Don’t know what a blast radius is? Well, let’s turn to our friend Wikipedia: “The distance from the source that will be affected when an explosion occurs. A blast radius is often associated with bombs, mines, explosive projectiles (propelled grenades), and other weapons with an explosive charge.”
From a security perspective, blast radius is used “to designate the impact that a security breach of one single component has on the overall environment. Reducing the blast radius of any component is a good security practice”.
So why am I telling you this? You need to know your blast radius. You can’t protect what you can’t see. I’m willing to bet there are things you can’t or don’t see. COVID changed how we work and amplified the challenge of users, apps, and data being more geographically dispersed. So, what should you see? Everything! Every account (service, privileged, corporate user, external partner/contractor/vendor), every network connected device (laptop, desktop, server, printer, IoT device), every file, every application, every cloud resource. EVERYTHING! If it connects to or lives on the network, it can be used against you.
When you’re attacked (and you will be if you haven’t already), having a full, accurate inventory helps in a number of ways:
- Isolate the compromised devices from the rest
- Identify where you need to start your recovery/remediation efforts
- Understand what data/customers/vendors/users have been impacted for effective communications
There are a lot of benefits to understanding what you have and what can hurt you. Here’s the CIS definition of this Control/Safeguard:
CIS Control 1:
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
Implementation Group 1 - CIS Safeguard 1.1
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.
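To make the safeguard concrete, here is an added example (not code from the original post or from CIS) that reconciles an inventory carrying the fields Safeguard 1.1 names (network address if static, hardware address, machine name, owner, department, approved-to-connect flag) against hosts actually observed on the network, and flags the cases a defender acts on: devices on the network with no record (unmanaged), devices whose record says they are not approved, static-address mismatches, records not reviewed within the review interval, and inventoried assets that were not seen. All device records and observations are constructed sample data; the hardware address is assumed to be the join key, and “bi-annually” is interpreted here as every six months (182 days).

```python
"""Reconcile a CIS Safeguard 1.1 style asset inventory against observed hosts.

Added example; all devices below are constructed sample data, not real assets.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    """One inventory record with the fields CIS Safeguard 1.1 asks for."""
    hardware_address: str                   # MAC; assumed join key with observations
    machine_name: str
    owner: str                              # enterprise asset owner
    department: str
    approved: bool                          # approved to connect to the network?
    last_reviewed: date                     # when this record was last verified
    network_address: Optional[str] = None   # recorded only when the address is static


def normalize_mac(mac: str) -> str:
    """Canonical lowercase, colon-separated form so 'AA-BB-..' and 'aa:bb:..' match."""
    return mac.strip().lower().replace("-", ":")


# Constructed sample inventory (hypothetical devices).
INVENTORY: List[Asset] = [
    Asset("aa:bb:cc:00:00:01", "fs01", "it-ops", "IT", True, date(2024, 1, 15), "10.0.0.10"),
    Asset("aa:bb:cc:00:00:02", "lt-alice", "alice", "Finance", True, date(2024, 5, 1)),
    Asset("aa:bb:cc:00:00:03", "printer-2f", "facilities", "Facilities", False, date(2024, 5, 1), "10.0.0.50"),
    Asset("aa:bb:cc:00:00:04", "old-nas", "it-ops", "IT", True, date(2023, 9, 1), "10.0.0.20"),
]

# Constructed sample of hosts seen on the network, in the shape a parsed DHCP lease
# or ARP table export might give (hypothetical values).
OBSERVED: List[Dict[str, str]] = [
    {"mac": "AA-BB-CC-00-00-01", "ip": "10.0.0.10", "name": "fs01"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.101", "name": "lt-alice"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.0.0.51", "name": "printer-2f"},
    {"mac": "de:ad:be:ef:00:01", "ip": "10.0.0.77", "name": "iphone"},
]

# Date the reconciliation is run (fixed so the sample output is reproducible).
REPORT_DATE = date(2024, 6, 1)


def reconcile(inventory: List[Asset], observed: List[Dict[str, str]], today: date,
              review_interval: timedelta = timedelta(days=182)) -> Dict[str, list]:
    """Compare the inventory with observed hosts and return actionable findings.

    The 182-day default interprets the safeguard's 'bi-annually' as every six
    months; that is an assumption of this example, adjust it to local policy.
    """
    by_mac = {normalize_mac(a.hardware_address): a for a in inventory}
    seen = set()
    findings: Dict[str, list] = {
        "unmanaged": [],         # on the network, no inventory record at all
        "unapproved": [],        # record exists but says "not approved to connect"
        "address_mismatch": [],  # static address on record differs from observed
        "stale": [],             # record not reviewed within review_interval
        "not_seen": [],          # inventoried but not observed on the network
    }
    for host in observed:
        mac = normalize_mac(host["mac"])
        seen.add(mac)
        asset = by_mac.get(mac)
        if asset is None:
            findings["unmanaged"].append(mac)
            continue
        if not asset.approved:
            findings["unapproved"].append(mac)
        if asset.network_address and asset.network_address != host["ip"]:
            mismatch: Tuple[str, str, str] = (mac, asset.network_address, host["ip"])
            findings["address_mismatch"].append(mismatch)
    cutoff = today - review_interval
    for mac, asset in by_mac.items():
        if asset.last_reviewed < cutoff:
            findings["stale"].append(mac)
        if mac not in seen:
            findings["not_seen"].append(mac)
    return findings


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, OBSERVED, REPORT_DATE).items():
        print(f"{category}: {items if items else 'none'}")
```

Run as a script it prints one line per finding category; the unmanaged phone and the unapproved printer are the “remove or remediate” cases Control 1 describes, while the stale, unseen NAS record is the kind of entry a bi-annual review exists to catch.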