so, you're on Krebs' RSA list?

There’s been a bit of panic since Brian Krebs published a list of businesses or their networks that had connections with servers believed to be involved in the attack for which RSA has already paid the price.

your name is on Krebs’ list

Your company’s name is on the list. Please doctor, is it serious? Do I need to jump on the first vendor that sticks his nose in our door, or listen to every security consultant who comes to comes to talk to us on how to fix this problem? No. In any case your network was breached a couple months ago, and worrying about it won’t help. The damage has been done.

In the list, you will find AS3215, the France Telecom Group’s public IP network, which is far-reaching and quite large. Within the France Telecom network you’ll find consumer Internet accesses, internal services platforms, infrastructure services, as well as dedicated corporate Internet accesses … you have everything you need for a seven-course meal, including aperitif, appetizer, entrée, cheese (yes, this is a French meal), dessert, coffee, petit-fours and digestive. The same goes for other providers. When it comes to this list, Krebs is rather “fuzzy” if not totally unclear.

denial as a defense

I understand that some companies will take the lead and deny any involvement. We’re in the reputation game. “No, it’s not true, it’s not me/us.” ”This doesn’t concern us.” “We did this on purpose so we could analyze the attack.” “The details they’ve provided are insufficient,” etc.
Those who work in communications will be able to make the most of their creative skills in this situation; the most incredible reasons and explanations will easily make do.

but, it’s the list itself – rather than the contents – that is the most interesting

In fact, it’s not which networks included in the list that are interesting (you can find all the major Internet players there…). What’s truly interesting is to explore the possibilities around the attacks. Were they all equally attacked? Was it their customers who were attacked? Did they deliberately allow themselves to be attacked in order to analyze and gather information about the attacker? It’s a mystery worthy of a gumshoe.

What’s truly interesting about this list is its scope: the fact that these attacks potentially affect a very large number of players from around the world.

a call to action

You have to get over the idea that "it only happens to others," or "I’m not an attractive enough target." The threat is global and it’s time to accept it. We are facing a "call to action" for which the leaders of corporations and governments need to give appropriate responses.

target or provider? The conclusion is the same.

On one hand, you’re the target, and as the target, you need to protect yourself from this growing threat.

On the other hand, it’s your clients who are the targets of these attacks. Thus, it makes sense that they expect, and even demand (implicitly or explicitly), that their provider do what it’s being paid to do. Their service provider is paid to protect them from these types of threats and attacks.

Let’s be direct: how many organizations can claim to be capable of protecting themselves from these types of attacks? If RSA wasn’t able to protect itself from this kind of attack (Advanced Persistent Threat, or APT), rare indeed is the organization that is immune from these types of attacks.

step on the gas!

This is a situation that needs to be followed. Perhaps we’ll know more in the weeks and months ahead. In any case, Krebs’ reputation is well established, so I suggest you seriously take into account the underlying messages of the list’s publication: the threat is global and affects almost everyone. It’s even more critical than ever to improve the security of our information systems and continue to boost the security services that providers and consultants offer organizations.