The landscape of cybersecurity training and collaboration is changing: interactive education sessions and cross-team communication are key. Building a security culture and staying ahead of modern threats has never been more important. Today’s guest is Howard Goodman, Senior Technical Director at Skybox Security.
With over 20 years of experience, Howard has become a well-known figure in the cybersecurity world, combining strategic planning with hands-on application across many industries. In this episode we talk about security culture, the evolution of cybersecurity training, and how Howard got phished during COVID. We also cover organizational challenges, best practices, and the future of cybersecurity.
“The only way to really be proactive is to know about potential risk and then look at prioritizing and finding ways to mitigate these risks” - Howard Goodman
Show Notes:
- [00:48] Howard has a doctorate in cyber operations from Dakota State University. Besides working for Skybox Security, he's also an adjunct professor teaching graduate courses about cyber security.
- [01:48] Howard shares a phishing experience when he and his wife were selling on eBay during COVID.
- [03:34] If the pros can fall for something, regular people can too. We need to be on our game 100% of the time.
- [04:53] We talk about opportunities for adversaries to get in when companies have large cybersecurity teams with a lot of moving parts.
- [05:29] A lot of people ignore phishing attempts instead of reporting them.
- [06:04] It comes down to organizations training their people properly. Cybersecurity training is becoming more interesting, because the boring stuff just doesn't hold people's attention.
- [10:13] When talking about threats, Howard focuses on the exposure side and the exploitability side. With most businesses, functionality comes before security.
- [12:47] Formal testing is required before applying security patches to ensure they don't break the whole system.
- [13:47] The importance of leveraging other security controls while testing patches. Teams need to be able to communicate and act fast.
- [14:52] Knowing about potential risk is the only way to be proactive.
- [16:36] Looking at costs and gaps in technology. Failures are often due to a communication breakdown.
- [19:33] The approach of starting out with security first in mind.
- [25:08] Best practices include cross-training. Working together and training together. Organizations need to run simulations and see how they react as an organization.
- [31:06] Skybox talks to organizations about security gaps.
- [35:57] We discuss the loss that can happen from not having proper security measures in place.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Dr. Howard Goodman – Skybox Security
- Dr. Howard Goodman on LinkedIn
Transcript:
Howard, thank you so much for coming on the Easy Prey Podcast today.
Thanks for having me.
Can you share a little bit with me and the audience about who you are and what you do?
I am Howard Goodman. I have a doctorate in cyber operations from Dakota State University. I work for Skybox Security, as well as I’m also an adjunct professor teaching graduate courses and helping a lot of adults learn cybersecurity.
Awesome. One thing that I always ask my cybersecurity guests—the people that are in the counter-fraud and counter-scam space—is have you ever been a victim of a fraud, a scam, or a cybersecurity incident? Because if you and I can’t get it right 100% of the time, people who don’t do this for a living shouldn’t feel ashamed or embarrassed if they can’t get it right 100% of the time.
I have an incident, it’s something that occurred to me. It was during COVID when my wife and I were selling things on eBay, like a lot of people out there that were trying to make a couple of extra dollars. We had a problem with our account and with our bank on eBay. We were looking for help, and all we got were these online knowledge articles and things like that.
We wanted to speak to somebody and we just couldn’t find the number, so I googled eBay support phone number. The first thing that popped up, I called. The guy answered the phone and said, “I’m eBay support; how can I help you?” I said, “I’m having an issue in my account, adding my account to my bank account.” He said, “All right, well, what’s your username?” I gave him my username.
He turned around and said, “All right, I’m going to send you a one-time passcode.” I got this text message, and I read him the number. He goes, “Great. OK, we can continue. What problem are you having?” I was telling him what happened. In about 10–15 minutes, I got off the phone with him, and I realized that what I had done was that I put myself in the situation because I wanted the help. I was my worst enemy in this situation.
I was kicking myself about it and called my bank right away. I told them what I had done. They fixed it, but at the end of the day, it was no harm. It was embarrassing because I was thinking, “How can I have fallen for something like that?”
It’s interesting because that story is so consistent with so many people that at any other time, in any other situation, you probably wouldn’t have done that, but there was a very specific set of circumstances where everything aligned just right, and in the moment, it made sense.
What I always say is you have to be on your game 100% of the time. The reality is, the attacker, he can fail a thousand times, 10,000 times. He only has to get it right once. That’s the difference between the two sides here.
That’s one of these real challenges with entities that everybody needs cybersecurity, but larger organizations that have cybersecurity teams, network security teams, and network operations teams, is you’ve now got a whole bunch of moving parts and a whole bunch of moving people that have got to get it right all the time.
Absolutely.
With those types of groups, where are some of the ways that these things break down and leave opportunities for the adversaries to get in?
A lot of times that it will happen is not everybody is going to be full victim and prey to a specific type of attack, whether it’s an email attack, if it’s a text message, or even a phone call if it happens to be that. Most people will ignore it and delete it, but then they’ll be too lazy to report it to their IT team to socialize within the organization.
I think that’s a potential risk because not everybody is in the same place at the same time. I could be half asleep, I can get a message, and I can click on a link, or I might’ve been expecting a package or something like that. It’s a matter of they’re going to attack everybody. It comes down to making sure organizations are training their people.
I’ve noticed an evolution in the training these days, that it’s more fun, it’s more interesting, it’s more entertaining. I think that that’s something we learned, that the boring stuff just doesn’t work. It just doesn’t cut it anymore. We’re very visual, we are very used to the mediums, we’re listening to things, we’re watching things on TV. We need to be entertained. We need to make sure that we’re getting their attention, and I think that’s critical.
It’s moving towards that cybersecurity edutainment, is the phrase?
Yeah.
I don’t work at a corporate office for a corporate entity anymore, but the times that I did and people that I know, you receive the annual cybersecurity training and it’s like, “Hey, if you get an email that says you should click on this link, what should you do? (a) Click on the link. (b) Delete the email. (c) Turn off your computer and run out of the office.”
Right. I think that we’ve gotten a little bit past that. I’ve noticed an evolution in the training as being part of the corporate world. There’s a big difference between the training that I saw working at a large organization 15 years ago versus today, where now it’s more entertaining. It’s a different world. We’re passing the baton to the next generation of technology.
We have to keep in mind that we’re still in the infancy of technology here. You and I have grown up during a different time when you remember a time before computers. Could you remember the time before computers, when you didn’t have a PC? I can’t remember that time. I remember having the conversation. How many times did I speak to a person who’s been around as long as I have and I go, “What was your first computer? What was my first computer?”
What was it?
A TRS-80, a RadioShack. My first experience with a computer actually was in elementary school going way back in the day in the 70s, and it was a mainframe. I remember playing a little football game on this teleprompter. I can’t even remember what it looked like, but it was called Football.
I’m trying to remember whether it was a VIC-20 or a Commodore 64 for me.
I’d like the Commodore 64. It had a floppy.
Yes, and it had the 300-baud modem and the cassette. I think we had a cassette tape, so that must have been the VIC-20 that had the cassette tapes for loading stuff. Everyone who’s listening is like, “What is a cassette tape, and why would you use it with a computer?”
That’s how the first viruses came about, my friends.
I remember the copy parties, where we get in a room with a bunch of people and copy games, and all of a sudden everything is infected.
That’s right.
From a perspective of corporate cybersecurity, what are the things that keep them up at night, that make them concerned of, “Are we going to be able to respond to incidents properly? Are we going to be a Sony and not know that we’ve been compromised for months on end?” What are some of the things that keep those professionals up at night?
I think what it comes down to is exposure and exploitability. Skybox, when we consult and we speak to our organizations around vulnerabilities and threats that organizations have, we talk about these two terms: the exposure side and the exploitability side.
For a lot of cybersecurity professionals and IT people coming up, we use these two things synonymously. We feel they’re separated in many ways. Exposure is around knowing where I can get to. Whereas exploitability means are there vulnerabilities that can be exploited, the known vulnerabilities?
Not being able to marry these two areas together is a tremendous gap in an organization because at the end of the day, we say, “Well, if I have a vulnerability, I know what to do. I just patch my system.” You say, “Well, that’s the solution, of course. I keep up on all my security patches.”
The reality is with organizations—and here’s where the fundamental thing that keeps people up at night—is functionality comes first and foremost. I need to run my business, and my business requires technology. If this technology is not available to the consumers of my product, I don’t make money; I’m out of business. Functionality comes first before security.
This really comes back. Remember a few months ago, CrowdStrike? What happened? We have a patch. What did it do? It downed everything. It caused major worldwide outages. We require prior to introducing that patch, that upgrade, is that we go through formal testing and make sure this isn’t going to break something, isn’t going to bring down the house. If it’s a choice between accepting the risk versus not having an operational environment, organizations are going to choose to accept the risk.
Skybox says, “Well, there are other security controls out there. What about them?” If we don’t know, as an organization, about all your security controls, for example, let’s say I have to patch on an Oracle system and we find a vulnerability on that system, what should I do? I go patching. I haven’t tested the patch, and I can’t do it. What are the security controls? I have a firewall with an IPS system in place. Can I leverage that to mitigate this risk? If we don’t know, if the teams cannot communicate with each other, and we know about the capabilities of these other technologies, we can’t act fast. We have this exposure window.
What is happening of why these two teams, the security and the network teams, aren’t working together or communicating as closely as they should?
A lack of commonality of communication, of knowing language between each other, knowing being open and transparent, knowing we’re prone to be more reactive than being proactive. I think that the only real way to be proactive is to know about potential risks, then sitting there, looking at prioritizing, and looking at ways to mitigate these risks.
You’ll never be 100%. The same thing goes for the human being. We all make mistakes, we trip on the sidewalk. We didn’t see the pebble in the road. It happens. The reality is we have to deal with the most obvious things. We must sit there and start with these first. I think that organizations that understand security look at it as a journey and not a destination, and look at it as a maturity level.
At Skybox, we believe in the framework that can glue that commonality between the network, the SOC, and the NOC, to make sure that these two areas are communicating correctly.
What are some of the things that hinder that communication and that collaboration? Is it just turf wars, or are there more fundamental issues that keep these teams separate?
In some ways it’s a turf war. It’s a valid point. I think it’s also that we may have gaps in technologies. We may be looking at costs.
We did a study. We said that over 90% said that they had these communication channels between these organizations, but then they also sat there and 76% of them said that the failure was due to a breakdown in communication. The perceived threat versus the reality missed the problem here.
I think that it comes down to the fact that we’re still learning how to deal with this, but I think we’re getting better. At the end of the day, it’s a journey. You do what you can afford. I don’t pooh-pooh any security mechanism that you put in place. I think they’re all critical.
I think it’s one of those challenges that every business works through, and it’s not just a security and the network work operations team, but sometimes marketing and compliance, they’re in different silos. They have different functions that may set them up towards not being as communicative.
We have different goals. The sales team’s goal is to sell as much stuff as possible. The compliance team’s goal is don’t let the company get in trouble. Those things don’t always lead to the same decisions. I could see the same thing with security and network people. Let me just turn off all the connectivity, and therefore no one can get there.
The networking people have their priorities, and the security people have their priorities. Security people concern themselves with vulnerabilities. The applications concern themselves with the functionality. When the product’s not working, they’re the ones that are going to be yelled at, so it has to work, number one.
Time to market is critical. It’s absolutely critical. With any product in general, it really comes down to what’s going to give me the quickest time to value? Security sometimes stands in the way, and they have to work together.
I think that what we’ve learned as a culture of security and IT is to take an approach of starting out with security first in mind. When we do this, we’re building a better mousetrap.
At the same time, we see shortcuts in organizations, we see shortcuts in technologies. People are still using Java out there, and at the end of the day is their inherent problem that we’re trying to move away from.
Do you see better security practices in younger entities versus older entities? I can see if I’m starting a company now, I’m going to be more inclined to try to build security into my processes concerning the computers in opposition to a company that sells life insurance that’s been around for 120 years, that has done everything with paper and pencil for decades, and now we’re trying to figure out how to bring computers into an existing process, as opposed to someone who’s designing a process with computers in mind from the beginning.
I’ve never really looked at it. It really makes more sense that a younger startup would be building out with security in mind. I think that they’re starting out with different technologies. They’re going to cloud. They’re leveraging security products that are vetted by these cloud providers. I would say that without having any real data behind it, my mind says, you’re probably right about the younger.
Whereas the more mature legacy, hundred-year-old companies that have nothing to do with technology, are the clothing manufacturer, and they sit there and say, “Well, what do I need a computer for?” Might look at, “Well, you told me I needed a firewall. I’m done, right?” Is it possible that the adoption is much more difficult? I think it is a cost factor. I think it comes down to money a lot of times. It is a problem. It depends on the direction of the organization.
I feel like I could probably almost make the argument the opposite way also in that a well-established organization maybe has, “We’ve got our fundamentals down right. We know where we can invest in our resources. We’ve got margin that we can apply to building a good infrastructure.” And that brand new company is, “Hey, if we don’t get to market, we don’t have a product, we have no profit, we’re out of business, so let’s just skip the security. We’ll come back to it later.”
Maybe. It’s a mixture. I work with a lot of different organizations. I consult with organizations with tens of thousands of employees and some with a few dozen. I don’t really split my time based on size and quantifying. It’s more of a need.
I see some small organizations that are incredibly restrictive and locked down, and it’s almost problematic. It’s almost problematic in terms of, “All right, we need this tool.” And they turn around and they say, “I can’t download that tool. It has to go through this whole process.” It’s days or even weeks before we can even get started.
Larger organizations are, “Oh, we have this infrastructure in place; we can give you access, and you’ll have a jump system to be able to do work and to help us out.”
It’s all over the map, and I think that that’s the reason why we have more and more security controls being put in place around regulatory requirements and around privacy regulations out there. I just wish the US would come up with a national privacy law to make it easier for all of us, but that appears to be something political in some way. That’s another story.
That’s another topic for another day. Are there some core best practices for organizations who are like, “OK, we know we’ve got a cybersecurity team, we’ve got a network team. How do we get them to work better together? How do we up our game across the board?”
I think cross-training is probably at the forefront of it all if your organization should be able to work together and train together, to learn about security. When we talk about an organization from the business perspective, we learn a business language around our organization in a security language that we could speak to. That ultimately will make it better.
I think cross-training, collaboration, doing exercises together, training exercises, doing testing together, will ultimately give you that baseline metrics to work towards something better, to increase that communication.
That comes back to my whole disaster recovery days and keeping business continuity going in an organization. We need to run these simulations as an organization and see how we would react.
We also need to make sure that security people, when we ask for certain access, we’re testing and we’re understanding that risk prior to implementation and having multiple teams look at the same information and discuss their perspective on it.
I always say we’re better together. I don’t care if I’m talking to somebody that’s a CISO or a junior engineer. I ask them both their opinion. I want to know both of them, because somebody might see something. We really haven’t talked about it, but I’ll bring it up to you as a question. I think that there are some cultural gaps that we have out there of communication that we’re still trying to learn as we become more and more globalized.
If you’re speaking to a guy that’s a VP, you’re not going to question him or say something. You might be thinking, “Wait a minute. I’m not allowed to do that because in my culture, that’s not how it works. I need to follow this process in order to do something.” I think that as we globalize, we’re learning how to do that more. As somebody that’s a New Yorker, I almost pull it out of them.
I find this a lot of times. It’s like, “What do you think?” I might be talking to somebody that feels like he can’t really speak up. I said, “What would you do if you were in charge?” I think that it builds confidence. When you start doing it once, it’s uncomfortable. You do it again and again, it’s repetition, you will get better. It’s like anything else. It’s a muscle.
I’ve heard some great scenarios around security of really trying to elicit responses from a wide range of people because my background is different from your background. There are things that I will see that you won’t see just because of your life experiences, because of the way things work, and some strengths that companies ultimately turned into weaknesses.
I had a guest once, that her job was physical penetration into companies and finding where physical security is failing. She was doing a walkthrough prior to her attempt. The person she was talking to was like, “We’re really, really good about following the rules around here and not questioning the rules.” She’s like, “OK.”
On her way out, she stuck a piece of paper on a door and said, “Under no circumstances do you lock this door.” Everybody saw the sign and went, “OK, I’ve been told not to lock the door.” That was her way in because everybody followed the rules and everybody was taught to not question the rules.
Like you’re talking about, I think that works true in security of someone who’s young and was talking with his college buddies about some hacking incident is going to see something different than a CISO who’s probably thinking more on the business side of things.
Absolutely.
Is this thing that Skybox helps facilitate these types of discussions, or is this more of a mantra for you?
No. The physical security stuff is not really our purview. I find it to be a fascinating topic because dumpster diving and all those other techniques seem like fun activities to run through a test in an organization. From an ethical point of view, not a bad guy point of view, it sounds like a fun test and an idea in practicing certain things.
What I do is we talk to organizations around gaps in security. “Are you doing this? Are you doing this,” we ask. A lot of times, it’s cost. It probably comes up probably the most, but what I find the organizations that are most concerned do in fact have a regulatory requirement. They’re the ones that have to speak to the auditor.
I say the auditor; in my perception, an audit is a security mechanism. It’s the verification phase of anything. I always used to say trust but verify because that comes from my old military days. I don’t think we really say that anymore because now I think that’s no longer viable. You can’t say trust and verify. That means you let them in, but then you check and make sure you have done that or not, and it’s already too late. I would say verify it, then trust. It would be a better way to go about it.
When I work with organizations, it’s always a process. You never know where it’s going to go—the conversation—but it’s never a one-and-done. It never is. You have to stay up.
No organization is ever static. You’re always adding resources, you’re adding inventory, you’re changing processes. If your business isn’t changing, it’s going out of business.
That’s right. Yeah, absolutely. There’s a lot to be said about that. I see a lot of organizations moving to the cloud. I remember going to the virtualization days. At first it was lots of resistance, and now everything is virtualized. Now, everything is, “Can we go to the cloud? Can we go to the cloud? Is it more secure? Is it less secure?” It’s debatable either way. You can argue either side.
I know a small organization that had an auditor come in. They did their standard auditing things. I said, “Well, we want to see a disaster recovery plan.” They’re like, “Well, we don’t have anything.” Their entire organization, everything was in the cloud. Maybe there’s disaster recovery in terms of, what is the entity that we’re using for disaster recovery? But for themselves, it was like, “Well, we don’t have anything physical that we have to recover.”
That’s why it’s very attractive.
Is that one of the things that makes your job fun? Every organization that you work with is a little bit different, has different gaps, has different strengths and weaknesses, and your job is to try to find those little nuggets?
It’s not about finding them, it’s more about growing it. Probably the most satisfaction I get from an organization is when they see the value of security. That’s sometimes tough to quantify in an organization.
Going back to the whole legacy versus new organizations, legacies look at security as an operational cost. It’s not a profit sum. But without the security, you don’t have the profit. If security is breached, you have fines. You have loss of intellectual property, loss of credit card information. You have a whole bunch of things that could pretty much shut you down forever, especially if you have a mandate for PCI.
I go back to an incident that occurred in 2012 where I was doing consulting, and it was a large organization. They had a public loss of hundreds of thousands of credit card numbers. Security at the time was so lacking in the organization that they had to deal with the federal government.
They were told they were going to lose their contracts with Mastercard and Visa unless they dealt with these issues, and they had to address them. It was a grueling process. It changed a lot of people’s lives that lost their positions because of it.
I think security is everybody’s responsibility. I think that it’s a team effort. Security is a team sport, so to speak. We work as a community. I think what you do is incredibly important because you’re educating the community. We’re on the same side.
You don’t have a dark hoodie and a mask on saying, “Here’s how you hack Office 365 to get back at your ex-wife.” You’re on the good guys’ side. It’s critical that we maintain that, and it’s great that people listen to these things and look for them because we only get better with education. The future is even more complicated.
We won’t go there with all the problems that we foresee in the future. We’ve got to deal with the here and now first.
Sure.
As we wrap up here, any parting advice or particular resources, like people need to read this, people need to know about this?
If you’re an organization that is grasping with the concept of marrying these two technologies, at Skybox, we have a wealth of documentation that we offer up virtually free. If you go there, we have things to look at.
My advice to all, to everybody, is to stay up on the free resources that are out there and these organizations that are really designed to keep us alerted to vulnerabilities and threats out there. I subscribe to CISA’s threat feed. I get emails every single day among others that are out there. I think the key is to maintain and be informed.
Information is key. If people want to find you and Skybox online, where can they find you guys?
You can find us at www.skyboxsecurity.com. I am on LinkedIn. I’m pretty much an open book, so you can find me easily. Howard Goodman, and I’m a technical director at Skybox Security. You can find me on LinkedIn, and please connect with me.
We’ll make sure for those who are listening, link to those in the show notes so that you can find them. You don’t have to worry about mistyping them and ending up in some other place that you don’t want to be.
Howard, thank you so much for coming on the podcast today.
Thank you, Chris. I enjoyed it.