Defenders think in lists. Attackers think in graphs (technet.com)
97 points by colinprince on April 26, 2015 | hide | past | favorite | 7 comments



The more I think about this, the less sense it makes. Defenders do not "think in lists" as if the lists represent their network connectivity, defenders keep lists because, like TODO lists, having a "list" of all their priorities helps them enforce them. Odds are that in a competent organization, the list's ordering will be based on the connectivity of the graph, with the critical nodes coming first. Or, at the very least, everyone's going to know which nodes are the critical ones, and given a power-scale graph distribution that's the vast bulk of what there is to know, because there are generally very few critical nodes unless you've gone way out of your way to somehow super-decentralize your network.

Assuming basic competence (i.e., neither blithering ignorance nor any sort of extreme skill), both sides are well aware that it's a graph. If the defenders have a list, well, it's because they have responsibility over all the things and the list is useful, because nobody is going to do something like "apply a patch" based on literally doing a depth-first traversal of the graph or something.


IOW, the problem is a graph, and the solution is a list.


Another thing to keep in mind is that a lot of these lists are compliance-driven.

   - Hosts which process credit cards (PCI)
   - Hosts which reconcile the general ledger (SOX)
   - Hosts with medical data (HIPAA)
   - Hosts with student data (FERPA)
The problem is that while the security of the enumerated hosts is taken quite seriously, systems which have security trust relationships which grant access to the enumerated hosts are not locked down.

   - PCI Payment Processing Application server: locked down.
   - CI system with deployment keys to said host: zero authentication.


If there was a PCI audit, that CI system would fall inside the audit's scope and thus be held to the same rules as the app server.


It's meaningless buzzword clickbait. You can't denigrate "list thinking" and provide a 10-point list as your response and expect to be taken seriously.

The actual point Lambert seems to be making is, "Recognize the existence of security dependencies between your assets." I wouldn't be terribly surprised to learn that there are a number of security professionals who fail to do this, but I'm not surprised to learn there are well-paid programmers who can't do FizzBuzz either. It's not a useful thing to point out unless most of your audience isn't already aware.


I play defense. The system owners I work with have to manage many systems with complex relationships. They keep a list, and report to management that they have patched, say, 98% of machines against the latest vulnerability. Great!

The remaining 2% include the KDC, the build system, and the default shell servers for dev and ops. To catch this slip-up, I have to understand the dependencies that even the supervising managers don't. And I have to be able to explain such to management. Every time.

I sympathize greatly with the point the author's making. Like him, I don't have a fix in mind.
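The two defender comments above (the CI server holding a deploy key to a PCI host, and the unpatched KDC and build system that the 98% figure hides) describe the same gap: a compliance list names hosts, but trust relationships make other hosts effectively part of that scope. The script below is an added illustration, not code from the thread; the host names, regimes and trust edges are constructed sample data, and it computes which unlisted hosts inherit scope by walking the trust graph backwards from each listed host.

```python
# Added illustration (not code from the thread): reverse reachability over a
# constructed trust graph shows which hosts inherit compliance scope.
from collections import deque

# Constructed inventory: host -> regimes it is listed under (empty = unlisted).
SCOPED = {
    "pci-app": {"PCI"},
    "ledger-db": {"SOX"},
    "ci-server": set(),
    "dev-shell": set(),
    "kdc": set(),
    "ops-laptop": set(),
}

# Constructed trust edges (source, target, mechanism): controlling `source`
# yields access on `target`.
TRUST_EDGES = [
    ("ci-server", "pci-app", "deploy key"),
    ("dev-shell", "ci-server", "shared ssh key"),
    ("kdc", "pci-app", "issues kerberos tickets"),
    ("kdc", "ledger-db", "issues kerberos tickets"),
    ("ops-laptop", "ledger-db", "admin credentials"),
]

def effective_scope(scoped, edges):
    """host -> regimes, where a host inherits every regime of any host it can
    reach through trust edges (BFS over the reversed graph from each scoped host)."""
    reverse = {}
    for src, dst, _ in edges:
        reverse.setdefault(dst, []).append(src)
    result = {h: set(r) for h, r in scoped.items()}
    for host, regimes in scoped.items():
        seen, queue = {host}, deque([host] if regimes else [])
        while queue:
            for pred in reverse.get(queue.popleft(), []):
                if pred not in seen:
                    seen.add(pred)
                    result.setdefault(pred, set()).update(regimes)
                    queue.append(pred)
    return result

def unlisted_but_in_scope(scoped, edges):
    """Hosts the compliance list omits but that inherit scope via trust."""
    eff = effective_scope(scoped, edges)
    return {h: sorted(r) for h, r in eff.items() if r and not scoped.get(h)}

if __name__ == "__main__":
    for host, regimes in sorted(unlisted_but_in_scope(SCOPED, TRUST_EDGES).items()):
        print(f"{host}: not on the list, but effectively in {', '.join(regimes)} scope")
```

Feeding the output back into the patch report is the point: a 98% figure that counts `kdc` or `ci-server` among the unpatched 2% is reporting a PCI- and SOX-relevant miss, not a low-priority straggler.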




