CrowdStrike Holdings, Inc. is an American cybersecurity technology company based in Austin, Texas. It provides cloud workload protection and endpoint security, threat intelligence, and cyberattack response services. CrowdStrike collaborates with companies like Microsoft to deploy tools such as Falcon to protect against hacking and security threats.
On Friday, July 19, 2024, CrowdStrike released a configuration update for its Falcon Sensor software, installed on Windows PCs to detect intrusions and hacking attempts. While the update was intended to bring minor improvements that customers would have barely noticed, it instead caused significant problems due to a logic error in the update software. Many computers running CrowdStrike services faced repeated reboots and the notorious Blue Screen of Death.
Impact of the Incident
The CrowdStrike update incident had a profound impact, affecting nearly 8.5 million Microsoft devices across various user groups.
The incident caused a significant IT outage that reverberated globally. Critical systems faced disruptions, leading to widespread consequences. Downtime from the outage led to significant financial losses due to halted operations, lost productivity, potential fines, and costs related to breach mitigation. According to Parametric Impact Analysis, Fortune 500 companies lost $5.4 billion in the outage (Parametrix, 2024).
In addition, trust in CrowdStrike’s reliability was undermined, affecting both the organization’s reputation and client confidence. CrowdStrike, the security company responsible for the update, experienced a sharp decline in its stock value. Shares plummeted by nearly 13% during premarket trading on Friday (McKenna, 2024).
Mac and Linux systems did not receive the update and, therefore, are not experiencing these issues.
What Affected Organizations Could Have Done Better
This incident underscores the necessity for effective patch management, incident management, and robust business continuity strategies to ensure that organizations are able to restore normal operations after an incident.
Affected organizations that faced restoration challenges struggled due to several key factors:
1. Poor Patch Management Practices
In the CrowdStrike incident, poor patch management practices played a critical role in facilitating the breach. Testing patches in a controlled environment before deployment is crucial to ensure that they do not introduce new issues and are, hence, critical.
2. Inadequate Incident Response Plan
Without a well-defined incident response plan, organizations had delayed and uncoordinated responses, exacerbating the disruption.
3. Insufficient BC/DR Preparedness
The absence of effective Business Continuity and Disaster Recovery (BC/DR) measures led to prolonged downtime and operational losses.
4. Untrained Staff
- Lack of Training and Awareness: Inadequate training in incident response resulted in an ineffective response and exacerbated the outage’s impact.
- Inability to Implement Mitigation Strategies: Untrained staff struggled to implement effective mitigation strategies, including system isolation and communication.
What Organizations Can Do to Prevent Similar Incidents
Preparedness and training are key. Blue team training programs such as the Certified Network Defender (C|ND), EC-Council Certified Incident Handler (E|CIH), and EC-Council Disaster Recovery Professional (E|DRP) can help organizations maintain better incident preparedness and manage the technical, administrative, and human aspects of handling such disasters.
1. Effective Patch Management
Effective patch management is a critical aspect of maintaining the security and operational continuity of any IT infrastructure. It involves the timely testing and deployment of updates and patches to software and systems to address vulnerabilities, improve performance, and enhance functionality. The workforce must be trained with comprehensive defensive training programs, such as the C|ND, which equip participants with patch management best practices, helping organizations mitigate security risks, avoid downtime, and ensure compliance with industry regulations.
2. Comprehensive Incident Handling and Response
Organizations must develop structured response plans and incident response strategies. A well-defined incident response plan includes predefined procedures for handling software conflicts and outages. This ensures that the response is swift and coordinated. Timely detection and analysis help contain the damages and achieve faster recovery. EC-Council’s E|CIH program equips students with the knowledge, skills, and abilities to effectively prepare for, deal with, and eradicate threats and threat actors in an incident. The program provides skills to build robust incident-handling response frameworks and best practices for handling incidents.
3. Proactive Risk Management
Proactively assessing potential risks allows organizations to recognize and address them before they escalate into serious issues. Organizations also need to learn to identify and assess risks related to updates and vendor dependencies. Training programs such as the C|ND and E|DRP provide requisite skills to anticipate threats and develop and implement strategies to mitigate or eliminate risks, such as updating security protocols or conducting regular system audits.
4. Enhanced BC/DR Planning
Effective Business Continuity and Disaster Recovery (BC/DR) planning helps minimize downtime, ensuring that essential business functions can continue or be quickly restored, reducing the impact on operations. Organizations need robust change management processes to assess the impact of updates on critical systems. Maintaining backups and redundant systems ensures continuity even during outages. Regular data backups and failover mechanisms are crucial. EC-Council’s E|DRP program provides a strong understanding of business continuity and disaster recovery principles, including conducting business impact analysis, assessing risks, and developing and implementing policies, procedures, and BC/DR plans.
5. Security Best Practices
Following security guidelines, such as timely patching, network segmentation, and access controls, helps prevent vulnerabilities that could lead to incidents. Implementing security best practices, conducting employee training, and performing mock drills are crucial for preventing cybersecurity incidents. EC-Council’s industry-recognized, accredited, and hands-on training programs can help organizations build a strong skill base and avoid such incidents as CrowdStrike.
The CrowdStrike incident highlighted how a simple issue such as a faulty update to security software could cause widespread problems. To prevent similar incidents, organizations need to implement robust patch management, comprehensive incident response plans, proactive risk management, enhanced business continuity and disaster recovery strategies, and adhere to security best practices. Training programs such as EC-Council’s Certified Network Defender (C|ND), Certified Incident Handler (E|CIH), and Disaster Recovery Professional (E|DRP) can help in maintaining better incident preparedness and managing the technical, administrative, and human aspects of such crises.
References:
Parametrix. (2024, July 24). CrowdStrike to cost Fortune 500 $5.4 billion. Parametrix. https://www.parametrixinsurance.com/in-the-news/crowdstrike-to-cost-fortune-500-5-4-billion’
McKenna, G. (2024, July 28). CrowdStrike shares slide as IT disruption continues. BBC News. https://www.bbc.com/news/articles/c725knvnk5zo
