BitDepth#1470
Mark Lyndersay
ON JULY 19, cybersecurity firm Crowdstrike sent an automatic update to Microsoft Windows computers that was intended to upgrade the Falcon sensor security solution it sells to enterprises.
The worst possible thing happened. A bug in the code sent the computers that received it into a death spiral of blue screens. The update was just 40 kilobytes in size and was intended to adjust the sensor's ability to detect malware.
Instead, it caused more than US$6 billion in real-world damage.
Delta Airlines alone, which deployed the software widely in its computer network, reported losses of more than US$500 million over the week it struggled to normalise operations after the Crowdstrike bug crippled the company's ability to function.
Microsoft estimates that more than eight million Windows computers were affected by the bug.
Crowdstrike quickly deployed a patch that corrected the issue, but for many customers, it fixed nothing.
Falcon is an endpoint sensor widely used in computers that run systems like automated kiosks and customer interface panels that were also secured by Microsoft's BitLocker encryption software.
On those computers, it was necessary to decrypt the hardware, apply the patch, then restart. Roughly 20 minutes' work, multiplied by hundreds of devices.
Delta's long path to restoring operations was apparently compounded by outsourced IT, which meant fewer people available to "touch" stricken computers.
TT was largely unscathed by the incident (https://cstu.io/36e5d9), and most organisations affected by the bug reported resumption of transactions within 24 hours.
"Do I think that TT dodged a bullet because Crowdstrike is expensive? Yes," said cybersecurity specialist Shiva Parasram.
"The fact that Crowdstrike is very popular but very expensive might be one of the factors limiting its impact in Trinidad.
"But it's not necessarily a good thing. The reason why there was minimal impact is because we don't really spend much on cybersecurity."
The cruel reality of Crowdstrike is that it wasn't a cybersecurity attack. It was a quality-of-service lapse, and the incident puts IT professionals in an odd space, sandwiched between determined and sustained attacks by hackers and ransomware organisations and hastily deployed software that ends up fragging their systems from the inside.
Do IT pros do all recommended updates as they are issued and risk buggy updates like Crowdstrike?
Do they wait a few days and risk compromise because of outdated security measures or unplugged security holes?
Do they create a sandboxed update system to confirm that updates are safe? If so, how practical would that be for typically underpaid, overworked local IT teams?
Parasram believes that sandboxed test systems to confirm updates are something that companies will have to build into their IT management.
"It's not going to get any easier for TT," he said.
"But we have a lot more graduates coming out, new professionals who are looking for a start. Companies will have to get seriou