<div dir="ltr">I skim read the book and have some initial thoughts. For sake of this list, the TL;DR version of it is (in my poor paraphrasing):<div>Take network, plot a graph, give nodes score based on connectedness, estimated attacker value sort by PageRank which gives you the most nodes-at-risk which then suggests where to concentrate defence efforts. The Risk formula is adjusted as per the attached png. </div><div><br></div><div>I think this is an overall interesting approach and the authors consider multiple types of attackers - e.g. authorised users exceeding privileges and ghosts in the network, but I would find the application of this model in the Real World [tm] problematic for the following reasons:</div><div><br></div><div>* value of node for its owner vs value for an attacker differs depending on the type of attacker (I wish Authors would have used Intel's TARA); organisations find it problematic to put a value on the asset themselves.</div><div>* connectedness matters when you consider inbound connections, but (unless I misunderstood), it sort of makes endpoints either super-connected (each surf session to <a href="http://facebook.com">facebook.com</a> makes the node much, much more connected than anything else inside the network) or connected very little - perhaps only to nearest management system.</div><div>* the value of secrets on a system is quite important as an intermediary target, for example, a management system in a NOC which has all those RW SNMP strings is priceless and a big target and stepping stone.</div><div>* finally, I think not all nodes are made equal as they have different "hardness", e.g. something running an ERP probably is a softer target than a patched and locked down DC.</div><div><br></div><div>Regardless, I think this is a good foray into the topic and I wish authors luck in following revisions.</div><div><br></div><div><br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature">--<br>Konrads Smelkovs<br>Applied IT sorcery</div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br></blockquote></div><br></div></div>