solution that provides both visibility and access restrictions to IaaS and SaaS applications?
The COVID-19 pandemic has dramatically changed the business landscape and, over the past few months, employers have found themselves in uncharted waters on more than one occasion. First, it was getting entire workforces up-and-running from home practically overnight. And now, as employees are welcomed back onsite, employers are required to follow new health and safety protocols to prevent the virus’ spread and maintain near-normal operations.
One health initiative causing confusion (and often tension) within many organizations is the use of contact-tracing applications. The Center for Disease Control (CDC) believes contact tracing is key to slowing the spread of COVID-19, putting business owners and managers under pressure to use these applications.
Many are also sensitive to how this measure might affect employee privacy rights. Contact-tracing applications require employers to collect all kinds of employee health data that they never had to worry about before – temperatures, health symptoms and travel history, for example – and they aren’t sure how to use and protect this data in a way that balances health and safety with privacy.
Data protection guidance
Employee health data is considered personally identifiable information (PII) and should be protected accordingly. This is easier said than done, though. In the U.S., there’s no single federal law that regulates the protection of PII or a certification body for compliance. Instead, there’s a mix of federal (e.g., the FTC and Gramm-Leach-Bliley Act) and state laws (e.g., the California Consumer Privacy Act), sector-specific regulations (e.g., the Health Insurance Portability and Accountability Act) and self-regulatory programs developed by industry groups. It’s up to individual organizations to become familiar with the federal, local and industry requirements applicable to their business and ensure they are in full compliance with all relevant policies.
For organizations that aren’t aware of these PII protection mandates and don’t have a documented data classification policy in place, protecting COVID-19-prompted employee health data can be an overwhelming concept. To help get you started on the right path, here is a 10-point plan for securing PII, including new employee health data collected through COVID-19 contact-tracing applications and other healthcare tracking systems.
1. Identify a single point of contact who will be responsible for the privacy and security of PII
This best practice is self-explanatory, but it’s worth taking a moment to discuss why it’s so important in the data protection process. There are many business departments involved in the collection and usage of PII, including security teams, compliance teams, the legal department, HR, business units, etc. Without a designated leader to define roles, responsibilities and processes, it’s likely that PII privacy and protection activity will be minimal, because each employee will assume someone else is taking care of it.
2. Determine your goal for collecting employee health data
Why are you collecting employee health data? Your answer will determine which data fields you need to collect and store. For example, if your goal is to prevent the spread of COVID-19, you might document an employee’s name, number, temperature or location data. It’s important to note here, that in the world of security, less is better – don’t collect data that is irrelevant to your goal.
3. Store only the minimum data necessary for the minimum amount of time necessary
To reiterate the point I just made: The less data you have on file, the less you have to secure and there’s a lesser chance of a privacy or security breach. This is why it’s so important to keep only the data you absolutely need to achieve your health and safety goals for only the required length of time – and no longer.
4. Implement strict access controls based on job requirements
In addition to determining why you’re collecting employee health data, it’s also important to identify who will be accessing the information, so you can implement the proper security controls. Role-based access control (RABC), as its name implies, can help you restrict access to PII based on employees’ roles within the company. Once access controls are put in place, it’s important to implement consistent monitoring measures to prevent unauthorized access that could lead to privacy or security issues.
5. Only store PII in documented and approved locations within the network
Make sure employee health data is stored within the trusted internal network and not in a DMZ network (i.e., a demilitarized zone). Housing this data on external-facing systems that sit on untrusted networks, such as the internet, can greatly escalate security risk. Data flow charts are a great way to keep track of which applications are storing data and where they reside.
6. Vet your vendors and business partners to ensure they meet your organization’s security standards
Before partnering with a third-party vendor to manage employee health data and systems, assess their internal security and compliance processes and how they apply to their work with customers. Ensure contracts include:
- Protocols for safeguarding your data.
- Breach notification requirements.
- A defined process for the destruction or handing back of your data at the end of the contract.
7. Protect data by encrypting it at rest and during transit
According to data from nCipher Security, fewer than 50% of enterprises have an encryption strategy applied consistently across their organizations. Encryption is a basic best practice in any security program, but it plays a critical role in protecting PII from both insider and external threats. The reason is, even if employee data falls into the wrong hands, when encrypted, the attacker won’t be able to use the stolen information.
8. Ensure data is regularly archived in accordance with your organization’s disaster recovery/business continuity (DR/BC) plan
In addition to storing and archiving data in accordance with compliance mandates, make sure your data archiving processes follow your DR/BC plan requirements as well. Additionally, if you need to add systems to your infrastructure for employee health data tracking, you must update your DR/BC plan accordingly. Given the rate at which environments change, it’s always a good idea to review DR/BC plans on a periodic basis to make sure they reflect your current IT estate.
9. Destroy PII when it’s no longer needed
Remember how I mentioned only storing data for the minimum amount of time necessary? Once you no longer need employee health data, you must eliminate it from your network to reduce security and privacy risk. To keep up with data hygiene, implement a process to ensure all unneeded employee health data is destroyed on an established schedule.
10. Implement privacy principles
There are several privacy principles that should be included in any data classification program. These include:
- Notice – Let your employees know what data is stored and why.
- Consent – Offer employees an authorization form, so they can give their consent to the collection, use and disclosure of PII for specific purposes.
- Withdrawal – Make sure employees understand that they have the right to withdraw consent at any time.
- Policy – Create policies that lay out the collection, use and disclosure of PII.
- Limited purpose – Only collect PII that is relevant, and do not exceed the stated business goal.
- Accessibility – Give employees the right to access their data at any time.
- Accuracy – Give employees the ability to request corrections.
Balancing the scales
Preventing the spread of COVID-19 is a top priority for companies around the world, but it must be done in a way that adheres to security requirements and maintains employee privacy. Hopefully, this 10-point roadmap will get you on your way to creating a data classification program that gives equal weight to health, safety and employee privacy considerations. Doing so will result in not only healthy employees, but happy employees as well.
Cybercriminals have been using the COVID-19 pandemic as a central theme in all kinds of crisis-related email phishing campaigns. But because of the dramatic rise of the number of at-home workers, one method that has become increasingly common over the past few months are vishing attacks, i.e., phishing campaigns executed via phone calls.
Rising success rates are the reason why vishing has become more common, and there are several factors driving this trend:
- People are actually at home to receive calls, giving threat actors more hours to connect with live targets
- Everyone is on high alert for information about the pandemic, stimulus checks, unemployment compensation, ways to donate to charitable organizations, and other COVID-related topics, providing attackers with an endless supply of vishing social engineering options
- Cybercriminals conduct research and use personal information – the last four digits of a social security number, for example – to build credibility and fool their victims into thinking they are speaking with legitimate sources.
Let me expand on this last point. Modern vishing attacks use research-based social engineering to attack targets with convincing scams. How do these attackers know so much about their targets? Typically, cybercriminals obtain personally identifiable information in one of three ways:
1. Social media
Many social media profiles are not protected from public view and they serve as a treasure trove of personal information that can be used for building attacks. For example, listing your place of employment with an employee badge not only lets an attacker know where you work, but what the company badge looks like for replication purposes.
“About You” sections of social media accounts often reveal personal information that can be used for password reset fields – your favorite color, your dog’s name, or the city you were born. And detailed posts outlining work projects, professional affiliations and technologies you’re using all help build a valid pretext scenario.
2. Password dumps
There has been no shortage of public data breaches that have resulted in extensive password dumps containing usernames, email addresses and passwords of compromised accounts. Individuals often reuse passwords across different accounts, which makes it easy for attackers to hack their way in through “credential stuffing.” For example, a LinkedIn password and user email address exposed in a breach could be used to access bank or e-commerce accounts.
3. Search engines
An individual’s name, address and photo of signature can often be found online via local government public records sites. In addition, paid services exist for individuals who want to obtain additional information, such as a target’s date of birth or marital status.
Many people don’t realize how much personal information can be found via a simple online search. As a result, when an attacker uses things like the last four digits of their social security number, the town in which they live, or the names of their children, victims assume the person they are speaking to is a credible source, and they don’t think twice about divulging information that they would otherwise keep private.
Vishing is a business problem, too
On the surface, it might seem like vishing attacks are a consumer problem only. But, in reality, businesses can be impacted too – especially now, as a significant portion of employees across the country are working from home.
These employees not only have corporate information stored on their personal devices, but they also generally have remote access to internal corporate resources. Vishing attacks are designed to build relationships with employees, eventually convincing them to give away confidential information, or to click on malicious links that are sent to them by the visher, who has earned confidence as a “trusted source.” As with other social engineering attacks, the ultimate goal is to gain access to corporate networks and data, or to get other information that can be used to commit fraud.
Tips for mitigating COVID-19 vishing attacks
Mitigating the risk of vishing attacks requires a multi-faceted approach, but it should start with end user awareness and education.
As soon as possible, businesses should roll out employee training sessions (even if they’re virtual) that explain what vishing is, how cybercriminals obtain personal information, and how they’re exploiting the COVID-19 pandemic to trick victims.
They should provide basic security tips, such as keeping social media accounts private and using different passwords for different accounts, as well as best practices for responding to a real-world attack. Incorporating attack simulations into training programs can also be a great way to teach employees how to respond to a vishing campaign using defined internal processes.
Technical controls are another key component of a layered security strategy to protect employees and your business from vishing threats. Web filters, antivirus software, and endpoint detection and response solutions are examples of the types of standard security controls that should be implemented. In addition, password policies must be defined and communicated to employees. And, last but not least, multi-factor authentication can be effective in thwarting attacks, as it forces cybercriminals to crack more than one user credential to gain access to corporate systems.
Defending against vishing during the pandemic and beyond
Even though COVID-19-prompted shelter-in-place orders are lifting across the country, many organizations are maintaining work-at-home policies for the safety of their employees and because they realize the operational and financial benefits that come along with telecommuting programs. This means that protecting the remote workforce should continue to be a top priority for businesses of all sizes and defending against vishing attacks should be a core component of security strategy.
Vishers will continue to come calling long after the COVID-19 pandemic comes to an end, so it’s important to make sure remote workers – and all employees – know how to identify suspicious callers, just like they should know how to identify suspicious emails. Supplementing employee education with the proper security controls is a good starting point to keep your staff and your business safe regardless of who’s on the other end of the line.
Optiv Security, a security solutions integrator delivering end-to-end cybersecurity solutions, emphasized its continued investment in securing Canadian enterprises and government entities with the grand opening of its Mississauga-based security operations center (SOC).
The center brings together a diverse team of cybersecurity experts – SOC engineers, developers, and threat analysts – to provide local, real-time, 24/7 threat monitoring and remediation resources for Canadian clients.
“Our clients in Canada are not immune to the reality that security teams around the globe are understaffed,” said Cheryl McGrath, area vice president and country general manager, Canada, Optiv.
“We feel it’s vital to put a SOC in their backyard, where we play an active role in helping them solve the pain points around security operations. We’re here to provide the value and peace of mind that comes with local resources, ensuring they can rely on us to understand their organizational objectives and keep pace with an ever-expanding digital threat landscape.”
Existing Canadian clients, previously served by Optiv’s U.S.- and India-based SOCs, will be seamlessly transitioned to the new facility.
With the support of on-site staff, in addition to the always growing number of Optiv consultants and cybersecurity experts working in-country, the Mississauga SOC will also leverage the data, analytics, and tools available through the company’s SOCs and advanced fusion centers (AFCs) in Baltimore, Bangalore, Dallas, Denver, and Kansas City to provide a global cyberthreat landscape and allocate resources and customizable solutions based on each client’s unique business model, compliance requirements, and risk tolerance.
The Mississauga location also fulfills in-country data residency and security clearance requirements.
“The Canadian emphasis on prioritizing cybersecurity to public and private organizations has driven a rapidly increasing need for managed security services,” said Anthony Diaz, division vice president and general manager, security operations, Optiv.
“By localizing operations, backed by global data analytics and expertise, we’re able to help these organizations tackle security from the inside-out, where their specific business and risk management needs drive security decision-making.
“We look forward to continue working with our technology partners and delivering innovative cybersecurity solutions that can be consumed in flexible ways for our clients in Canada and abroad.”
When it comes to cybersecurity industry predictions for 2020, Optiv researchers expect to see a focus on privacy, evolving threat actors, pervasive deepfake videos, and increased election interference.
“As we look beyond 2019 and into 2020, we have a solid idea of what threats the industry is facing, and not just ransomware and phishing attacks, but new, hard-to-combat threats,” said Anthony Diaz, division vice president, emerging services, at Optiv.
“As is always the case, us ‘good guys’ are forced play catch up with bad actors, who constantly remain a step ahead. There is much IT and business leaders must be aware of when it comes to cybersecurity, as the pace of change is quite high.
“That is why we recommend cybersecurity programs focus on proactive risk mitigation and build out from there. This ensures your organization is actively looking for, combating, and identifying threats before they can cause damage.”
Hybrid threat actors may become more commonplace
A growing number of “hybrid threat actors” have been found. These are attackers who impersonate one type of adversary to disguise their true intentions (for example, a nation state imitating a generic hacker targeting a customer database, when its true aim is to steal intellectual property).
There could be an increase in the number of adversaries to adopt this technique and launch “imposter” attacks to obfuscate their true intentions, adding yet another layer of complexity to threat hunting and incident response.
Apple’s “privacy as a human right” campaign should cause others to follow
The world’s foremost technology organization going all-in on privacy will shift the competitive landscape. Security and privacy could become a competitive differentiator for companies that follow Apple’s lead and grab “first mover” status in their markets.
Laggards may risk meeting the unseemly fate of past organizations that failed to embrace important technology paradigms such as internet, cloud, and mobile computing.
Election misinformation campaigns could proliferate
The effectiveness of the Russian misinformation campaign of 2016 increases the possibility of increased copycat attacks for the 2020 election. These attacks could come from nation states as well as domestic groups supporting rival U.S. politicians. This activity threatens to trigger a major public/private response to the online misinformation problem.
We might see the first cases of deepfakes used to manipulate stock prices
There has been much publicity around the potential to impact elections using deepfakes (AI-doctored videos that enable individuals to make it appear people said things they never said). However, not enough attention has been paid to how cybercriminals can make money using deepfakes against businesses.
This might change in 2020, as it’s possible we will see the first deepfake attacks designed to impact stock prices, by having CEOs, financial analysts, Federal Reserve leaders or other powerful economic figures make phony statements that will cause stock market movements. Cybercriminals would use these videos to make quick fortunes in the market.
There should be widespread realignment of IT and security organizations
As boards view cybersecurity as a peer-level risk to traditional enterprise risks, such as lawsuits and product recalls, more CISOs should become peers of CIOs and other executives, rather than direct or indirect reports. This would cause a realignment of the IT and security organizations to eliminate conflicts and encourage collaboration.
The most critical of these will be the continued expansion of DevSecOps, in which security is fully integrated into the application development process; and patch management, which will move from being divided between security and IT (security finds vulnerabilities, IT patches them), to becoming a unified process with a single point of accountability.
Cybersecurity basics may continue to vex consumers and enterprise organizations
Whether insufficient passwords, lack of education and training around phishing attacks, or simple upkeep and compliance, the tiny details of cybersecurity will continue to be the cause of a vast portion of compromises if left unaccounted for.
Simple passwords (those without special characters or are extremely obvious, such as “password123”) only take minutes to crack by professional hackers and can be done inexpensively.