What happened with CrowdStrike and why it is interesting from a security perspective
https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/
What happened?
CrowdStrike sells Falcon, endpoint security software that its customers install on their computers. Falcon keeps itself current by checking CrowdStrike's servers for updates and downloading them automatically. On Friday 19 July 2024, CrowdStrike published one such update, a content update for Windows hosts rather than a new version of the sensor itself, which caused some customers' Windows computers to crash and restart with a bugcheck (blue screen) error. A bugcheck is a kernel-level crash: the Falcon sensor runs as a kernel driver so that it can inspect the whole system, which also means that a fault in it takes the entire host down rather than just the agent. Affected computers did not recover on their own; each one needed hands-on remediation before it would work again. Mac and Linux hosts were not affected.
What was the result?
This apparently caused flight delays, surgery cancellations and banking issues and, amongst other things, an outage of Starbucks’ mobile order-ahead feature, leaving baristas to direct customers with handwritten signs to “plz come to walk-up.”
Was customer data accessed in an unauthorised way, lost, stolen, or held for ransom?
It does not appear so. CrowdStrike's statement (linked above) describes the event as a defect in a content update and states that it was not a security incident or cyberattack.
How do customer security teams generally react to problems like this?
Generally, major technology security problems fall into one or both of two categories: (1) business continuity / disaster recovery events, which stop customers from accessing or using technology (third-party technology systems being unavailable, pandemics, power failures, telecommunications failures, war, insurrection, etc.), and (2) major security issues, which usually manifest as data breaches, viruses/ransomware/malware, hacking, social engineering (tricking people), denial of service attacks, etc.
How customer security teams are reacting
For impacted customers this is definitely (1), a business continuity / disaster recovery event. While it appears not to have been malicious, any incident in which third-party software downloaded onto many local computers unexpectedly causes those computers to crash and not recover without hands-on intervention will also be treated by security teams as (2), a major security issue, until the root cause is confirmed: from the outside, a bad update and a compromised update channel look the same on the first day.
What makes this interesting from a security perspective?
Security specialists generally think about systemic technology risk in terms of very large numbers of customers depending on the same hosting provider (Google Cloud Platform, Amazon Web Services, etc.) or the same operating system (Microsoft Windows). This event is interesting because the single point of failure was neither of those: one update, to one type of software installed on customers’ computers, from one software vendor, caused issues on this scale. The combination that made it possible is worth noting: an agent that is installed across a very large fleet, runs with kernel privileges, and receives updates automatically from the vendor. A widely deployed security tool is itself a piece of critical infrastructure, and its update channel deserves the same scrutiny (staged rollout, the ability to hold or roll back an update, a tested recovery procedure for hosts that will not boot) that customers already apply to their cloud provider and operating system.