What's Your Blast Radius?

By Steve Gold
Posted in Security
On April 18, 2023

Don’t know what a blast radius is? Well, let’s turn to our friend Wikipedia: “The distance from the source that will be affected when an explosion occurs. A blast radius is often associated with bombs, mines, explosive projectiles (propelled grenades), and other weapons with an explosive charge.”

From a security perspective, blast radius is used “to designate the impact that a security breach of one single component has on the overall environment. Reducing the blast radius of any component is a good security practice”.

So why am I telling you this? You need to know your blast radius. You can’t protect what you can’t see. I’m willing to bet there are things you can’t or don’t see. COVID changed how we work and amplified the challenge of users, apps, and data being more geographically dispersed. So, what should you see? Everything! Every account (service, privileged, corporate user, external partner/contractor/vendor), every network connected device (laptop, desktop, server, printer, IoT device), every file, every application, every cloud resource. EVERYTHING! If it connects to or lives on the network, it can be used against you.

When you’re attacked (and you will be if you haven’t already), having a full, accurate inventory helps in a number of ways:

  • Isolate the compromised devices from the rest
  • Identify where you need to start your recovery/remediation efforts
  • Understand what data/customers/vendors/users have been impacted for effective communications

There are a lot of benefits to understanding what you have and what can hurt you. Here’s the CIS definition of this Control/Safeguard:

CIS Control 1:

Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.

Implementation Group 1 - CIS Safeguard 1.1

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.
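As an added example (not part of the original post or of CIS's material), the Python below reconciles a Safeguard 1.1 style inventory against the hardware addresses a network scan reported, flagging unmanaged assets (seen but not inventoried), unauthorized assets (inventoried but not approved to connect) and records overdue for their bi-annual review. The inventory records and the scan results are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    """One inventory record carrying the fields Safeguard 1.1 asks for."""
    hw_addr: str                    # hardware (MAC) address, the stable key
    name: str                       # machine name
    owner: str                      # enterprise asset owner
    department: str
    approved: bool                  # approved to connect to the network?
    last_reviewed: date
    ip_addr: Optional[str] = None   # network address, recorded only if static


REVIEW_INTERVAL = timedelta(days=183)   # "bi-annually, or more frequently"


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form so inventory and scan output compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad hardware address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory, observed_macs, today):
    """Compare inventory against MACs seen on the network; return the three findings."""
    by_mac = {normalize_mac(a.hw_addr): a for a in inventory}
    seen = {normalize_mac(m) for m in observed_macs}
    unmanaged = sorted(seen - by_mac.keys())
    unauthorized = sorted(m for m in seen & by_mac.keys() if not by_mac[m].approved)
    stale = sorted(m for m, a in by_mac.items() if today - a.last_reviewed > REVIEW_INTERVAL)
    return {"unmanaged": unmanaged, "unauthorized": unauthorized, "stale": stale}


# Constructed sample data: a small inventory and the MACs a scan reported.
INVENTORY = [
    Asset("00:1A:2B:3C:4D:5E", "fileserver01", "J. Smith", "IT", True, date(2023, 1, 10), "10.0.0.5"),
    Asset("00-1a-2b-3c-4d-5f", "lobby-printer", "Facilities", "Ops", True, date(2022, 6, 1)),
    Asset("001a.2b3c.4d60", "contractor-laptop", "Vendor X", "Eng", False, date(2023, 3, 15)),
]
OBSERVED = ["00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:60", "de:ad:be:ef:00:01"]
TODAY = date(2023, 4, 18)


def sample_report():
    return reconcile(INVENTORY, OBSERVED, TODAY)


if __name__ == "__main__":
    for category, macs in sample_report().items():
        print(f"{category}: {macs}")
```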

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.