Reflection on the CrowdStrike meltdown

There is certainly an irony in the fact that over 8 million Windows computers were taken down by an organization called "CrowdStrike". On 19 July 2024 a defective content update pushed by the security software company caused millions of PCs to crash and enter a boot loop (crash, reboot, crash again), forcing a hands-on series of technical fixes by IT personnel, machine by machine, to bring them back online.

While there was no criminal or state actor involved in this incident, it brings to light a lot of details about critical systems worldwide that need very close attention from IT professionals and management. According to Gartner, CrowdStrike's software has only a 14% market share of security software, and yet the impact was significant and worldwide.

It is important to recognize that even though it was an errant CrowdStrike update in this instance, it could very easily have been an attack by criminal or state actors, and such an attack could have been far more devastating. CrowdStrike's Falcon software is designed to help prevent and detect just such an attack, but as the saying goes, "who is watching the watchers?" The fact that CrowdStrike's software operates at the kernel level (the lowest level of access in the Windows operating system, effectively giving it full control over all hardware and software on the computer) means that an attack using those vectors would have almost no limitations on the client system: a kernel-mode agent that reads content pushed from the vendor turns every such push into a change to trusted kernel code. The only protection companies have is trust in CrowdStrike's security practices, meaning trust in the same company that just bricked all their computers by accidentally pushing a defective update.

While endpoint threat detection is important, and keeping operating systems and security software up to date is a key element of it, every organization must look seriously at every instance where it allows a third party to make configuration changes and push updates automatically, without IT interaction or verification (or even notice). This is a threat vector that must be taken seriously.
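The first step in that review is knowing which third-party components already run in the kernel and start before anyone logs in, since those are the ones whose updates can take the machine down before the desktop even appears. The PowerShell below is an added example, not code from the original article or from CrowdStrike: it inventories Boot- and System-start drivers on a Windows endpoint and keeps those whose file metadata names a company other than Microsoft. Two assumptions are built in: it must run in an elevated session, and it treats the self-declared CompanyName field as the vendor, because on current Windows nearly every third-party kernel driver also carries a Microsoft co-signature, so the Authenticode signer alone does not separate vendor code from inbox code.

```powershell
# Added example (not from the original article): list third-party kernel-mode drivers
# that load at boot or system start on this Windows endpoint. Run elevated.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several spellings; normalise to a real path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                        # strip NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot               # expand \SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"     # bare relative form
    return $p
}

function Get-ThirdPartyKernelDrivers {
    # Drivers that start at Boot or System run before logon; a bad update to one of
    # these is what produces a boot loop rather than a recoverable service failure.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.StartMode -in 'Boot', 'System' } |
        ForEach-Object {
            $path    = Resolve-DriverPath $_.PathName
            $exists  = $path -and (Test-Path $path)
            $sig     = if ($exists) { Get-AuthenticodeSignature $path } else { $null }
            $company = if ($exists) { (Get-Item $path).VersionInfo.CompanyName } else { '' }
            $signer  = if ($sig -and $sig.SignerCertificate) {
                           $sig.SignerCertificate.Subject -replace '^CN=([^,]+).*', '$1'
                       } else { '' }
            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                State     = $_.State
                Path      = $path
                Company   = $company          # self-declared by the vendor, so verify
                Signer    = $signer
                SigStatus = if ($sig) { "$($sig.Status)" } else { 'FileNotFound' }
            }
        } |
        Where-Object {
            # Keep anything not attributed to Microsoft, plus anything whose signature
            # does not verify: a missing or tampered file deserves a look either way.
            ($_.Company -notlike '*Microsoft*') -or ($_.SigStatus -ne 'Valid')
        }
}

# Usage: one row per third-party boot/system-start driver, sorted by vendor.
Get-ThirdPartyKernelDrivers | Sort-Object Company, Name |
    Format-Table Name, StartMode, State, Company, Signer, SigStatus -AutoSize
```

Each row in that table is a vendor that can change what runs in your kernel on its own schedule. For each one, the question the article is asking is whether you know how that vendor stages its updates, whether you can pin or delay them, and what your recovery path is if the next one is defective.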

IT management also needs to look seriously at the practice of using Windows endpoints for mission-critical operations. Windows is a general-purpose operating system designed for desktop productivity and even gaming; it includes components as diverse as support for 3D gaming and support for decades-old, long-outdated networking protocols. It even still ships with fax and modem components. When running 911 call centres, airline control systems and hospital processes, this opens up a huge attack surface. While Linux is not immune to threats and attacks, a system built with only the components a task needs is not only much easier to secure but also presents far fewer vectors for an attack. Anyone running mission-critical endpoints on Windows clients needs to review that decision seriously.
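Where replacing the platform is not on the table, the practical next step is to strip the general-purpose components a single-purpose endpoint will never use. The PowerShell below is an added example, not code from the original article: it checks a Windows 10/11 endpoint for a short list of legacy optional features and capabilities (SMBv1, the Telnet and TFTP clients, the PowerShell 2.0 engine, and the fax/scan capability the article mentions) and reports which are present. Removal only happens when the -Remove switch is passed. Assumptions: an elevated session, and that the component names listed match your Windows build (they are the names current builds use, but check with Get-WindowsOptionalFeature -Online and Get-WindowsCapability -Online before relying on them).

```powershell
# Added example (not from the original article): report, and optionally remove, legacy
# Windows components that a mission-critical single-purpose endpoint has no use for.
# Report-only by default; pass -Remove to act. Requires an elevated session.

# Feature names as used by Get-WindowsOptionalFeature (assumed to match your build).
$LegacyFeatures = @(
    'SMB1Protocol',                     # SMBv1, a decades-old protocol still shipped
    'TelnetClient',                     # cleartext remote login client
    'TFTP',                             # unauthenticated file transfer client
    'MicrosoftWindowsPowerShellV2Root'  # PowerShell 2.0 engine, predates script logging
)
# Capability name prefixes as used by Get-WindowsCapability (assumed to match your build).
$LegacyCapabilities = @(
    'Print.Fax.Scan'                    # the fax support the article refers to
)

function Get-LegacyComponentReport {
    # One object per matching component, with its current state, whether present or not.
    $features = Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -in $LegacyFeatures } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Feature'; Name = $_.FeatureName; State = "$($_.State)" }
        }
    $caps = Get-WindowsCapability -Online |
        Where-Object { ($_.Name -split '~')[0] -in $LegacyCapabilities } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Capability'; Name = $_.Name; State = "$($_.State)" }
        }
    @($features) + @($caps)
}

function Invoke-LegacyComponentCleanup {
    param([switch]$Remove)
    foreach ($c in Get-LegacyComponentReport) {
        # Optional features report 'Enabled'; capabilities report 'Installed'.
        $present = $c.State -in 'Enabled', 'Installed'
        if (-not $present) { Write-Output "Absent  : $($c.Kind) $($c.Name)"; continue }
        if (-not $Remove)  { Write-Output "Present : $($c.Kind) $($c.Name) (use -Remove)"; continue }
        if ($c.Kind -eq 'Feature') {
            Disable-WindowsOptionalFeature -Online -FeatureName $c.Name -NoRestart | Out-Null
        } else {
            Remove-WindowsCapability -Online -Name $c.Name | Out-Null
        }
        Write-Output "Removed : $($c.Kind) $($c.Name)"
    }
}

# Usage: audit first, then re-run with -Remove once the list has been reviewed.
Invoke-LegacyComponentCleanup
# Invoke-LegacyComponentCleanup -Remove
```

Treat the list as a starting point rather than a standard: the right set of components to remove is whatever the endpoint's actual workload does not need, which is exactly the inventory a general-purpose operating system makes it easy to skip.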

More articles by George Geczy