If you work in the IT organization of a company that uses CrowdStrike to protect its Windows computers, you likely spent your whole Friday (and possibly the weekend) trying to revert a bad update that crashed those machines.

Early that morning, CrowdStrike pushed an update to Windows machines that triggered a logic error in its sensor, crashing the device with the Blue Screen of Death (BSOD). CrowdStrike pulled the update fairly quickly, but because affected machines crashed during boot, before a corrected update could reach them, each one had to be repaired by hand: booting into Safe Mode (or the Windows Recovery Environment) and deleting the faulty file the update had delivered.
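The by-hand repair described above, scripted in PowerShell as an added example (this is not code from the article or from CrowdStrike). The sensor directory and the file-name pattern are assumptions taken from the vendor's published remediation guidance at the time; confirm them against current vendor guidance before running this on anything, and run it from an elevated Safe Mode prompt.

```powershell
# Added example: the Safe Mode repair step from the article, scripted.
# ASSUMPTIONS (verify against current vendor guidance before use): the sensor
# directory and the file-name pattern below are the ones CrowdStrike's
# published remediation guidance named at the time of the incident.
$CsDriverDir    = 'C:\Windows\System32\drivers\CrowdStrike'
$BadFilePattern = 'C-00000291*.sys'

function Get-BadChannelFile {
    param([string]$Dir = $CsDriverDir, [string]$Pattern = $BadFilePattern)
    if (-not (Test-Path -LiteralPath $Dir)) {
        Write-Warning "Sensor directory not found: $Dir (is the sensor installed?)"
        return @()
    }
    # -File excludes directories; only the matching channel file(s) come back.
    @(Get-ChildItem -LiteralPath $Dir -Filter $Pattern -File -ErrorAction Stop)
}

function Remove-BadChannelFile {
    # SupportsShouldProcess gives the function -WhatIf/-Confirm, so it can be
    # dry-run before it touches anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Dir = $CsDriverDir, [string]$Pattern = $BadFilePattern)

    $files = @(Get-BadChannelFile -Dir $Dir -Pattern $Pattern)
    if ($files.Count -eq 0) {
        Write-Host "No file matching '$Pattern' in $Dir; nothing to do."
        return
    }
    foreach ($f in $files) {
        # Record name, size, timestamp and hash first so the deletion is
        # auditable and the file can be matched against the vendor advisory.
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Write-Host ("{0}: {1} bytes, modified {2:u}, SHA256 {3}" -f `
            $f.Name, $f.Length, $f.LastWriteTimeUtc, $hash)
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete faulty channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force
            Write-Host "Deleted $($f.FullName)"
        }
    }
}

# Dry run first (prints "What if: ..." and changes nothing), then for real.
Remove-BadChannelFile -WhatIf
Remove-BadChannelFile
```

Two practical caveats: a machine whose system drive is BitLocker-encrypted will ask for its recovery key before Safe Mode or the recovery environment will let you at the file system, so have the keys to hand before starting; and the dry run is there so that, on a fleet, you can confirm the pattern matches exactly one file per host before anything is deleted.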

Paul Davis, field CISO at JFrog, said this incident serves as a reminder to always “be prepared for the unexpected and have an incident plan for those surprise events. There is no such thing as perfect software. After all, software is built by humans and to err is human. It’s how quickly you identify and recover from the problem that matters most.”

According to Josh Aaron, CEO of Aiden Technologies, there are several preventative measures that companies can take to minimize the impact of issues when they do occur. 

IT teams should regularly maintain and monitor all of their endpoints, use automation to handle updates and patches to cut down on the risk of human error, develop and regularly update disaster recovery plans, and invest in training and communication to improve the response when accidents do happen, he said.

“This incident should serve as a wake-up call for organizations worldwide to reassess their IT resilience and disaster recovery strategies,” he said. “It’s always after the fire that we think about installing sprinklers, but proactive measures can prevent such disruptions.”

Another preventative measure is to think harder about whether software of this kind belongs on a machine at all. Endpoint protection agents require very broad permissions when you install them: the sensor runs as a kernel driver, which is why a defect in it, or in content it loads, can take down the whole operating system rather than just the agent.

Dr. Justin Cappos, professor of computer science and engineering at NYU, says that companies should be a bit more selective about the machines on which highly permissioned software is installed. For instance, if you have an end user machine where you’re not doing super sensitive work or it’s not so crucial if you lose the information on the machine, then endpoint monitoring might not be necessary. 

According to Cappos, end user Linux or Mac machines probably don’t need that type of software running on them anyway because viruses are not often written for non-Windows systems; attackers are usually targeting Windows because of how widely used it is across the enterprise. 

“I think that people see the benefit, and they’re kind of missing the risk that’s involved here,” he said. “And I think that the benefits tend to be fairly minor, and the risks outweigh them in many cases.”

He explained that a lot of the monitoring that anti-virus software does can be accomplished by monitoring the network instead.

“And if that goes down or has problems, you just turn that off separately,” he said. “In general, in the network IT community, we’re all pretty familiar with how to deal with those types of issues. But when you’re giving some random vendor a chance to push code that’s going to Blue Screen of Death every end user device and you’ll never even know the update is coming, that’s pretty risky.”

He says that for low-risk machines, it’s probably better to do network monitoring versus adding software to every device that may behave in ways that cause problems in the future. For higher risk machines that are storing sensitive information, there might be a stronger case for wanting to lock that down. 

Be wary of CrowdStrike-related phishing scams

IT teams need to also be aware that when big events like this happen, bad actors will try to take advantage. Already there have been reports of phishing attempts from attackers pretending to be CrowdStrike support. 

“This type of attack is not new; hackers consistently exploit current events and trusted brands to dupe unsuspecting users. It is crucial to be extremely vigilant about the links you click on,” said Jason Kent, hacker in residence at Cequence.

End users should inspect their links carefully and ensure that the host the link actually points to is “crowdstrike.com” (or a subdomain of it), not some subtle variation that looks similar. “Hovering over links to preview their destination and looking for minor discrepancies in URLs can prevent many security breaches,” he said.
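The "is it really crowdstrike.com?" check, as an added PowerShell example (not from the article or from Cequence). It shows the four discrepancies that survive a casual hover: the trusted name appearing as a subdomain of someone else's domain, a one-character substitution, a non-ASCII homoglyph, and the `user@host` trick where the real host comes after the `@`. The trusted domain and every sample URL are constructed for illustration.

```powershell
# Added example (not from the article): decide whether a link's host really is
# the trusted domain, and flag the usual lookalike tricks. All URLs below are
# constructed for illustration; none is a real phishing link.
function Get-EditDistance {
    # Levenshtein distance between two short strings (single-row DP).
    param([string]$A, [string]$B)
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = @($i) + @(0) * $B.Length
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -ceq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1),
                                   $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Test-TrustedLink {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string]$TrustedDomain = 'crowdstrike.com'
    )
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Url = $Url; Host = ''; Verdict = 'UNPARSEABLE' }
    }
    # Uri.Host is what the browser actually connects to; anything before '@'
    # lands in UserInfo, which is the classic "crowdstrike.com@evil" trick.
    $hostName = $uri.Host.ToLowerInvariant().TrimEnd('.')
    $brand    = $TrustedDomain.Split('.')[0]                 # 'crowdstrike'
    $trusted  = ($hostName -eq $TrustedDomain) -or $hostName.EndsWith('.' + $TrustedDomain)
    # Lookalike: any host label that contains the brand or is within two edits of it.
    $lookalike = [bool]($hostName.Split('.') | Where-Object {
        $_ -like "*$brand*" -or (Get-EditDistance -A $_ -B $brand) -le 2 })
    # Non-ASCII label, or its punycode form, means a homoglyph may be in play.
    $homoglyph = ($hostName -match '[^\x00-\x7F]') -or ($uri.DnsSafeHost -match '(^|\.)xn--')

    $verdict = if ($uri.Scheme -notin @('http', 'https'))   { 'NON-WEB SCHEME' }
               elseif ($uri.UserInfo)                        { "USERINFO TRICK: real host is $hostName" }
               elseif ($homoglyph)                           { 'NON-ASCII HOST (homoglyph risk)' }
               elseif ($trusted -and $uri.Scheme -eq 'https') { 'trusted' }
               elseif ($trusted)                             { 'trusted host, but plain HTTP' }
               elseif ($lookalike)                           { "LOOKALIKE of $TrustedDomain" }
               else                                          { 'untrusted (unrelated domain)' }

    [pscustomobject]@{ Url = $Url; Host = $hostName; Verdict = $verdict }
}

# Constructed sample links, one per trick the function is meant to catch.
$samples = @(
    'https://www.crowdstrike.com/blog/',                 # genuine subdomain
    'https://crowdstrike.com.example-support.net/fix',   # brand used as a subdomain
    'https://crowdstr1ke.com/hotfix',                    # one-character substitution
    "https://crowdstr$([char]0x0131)ke.com/",            # dotless-i homoglyph
    'https://crowdstrike.com@203.0.113.5/update',        # userinfo trick
    'http://example.org/'                                # unrelated domain
)
$samples | ForEach-Object { Test-TrustedLink -Url $_ } | Format-Table -AutoSize -Wrap
```

The ordering of the verdicts matters: the userinfo and homoglyph checks run before the "trusted" test, because a host that merely ends in `.crowdstrike.com` after lowercasing can still hide a non-ASCII character in an earlier label. The edit-distance threshold of two is a judgement call for an eleven-letter brand; for short brand names it should be lowered or the check will flag unrelated labels.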

He says to be especially wary of links that claim to be coming from well-known firms or that are trying to prompt users into a specific action. 

“Enterprises must prioritize training their employees to recognize and avoid such threats,” he said. “Implementing regular awareness programs and phishing simulations can help users identify fake brand representations and understand the dangers of clicking on suspicious links. By fostering a culture of cybersecurity awareness, organizations can mitigate the risks posed by these sophisticated scams and safeguard their digital assets.”

George Kurtz, CEO of CrowdStrike, wrote in a blog post that the company's blog and technical support are the official channels for updates on the incident. “We know that adversaries and bad actors will try to exploit events like this. I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives,” he wrote.
