The US House Homeland Security Committee has called for CrowdStrike CEO George Kurtz to testify about the company’s role in a widespread outage this month that caused the grounding of international flights, knocked banks and hospitals offline, and popularized a new term: Blue Screen of Death (BSoD).
In July, the company released a defective software update that caused millions of devices running Microsoft Windows operating systems to crash and fail to reboot. Reports say that 8.5 million Windows devices were affected. The outage caused widespread disruption internationally.
The issue was caused by a logic error triggered by an update to the CrowdStrike Falcon sensor configuration file. CrowdStrike Falcon is an endpoint security platform that is popular on Windows devices. It has highly privileged access to users’ systems, so when something does go wrong, it can impact the device in devastating ways, as was the case in this historic incident.
While the incident was not cybersecurity-related, it highlighted some important things around digital security, enterprise architecture, and disaster recovery. As we intertwine vendors into our systems, including cybersecurity vendors like CrowdStrike, a single misstep, even a non-malicious mistake, can have ramifications that reverberate across industries and borders.
In the past several decades, much of our digital architecture has moved from on-premises servers to cloud computing. While this shift has rapidly increased innovation, helped companies become nimbler, and lowered technology costs, it has not arrived without risk.
One of the main risks is our heavy reliance on specific third-party vendors, whether hardware or software vendors. When something occurs, whether an outage or a defective software update, the consequences can be far-reaching because of the mass adoption of these vendors. A major outage, even if it is brief, can cause wide disruption.
When it comes to digital security, we have certainly seen a sharp rise in incidents caused by third-party vendors. When we take data and information that used to be hosted on our own company servers and hand it to a third party to host, process, and protect, we risk compromising that information.
Disaster recovery and digital security are very similar. An outage like the one seen in July can halt commerce in much the same way as a cybersecurity incident. Just last month, an incident impacting CDK Global affected car dealerships across the country and forced many of these dealerships to turn away business because they could not gain access to their systems hosted by CDK Global.
Similarly, a cyberattack on Change Healthcare caused widespread disruption of pharmacies, many of which could not verify patients’ health insurance coverage, file claims, or send bills. This was particularly devastating for small and medium-sized practices that may not have the means to weather such a disruption.
These are two cases where an incident affected a popular third-party provider in an industry, causing massive upheaval in that industry. Of course, Microsoft Windows devices are used in nearly every industry and most organizations, which is why the incident that occurred in July was impactful enough for the US government to take immediate notice.
Downstream attacks are also a growing concern. A downstream attack occurs when a service your vendor relies on, rather than your own vendor, causes an incident. In some cases, you may have no relationship with that upstream provider at all but are impacted regardless. One example would be when a vendor important to the internet backbone goes down. In 2022, Canadian telecom provider Rogers Communications had a major service outage that caused about a quarter of the Canadian internet to lose connectivity.
When it comes to cybersecurity, these types of incidents are becoming more common. In 2022, Okta, an identity and access management platform, acknowledged that an attack against a third-party vendor it uses resulted in a data breach that impacted 2.5% of its customer base.
One report finds that 98% of organizations worldwide have integrations with at least one third-party vendor that has been breached in the last two years.
Earlier this year, AT&T had its Snowflake cloud environment compromised. The compromised data included the call and text message records of a breathtaking 110 million customers. I am sure that most of the affected customers thought a snowflake was something that falls from an actual cloud, not a platform in the digital cloud. But their sensitive data was compromised nevertheless.
Disaster recovery and cybersecurity have always walked hand-in-hand. In fact, digital incident response plans were traditionally rolled into disaster recovery plans. That was until cybersecurity moved from an afterthought in most boardrooms to a topic on the lips of many C-suite executives.
Proactive cybersecurity is built chiefly on a robust incident response planning program. It is a must for information security. This includes developing playbooks and testing those playbooks with tabletop sessions. Tabletop sessions mirror real-life scenarios you might encounter, to test your organization’s and your team members’ response to that scenario. It is important to hold tabletop sessions at least bi-annually and update your playbooks at least annually.
Having a good crisis communications program is important as well. Every organization should have at least one person designated to speak externally if an incident does occur. This person should be trained in how best to respond. It is also critical to have notification language prepared in advance, so that you are not scrambling to draft it if an incident occurs. This is how you will notify the public of an incident. While every incident will be different, you can build a foundation that makes it easier to get your message out more rapidly and cohesively.
You may also consider dark web/deep web monitoring. You can proactively monitor the darker corners of the internet for mentions of your critical vendors. This way, if a vendor does suffer an incident, you are more likely to hear about it sooner and can take steps to protect yourself and your information, as well as get ahead of any narrative that would separate you from responsibility for the incident. Even if responsibility does not fall to you, your customers will still be looking to you for answers.
Finally, it is important to perform good due diligence on any vendor that will be processing your information. And not just your vendor but THEIR vendors. What assurances does your vendor obtain that any third party it allows to process your data follows good cybersecurity practices? Understand who will have access to your data or environment and what these organizations will be doing to safeguard that data.
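The downstream-attack problem described earlier and the "your vendor's vendors" question above come down to the same exercise: knowing, before an incident, which of your systems are reachable from a given supplier. The following is an added example written for this article, not code from the author or from any vendor named here. It models a small, constructed vendor inventory (all names are hypothetical) and, given the name of a vendor that has just reported an incident, walks the dependency graph upward to list every system of yours that is exposed, how many hops away the affected supplier is, and what class of data sits on that system, so that the response team can prioritize.

```python
from collections import deque

# Constructed sample inventory for illustration; every vendor and system name is hypothetical.
# SYSTEMS maps each of our systems to the vendor that hosts it and the class of data it holds.
SYSTEMS = {
    "billing": {"vendor": "PaymentsCo", "data": "cardholder"},
    "crm": {"vendor": "CloudCRM", "data": "customer-pii"},
    "hr-portal": {"vendor": "HRSaaS", "data": "employee-pii"},
    "website": {"vendor": "CDNProvider", "data": "public"},
}

# VENDOR_SUPPLIERS maps each vendor to the suppliers it in turn depends on (fourth parties).
# This is the information vendor due diligence should be collecting.
VENDOR_SUPPLIERS = {
    "PaymentsCo": {"DataWarehouseCo", "CDNProvider"},
    "CloudCRM": {"DataWarehouseCo"},
    "HRSaaS": set(),
    "CDNProvider": {"TelecomBackbone"},
    "DataWarehouseCo": set(),
    "TelecomBackbone": set(),
}

# Higher rank means more sensitive data, and therefore a higher response priority.
SENSITIVITY_RANK = {"cardholder": 3, "customer-pii": 2, "employee-pii": 2, "public": 0}


def dependents_of(supplier):
    """Return the set of vendors that directly depend on `supplier`."""
    return {vendor for vendor, deps in VENDOR_SUPPLIERS.items() if supplier in deps}


def exposed_systems(incident_vendor):
    """Breadth-first walk from the affected vendor to everyone who depends on it, then map
    the reachable vendors back onto our systems.

    Returns {system: {"data": <data class>, "path": [incident_vendor, ..., direct vendor]}}.
    An unknown vendor name simply yields an empty result. Cycles in the supplier data are
    tolerated because each vendor is recorded only the first time it is reached."""
    paths = {incident_vendor: [incident_vendor]}
    queue = deque([incident_vendor])
    while queue:
        current = queue.popleft()
        for dependent in dependents_of(current):
            if dependent not in paths:
                paths[dependent] = paths[current] + [dependent]
                queue.append(dependent)
    exposed = {}
    for system, info in SYSTEMS.items():
        if info["vendor"] in paths:
            exposed[system] = {"data": info["data"], "path": paths[info["vendor"]]}
    return exposed


def triage(incident_vendor):
    """Order the exposed systems for response: most sensitive data first, then fewest hops
    from the affected supplier. Returns a list of (system, data class, hops)."""
    rows = []
    for system, info in exposed_systems(incident_vendor).items():
        hops = len(info["path"]) - 1  # 0 hops means the incident vendor hosts the system directly
        rows.append((system, info["data"], hops))
    rows.sort(key=lambda row: (-SENSITIVITY_RANK.get(row[1], 0), row[2], row[0]))
    return rows


if __name__ == "__main__":
    # Example: a backbone provider two hops removed from us reports an outage.
    for system, data, hops in triage("TelecomBackbone"):
        path = " -> ".join(exposed_systems("TelecomBackbone")[system]["path"])
        print(f"{system:10} data={data:13} hops={hops}  via {path}")
```

The point of keeping the inventory in this shape is that the question "does vendor X's incident affect us?" becomes a lookup rather than a scramble through contracts, and the same data answers the due diligence question in reverse: any supplier that appears in `VENDOR_SUPPLIERS` with sensitive systems reachable from it is one whose security practices your vendor should be able to vouch for.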
Defending against third party incidents is not easy. In many cases, it is impossible. You can’t necessarily control a third party vendor and how they manage your information. We live in a world where we are beholden to these vendors to conduct our daily business. For better or worse, that is our digital world. So being proactive about protecting yourself is paramount.
About the Author
Corey White is a security analyst at Future Point of View. He focuses on cybersecurity, artificial intelligence, and data privacy. From guiding organizations on building robust incident response plans to identifying and remediating risk and even monitoring the deep and dark web for information, Corey has vast experience in keeping organizations and individuals safe in an increasingly complex, critical, and dangerous digital landscape.