by Dwayne Stewart
3:30 min read
The first two CIS Controls for Internet security address keeping an inventory of hardware and software. The third CIS Control deals with secure system configurations. Its central principle is that a strict process for change control and configuration management is necessary to prevent attackers from exploiting poorly set up hardware and software. The road inside should be a less navigable path for those coming from the outside.
The importance of configuration management
Accepting the default configuration in any installation rarely produces the most secure configuration. The emphasis is on ease of deployment and use. And attackers know what to look for. A secure configuration turns off options which aren't necessary, changes names from the defaults, and limits access to what's necessary for usage.
It's especially important to turn off inherently insecure features. There's no good reason for modern systems to allow Telnet access or unencrypted FTP, nor should web servers provide directory listings to the browser.
Default accounts are a common vulnerability, even if they have custom passwords. Eliminating these accounts if they aren't needed, or changing their names if they are, will reduce susceptibility to standard probes. Any, and all, "admin" accounts need to be rechristened.
Even devices that normally aren't considered computers need configuration management. A printer may directly accept print jobs via email, communicate by Bluetooth or run unused network services such as Telnet, FTP and SNMP. These services could provide an avenue of attack for a malicious user and they should be disabled if not used. Some services may be re-enabled after applying a firmware update or performing a hard reset, so continuous monitoring of these devices is important.
Establishing a standard, secure configuration of operating systems and applications provides consistency. This can be accomplished using installation scripts or directly installable system images. Containerized software is especially amenable to this approach.
The Center for Internet Security recommends creating standardized system images with hardened versions of the operating system and applications. This is an effective approach for multiple servers sharing the same tasks or as a baseline for desktop systems. Standard images need to be updated periodically as security patches are issued or new concerns arise. If a system becomes compromised, reinstalling the image is a quick way to get the software back to a known, good state.
Configuration management tools
Software automation tools are a huge help to configuration management. Manual deployments are time-consuming and error-prone. The larger a network is, the greater the value it gains from automating its configurations. Tools such as Puppet, PowerShell DSC and Windows Group Policy allow centralized automation of system configurations.
File integrity tools can check installed software using a digest or checksum to make sure it hasn't been altered. If there is an unexplained change, the software should be reinstalled and the machine checked for any other signs of a breach.
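As an added illustration of the digest check described above (not code from the original post or from any particular product), this Python sketch records a SHA-256 baseline for an install tree and reports altered, added and removed files. The directory contents are constructed for the demo.

```python
import hashlib
import os
import tempfile


def digest_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (by relative path) to its digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = digest_file(full)
    return manifest


def compare(baseline, current):
    """Report files modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    """Create a file (and its parent directory) inside the demo tree."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed install tree, record a baseline, tamper, re-check."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, os.path.join("bin", "tool"), b"original binary\n")
        _write(root, os.path.join("etc", "tool.conf"), b"listen=127.0.0.1\n")
        _write(root, os.path.join("lib", "helper.so"), b"helper v1\n")
        # In practice the baseline is stored off the monitored host (or signed),
        # so whoever alters the files cannot also rewrite the baseline.
        baseline = build_manifest(root)

        _write(root, os.path.join("bin", "tool"), b"original binary!\n")  # altered
        _write(root, os.path.join("bin", "extra"), b"dropped file\n")     # added
        os.remove(os.path.join(root, "lib", "helper.so"))                 # removed
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```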
Administrators should be able to run the tools from a single console through a secure channel. The less they need to visit machines in person, the more effective they'll be.
Being scanned is a fact of life. Internet-connected devices worldwide are continuously scanned for vulnerabilities by untold numbers of bots. Many of these vulnerabilities exist due to a default, or otherwise insecure, configuration.
Many tools are available to scan software installations for weak points. Scanning master images periodically for vulnerabilities can call attention to the need for updates or tightened configurations.
Tools that follow the SCAP standard provide a consistent way of checking configurations against standard baselines. They will report any deviations; whether they are acceptable depends on company policy and the level of security needed. The report may include recommendations for fixing issues.
CIS benchmarks provide recommendations for secure configurations of various operating systems, applications and network devices. Many tools build their baselines on them.
Greater security and confidence
Using standard configurations, supported by automation tools and vulnerability scanning, provides a double benefit. It makes software more consistently secure while reducing the effort needed to configure it. Having the same settings in every installation reduces idiosyncratic software behavior, so there are fewer maintenance issues. This also aids in the deployment of patches across the network.
A fair amount of effort is needed up front to set up standard configurations, and ongoing work is necessary to keep them up to date. In the long run, though, they save effort as they improve security.
by Andrea Lee Taylor
Wondering how to go about implementing or integrating Control 2 with your current system setup? We're partners with Tenable, and Ted Gary's blog post about this specific CIS Control is especially apt.
"Knowing and controlling your software is certainly a control that increases security – detecting and blocking malware and high-risk applications reduces your attack surface and can prevent incidents. However, the benefits of knowing and controlling your software extend beyond security. For example, identifying and updating unsupported software versions reduces IT support costs, and can even increase user productivity and license compliance." -- Ted Gary
Read the full post here.
by Marian Bodunrin
4:00 min read
The first of the CIS Controls for internet security is taking an inventory of authorized and unauthorized devices/hardware. The second CIS control is so similar it’s natural to wonder why it was granted its own control: an inventory of authorized and unauthorized software. The purpose and some of the methods are similar, but software is more fluid than hardware. Adding software is common, updates are necessary, and vulnerability reports can require reassessing existing software.
Unauthorized software, in this context, simply means software that hasn't been authorized, not necessarily forbidden software. Users may have leeway to install applications without explicit permission. However, a secure network needs to identify and assess the software which is installed on each machine, especially if it isn't pre-approved.
The potential complexity of implementing control 2, as well as control 1, pales in comparison to its importance to a responsive security program.
There are several risks in unauthorized software:
Methods of tracking software
Endpoint management is as useful in tracking software as it is in tracking hardware. A software agent in each machine will report installed software and versions. Inventories need to run frequently, since new software can be installed at any time. Automated asset discovery tools exist, allowing for more accurate data and less confusion and ambiguity.
Not all machines can have agents; for example, it's usually impractical to require them on personal mobile devices and home computers. Nor are the owners of those machines likely to agree to list all software on their computers, or to be able to find it all even with their best efforts. Network managers can compensate for this lack by restricting access from these machines and monitoring their network activity.
A whitelist, covering software which is explicitly authorized and up to date, lets IT management focus on whatever other software is present. Some networks may allow only authorized software; others may consider it case by case, even blacklisting unauthorized applications. Servers should never have software which isn't there for an explicit reason, but desktop machines and mobile devices may need more flexibility.
If endpoint management isn't suitable for a network, it needs to have policies on installing software. Setting rules (e.g., "no games" or "no installation without specific permission") and requiring users to report any applications they install is much better than nothing. Periodic audits of machines, merging the results into the inventory, will get people to take the policies seriously.
The list of authorized software and accepted versions needs to be kept up to date. If an important vulnerability report comes out and the publisher issues a patch, the previously acceptable version can become risky and unacceptable overnight.
This is where the inventory becomes your best asset, demonstrating its value in the extreme. If it comprehensively lists the installations of software that needs updating, the IT department can push the update to all the machines. A quick response makes the attackers' window of opportunity as small as possible.
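The following added example, not part of the original post, shows how an inventory pinpoints the machines to patch when a previously accepted version becomes unacceptable. Product names, hostnames and versions are constructed, and the inventory structure is an assumed stand-in for what endpoint agents report.

```python
import re


def parse_version(text):
    """Turn '4.2.10' into (4, 2, 10); trailing zeros are dropped so 7.6 == 7.6.0."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def assess(inventory, authorized):
    """Sort every reported install into authorized, outdated or unauthorized.

    inventory:  {host: [(package, version), ...]} as reported by endpoint agents
    authorized: {package: minimum accepted version}
    """
    result = {"authorized": [], "outdated": [], "unauthorized": []}
    for host in sorted(inventory):
        for package, version in inventory[host]:
            minimum = authorized.get(package.lower())
            if minimum is None:
                status = "unauthorized"      # not pre-approved: needs assessment
            elif parse_version(version) < parse_version(minimum):
                status = "outdated"          # approved product, unacceptable version
            else:
                status = "authorized"
            result[status].append((host, package, version))
    return result


def hosts_needing_update(inventory, package, fixed_version):
    """List hosts running `package` below the version that carries the fix."""
    wanted = parse_version(fixed_version)
    return sorted(
        host for host, installs in inventory.items()
        for name, version in installs
        if name.lower() == package and parse_version(version) < wanted
    )


# Constructed sample data: hypothetical product names, hosts and versions.
AUTHORIZED = {"acme-vpn": "4.2", "examplepdf": "11.0", "officesuite": "7.6"}
INVENTORY = {
    "fin-laptop-01": [("acme-vpn", "4.2.9"), ("OfficeSuite", "7.6.0")],
    "fin-laptop-02": [("acme-vpn", "4.2.10"), ("examplepdf", "10.3")],
    "dev-desktop-07": [("acme-vpn", "4.1"), ("torrentbox", "2.0")],
}

if __name__ == "__main__":
    for status, rows in assess(INVENTORY, AUTHORIZED).items():
        print(status, rows)
    # A constructed advisory: the fix for acme-vpn ships in 4.2.10.
    print("patch:", hosts_needing_update(INVENTORY, "acme-vpn", "4.2.10"))
```

Comparing versions as plain strings would rank "4.2.9" above "4.2.10" and leave fin-laptop-01 off the patch list, which is why the versions are parsed into numeric tuples first.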
If software is no longer getting support, it will eventually become necessary to remove it from the authorized list. Identifying the situation as early as possible makes it easier to find alternatives before compatibility or security problems arise.
An organization that doesn't know what software is on its computers is open to unnecessary risks. Keeping track of software, by whatever means are best suited to the network's needs, is an essential part of a security strategy.
by Andrea Lee Taylor
3:00 min read
When an inventory of authorized and unauthorized devices seems daunting, a first step is a comprehensive approach to mapping what's there. There are tools that can fundamentally help. One of our partners, ForeScout, has found that "what is often lacking, though, is the clear direction as to what “improving security” actually entails". Following a well-known framework, the CIS Controls, provides this guidance. More from their blog: https://www.forescout.com/company/blog/ot-network-security-starts-knowing/
by Dwayne Stewart
4:00 min read
The CIS Controls provide a clear and elegant, if not always simple, framework for a cybersecurity plan. From the Center for Internet Security, the top 5 in order of priority:
The device inventory
The first priority masks a simple assumption – that there is an explicit awareness of every device on a network. Without this fundamental information, it isn't even possible to track software, configurations, and access reliably. Compiling a full inventory may take some effort if starting from scratch, taking into consideration remote employees, mobile devices, and IoT devices. But there are several software tools and vendors in the IT asset management market that help expedite the inventory, making it much less onerous.
While the process takes a significant time commitment, it’s truly essential for being able to get the most out of your security efforts. Sometimes there are rogue devices that have gained access, usually through Wi-Fi. If there’s been a breach, an accurate inventory proves crucial for locating devices and enacting safeguards quickly.
Newer devices are generally more up to date and easier to keep secure, while older devices may have problems updating to the latest, most secure software. IT management needs to identify the devices that need special attention. At some point, they should be retired for security reasons; if this isn't possible, access to the network should be restricted.
The process needs to start with a scan of the network to identify as many devices as possible. The results should include anything with an IP address, including printers, VoIP phones, PoS devices, and network-connected devices. The first scan will most likely be incomplete, since some devices are intermittently connected, but it establishes a baseline.
The scan needs to obtain as much identifying information as possible. This includes the MAC address, device type, operating system, and version. Devices that can't be identified need additional scrutiny. The safest policy is to block access until they can be validated. If the network uses DHCP to assign IP addresses, DHCP server logging will help to track all devices.
A network that implements complete endpoint management, with a software agent in each authorized device, can take an inventory most easily. It may not be possible to install agents in all cases, but the better discovery software products can recognize many devices even without one. Where possible, they rely on queries with ICMP, HTTP, and other protocols. In addition, they can send and track malformed packets as different device models and operating systems respond to those in different ways. These techniques can identify nearly all machines that aren't intentionally disguised.
Going forward, it is then necessary to simply stay up to date. If the endpoint discovery software can recognize any new device when it joins the network, this will happen automatically. Otherwise, periodic rescanning of the network will pick up devices that were previously offline or have been added.
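An added example (not from the original post) of the DHCP-logging approach mentioned above: it reconciles lease acknowledgements against the device inventory and lists devices that need validation. It assumes ISC dhcpd-style syslog lines; the log entries, MAC addresses and inventory are constructed.

```python
import re

# Assumed log format: ISC dhcpd-style syslog lines. Other DHCP servers differ.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)"
)


def normalize_mac(mac):
    """Lower-case, colon-separated form so inventory and log entries compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the locally-administered bit is set, as in randomized phone MACs."""
    return bool(int(mac[:2], 16) & 0x02)


def seen_devices(log_lines):
    """Return {mac: {"ip", "name", "leases"}} from DHCPACK lines; later lines win."""
    seen = {}
    for line in log_lines:
        m = ACK_RE.search(line)
        if not m:
            continue                      # DISCOVER/REQUEST/etc. are ignored
        mac = normalize_mac(m.group("mac"))
        entry = seen.setdefault(mac, {"leases": 0})
        entry.update(ip=m.group("ip"), name=m.group("name") or "")
        entry["leases"] += 1
    return seen


def reconcile(inventory, log_lines):
    """Compare leases with the inventory.

    unknown:  devices that obtained a lease but are not inventoried (validate or block)
    not_seen: inventoried devices with no lease in this log (offline, static, retired?)
    """
    seen = seen_devices(log_lines)
    known = {normalize_mac(mac): owner for mac, owner in inventory.items()}
    unknown = [
        {"mac": mac, **info, "randomized": is_locally_administered(mac)}
        for mac, info in sorted(seen.items()) if mac not in known
    ]
    not_seen = sorted(mac for mac in known if mac not in seen)
    return {"unknown": unknown, "not_seen": not_seen}


# Constructed inventory and log lines (MACs use the IANA documentation range).
INVENTORY = {
    "00-00-5E-00-53-01": "front-desk-pc",
    "00:00:5e:00:53:02": "lobby-printer",
    "00:00:5e:00:53:03": "warehouse-scanner",
}
LOG = [
    "Mar  4 08:01:12 gw dhcpd[812]: DHCPDISCOVER from 00:00:5e:00:53:01 via eth1",
    "Mar  4 08:01:13 gw dhcpd[812]: DHCPACK on 10.0.20.31 to 00:00:5e:00:53:01 (front-desk-pc) via eth1",
    "Mar  4 08:05:40 gw dhcpd[812]: DHCPACK on 10.0.20.32 to 00:00:5E:00:53:02 via eth1",
    "Mar  4 09:17:03 gw dhcpd[812]: DHCPACK on 10.0.20.77 to 00:00:5e:00:53:9a (ipcam) via eth1",
    "Mar  4 09:30:55 gw dhcpd[812]: DHCPACK on 10.0.20.80 to da:a1:19:00:53:10 (phone) via eth1",
    "Mar  4 13:30:55 gw dhcpd[812]: DHCPACK on 10.0.20.80 to da:a1:19:00:53:10 (phone) via eth1",
]

if __name__ == "__main__":
    report = reconcile(INVENTORY, LOG)
    for device in report["unknown"]:
        print("unknown:", device)
    print("not seen:", report["not_seen"])
```

A device flagged as randomized will show a different MAC on another network or after a reset, so matching it to an owner needs another identifier, such as the endpoint agent or the user's login.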
Matching the physical devices
While the inventory process starts on the network, the devices it lists are physical objects. Devices on the premises have to be matched up with listed network devices. Personal devices need to be matched with their owners. This establishes who is responsible for a device, where it can be found if service is needed, and whether it has an appropriate level of physical protection.
The process of acquiring and adding a device should start with confirming that it conforms to the network's requirements, including the installation of software agents if required. New devices need to be set up securely before connecting them to the network; otherwise they constitute a window of vulnerability which malicious network probing can quickly find. Devices which are added to the network temporarily, or which aren't fully under the network management's control, such as mobile devices under a BYOD policy and home computers used for telecommuting, need to be treated with special care.
Checking and updating devices
Having an inventory lets the network administrator check whether each connected device meets the requirements for safely connecting to the network. This gets into control #3: configuration of hardware and software. Every device should be running a currently maintained and patched operating system. If any of them aren't, they should be updated, blocked, or at least restricted in their access to the network. Endpoint management software can keep all devices which have installed agents up to date. In other cases, the network needs enforced policies for updating all authorized devices.
How tightly an organization can control its inventory of devices will vary greatly from case to case. In all cases though, network management needs to make the best effort possible to enumerate the devices which are authorized to access the network, if only in order to identify and remediate unauthorized ones. Device inventory -- a security basic with a top priority; it makes everything that follows less complicated.
by Andrea Lee Taylor
3:35 min read
When the training of employees becomes your next step in securing the organization against human risk, where do you begin? We've chosen to partner with Wombat because of a storied history of helping with just that. Take a look at a few of the considerations from their blog.
Security Awareness Training: Best Practices to Consider
by Gretel Egan | January 16, 2018
When it comes to security awareness training, each organization's program is likely to be, at least slightly, unique. In fact, we encourage organizations to put their own stamp on their cybersecurity education initiatives in order to reflect specific policies and elements of corporate culture. That said, we have identified several elements that are common threads among the most effective programs. These are the key components to consider as you plan your initiatives:
The most successful security awareness and training programs not only have top-down buy-in, they have top-down participation. This is simply because an all-in approach is the best — if not only — way to build an organization-wide culture of security in which good decision-making and application of cybersecurity best practices become daily pursuits for end users at all levels. When certain groups, locations, or individuals are excluded from a program, it is more difficult to encourage a mindset in which all employees feel equally invested in improving cyber hygiene.
C-level executives, board members, and managers absolutely should be communicated to early and often with regard to the vision and progress of your program. But end users should also be regarded as stakeholders — a factor that organizations can tend to overlook (to their detriment).
It is critical that employees understand the value and purpose of cybersecurity education before they ever receive a training assignment. And as a security awareness and training program continues, end users should remain clear on what is happening and, more importantly, why it’s happening and how they fit in.
Baseline Vulnerability Measurements
The premise of this recommendation is simple: How can you know how far you’ve come if you don’t know where you started? Baseline assessment scores — related to phishing susceptibility and cybersecurity knowledge levels — allow you to mark your starting point and gauge progress. But it’s also a good idea to take note of other metrics — like rates of malware infections and successful phishing attacks from the wild — before you begin employee awareness training. You should see a reduction in employee-driven cybersecurity incidents over time, which is a good indicator of program success.
Regular, Ongoing Assessments and Training
To change mindsets and reduce the mistakes and risk associated with end-user behaviors, cybersecurity must become a regular pursuit. Occasional phishing tests and once- or twice-a-year training simply will not be enough to raise awareness and help your employees learn how to apply best practices. To develop new skills, end users must be given the benefit of regular cybersecurity education and the opportunity to learn over time.
Creating a Clear Link Between Assessments and Training
As is reflected in our Continuous Training Methodology, we make a clear distinction between assessments (like simulated phishing attacks and question-based evaluations) and training. These two types of activities work most successfully when used in conjunction with one another. A phishing test, for example, is an excellent way to motivate employees to complete follow-up training. However, it’s critical that these initiatives are clearly linked, with a small window of time between assessments and training. After all, if you send a phishing test in January and then send an anti-phishing training assignment in October, the logical connection between those two activities is lost.
We’ve regularly spoken about the need to reinforce key messages with end users. When you revisit topics on a regular basis and incorporate ongoing awareness activities, you help to keep cybersecurity best practices top-of-mind for employees. Without reinforcement, you are put in the position to regularly rebuild — rather than build upon — a cybersecurity foundation.
Consistent Tracking and Reporting
As is reflected in the Data-Information-Knowledge-Wisdom hierarchy, data is helpful, but wisdom should be your ultimate goal. As such, it’s important to choose security awareness and training tools that do more than churn out data for data’s sake. Seek instead tracking and reporting capabilities that give you access to value-add data that ultimately translates to actionable business intelligence.
We’ve seen a number of organizations generate great engagement and results by applying gamification techniques to their programs. We strongly believe in using rewards and positive reinforcement to raise end-user interest and participation; in fact, our reporting features, including our Training Leaderboard report, are designed to help organizations track successes at the individual and department levels and more easily apply gamification to their programs. We do recommend exploring this option if it's supported within your corporate culture because it can elevate the effectiveness of your program.
by Andrea Lee Taylor
3:00 min read
Insider threats are a hidden and yet obvious peril. They are human security risks to an organization’s cybersecurity from those who have authorized access to the company's data and computer systems. They are the biggest cause of security breaches in companies. They are also difficult to deal with and costly to remediate.
A 2016 Cyber Security Intelligence Index by IBM reported that 60% of all attacks in organizations were carried out by insiders. In the US, it is estimated that 2500 internal security breaches occur in firms daily, yet only 1 in 5 of IT professionals consider them a priority when addressing security issues.
Who are the insiders in your organization?
Any trusted or privileged user in your system is a potential, even when unintentional, threat. They include:
Employees: Your workforce is your greatest asset, and yet they present a huge threat to the security of your organization. They may leak sensitive data due to negligence, ignorance, or misuse it intentionally for personal gain. Hackers target them on a daily basis in an attempt to compromise or steal their credentials.
Former employees: If their user access credentials were not disabled upon being laid off, terminated employees can still access systems and data. Some may take sensitive data with them when leaving, while others, conversant with your security practices and thus your known vulnerabilities, may attack your business via malware.
Third parties: This group comprises partners, remote employees, third-party vendors, and sub-contractors. They access your data but you may not know how secure their systems are. It is also hard to establish if they have any ill motive.
Types of Insider threats
Insider threats are grouped into two broad categories, inadvertent and malicious.
Inadvertent insider threats: These breaches are caused by insiders who have no malicious intent. They may result in data loss, damage to your infrastructure, or unauthorized disclosure of confidential and sensitive information. Everyday situations involve negligence, convenience, human errors such as accidental deletion of files, unintentionally aiding someone with malicious intent, phishing, or someone accessing your systems using stolen employee credentials.
Malicious insider threats: Malicious breaches are intentional, and they are meant to harm your organization. The motivation for malicious threats may be personal vendetta, competition, or financial gain. They include theft of intellectual property, fraud, corporate espionage, and sabotage.
Why are insider threats so rampant?
It is easier to overlook risks posed by insiders. Training employees takes time, and time away from other projects. Most budgets for IT emphasize making infrastructure and databases impervious to hackers and malware.
Breaches or data leaks can go on for months before they are discovered. And when employees routinely work with sensitive data, intellectual property or customer information, it can be difficult to know which interactions are harmful or not. Employees who infiltrate systems with malicious intent also cover their trails by editing or deleting implicating logs. And without egregious harm it can be difficult to prove intent. Mistakes do happen.
And there are innocent, ignorant users in organizations. These insiders pose the most significant security risk to their firms. According to a report from Forrester, 36% of security breaches in companies stem from careless or ignorant user actions. Another report revealed more than 50% of employees don't think it is risky to share their work login information. Some employees even leave their workstations without logging out of their user accounts, giving malicious insiders the opportunity of using their credentials to sabotage systems or obtain sensitive data.
True crime stories aside, there are ways to help. Wombat’s User Risk Report outlines the issues and offers help for training employees – in ways that make an actual difference.
by Peter Dietrich
3:00 min read
The principle of least effort is sensible in many cases, but it's a poor guide to computer security and an uncomplicated human security risk. If a device or software service comes with a default password, failing to change it will open security risks. In a complicated networking environment, it takes some effort to make sure no default passwords open backdoors because they went unnoticed. Installed systems need review to make sure none have been missed.
Infrastructure? All passwords need changing
There are websites with comprehensive lists of default passwords for every device on the market. On one level, this is helpful; if users need to do a hard reset, they need to know how to access the device, and they may not have the original manual anymore. But these lists are also very handy for criminals.
Default passwords are often weak in themselves, so intruders can guess them in a few hundred tries even if they aren't publicly available. The password "admin" is a popular one.
Even devices that seem unimportant in themselves need a password change. That smart thermostat or security camera very likely has a full operating system running on it, and someone with access can install software that has nothing to do with its intended function. It becomes a back door to the local network, able to infiltrate other systems and steal data.
Software services may come with default accounts, where the installation procedure either automatically disables the accounts after they've served their purpose or keeps them locked until their passwords are changed. For example, Oracle sets up default accounts with these precautions built in. The best practice is to delete such accounts or immediately change their passwords, so that no one will inadvertently enable them in a vulnerable state.
New virtual machines, set up as PaaS, may likewise have accounts with default passwords or no passwords. The setup procedure should prompt the administrator to select a password, but hitting Enter too hastily may leave one unchanged. It's wise to review all accounts after setting up a VM to make sure they have good passwords.
The biggest risk is not realizing that there's a password that needs changing. A service such as a database may set up a default account which ought to be removed or changed. Administrators may be careful in securing every new account yet fail to notice that a vulnerable one was automatically installed.
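An added example, not from the original post, of the post-setup account review: it assumes a Linux VM and reads shadow(5)-format lines, flagging accounts with no password, enabled default accounts, and passwords not changed since the image was built. The account entries, the set of default names and the build date are constructed.

```python
from datetime import date

EPOCH = date(1970, 1, 1)


def audit_shadow(lines, image_built, default_names):
    """Return (account, finding) pairs for shadow(5)-format lines.

    image_built:   date the VM image was created (site-specific assumption)
    default_names: account names the site treats as vendor defaults (assumption)
    """
    built_day = (image_built - EPOCH).days   # shadow stores dates as days since 1970
    findings = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 3:
            continue                          # not a shadow entry
        name, secret, last_change = fields[:3]
        if secret == "":
            findings.append((name, "no password set"))
            continue
        if secret.startswith(("!", "*")):
            continue                          # password login is locked
        if name in default_names:
            findings.append((name, "default account is enabled"))
        if last_change == "0":
            continue                          # a change is forced at next login
        if last_change.isdigit() and int(last_change) <= built_day:
            findings.append((name, "password unchanged since image build"))
    return findings


# Constructed sample: the hash fields are placeholders, not real hashes.
IMAGE_BUILT = date(2024, 1, 10)               # day 19732 since the epoch
DEFAULT_NAMES = {"admin", "guest", "test"}    # hypothetical site list
SHADOW = [
    "root:$6$constructed$placeholderhash:19732:0:99999:7:::",
    "admin:$6$constructed$placeholderhash:19800:0:99999:7:::",
    "guest::19732:0:99999:7:::",
    "test:!$6$constructed$placeholderhash:19732:0:99999:7:::",
    "daemon:*:19732:0:99999:7:::",
    "deploy:$6$constructed$placeholderhash:19805:0:99999:7:::",
]

if __name__ == "__main__":
    for account, finding in audit_shadow(SHADOW, IMAGE_BUILT, DEFAULT_NAMES):
        print(f"{account}: {finding}")
```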
Documentation isn't always good about mentioning the issue, especially on commodity IoT devices. If a password is needed only for maintenance functions, the person installing the device might not notice that it's there.
Changing it may not be easy. It may be necessary to set up a Telnet or SSH connection to the device and run the "passwd" command or some equivalent, without any mention in the documentation of how to do it.
Sometimes accounts exist on a device that aren't revealed to the user at all, and sometimes there's no way to change the password. These are sometimes leftover test code that the manufacturer forgot to remove. Security updates may remove the test account or give instructions for changing the password.
Don't assume it's unreachable
Even if the device is reachable only on the local network, leaving its password unchanged is a poor practice. A network configuration error could expose it, or malware could reach it through another computer on the network. The principle of defense in depth says that networks should have strong internal security as well as protection from outside threats.
At one time, routers were commonly shipped with a published, default administrative password, and remote administration over the Internet was enabled by default. Botnets devoted to scanning them quickly sprang up. They used the brute-force method of probing every possible IPv4 address. The routers would typically get compromised within seconds of being plugged in.
Sometimes there's no getting around this vulnerability. Administrators need to familiarize themselves with the security setup for devices before installing them, and if possible keep them off the public Internet while setting them up as these devices are inherently insecure.
Following CERT's recommendations will help to avoid exposing devices to default-password risks. Suggested measures include:
by Andrea Lee Taylor
4:30 min read
Phishing remains the top human security risk. But what works to help mitigate the risk? There are proven, measurable, methods. So we thought we'd share a post you might appreciate from one of our partners.
Wombat 2017 Beyond the Phish
by Gretel Egan, Marketing Brand Manager @WombatSecurity
Wanting industry- and category-specific data points that illustrate business implications and highlight knowledge deficiencies in end-user cybersecurity knowledge? Our partner, Wombat Security Technologies’ 2017 Beyond the Phish Report™ is now available for download.
This analysis represents more than 70 million questions asked and answered — a survey of over a thousand US and UK working adults. The report examines strengths and weaknesses related to phishing threats, but also analyzes end-user knowledge beyond the phish. Within the Beyond the Phish Report, we explore employee understanding of business-critical cybersecurity best practices such as data protection measures, mobile device security, safe social sharing, password hygiene, and more. It’s important that organizations take the opportunity to evaluate knowledge across a range of topics, as poor cyber hygiene in these areas can compound the phishing threat and weaken security postures in general.
Wombat President & CEO Joe Ferrara noted, “We continue to see in our year-over-year results that reinforcement and practice are critical to learning retention. As with any learned skill, organizations need to work on cybersecurity awareness and knowledge to see continual improvements. Organizations that focus on building a culture of security and empowering their employees to be a part of the solution develop the most sustainable and successful security awareness training programs.”
Areas of Improvement
Key areas from the 2017 Beyond the Phish analysis that revealed room for improvement include the following:
Areas of Improvement
While we can likely all agree that there is always room for improvement with regard to managing end-user risk, the 2017 Beyond the Phish Report did reveal categories and industries in which employees are improving year-over-year:
Ultimately, the 2017 Beyond the Phish Report shows the need to continuously assess and train employees about cybersecurity threats. Infosec teams cannot assume that knowledge is a constant; like any skill, cybersecurity expertise needs to develop over time, and users need the opportunity to practice and grow their abilities. An hour of training, once a year, is not the way to move the dial on behavior change, nor can any one tool serve as a silver bullet to knowledge enhancement. It is a combination of phishing tests; question-based knowledge assessments; interactive training; reinforcement techniques and tools; and gathering of metrics and business intelligence that will give your security awareness and training program the best shot at success.
As always, Wombat and Anchor Technologies remain poised to be the partners that can help you move the dial and deliver measurable behavior change within your organization.
by Peter Dietrich
3:30 min read
Human behavior is a huge issue in network security, and it's one of the hardest to manage. Technical protection is important, but the human security risk is the mistakes people make that can undo it. People tend to be trusting. This makes for good social relationships but is a problem for network security.
Phishing attacks prey on people's trust. When we think of phishing, we usually think about email. Criminals don't stop there, though. SMS phishing, called SMiShing, makes up a rapidly growing proportion of the threat. Trojan Horse attacks delivered by SMS were one of the fastest-growing forms of malware distribution in 2017. Many phones have no SMS spam protection, so it's easier to get through.
People haven't had as many years of experience with deceptive SMS messages, so they aren't always as alert to them. Text messages are normally terse, so the lack of personally identifying information isn't as obvious a clue as with email. People usually deal with them more hastily than they do with email, and it's easier to catch them off guard with a text message.
The pattern isn't much different from email phishing. Typically, it's a fake notification of a payment or invoice, or some other supposedly urgent message. The victim taps on the link and opens a Web page that's designed to cause trouble.
Varieties of SMiShing
The link may lead to what looks like a legitimate business site, claiming some issue needs to be resolved. The victim is asked to enter personal information, such as a Social Security or credit card number. After getting the information, the site will probably express polite gratitude. It now has a lot more to be grateful for than the user realizes.
Sometimes the linked site tries to download malware. It might claim that an application or plug-in is needed to see some important content. It might try to exploit a browser bug and install the malware directly.
Phones are often the weakest link in a business network. BYOD policies let employees use personal phones that may not have any security software. Getting malware onto a phone with access to a VPN is the first step to getting at the company's confidential data.
If the criminal is targeting a particular individual, the message can use techniques to appear more plausible. It can forge the sender ID to impersonate someone the recipient knows. It can add personal details.
If someone's phone is infected by malware, it can send out text messages without the owner's knowledge. They don't just appear to come from someone the target knows, but really do come from there.
The first line of defense is user awareness. Employees need to be as aware of the dangers of SMS spam as they (hopefully) are of email spam. Their awareness needs to be a habit, not just a fact they can recite. A training program in security practices is the best way to accomplish this. Follow-up testing with SMiShing messages can attest to how well employees have incorporated the information, as well as reminding them they need to stay alert.
Even smart people will sometimes be fooled, though. Security measures that protect the whole network are necessary. Spam filtering is as important for text messages as it is for email. A BYOD policy should require phones to meet certain standards before they get VPN access or custom applications. IT departments need to keep software patches up to date. Network monitoring is necessary to detect suspicious traffic.
Check Point SandBlast Mobile provides comprehensive mobile security. It filters SMS messages, using dynamic security intelligence, and blocks malicious ones. It checks downloaded applications for malicious behavior, keeping them in a sandbox environment till it has verified them. Users continue to use their phones the way they always have, but with fewer annoying text messages and less risk. SandBlast is designed for EMM deployment, so it can easily be installed on all devices on a network.
People make mistakes, and nothing can eliminate them all. However, a multi-layered approach to security can sharply reduce their consequences. It needs to include training, network maintenance, and high-quality security software.