A massive IT outage over the weekend caused by Crowdstrike software affected computer systems worldwide. In Australia and Aotearoa, New Zealand, reports indicate computers at banks, media organizations, hospitals, transport services, shop checkouts, airports, and more were all impacted.
The outage is unprecedented in its scale and severity. The technical term for what has happened to the affected computers is “bricked.” This word refers to computers rendered so useless by this outage that — at least for now — they may as well be bricks.
The widespread outage has been linked to a piece of software called CrowdStrike Falcon. What is it, and why has it caused such widespread disruption?
What is CrowdStrike Falcon?
CrowdStrike is a U.S. cybersecurity company with a significant global share in the tech market. Falcon is one of its software products that organizations install on their computers to keep them safe from cyber-attacks and malware.
Falcon is what is known as “endpoint detection and response” (EDR) software. Its job is to monitor what is happening on the computers on which it is installed, looking for signs of nefarious activity (such as malware). When it detects something fishy, it helps to lock down the threat.
This means Falcon is what we call privileged software. To detect signs of attack, Falcon has to monitor computers in great detail, so it has access to many internal systems. This includes what communications computers are sending over the Internet, what programs are running, what files are being opened, and much more.
In this sense, Falcon is a bit like traditional antivirus software, but on steroids.
More than that, however, it also needs to be able to lock down threats. For example, if it detects that a computer it is monitoring is communicating with a potential hacker, Falcon needs to be able to shut down that communication. This means Falcon is tightly integrated with the core software of the computers it runs on — Microsoft Windows.
Why did Falcon cause this problem?
This privilege and tight integration make Falcon powerful. But it also means that when Falcon malfunctions, it can cause serious problems. The recent outage is a worst-case scenario.
What we currently know is that an update to Falcon caused it to malfunction in a way that caused Windows 10 computers to crash and then fail to reboot, leading to the dreaded “blue screen of death” (BSOD).
This is the affectionate term used to refer to the screen that is displayed when Windows computers crash and need to be rebooted — only, in this case, the Falcon problem means the computers cannot reboot without encountering the BSOD again.
Why is Falcon so widely used?
CrowdStrike is the market leader in EDR solutions. This means its products — such as Falcon — are common and likely the pick of the bunch for organizations conscious of their cybersecurity.
As the outage has shown, this includes hospitals, media companies, universities, major supermarkets, and many more. The full scale of the impact is yet to be determined, but it’s certainly global.
Why aren’t home PCs affected?
While CrowdStrike’s products are widely deployed in major organizations that need to protect themselves from cyber attacks, they are much less commonly used on home PCs.
This is because CrowdStrike’s products are tailored for large organizations in which CrowdStrike’s tools help them monitor their networks for signs of attack, and provide them with the information they need to respond to intrusions in a timely way.
For home users, built-in antivirus software or security products offered by companies such as Norton and McAfee are much more popular.
How long will this take to fix?
At this stage, CrowdStrike has provided manual instructions for how people can fix the problem on individually affected computers.
However, at the time of writing, there does not yet appear to be an automatic fix for the problem. IT teams at some organizations may be able to fix this problem quickly by simply wiping the affected computers and restoring them from backups or similar.
Some IT teams may also be able to “roll back” (revert to an earlier version) the affected Falcon version on their organization’s computers. It’s also possible some IT teams will have to manually fix the problem on their organization’s computers, one at a time.
We should expect that in many organizations, it may take a while before the problem can be resolved entirely.
What is ironic about this incident is that security professionals have been encouraging organizations to deploy advanced security technology such as EDR for years. Yet that same technology has now resulted in a major outage, the likes of which we haven’t seen in years.
For companies like CrowdStrike that sell highly privileged security software, this is a timely reminder to be incredibly careful when deploying automatic updates to their products.
Toby Murray, Associate Professor of Cybersecurity, School of Computing and Information Systems, The University of Melbourne
This article is republished from The Conversation under a Creative Commons license. Read the original article.
Follow us on X, Facebook, or Pinterest
