Featured Article : CrowdStrike : What Happened?

Following 8.5 million Microsoft devices being hit by a faulty software update from CrowdStrike causing global chaos, we look at what happened, how, and why.

The Worst Cyber Event In History 

The scale of the disruption caused makes this event, which began on 18 July (according to Microsoft) or 19 July (according to CrowdStrike), the worst cyber event in history, beating the WannaCry cyber-attack of 2017, in which 300,000 computers in 150 countries were affected.

Who Are CrowdStrike? 

Texas-based cybersecurity technology company, CrowdStrike, formed in 2011, provides an AI and machine learning powered, cloud-based enterprise endpoint protection platform (intelligent real-time antivirus) called Falcon which is used by a wide range of businesses and organisations.

What Caused The Problems? 

The Falcon sensor receives regular software updates as part of its protection mechanisms. The update that caused the outage was described by CrowdStrike as a “sensor configuration update to Windows systems”. This faulty update triggered a logic error that resulted in a system crash and blue screen (the ‘Blue Screen Of Death’, BSOD) on impacted systems: computers running Microsoft operating systems together with CrowdStrike’s Falcon platform (Falcon sensor for Windows version 7.11 and above) were completely disabled.

The ‘sensor’ is a software agent installed on endpoint devices (such as Windows systems).
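The article describes a faulty configuration update triggering a logic error in the sensor and taking the whole system down with it. As an added illustration (not CrowdStrike’s code, and not a claim about what the actual defect was), the following constructed Python example shows the general pattern that stops a bad update from crashing the component that consumes it: validate the update against the agent’s expectations before anything acts on it, and keep the last known-good configuration when validation fails. The rule layout (four fields: name, pattern, severity, action), the version check, the sample updates and the naive loader shown beside the fail-safe one are all assumptions made for this example.

```python
"""Fail-safe handling of a configuration update in a protection agent.

Constructed example for illustration only: not CrowdStrike's code and not a
description of the actual defect. The agent receives configuration updates
as a list of rules; every rule is assumed to have exactly EXPECTED_FIELDS
fields (name, pattern, severity, action). A naive loader trusts the update
and raises on a malformed rule; the fail-safe loader validates first and
keeps the last known-good configuration when validation fails.
"""
from dataclasses import dataclass
from typing import Optional

EXPECTED_FIELDS = 4           # assumed rule layout: name, pattern, severity, action
VALID_ACTIONS = {"alert", "block"}


@dataclass(frozen=True)
class Config:
    version: int
    rules: tuple


class UpdateRejected(Exception):
    """Raised when an update does not match the agent's expectations."""


def naive_load(update: dict) -> Config:
    """Trusting loader: unpacks each rule without checking its shape.

    A rule with the wrong number of fields raises ValueError here; in a
    component with no recovery path, that is the kind of failure that takes
    the host down with it.
    """
    rules = []
    for name, pattern, severity, action in update["rules"]:
        rules.append((name, pattern, severity, action))
    return Config(version=update["version"], rules=tuple(rules))


def validate_update(update: dict) -> Config:
    """Check structure and value ranges before anything acts on the update."""
    if not isinstance(update, dict):
        raise UpdateRejected("update is not an object")
    version = update.get("version")
    if not isinstance(version, int) or version < 0:
        raise UpdateRejected("missing or invalid version")
    rules = update.get("rules")
    if not isinstance(rules, list):
        raise UpdateRejected("rules missing or not a list")
    checked = []
    for i, rule in enumerate(rules):
        if not isinstance(rule, (list, tuple)) or len(rule) != EXPECTED_FIELDS:
            raise UpdateRejected(f"rule {i}: expected {EXPECTED_FIELDS} fields")
        name, pattern, severity, action = rule
        if not isinstance(name, str) or not isinstance(pattern, str) or not pattern:
            raise UpdateRejected(f"rule {i}: name and pattern must be non-empty strings")
        if not isinstance(severity, int) or not 0 <= severity <= 10:
            raise UpdateRejected(f"rule {i}: severity out of range")
        if action not in VALID_ACTIONS:
            raise UpdateRejected(f"rule {i}: unknown action {action!r}")
        checked.append((name, pattern, severity, action))
    return Config(version=version, rules=tuple(checked))


class Agent:
    """Holds the active configuration and only ever swaps in a validated one."""

    def __init__(self, initial: Config):
        self.active = initial
        self.last_error: Optional[str] = None

    def apply_update(self, update: dict) -> bool:
        """Return True if the update was applied; on any problem keep the old config."""
        try:
            candidate = validate_update(update)
        except UpdateRejected as exc:
            self.last_error = str(exc)       # report the problem, do not crash
            return False
        if candidate.version <= self.active.version:
            self.last_error = "stale update (version not newer than active)"
            return False
        self.active = candidate
        self.last_error = None
        return True


def naive_load_crashes(update: dict) -> bool:
    """True if the trusting loader would have raised on this update."""
    try:
        naive_load(update)
    except (ValueError, TypeError, KeyError):
        return True
    return False


# Constructed sample updates (not real content)
GOOD_UPDATE = {"version": 2, "rules": [["susp-proc", "evil.exe", 8, "block"]]}
BAD_UPDATE = {"version": 3, "rules": [["broken-rule", "x"]]}   # too few fields

if __name__ == "__main__":
    agent = Agent(Config(version=1, rules=()))
    print("good applied:", agent.apply_update(GOOD_UPDATE), "active version", agent.active.version)
    print("bad applied:", agent.apply_update(BAD_UPDATE), "error:", agent.last_error)
    print("naive loader crashes on bad update:", naive_load_crashes(BAD_UPDATE))
```

The point of the design is that the only path by which a new configuration becomes active runs through `validate_update`, so a malformed update is reported and ignored while the agent keeps protecting the host with the previous configuration.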

Only Windows Affected 

The faulty software update only impacted Microsoft systems because the Falcon sensor update was designed specifically for the Windows operating system, and the logic error that triggered the system crashes and blue screens (BSOD) was tied to a component or function unique to Windows environments.

Enormous Impact 

The faulty CrowdStrike software update caused major disruptions across a wide variety of industries globally, which included:

Airlines

Airlines experienced severe operational disruptions, with thousands of flights cancelled or grounded, causing delays and passenger queues at major airports such as the UK’s Stansted and Gatwick, Berlin’s BER and Newark International. Passengers faced long waits while the airlines struggled to manage schedules and customer service due to the system failures. Customers (many of whom only learned of the cancellation of their flight when they arrived at the airport) suffered delays, as well as the stress, disruption, and expense of having to find later alternative flights and routes, book hotels overnight, and pay more for overdue car parking back at home.

Healthcare 

Hospitals and healthcare systems were notably impacted, with some facilities facing delays in clinical procedures and disruptions to medical technology and communications. Many hospitals were forced to restore systems manually and invoke downtime procedures, which affected patient care and led to the cancellation of some clinical services. Even pharmacies have been affected, with customers unable to get their prescriptions.

Financial Services 

Many banks and financial institutions encountered issues processing transactions, leading to service interruptions. The outage affected ATMs and online banking services, causing inconvenience to customers and operational delays.

Media and Broadcasting

Broadcasters such as Sky News experienced temporary outages, affecting their ability to deliver news and updates to the public, thereby highlighting the apparent reliance of media companies on cybersecurity and IT infrastructure to maintain continuous service.

Emergency Services 

Emergency call centres also faced operational challenges, which impaired their ability to respond promptly, delaying emergency response times and raising significant public safety concerns.

Retail 

Retailers also had difficulties, particularly in their point-of-sale systems and online platforms. This disruption led to transaction delays and affected inventory management, impacting both in-store and online sales.

Fix Issued 

CrowdStrike says it has issued a fix, although applying it may itself be time-consuming and disruptive because the fix has to be applied to each affected device separately and requires a manual reboot into safe mode, creating considerable work and issues for IT departments everywhere.

Ongoing 

At the time of writing, the many effects are ongoing and are expected to last around one week.

Not A Cyber Attack, But Cyber Attack Risk Now Increased 

Although CrowdStrike Founder and CEO, George Kurtz, stressed in a statement that the outage was “not a cyberattack”, there are warnings that scams and cyberattacks should now be expected, e.g. cyber attackers setting up phishing websites and running scams under the guise of offering help / fixes for those affected. Secureworks, for example, has reported a spike in CrowdStrike-themed domain registrations (a sign of potential phishing websites being set up), and there have been reports of emails being circulated by scammers claiming to be ‘CrowdStrike Support’ or ‘CrowdStrike Security’. The advice, therefore, is for those affected to only use CrowdStrike’s website to source information and help.
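The signal Secureworks describes, a spike in CrowdStrike-themed domain registrations, is something a security team can watch for itself. As an added example, not Secureworks’ or CrowdStrike’s tooling, the following Python flags brand-themed and lookalike names in a feed of newly registered domains and counts them per day so that a spike stands out. The feed, the allow list of genuine domains, the homoglyph table and the edit-distance threshold are all assumptions constructed for this example.

```python
"""Flagging brand-themed and lookalike domains in a registration feed.

Constructed example (not Secureworks' or CrowdStrike's tooling). A list of
(date, domain) pairs stands in for newly registered domains. A domain is
flagged when any label left of the TLD contains the brand name once common
digit-for-letter substitutions and separators are normalised, or when a
hyphen-separated token is within a small edit distance of the brand. The
brand's own domains are allow-listed so genuine registrations are not
counted. Daily counts of flagged domains make a spike visible.
"""
from collections import Counter
from typing import Optional

BRAND = "crowdstrike"
ALLOWED_DOMAINS = {"crowdstrike.com"}     # assumed allow list for the example
MAX_DISTANCE = 2                          # edit-distance threshold for lookalikes
# Digit/symbol substitutions commonly used in lookalike names (assumed table)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(text: str) -> str:
    """Lower-case, undo digit-for-letter substitutions, drop non-letters."""
    text = text.lower().translate(HOMOGLYPHS)
    return "".join(ch for ch in text if "a" <= ch <= "z")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def is_allowed(domain: str) -> bool:
    """True for the brand's own domains and their subdomains."""
    domain = domain.lower().rstrip(".")
    return any(domain == a or domain.endswith("." + a) for a in ALLOWED_DOMAINS)


def classify(domain: str) -> Optional[str]:
    """Return 'contains-brand', 'lookalike' or None for a benign/allow-listed name."""
    if is_allowed(domain):
        return None
    labels = domain.lower().rstrip(".").split(".")[:-1]   # everything left of the TLD
    for label in labels:
        if BRAND in normalise(label):
            return "contains-brand"
    for label in labels:
        for token in label.split("-"):
            norm = normalise(token)
            if norm and levenshtein(norm, BRAND) <= MAX_DISTANCE:
                return "lookalike"
    return None


def flag_domains(feed):
    """Return (date, domain, verdict) for every flagged entry in the feed."""
    flagged = []
    for date, domain in feed:
        verdict = classify(domain)
        if verdict:
            flagged.append((date, domain, verdict))
    return flagged


def daily_counts(feed) -> Counter:
    """Number of flagged registrations per day; a jump here is the 'spike'."""
    return Counter(date for date, _, _ in flag_domains(feed))


# Constructed registration feed (not real data)
SAMPLE_FEED = [
    ("2024-07-17", "example.org"),
    ("2024-07-17", "shop-deals.net"),
    ("2024-07-19", "crowdstrike-fix.com"),
    ("2024-07-19", "crowdstrikebsod-help.net"),
    ("2024-07-19", "cr0wd5trike-support.com"),
    ("2024-07-19", "crowdstrlke.com"),
    ("2024-07-19", "crowd-strike-help.com"),
    ("2024-07-19", "crowdstrike.com"),            # genuine, allow-listed
    ("2024-07-19", "microsoft-update-help.com"),
    ("2024-07-20", "crowdstike-recovery.co.uk"),
]

if __name__ == "__main__":
    for entry in flag_domains(SAMPLE_FEED):
        print(entry)
    print(dict(daily_counts(SAMPLE_FEED)))
```

In practice the feed would come from a certificate-transparency or new-domain monitoring source, and flagged names would be routed to mail and web filtering rather than printed; the per-day count is what turns individual hits into the spike the article refers to.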

Although not directly related, on the theme of online security and issues relating to antivirus software, Russian security company Kaspersky has just announced that it will be exiting the US market and consequently will be cutting staff ahead of a government-imposed sales ban. Kaspersky reports: “Starting from July 20, 2024, Kaspersky will gradually wind down its US operations and eliminate US-based positions” and that “The decision and process follows the Final Determination by the US Department of Commerce, prohibiting the sales and distribution of Kaspersky products in the US”.

Sorry! 

Following the CrowdStrike issue, the company’s CEO, George Kurtz, has issued an apology, saying: “I want to sincerely apologise directly to all of you for the outage. All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority”. 

What Does This Mean For Your Business?

The catastrophic event involving CrowdStrike’s faulty software update serves as a stark reminder of the vulnerabilities that can arise from our reliance on advanced cybersecurity solutions. For businesses, this incident is a reminder of the critical importance of rigorous testing and validation processes for all software updates. It also highlights the need for robust contingency plans to ensure operational continuity in the face of unexpected system failures.

The extensive disruption across various industries, from airlines to healthcare, illustrates the interconnected nature of modern business operations and the potential widespread impact of a single point of failure. Companies must therefore try to prioritise not only their own cybersecurity measures but also closely scrutinise and manage the cybersecurity protocols of their service providers and partners.

The legal and financial ramifications of such events also can’t be ignored. The anticipated lawsuits and claims for damages resulting from operational disruptions and customer inconvenience could set significant precedents, influencing future legal standards and liability expectations in the cybersecurity sector. This legal landscape will likely demand that businesses enhance their insurance coverage and legal strategies to mitigate potential risks.

Also, the warning from CrowdStrike about the increased risk of cyber-attacks in the wake of this incident should prompt businesses to heighten their vigilance against phishing and other cyber threats. The surge in CrowdStrike-themed phishing websites shows the cruel and opportunistic nature of cybercriminals, and businesses should now ensure their employees are well-informed and equipped to recognise and respond to these threats.

While the disruption caused by CrowdStrike’s software update was not a cyber-attack, it has nonetheless amplified the need for businesses to adopt comprehensive cybersecurity strategies. This could include, for example, maintaining up-to-date security protocols, preparing for swift crisis management, and fostering a culture of continuous improvement in cybersecurity practices. Businesses that learn from this incident and proactively strengthen their cybersecurity frameworks will be better positioned to navigate the complexities of the digital age and safeguard their operations against future disruptions.