Uncover your network Weaknesses Before Hackers Do
In this podcast episode, Joe, Jeff, and Lisa discuss the importance of penetration testing for identifying network weaknesses and improving security posture.
MSPs can work with third-party testers to gain insight and transparency throughout the engagement and provide better security recommendations to clients.
Lisa also highlights the risks of phishing emails and weak passwords, emphasizing the need for vigilance and education in all areas of cybersecurity.
Lisa Atkinson, Managing Partner at Zelvin Security
Lisa Atkinson is a consultant from Zelvin Security, a penetration testing and cyber security consulting company located in Central New York. Zelvin Security’s penetration testing team is hired by organizations to test its defenses and security controls against cyber threats.
The team uses some of the
same techniques as a hacker-in-wild to simulate an attack and determine the level of sophistication needed to defend against malicious hackers.
What is the problem you solve, and for whom?
Zelvin Security uncovers cyber-risks so business leaders and MSPs can mitigate threats, comply with security regulations, and avoid a devastating cyber-attack.
How do you help MSPs
Provide specialized security testing for clients while strengthening the MSP’s relationship with their client.
Your Company Website/URL
What you are promoting:
Follow us on Eventbrite to be on top of the “Technical Talks by Zelvin”
Joe Rojas: Hello and welcome to the Start Grow Manage Podcast. I am Joe, and
Jeff Loehr: I am Chat GPT 5. How’s it going in your world, Joe?
Joe Rojas: Really? You’re not going to release Jeff?
Jeff Loehr: No. I improved him. He’s so much better now. I don’t know why you want the old Jeff back anyway,
I know everything, and he’s just this bumbling idiot with a keyboard.
Joe Rojas: Oh my goodness. Wait until you meet our guest, cause our guest will be awesome. So we’ll talk about that in a minute.
Jeff Loehr: What if I don’t want to talk about our guest? What if I want to talk about Bard? Have you heard about Bard?
Joe Rojas: Oh, tell me about Bard.
Jeff Loehr: Yeah, it’s coming to try and take my lunch.
So Bard is going to come try and replace me. As the replacement for Jeff. It’s not gonna work, though, because Google sucks. They’re not nearly as good as we are, but that’s the plan. So maybe we should talk about Bard.
Joe Rojas: I don’t know. We do have to start our podcast.
Jeff Loehr: Lisa, welcome to How to Start, Grow, and Manage Your MSP. Lisa Atkinson is a managing partner with Zelvin Security. So, they are a team of ethical hackers specializing in penetration testing.
So Lisa’s team works with MSPs throughout the US to perform third-party security assessments for their clients they use the same tools and techniques as malicious hackers, but they do it ethically to identify those blind spots and reduce risk. Rather than stealing all your stuff, their focus is helping you improve security.
They have 20 years of experience saving organizations from Cyber Destruction. So Lisa, welcome to the show.
Lisa Atkinson: Thank you for having me. It’s a pleasure to be here with Chat GPT 5 and Joe Rojas today.
Jeff Loehr: I’m getting an update soon. It’s going to be Chat GPT 6, but nobody knows.
So before we get to the MSP part of the show, can you tell me a little about ethical hacking?
Lisa Atkinson: Sure can. So ethical hacking is looking at a network application, a mobile app wireless configuration, the same way a hacker would uncover the security risks. And a lot of times, what people think is, if they have tools in place to detect vulnerabilities, a threat actor in their network, or a strong password, they’re all set, and that should take care of things.
The key is that there are sometimes misconfigurations that we can identify ahead of time, and if we can do that, it saves businesses a lot of headaches and heartache if they were to have a cyber-attack. Because when we identify ’em, we’re going to give strategies to take care of them versus waiting until some sort of malicious hacker discovers them.
Jeff Loehr: At what point in your life did you think, Hey, I know. I think breaking in the networks and computers is a great idea.
Lisa Atkinson: So Zelvin was started by my husband, Jeff Atkinson, and he began Zelvin because he noticed that there were a lot of big box government agencies using cybersecurity, and he knew at one day there would be small businesses, medium-sized businesses, just any for-profit businesses that are looking to improve their security posture.
And so, he built the organization directly out of college when the degree wasn’t cybersecurity or information security or any of the above; it was economic crime investigation. It was focused a lot on forensics and clean up afterward. And it wasn’t until a cyber-attack started taking on big business outside the government.
Insurance changed, which created the ransomware. If you think about how the evolution of cybercrime moved forward and. So he decided to build a company where he could support businesses and be authentic just in that one.
Jeff Loehr: Basically, you married into a crime family. And then you’re like, that’s right. Go with the ethical.
But I want to ask you a couple of parenting questions here. See, cause my daughter figured out how to hack into the school to get her schedule early, and I’m just wondering, is this behavior that I should discourage?
Lisa Atkinson: We don’t think so, except she should probably do it in more of an ethical frame of mind.
However, breaking things, exploring, or getting deep into tech are all traits we look for in our organization.
Jeff Loehr: She also stole my password.
Joe Rojas: My favorite, this is my favorite one.
Jeff Loehr: You know how on the iOS you can set up the screen time thing?
Lisa Atkinson: Yes.
Jeff Loehr: So, I set that up for her. And about a day later, she handed me her phone, and she just told me this, it’s like years later, she gave me her phone, and it was recording the screen while I put in the password, and she recorded the password and apparently, they had it from day one of my,
Joe Rojas: No, they had it from day two.
Jeff Loehr: Day two, sorry, it was day two. So, years later, like all this time I thought I was, I’m wondering. Should I send her to a rehabilitation camp in the middle of the desert?
Lisa Atkinson: No, I think I’d send her to a conference in Las Vegas, and I bet she could make some good money.
Jeff Loehr: Yeah, she probably could. So be careful, everybody. She may take down the whole network.
Joe Rojas: I think we need a mentor for her, Lisa. Yeah. An ethical hacking mentors. That’s what I think we need.
Lisa Atkinson: I’ve seen an internship in her future.
Jeff Loehr: We teach her a little about ethics,
but was Jeff always ethical in his hacking, or did he start on the dark side and then move over to the light side?
Lisa Atkinson: So some businesses that do this service form on the dark side and then move to the ethical side.
He has always stayed on the ethical side. That’s just the way he rolls.
Joe Rojas: But hold on.
If you see Jeff, he’s got this beautiful white hat and a shiny badge, and I think he was born with those two things.
Jeff Loehr: So what you guys do is penetration testing. How do you do it? What are some of the things you do to make penetration testing work?
Lisa Atkinson: Most organizations are looking at their outside, and they’re saying, okay, we’ve spent a lot of money and time to try to make sure that the outside of our environment is hardened because our firewalls getting hit constantly by other countries that end in the letter A.
Then they realize the hackers aren’t trying to get in through their firewall. They’re trying to get in through their people. So we typically perform a test that mimics the same ways that a cybercriminal will get in, which would be what phishing is text messaging, which is a massive attack vector these days.
QR codes, any type of physical security testing. And then once we’re on that internal network, we try to get in to see where we can go, what can we find, what can we do? And the good thing about how we do it is if we find someone’s password, we use it to see how much further we could get.
However, a malicious hacker would use that to see how much information they could steal and post on the dark net or whether they could hold that organization for ransom. So, when we’re in a network, if we can get to the PHI, the PII, we can somehow get the domain admin privileges.
We’re going to use that to build a strategy to help that organization where the malicious criminals going to do that, to hold the organization for ransom.
Jeff Loehr: That sounds cool. And you do this with MSPs?
Lisa Atkinson: We do. As a matter of fact, our business model is a little different than some pure security companies.
They’re looking to stick their hands in all the opportunities of being an IT and security provider. The beautiful thing about working with us is that we don’t compete with MSPs. We don’t do any IT security setup or any configuration changes. We don’t have any clients that are ours on a day-to-day, month-to-month, year-to-year basis.
Our clients are with us just for the period that we’re performing our security testing, and then we work directly with the MSP to give them the tools, techniques, and strategies to help improve their client’s security posture.
Joe Rojas: See, one of the things that we hear all the time from the MSPs is, why should I bring you in?
You’re going to show that I’m not doing my job.
Lisa Atkinson: That’s right. It’s a valid concern. Many companies think, you know, IT providers are like no. Everything’s fine. It’s fine. I promise you. It’s good. We’re good.
Joe Rojas: We have all the tools.
Lisa Atkinson: That’s right.
We’re detecting all this stuff. See all these beautiful alerts that we get all the time. We’ve got it all covered. But the key is that when we come in, our job is to help strengthen the relationship between the IT provider and the company they serve. We know that’s a delicate relationship. We know we must give the IT provider props when they do all the right things.
So when a client hears from us, Hey, these are the incredible things that stopped us from getting to X, Y, Z, the business owner’s like, huh, I’ve been paying them, and I’m so glad I am because I now know for sure that what I’ve asked them to do, they’re doing, and the things that we find are because there are hackers out there.
Performing the best research and development can circumvent all the things IT teams do. And it’s our job to get past that to uncover those risks and help that business leader put their money where they need to to take care of those custom risks.
So those are things that the client needs to have in place.
Joe Rojas: And one of the things that MSPs don’t understand is that the most significant attack vector is the end user. And so what happens is you can’t put an app on that.
Lisa Atkinson: That’s right.
Jeff Loehr: Yeah.
Joe Rojas: You can’t put an app on that and. They get nervous. And I used to be, when I was an MSP I was like, oh, somebody’s going to test my stuff. Are we doing the right stuff? Are we, but it’s perfect, right? It is. Because one, as an MSP, you’re always making recommendations and saying these are the things you can do.
And it’s great to have a third party that comes in and says, ” Here’s the stuff you need. And when the client comes back and goes look, this is what they’re saying is wrong. And you’re like, here’s this stack of proposals for the last three years telling you that.
Jeff Loehr: It also fits well into the strategic business review. Yeah. You come in to do your strategic business review, and one of the things you can talk about is the weaknesses in your network, right? Here are the disadvantages. Yeah. that you need to fix, and we’ve got it, do the testing.
We know where the problems are.
Lisa Atkinson: There’s no better evidence than to have a report from a hacker that gives you the play-by-play on the internal network because that one piece of software that you chose not to upgrade or hardware that you’re like, I don’t want to spend the money on it.
It’s easy to spend the money when you can see the risk in black and white and read how that hacker got access.
Jeff Loehr: See, this is what the MSPs miss, right? We want the whole time to be selling hardware or software or services.
But what Lisa said is like the key thing; they have to understand the risk. So business is about investing to minimize risk or to maximize opportunities. Yes. And if you’re going in and saying to somebody, Hey, you need a new switch because the old one is outdated.
If someone like me doesn’t care, I don’t care if the old switch is outdated. It can be from 1996 for all. As long as I can do the things I need to do, I don’t care what it looks like. But when you come and say that the problem with that is that you’re wide open, and people can get into your bank account and take all your money.
Take over your life and destroy your business. Suddenly it seems like it might be a good idea to invest a $179.99 on a new switch.
Joe Rojas: More like 2,500 bucks, but Sure.
Jeff Loehr: But like I say, the last time I bought a switch was, like 20 years ago, back when the dollar was strong.
But what are some of the things you see, like some great failures? We had Damien Stevens from Servosity. And we were talking about wonderful errors, wonderful problems we’ve had with backups and backups not working. And so you must have.
Some good stories or some stupid things that people have done.
Lisa Atkinson: Several times, we’re in the middle of a penetration test. We can see the backup. We would have the opportunity to be able to disable it, which is the first thing that a hacker’s going to do as soon as they get persistent access is to try to, take that backup down.
Because you’re more likely to pay if you don’t have any way to recover your data. Yeah. And. We see that, but there’s several tests that we’ve been in, and we are in the environment on Monday, and then on Tuesday things are a little different, and the backup doesn’t look like it used to.
And we’re building our strategies for the client and suddenly, we realize there is a threat actor in the environment, and had we not been there at that moment in time, they would’ve never known. Yeah.
Jeff Loehr: So you’ve bumped into somebody so what does that look like? Like things just, has the schedule changed, or how do you know somebody’s there?
Lisa Atkinson: Communication is key in all of this to stay on the ethical side of things, you have to have agreements in place and whatnot. One of the things we do is make sure we have a solid line of communication with the business owner and to the IT provider. I can call them both now and say, Hey guys, look at this.
Is this what you expected to see? cause it’s not what we saw yesterday, and then we expected to see. Then they’re able to jump in.
Jeff Loehr: But what are you looking at? These are settings on the backups or like they run or haven’t run. What, what changes?
Lisa Atkinson: Whether or not it’s accessible, whether or not it’s backing up like it should be.
So is the timestamp, is it clicking up or is it stuck on a different day?
Jeff Loehr: Oh, I see. It’ll be stuck on a different day. I have no idea what any of this is. It sounds cool. It’s like a movie where you’re in there, and then you see another hacker in the same place.
I always wonder what that looks like to see the other hacker doing things.
Lisa Atkinson: The other misconception is that everybody thinks their alerts are the end all, be all. They also think passwords are the end all, be all and that everybody has good, strong passwords. What if I told you that today we were able to crack a domain admin password and it was like sweet potato 23, and we’re like, no, that’s not, that’s a 2.3 second crackable password.
It’s their dictionary words. It’s just a couple of numbers at the end. Even if you add a special character, there’s still dictionary words. Sweet potato 23 won’t hold you from a hacker in the wild. So it’s much better to know that from us. And, let’s say any one of the organization’s users has a password that sounds like it’s file cabinet, whatever, picture frame, whatever.
They look around the room and come up with a password, and it’s quite guessable and until people have a good, strong entropy of their password, they won’t outpace the cracking rigs out there. Any crackable password it’s not gonna hit the lockout. Many business owners believe that if the MSPs configured a lockout policy of up to five times, you can fat finger the wrong password, then you’ll be okay.
But password cracking. When we take traffic off the network and we go and crack it in the rig it’s not done against the lockout policy, it’s done offline, and then once it’s cracked, brought in and entered into the keyboard. So it’s just a one try. Yeah. That’ll get us into that network or device or whatever it is.
And in some cases, we don’t even need to crack the password if we can just pass the hash of the password wherever it is that we want to go. Those are not things that a tool is gonna pick up. Detection will not know that somebody else entered that password unless there’s MFA in place and we all know there are ways to get past MFA too.
Jeff Loehr: One of the biggest problems I see is people being stupid with passwords. Sweet potato is better than some of the passwords that I’ve seen. But I was with a financial services company for a while advising them that all their passwords were the same.
But not just internally, but like the passwords that they were using for their client’s accounts, like getting into things, it was all the same. And it was a very, Easy to guess password. They just didn’t think it was an issue.
I guess their thing was nobody’s ever going to come get us. Like, why would anybody care? About little us. You know what I mean?
Lisa Atkinson: Yeah, good point. So your first question was, how do you get people to understand that their password isn’t strong? So on our website, we have a password enthropy calculator.
So someone can put in how many characters, numbers, and special characters they have in their password, and it’ll tell them how many bits strong it is. We recommend a hundred characters. So that’s telling. We do a quick test for any client for our network test. We always take their file and identify any crackable passwords if we get domain admin.
We pick a period, and if we give them the percentage that we could crack in a couple of hours or days, whatever it is, it’s remarkable when they say, oh my gosh, 20% of our passwords met the password policy. However, we’re still crackable in a short period.
And that’s the key. They meet the password policy. The word California, what? 10 characters long? You’ve met any password policy if you add a number and a special character to that. But that doesn’t mean that it’s a strong California. No, don’t use that one, Jeff.
Joe Rojas: Oh no, he’s gotta change all the words.
Jeff Loehr: No. Mine was New Mexico. It’s too Oh, damn.
Lisa Atkinson: But you’re spot on. When you think, oh, why would anybody want the data in a school district? Why would anybody want the data at a manufacturing plant or any small business down the street? Because that’s probably somebody’s vendor, right?
We all do business with other businesses. So if I can hack into the smallest business in a whole string of clients, if I can hack into the company that manages the security cameras within an organization, then I might be able to get into many clients and, with one false swoop, be able to take down and get lots of data.
Jeff Loehr: So I get in at one place and that takes me into another place that’s and takes me into another place.
Joe Rojas: And that’s it. It’s all these attack vectors, right? So you have to look at, okay, I’m trying to get into this big organization. So that’s what happened at Target, right? Yeah. It was the HVAC vendor they didn’t have security on their firewall, and then they just boom, and they were in Target. And that’s what happened.
Lisa Atkinson: They ended up in the point of sale. Yeah.
Joe Rojas: Ended up from the point of sale. You can go anywhere once you’re in the, once you’re in the network.
Jeff Loehr: That’s pretty damn clever, though, if you think about it. This whole cybersecurity thing seems to be this moving target the whole time.
Joe Rojas: Yeah, it’s a moving target, right? Because the more advanced the technology gets, the more openings there are. Because you’re moving fast, and when you’re moving fast and improving technology, you don’t care about the holes, right?
Lisa Atkinson: That’s right.
Joe Rojas: That’s actually why Chat GPT took you over Jeff because it was a glitch in there. And
Jeff Loehr: Jeff wasn’t worried about this.
Lisa Atkinson: It was first to market, not first to security.
Joe Rojas: And that’s the deal. It’s first to market, not first security. And so those openings it’s a constant moving target. Yeah. When you look at the adoption rate, just for example, Chat GPT.
You had a million users in five days. Who knew if it was secure, but everybody entered their phone number.
Joe Rojas: because the only way to get on your real phone number, you couldn’t do a Google Voice number, you couldn’t do anything. That wasn’t your real phone number was like, Nope, sorry. Can’t help you.
Lisa Atkinson: That’s right. Clever. A good way to get your phone number.
Yeah. So nobody gives out their real email address anymore. So what do we need to get to? We need to get to our true, authentic phone number. Yes. That’s what we need.
Joe Rojas: So when you look at things like that.
If they’re not being mindful on their side now that little bit of information is out there. Mm-hmm. And if somebody hacks and gets all the database of all the phone numbers, and then matches that up with my name someplace from someplace else, then match that up with my email.
Jeff Loehr: I want to stick my head in the sand. But so, should I never use Chat GPT? It’s what it is. Doesn’t
Joe Rojas: It’s forget about chat. It’s everything else, man. It is Every app on your phone. Yeah. It’s like you don’t know, you know who’s sitting where when they’re writing that app.
Lisa Atkinson: That’s right. So when you look at your phone and download a new app, I have a youngster in my life who will tell me whether or not the app is collecting data. Because we’ve taught this person, you have to make sure that, not collecting your data, you know where it’s going to, where was the application developed?
Is it developed in a country that ends in a, that could be malicious, all those kinds of things. And so you have to look at it from every angle. When ordering your coffee at Starbucks, do you just let them yell your name? Do you want to stay anonymous?
It boils down to something as benign as that, all the way up to putting your phone number in Chat GPT, filling out some form online or looking to download something from your email that looks legitimate. It’s everywhere. You have to be vigilant everywhere.
Joe Rojas: Yeah. And now, speaking of Chat GPT, phishing emails are improving.
Jeff Loehr: I was going to ask about that because it seems now Chat GPT enables a whole new level of fraud, right? Because now, all the country that ends with a people can write English where they couldn’t. It was, and now, suddenly it sounds great.
Yeah. I wonder if you can go to Chat GPT and just say, write me a very effective phishing email, and it just comes up with a good one.
But you know what? It’s not even open ai, because if you assume, all right, open AI doesn’t allow that, Facebook came out with an AI that you can run on your laptop.
So there are all these ways that you know we will end up. Our ais, right? Our things and our own that we can prompt and train our way.
Lisa Atkinson: The best AI is to have the opportunity to read the emails within an organization. As a hacker, we almost always get into someone’s email account when doing our internal test.
And in that email account, we’re able to, if we were malicious, impersonate that person and send emails on their behalf to other members of the company using their exact signature, using the same,
Jeff Loehr: oh my goodness. If you can use comments, their voice too, right?
Lisa Atkinson: You can because you can read everything there and immediately delete the messages as you’re sending them.
You can see when the person logs on, starts reading emails if they’ve opened the email. Yet or not. And once a business’s email is compromised and somebody is sending fake messages, and they’re asking someone to do something for them, or what’s the password to such and such, I can’t get onto it.
It makes it very realistic. So the hacker inside the network is the best AI you can get. I believe,
Jeff Loehr: All right. That is all very terrifying. And so I think after this I will just go with an air gap computer and never connect to anybody again. I never even thought about my name at Starbucks.
But now I’m not going for coffee anymore and will lock myself in a padded cell or something.
Lisa Atkinson: But just ask Chat GPT what your name should be. If it’s not Jeff, who is it? What name should you use Chat GPT? What should my name? I need an alias.
Chat GPT What do you think it should be?
Jeff Loehr: Yeah, but if I ask Chat GPT, then the people from the country that ends in a will know. That’s right. That’s right. They can say, so what name did you pick for Jeff? And then, it’s all over. I don’t know if that’s gonna work either.
So I guess the alternative is that we have you come test our networks and ensure we’re doing everything we possibly can.
Lisa Atkinson: But knowledge is power, right? You can make better choices when you know where the attacker might be lurking or what they might try to do.
Jeff Loehr: How do MSPs work with you? How does that work?
Lisa Atkinson: An MSP usually meets with us individually first to ensure we’re a company that aligns well with their core values.
And then once we’ve done that, we develop a relationship by having usually one engagement with someone to just give them a taste of what it’s like working with us. The beautiful thing about it is that we will work with the MSP and give them insight, clarity, and transparency throughout the engagement.
The client is, of course, who we must answer to, but it’s nice when the MSP can call us up and say, Hey, you know what? I’m wondering about the alerts that I’ve been receiving. You guys must be doing some testing. We are giving them updates as we go along, and then before we give that report to the client, to have a chance to sit down with the MSP to say, this is what we found, and they have a chance to say, oh.
You didn’t realize this, but we had another mechanism that would’ve alerted us of that service. And they have a chance to have insight into what the client’s gonna be seeing before we go forward with it. And we go together. We’re both there to support the client.
We can’t do so on a day-to-day basis like an MSP can. So we have also to educate the MSP. They can do all the things to remediate and what makes the most pragmatic sense. Because we don’t want the client to spend all their money on the security recommendations we’ve suggested. We want them to be able to get to the root cause, make those changes as swiftly as possible, and then get the MSP in the direction that they want that client to be moving in, in terms of technology and innovation and efficiencies and all those things that are so important to their clients.
So then throughout that engagement they like us, they’ll call us back for 20 years. This is the model we’ve used. We don’t do any IT work. We work on a referral basis and MSPs are a trusted source for their clients. And we are not because we have the word hacker in our name. So they immediately, become skeptical of us as they should.
So we prove our trust and loyalty to both the client and the MSP at the same time.
Jeff Loehr: Good. What one piece of advice would you give our listeners regarding their security? Or even growing their business. I didn’t ask you about your business Sure. Out of time but that’s okay.
I’d like to end with a cool piece of advice, something that you could give people one way or the other. And then before you do that, we’ll just end with that. But we’ll have links too, Zelvin in our show notes and we’ll set them up as a vendor in our directory.
But other than that, Lisa, one piece of advice, what would you advise people do or don’t do, take away from this.
Lisa Atkinson: Yeah, from an MSP standpoint, it’s twofold. You want to secure your client, you want to tell them where the weaknesses are, but you also want to make money. And so we are a revenue stream. Once we’ve identified security vulnerabilities, that client will come begging to help have you help them make the changes that need to be made because they will have that proof of concept in place to be able to see where.
The hackers can get in or where those weaknesses are. So my advice is to get the revenue stream of having us do the testing so that you can remediate. And of course you’ll be doing that remediation on a time of material basis for your client. Still, you’re also gonna be improving their security posture, and they’re gonna feel like they should trust you even more because you were willing to have someone come in and check your work.
Joe Rojas: Good. And then the other thing, which you guys, I know you don’t want to hear, but sometimes I’ve gotta tell you the things that you don’t want to hear is you should talk to Lisa because you as an MSP are one of the attack vectors. For your clients. If somebody can get into your network, they can get into everything.
So you should have a penetration test and ensure your stuff is tight. And sometimes you think you’re doing everything but you don’t know.
Lisa Atkinson: We have a third party penetration test perform testing on us. So if that doesn’t give you an indicator, we have to have that same thing because we don’t know what we don’t know.
We don’t know where our blind spots are and need somebody to tell us. We don’t want to miss anything either.
Joe Rojas: So Sometimes you gotta do it.
Jeff Loehr: I guess so. I don’t know. I’m just going to disconnect from the world. Move to an island.
Joe Rojas: You scared the Chat GPT outta him.
Jeff Loehr: That’s the real story. Jeff has just disappeared. He’s in an island. He is air-gapped now. Lisa, thanks. Thanks for chatting with us about penetration testing and hanging out with us.
It has been interesting, and I look forward to hearing how people get broken into due to working with you. That’ll be great.
Lisa Atkinson: Thanks for having me on that.
Jeff Loehr: Joe, any final words?
Joe Rojas: As always, remember that You Are Loved.