CrowdStrike, Failings of a Cyber Security Titan

Anatomy of a Trusted Tech Supplier’s Failure

CrowdStrike achieved infamy over the last few days, as it went in one instant from being a company that supplies technologies and services to protect companies from cybersecurity threats to being directly responsible for a massive global tech outage that impacted major banks, hospitals, supermarkets, telcos, media companies and other large enterprises and forced airlines to ground flights.

This highlights once again the issue of supplier risk, and the impact on companies when this goes wrong. Cyber Security’s core objective is to protect the Confidentiality Integrity and Availability of information and systems, and so although this is not being attributed to a cyber security attack it is definitely a cyber security incident.

What went wrong?

CrowdStrike has communicated that a sensor configuration update to Windows systems triggered a logic error resulting in a system crash and ‘blue screen of death’ (BSOD) on impacted systems. This update had been intended to allow CrowdStrike’s Falcon sensors running on endpoints to target newly observed, malicious named pipes being used in cyberattacks (pipes are part of the Windows Operating System and help communication between processes, and a named pipe is a mechanism used to transfer data between unrelated processes, and between processes on different computers). It only impacted Windows environments and Mac and Linux hosts were not impacted.

As the update caused computer endpoints to crash with the Blue Screen of Death, they cannot be updated remotely and this problem must be solved manually, endpoint by endpoint. This is a process which will take several days.

While the overall percentage of businesses was small and the number of affected endpoints was relatively low at 8.5 million, which is less than 1% of all Windows machines, as CrowdStrike is used by enterprises that run many critical services, the economic and societal impact was significant. It is ironic that CrowdStrike’s purpose is to protect organisations from, not cause, chaos in their operations and systems.

Expected impact

The Australian Securities and Investments Commission (ASIC) has repeatedly highlighted third-party suppliers as a strategic risk. This incident underscores the importance of this warning, emphasising that even non-malicious errors from cybersecurity vendors can have significant consequences. Normally this is referred to in the context of a Cyber Security attack or incident affecting personal information, however, although in this case there was no malicious threat actor and there has been no unauthorised access to personal information, this should be considered a Cyber Security incident for a number of reasons:

1. The incident arose due to an error from a cyber security vendor seeking to update cyber security systems.
2. The incident impacted “Availability”, one of the key pillars of Cyber Security, which at a basic level means that resources providing information and systems are accessible to authorised users when requested or needed.
3. It has highlighted Nation-State actors engaged in cyber espionage, disruption and warfare as another means of attacking systems and critical infrastructure. As discussed in a previous blog, Australia is thought to face government or government-sponsored cyber threats from Russia, China, North Korea and Iran. Cyber-criminal organisations will also have to take note.

Wake-Up Call for Robust Contingencies

Will this event serve as a wake-up call for more robust contingencies arising from third-party supplier risk and its impact on cyber security specifically and operational continuity more generally? This incident is a stark reminder that no significant organisation is safe from the impact of technology failure, whether due to a cyber security threat actor, human error or third-party suppliers. Organisations should ensure that when developing and considering contingencies, they take into consideration that even if a supplier is a large and sophisticated technology company, they still need to understand and plan for the potential impact if they fail. If this incident had been caused by a cyber security attack, it would be further complicated by uncertainty around the cause and extent of the attack and this would automatically lead to a longer and more complex recovery process.

Incident Response

CyBiz works with Sygnia, the foremost global cyber readiness and response team, to support Australian and New Zealand organisations prepare for or responding to significant cyber security incidents.

Contact CyBiz for more information about our Cyber Security Incident Response services.