Airlines were grounded across the world on Friday, while hospitals were forced to cancel surgeries and medical appointments, and many retailers couldn’t process digital payments. It was all due to computers going offline – yet, it wasn’t due to a cyber attack.

Rather, the disruptions could be traced back to cybersecurity vendor CrowdStrike suffering a “minor” error in its software: a defective content update to its Falcon endpoint sensor for Windows caused machines that loaded it to crash, and many of them crashed again on every reboot. The problem was made worse because publishing a corrected update did not end it. A host stuck in a crash loop cannot download the fix, so each and every impacted computer had to be recovered by hand, typically by booting into safe mode or the recovery environment and removing the faulty file. It was a time-consuming process that nearly stopped the world, and it happened simply because a single CrowdStrike update didn’t behave as expected.

Even systems not running the company’s software were affected if they used any third-party service dependent on CrowdStrike. What is most ominous is that it wasn’t just airlines, hospitals, and grocery stores that were impacted.

“Overall, the outage had profound implications for national security and highlighted critical vulnerabilities in current cybersecurity practices,” said Rogier Fischer, CEO of Netherlands-based cybersecurity service Hadrian. “The need for diversified, robust, and resilient cybersecurity measures is evident to prevent such widespread disruptions in the future.”

The outage affected many sectors, such as healthcare, finance, and transportation, highlighting just how interconnected and vulnerable our systems are today.

“When 911 centers and emergency services went down in states like Alaska and Arizona, it made it harder to handle emergencies, putting public safety at risk,” Fischer told ClearanceJobs. “Also, grounding flights and halting public transportation in major areas like Washington, DC, and New York City caused massive logistical problems and security concerns. Federal agencies, including the FAA and DHS, had to step in to manage the crisis, showing just how serious the situation was.”

A Portent of Things to Come?

This outage, which fortunately has been mostly resolved, should serve as a portent of what can happen should a cyberattack strike one important software vendor. Past cyberattacks have typically hit a single company, as the Colonial Pipeline ransomware attack did.

A vendor whose agent runs with high privilege on the endpoints of thousands of organizations is a different kind of target. By compromising that one weak link in an ever more complex software supply chain, hackers could bring down many companies at once.

“This is a reflection of the criticality of our IT infrastructure and the importance of more and better planning and investing to ensure its resilience. The fact that a single release had this significant and lasting impact on thousands of organizations is a testament to the need to prioritize cyber security and resiliency,” Brett Hansen, chief growth officer at cybersecurity provider Cigent, told ClearanceJobs.

“Part of the modern vulnerability management process puts the pre-deployment testing of patches onto an internal team. What’s happened here is that CrowdStrike’s self-update was able to occur without those teams doing compatibility checking,” said Evan Dornbush, former NSA cybersecurity expert and co-founder and CEO of Points3 Security.

“I’ve been speaking with several CISOs and network administrators over the last several days, and for those who have long wanted to have serious conversations with boards about budget and approach, the hope is that this is a very good opportunity for those dialogues to be meaningful,” Dornbush told ClearanceJobs.
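As an added illustration of the control Dornbush describes above (this is example code written for this page, not CrowdStrike’s or any other vendor’s), the following Python models a ring-based rollout with a health gate: an update goes to a small canary ring first and is promoted to the next ring only while the ring just updated stays healthy. The hosts, ring sizes, version labels and the crash behaviour are all constructed for the example.

```python
"""Ring-based rollout with a health gate.

Added example, not CrowdStrike's or any vendor's code. Hosts, ring sizes and
the "does this update crash the host" behaviour are constructed inputs.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ring: int             # 0 = vendor canaries, 1 = customer pilot group, 2 = everyone else
    version: str = "old"  # constructed version labels
    healthy: bool = True


@dataclass
class RolloutResult:
    version: str
    halted: bool = False
    reason: str = ""
    ring_failure_rates: dict = field(default_factory=dict)


def build_fleet(ring_sizes):
    """Constructed fleet: ring_sizes[i] hosts in ring i, named r<ring>-h<n>."""
    return [Host(f"r{ring}-h{n}", ring)
            for ring, size in enumerate(ring_sizes) for n in range(size)]


def install(host, version, update_crashes):
    """Simulated sensor update. update_crashes(host) stands in for the host's
    post-update health signal (boot loop, crash dump, missed heartbeat)."""
    host.version = version
    host.healthy = not update_crashes(host)


def failure_rate(hosts, ring):
    """Fraction of hosts in `ring` that are unhealthy."""
    members = [h for h in hosts if h.ring == ring]
    if not members:
        return 0.0
    return sum(1 for h in members if not h.healthy) / len(members)


def staged_rollout(hosts, version, update_crashes, max_failure_rate=0.01):
    """Push `version` one ring at a time. The next ring is updated only if
    the ring just updated stays at or under max_failure_rate; otherwise the
    rollout halts and the remaining rings keep their current version."""
    result = RolloutResult(version)
    for ring in sorted({h.ring for h in hosts}):
        for h in hosts:
            if h.ring == ring:
                install(h, version, update_crashes)
        rate = failure_rate(hosts, ring)
        result.ring_failure_rates[ring] = rate
        if rate > max_failure_rate:
            result.halted = True
            result.reason = f"ring {ring}: {rate:.0%} of hosts failed after update"
            break
    return result


def blast_radius(hosts, version):
    """Number of hosts that received `version` and are no longer healthy."""
    return sum(1 for h in hosts if h.version == version and not h.healthy)


def crashes_every_host(host):
    """Constructed defect: the update crashes every host that loads it."""
    return True


if __name__ == "__main__":
    # Gated rollout: the canary ring absorbs the damage and the rest of the
    # fleet never receives the defective update.
    fleet = build_fleet([10, 100, 1000])
    res = staged_rollout(fleet, "v2", crashes_every_host)
    print(res.reason, "| unhealthy hosts:", blast_radius(fleet, "v2"))

    # Same defect pushed to every host in a single ring: nothing stops it.
    fleet = build_fleet([1110])
    res = staged_rollout(fleet, "v2", crashes_every_host)
    print(res.reason, "| unhealthy hosts:", blast_radius(fleet, "v2"))
```

The gate only works if the canary ring actually exercises the code path that an update touches and if the health signal arrives before promotion; a ring that reports nothing because its hosts are stuck in a boot loop should be treated as failed, not as silent.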

This incident also exposed the cost of relying on the outmoded detect-and-respond paradigm alone.

“While detection and response is necessary, the singular reliance on it requires more frequent updates on vulnerable endpoints that may have undesired effects,” suggested Hansen.

Strengthen Defenses While Understanding the Limitations

The CrowdStrike disruption also highlights the urgent need to reinforce security measures across the board, and it underscores that robust defenses must be paired with not being over-reliant on any one particular supplier.

“Competition is needed to drive excellence, and perhaps CrowdStrike has had too much success too quickly, and that results in complacency and lack of discipline in rolling out updates,” explained Ted Miracco of mobile cybersecurity provider Approov.

He described it as a self-inflicted wound that will hurt the entire cybersecurity community.

“The CrowdStrike incident suggests that over-dependence on one company’s solutions might lead to a single point of failure,” Miracco told ClearanceJobs. “A more diversified approach, incorporating multiple security vendors and technologies, can provide a more resilient defense against diverse attack vectors. This diversification is crucial in ensuring comprehensive protection and minimizing the risk of widespread breaches, but runs counter to most corporate procurement approaches that seek standardization on a single vendor, usually at the lowest price.”

Spotlight on FedRAMP Certification

This latest cybersecurity misstep may also put renewed focus on FedRAMP authorization, which holds cloud services used by federal agencies to a stricter standard than ordinary commercial offerings. While the authorization is harder and more costly to obtain, it does not make a service infallible.

“Even those ‘FedRAMP’ solutions could be one bad push away from a massive disruption event. These events should reinforce that good recovery and business continuity are as critical as a good cyber program,” noted Chris Bates, chief information security officer at cybersecurity vendor SandboxAQ.

“It is incumbent on the SaaS (software as a service) providers to be transparent about their security and quality assurance processes to build trust,” Bates told ClearanceJobs. “Any large SaaS service that runs at a privileged level is one bad push away from disrupting customers. This is just a fact of life and will happen again. What is more important is the transparency around the root cause of the issue and the corrective actions the vendors will take in processes and products to ensure the issue doesn’t happen again.”

The Fallout – Hackers’ Opportunity

The final fallout from the CrowdStrike disruption is that, although it was not a cyberattack, hackers can still exploit it in new social engineering campaigns, targeting organizations in every sector, including government agencies.

“Dozens of phishing websites popped up within hours of the crisis coming to light, to launch scams pretending to be ‘CrowdStrike Support’ or ‘Microsoft Backup,’ targeting those affected by the outage,” warned Fischer. “Relying too much on one cybersecurity firm can be risky, as this incident shows.”
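As an added example of how a defender can triage the lookalike domains Fischer describes (this is example code written for this page, not Hadrian’s or ClearanceJobs’ tooling), the following Python screens candidate hostnames, for instance from a newly-registered-domain feed or proxy logs, for impersonation of the brands the lures named. The brand list, the allowlist of legitimate registrable domains, the homoglyph map and every sample hostname are constructed for the example; the registrable-domain logic is a deliberate simplification noted in the code.

```python
"""Lookalike-domain triage for brand impersonation lures.

Added example, not Hadrian's or ClearanceJobs' tooling. Brands, allowlist,
confusable map and sample hostnames are constructed for illustration.
"""
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed brand table: brand keyword -> registrable domains it legitimately uses.
BRANDS = {
    "crowdstrike": {"crowdstrike.com"},
    "microsoft": {"microsoft.com"},
}

# Constructed confusables: ASCII digits/symbols and a few Cyrillic letters that
# render like Latin ones. Real deployments should use the Unicode confusables table.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i",
})


def to_unicode_host(hostname):
    """Decode punycode (xn--) labels so homoglyphs can be normalized."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname  # already Unicode, or not decodable: inspect as-is


def registrable_domain(hostname):
    """Simplification for the example: the last two labels. Production code
    should consult the public suffix list so e.g. example.co.uk is handled."""
    labels = to_unicode_host(hostname).lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize_label(label):
    """Fold case, compatibility forms, confusable glyphs and the rn/vv tricks."""
    label = unicodedata.normalize("NFKC", label).lower().translate(CONFUSABLES)
    return label.replace("rn", "m").replace("vv", "w")


def classify(hostname, brands=BRANDS, min_ratio=0.85):
    """Return (verdict, brand): allow | keyword | lookalike | none."""
    reg = registrable_domain(hostname)
    for brand, allowlist in brands.items():
        if reg in allowlist:
            return ("allow", brand)
    norm = normalize_label(reg.split(".")[0])
    for brand in brands:
        if brand in norm:                       # crowdstrike-support, cr0wdstrike-fix
            return ("keyword", brand)
    for brand in brands:                        # crowdstrlke: one glyph swapped
        if SequenceMatcher(None, brand, norm).ratio() >= min_ratio:
            return ("lookalike", brand)
    return ("none", None)


def hostname_from_url(url):
    """Hostname of a URL as seen in a lure or a proxy log."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def triage(urls):
    """Flag every URL whose host is a keyword or lookalike match."""
    hits = []
    for url in urls:
        verdict, brand = classify(hostname_from_url(url))
        if verdict in ("keyword", "lookalike"):
            hits.append((hostname_from_url(url), verdict, brand))
    return hits


# Constructed sample lures and legitimate traffic for a quick run.
SAMPLE_URLS = [
    "https://falcon.crowdstrike.com/login",
    "https://crowdstrike-support.com/bsod-fix.exe",
    "http://cr0wdstrike-bsod-fix.net/",
    "https://crowdstrlke.com/recovery",
    "https://microsoft-backup.co/restore",
    "https://example.org/",
]

if __name__ == "__main__":
    for host, verdict, brand in triage(SAMPLE_URLS):
        print(f"{verdict:9} {brand:12} {host}")
```

The allowlist is the part that needs curation: any legitimate brand domain not listed there (regional sites, CDN hostnames) will be flagged as a keyword hit, which is the safe direction for a triage queue but noisy for automated blocking.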


Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.