CISOs, Role that Requires Depth & Breadth both!


I wrote this article in July 2021

My Article in 2021 > Cyber Ready?

And exactly 3 years later, today in July 2024, there is a global standstill affecting airports, businesses, SaaS, IaaS and PaaS services, and metro services.

Cause: CrowdStrike Update that Caused the Microsoft Outage

The global outage that occurred today was reportedly caused by an issue with CrowdStrike, a cybersecurity firm that produces endpoint protection software. CrowdStrike is a Leader in the Gartner Magic Quadrant.

The CEO, George Kurtz, posted: “customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed.”

It appears that CrowdStrike issued a software update that caused Microsoft Windows devices to crash. This resulted in the infamous 'Blue Screen of Death' (BSOD) appearing on Windows devices worldwide.

The impact of this outage was widespread and affected many sectors. Banks, airlines and broadcasters were forced to go offline as Windows computers crashed suddenly. The issue touched everyone from banks to airlines, with flights grounded, grocery carts abandoned, and productivity even lower than usual for a Friday.

But!

This is not the first time; the supply chain is one of the highest-risk threat vectors for any business or institution.

Back in 2020, SolarWinds, a company that develops software to help businesses manage their networks, systems and IT infrastructure, had malicious code injected into its application by cyber criminals. The application was used by 33,000 customers, of which 180,000 government and private users downloaded the compromised versions. 425 of the Fortune 500 companies use SolarWinds.

And in 2021, Kaseya, a company offering IT management software for remote monitoring and management (Kaseya VSA), had malicious code injected into its product to spread REvil ransomware to its customers. The company has 40,000 customers, and more than 200 organizations were hit by the ransomware attack.

In today’s global outage, though it is not a cyber-attack, the impact is equivalent. For sure, Microsoft did not anticipate this coming.

>>The CrowdStrike security product released a patch

>>It reached the users running Microsoft Windows

>>Microsoft Windows misbehaved because of the 3rd party application update

>>This triggered Microsoft Windows into a BSoD

From the statement made by CrowdStrike, a defect was found in the update. This means that CrowdStrike did not test the patch with Microsoft Windows. (Really!?)

Negligence by ‘trusted’ 3rd party A in failing to find a defect in its updates causes the second ‘trusted’ 3rd party B to malfunction, because 3rd party B has no ‘acceptance’ criterion to validate the ‘trust’ it places in 3rd party A for the updates that A pushes to its software running on B’s platform.

Armed forces have a stringent selection process with thorough testing and background checks, and only then does a civilian get the privilege of joining. They do not allow any such threat to enter their platform.

If this process is not stringent, how efficient would it be?

Food for thought:

Why is ‘acceptance’ ‘trusted’ by default on platforms? Why doesn’t every 3rd party application, and each of its patches/updates, get tested and approved before it enters the platform? Why rely on and ‘trust’ the testing done by the applications that function on the platform?

Globally, the world is rapidly heading into a digital age with AI as the key enabler. From banking to autonomous cars, from digital IDs to OT devices, everything is strongly dependent on ‘trust’ in the third-party solutions that fit into the supply chain.

Ironically, there is also a global trend towards Zero Trust Architecture, ensuring that only what is necessary is authenticated and then authorized.

But,

What IF – the 3rd party software, applications and platforms that businesses and institutions operate on are vulnerable and exploited by a zero-day? How do we trust 3rd party platforms?

What IF – a patch update to 3rd party software (not properly tested) triggers a chain of programs that are not meant to run on another 3rd party software/platform? How do we trust the cross-functionality of two 3rd party software applications or platforms?

What IF – a program in 3rd party software triggers a chain of programs because of a vulnerability in another 3rd party software/platform? In a chain of APIs – API #1 > API #2 > API #3 > API #4 > API #5 – how confident are we in the relationship of API #1 with API #5? How do we trust that every application has zero trust in every other application?

Closing Note:

It is ‘not’ ‘completely’ CrowdStrike’s fault! Agreed, the update wasn’t properly tested. But the #platform (the OS) on which it operates didn’t test it either!

This could happen with any application on the platform with an improper patch, until the platform creates governance for updates with #ZeroTrust.

On one hand, there is improper testing by the application; on the other hand, the platform approves updates for applications running on it without ‘platform acceptance testing’.

These examples are reminders that globally even the biggest of the big are vulnerable. Foresightedness makes us hyperopic (unable to see what is close by). Faced with acts like cyber-warfare or a global shutdown, we keep ‘trusting’ in a ‘zero-trust’ world and moving ahead with it without visualizing the consequences. Assuming immortality with a potion, but still mortal!

Cross-functional applications / cross-functional platforms must operate in ‘zero trust’.

And finally, there is a scarcity of a ‘true’ security mindset. The balance of critical thinking, ‘wisdomized’ knowledge and clarity on fundamentals is getting artificially intelligent. The world is nearing the anticipated skill deficit, especially in the cybersecurity space. The right mentors and leaders must help nurture the next generation.

Footnote Message: OEMs that are competitors to Microsoft or CrowdStrike, or those playing in the Zero Trust space – please do not use this article as an opportunity to cross-sell. Please note, I have evaluated almost every known-good security product and there are gaps of one kind or another in each one. No one is perfect. That’s the point of my article.


This situation highlights the critical importance of robust testing protocols across both applications and platforms. The absence of clear acceptance criteria can lead to significant vulnerabilities, as you've pointed out. It's a reminder that while we rely on established entities, a collaborative approach to quality assurance is essential. How can we foster better communication and testing standards across different stakeholders to minimize such risks in the future?

Sandeep Ghatak

Technical Manager Corporate IT

4 months

Seems process FMEA was neglected or overlooked. We are very focused on the technical aspect of preventive mechanisms and often sideline the probable cause and effect of the outcome of such preventive mechanisms. It is extremely important to ensure a strong technical preventive mechanism, and the same goes for the processes that accompany it. To ensure a strong and resilient BAU we sideline projects that focus on finding gaps in implementation.

Kamal Matta

CIO & CISO | Creating Business Value with Technology (CISA | CISM | ISO27k LA l BCMS) .

4 months

Such big names of the industry couldn't prevent the situation. || Unbelievable

Raj Singh

Founder & CEO at Noledgehut IT Services Pvt Ltd

4 months

Well said!
