
Defenders think in lists. Attackers think in graphs - colinprince
http://blogs.technet.com/b/johnla/archive/2015/04/26/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win.aspx
======
jerf
The more I think about this, the less sense it makes. Defenders do not "think
in lists" as if the lists represent their network connectivity, defenders keep
lists because, like TODO lists, having a "list" of all their priorities helps
them enforce them. Odds are that in a competent organization, the list's
ordering will be based on the connectivity of the graph, with the critical
nodes coming first. Or, at the very least, everyone's going to know which
nodes are the critical ones, and given a power-scale graph distribution that's
the vast bulk of what there _is_ to know, because there are generally very few
critical nodes unless you've gone _way_ out of your way to somehow
super-decentralize your network.

Assuming basic competence (i.e., neither blithering ignorance nor any sort of
extreme skill), both sides are well aware that it's a graph. If the defenders
have a list, well, it's because they have responsibility over all the things
and the list is useful, because nobody is going to do something like "apply a
patch" based on literally doing a depth-first traversal of the graph or
something.

~~~
sukilot
IOW, the problem is a graph, and the solution is a list.

------
agnokapathetic
Another thing to keep in mind is that a lot of these lists are
compliance-driven.

    - Hosts which process credit cards (PCI)
    - Hosts which reconcile the general ledger (SOX)
    - Hosts with medical data (HIPAA)
    - Hosts with student data (FERPA)

The problem is that while the security of the enumerated hosts is taken quite
seriously, systems which have security trust relationships which grant access
to the enumerated hosts are not locked down.

    - PCI Payment Processing Application server: locked down.
    - CI system with deployment keys to said host: zero authentication.

~~~
emidln
If there was a PCI audit, that CI system would fall inside the audit's scope
and thus be held to the same rules as the app server.

------
saraid216
It's meaningless buzzword clickbait. You can't denigrate "list thinking" and
provide a 10-point list as your response and expect to be taken seriously.

The actual point Lambert seems to be making is, "Recognize the existence of
security dependencies between your assets." I wouldn't be terribly surprised
to learn that there are a number of security professionals who fail to do
this, but I'm not surprised to learn there are well-paid programmers who can't
do FizzBuzz either. It's not a useful thing to point out unless most of your
audience isn't already aware.

------
brians
I play defense. The system owners I work with have to manage many systems with
complex relationships. They keep a list, and report to management that they
have patched, say, 98% of machines against the latest vulnerability. Great!

The remaining 2% include the KDC, the build system, and the default shell
servers for dev and ops. To catch this slip-up, I have to understand the
dependencies that even the supervising managers don't. And I have to be able
to explain such to management. Every time.

I sympathize greatly with the point the author's making. Like him, I don't
have a fix in mind.
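
The "graph in, list out" idea from agnokapathetic's CI example and brians's
98%-patched KDC/build-server example, as an added illustration that is not
code from the thread or the linked article. It assumes a constructed trust
graph where an edge means "access to src yields access to dst" (deploy keys,
Kerberos tickets, shell accounts) and derives the defender's priority list
from it, so hosts that merely grant access to a compliance-scoped host land
on the list instead of in the unpatched 2%.

```python
# Added example: compute which hosts inherit compliance scope through trust
# edges, then order them into the list a defender would actually work from.
from collections import deque

# Constructed sample trust graph: src -> [dst, ...] ("access to src gives access to dst").
TRUST_EDGES = {
    "ci-server": ["pci-app"],                        # deployment keys to the PCI host
    "kdc": ["pci-app", "ledger-db", "ci-server"],    # issues tickets for everything
    "dev-shell": ["ci-server"],                      # developers push builds from here
    "ops-shell": ["kdc"],                            # admins manage the KDC from here
    "pci-app": [],
    "ledger-db": [],
    "wiki": [],                                      # trusts nothing, trusted by nothing
}

# What the compliance lists enumerate directly (constructed).
COMPLIANCE_SCOPE = {"pci-app": "PCI", "ledger-db": "SOX"}

def reverse_graph(edges):
    """Invert the edge map so we can walk from a target back to whoever reaches it."""
    rev = {n: [] for n in edges}
    for src, dsts in edges.items():
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    return rev

def upstream_of(edges, target):
    """All hosts that can reach `target` through one or more trust edges (BFS)."""
    rev = reverse_graph(edges)
    seen, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for src in rev.get(node, []):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen

def effective_scope(edges, scope):
    """Map each host to the set of regimes it is effectively in scope for."""
    eff = {}
    for host, regime in scope.items():
        for h in {host} | upstream_of(edges, host):
            eff.setdefault(h, set()).add(regime)
    return eff

def patch_priority(edges, scope):
    """The list: hosts ranked by how many compliance regimes they can reach into."""
    eff = effective_scope(edges, scope)
    ranked = sorted(eff, key=lambda h: (-len(eff[h]), h))
    return [(h, sorted(eff[h])) for h in ranked]
```

`patch_priority(TRUST_EDGES, COMPLIANCE_SCOPE)` puts the KDC and the ops shell
first, ahead of the PCI application itself, and leaves `wiki` off the list.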

------
lowrekey
relevant:
[http://lowrekey.github.io/fourd.js/](http://lowrekey.github.io/fourd.js/)

