วันอาทิตย์ที่ 28 กรกฎาคม พ.ศ. 2567

After CrowdStrike Outage, Companies and Governments Reassess Risks of Using Cloud

We're losing our resiliency as a nation,' a cybersecurity consultant said.

July 28, 2024 | Subscriber Exclusive

 

Dear reader,

 

Welcome to the Premium Report! This newsletter features content from the Premium section of the Epoch Times. Experience expertly designed articles, documentaries, infographics, and more.

Our editorial team digs deep to present you with facts that matter, providing a unique perspective on the issues shaping our world. Meanwhile, our designers format it for you into a beautifully curated layout.

 

We hope you enjoy it. 

 

After CrowdStrike Outage, Companies and Governments Reassess Risks of Using Cloud

We're losing our resiliency as a nation,' a cybersecurity consultant said.

Image

(Illustration by The Epoch Times, Shutterstock, Getty Images)

By Kevin Stocklin | July 24, 2024 Updated: July 26, 2024
 

As companies and government agencies around the world scramble to restore their computer systems following last week's global outage from a faulty software update, questions are being raised about whether proper protocols for updates were followed.

 

Simultaneously, technology analysts are raising concerns about the extent of the United States' increasing dependence on an oligopoly of cloud computing firms.

 

An antivirus software update issued on July 19 by CrowdStrike, one of the largest cybersecurity companies, caused more than 1 billion Windows-based computers to crash, taking down essential operations at airports, hospitals, 911 centers, police departments, trains, jails, municipal services, and corporate operations.
 

The company has issued multiple apologies since the event and pledged to resolve the issues, much of which cannot be fixed through system-wide updates but require fixes on individual computers.

 

CrowdStrike Chief Security Officer Shawn Henry stated on a LinkedIn post: "On Friday we failed you, and for that I'm deeply sorry.
 

"The confidence we built in drips over the years was lost in buckets within hours, and it was a gut punch. But this pales in comparison to the pain we've caused our customers and our partners."

 

Cybersecurity experts have raised questions about whether CrowdStrike may have circumvented best-practice procedures when it circulated the July 19 update.

 

"The cautionary tale, to me, is the basics—for patches, updates, and on critical business systems, take the 10 minutes to test them," Robert Thomas, owner of cybersecurity company 180A Consulting and a former Defense Department staffer, told The Epoch Times.

 

"You take one minute and you download the patch; you take another minute, you install the patch on a test system; one more minute, you reboot the system, and then you run tests against your business-critical software applications."

 

The Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) have created standard protocols regarding how software updates should be conducted. Had they been followed, Mr. Thomas said, the flaws in the update should have become apparent before it was circulated to users.

 

"Software updates, by best practice/protocol, should go through numerous stages of testing prior to touching a customer," Tom Marsland, training and project manager of Cloud Range and author of "Unveiling the NIST Risk Management Framework," told The Epoch Times.

 

"This would include automated unit testing on the code, security reviews, and testing inside of the CrowdStrike team [and] only once those actions are completed should a patch be rolled out to customers," Mr. Marsland said.

 

In addition, updates should be rolled out initially to a smaller group of customers and then expanded, rather than sent out broadly all at once, he said.

 

"In the case of the CrowdStrike update on Friday, it does not appear those practices were followed," Mr. Marsland said.

 

In its post-incident review published on July 24, CrowdStrike stated, "Due to a bug in the Content Validator, one of the two [updates] passed validation despite containing problematic content data."
Image

People walk past flight information screens during the outage at Chicago O'Hare International Airport on July 19, 2024. Companies worldwide were affected by an outage from a faulty software update issued by CrowdStrike. (Adam Gray/Getty Images)

 

The 'Cascading Effects' of the Faulty Update

According to an assessment by the CIS, the effects of the faulty update became apparent just after midnight Eastern time on July 19, when computers operating on Microsoft's Windows software that implemented updates from CrowdStrike's Falcon security software went down.

 

The update circulated for about an hour and half until the flaw was discovered and the update was "reverted," according to the CIS.

"CrowdStrike has since issued a workaround that requires manual remediation for each affected device," the CIS stated.

 

CrowdStrike quickly assured customers that the outage was not a cybersecurity attack.
 

"They're saying that this isn't a cybersecurity attack, but it had the same net result as a cybersecurity attack," Rex Lee, a security adviser to companies and governments, told NTD News, an Epoch Times affiliate. "We're talking about government agencies, we're talking about Fortune 500 businesses, airlines ... the cascading effects of this are unbelievable.

 

"If you look at the critical infrastructure that's being affected, this is actually going to cause harm and people may be dying as a result of this, because first responders are being affected, hospitals are being affected. We won't know the total damage from all this, but it's going to go down in history as the largest mistake and/or outage in the history of the internet."

 

The shift by companies and government agencies to cloud computing has been rapid and continues to accelerate.

 

Global spending on cloud services is expected to grow by more than 20 percent in 2024, to a total of $678.8 billion, up from $563.6 billion in 2023, according to a November 2023 forecast from Gartner, Inc., a tech analytics firm.
 

"Cloud has become essentially indispensable," Sid Nag, vice president analyst at Gartner, stated in the report.

 

But last week's outage has highlighted the issue of company and societal vulnerabilities because of the extent to which cloud computing services are controlled by a small number of providers.

Image

Staff work in the server farm in the 1450 m2 main room of the CERN Data Centre in Meyrin, Switzerland, on April 19, 2017. (Dean Mouhtaropoulos/Getty Images)

 
A January report by Stephan von Watzdorf, a cybersecurity expert at Swiss Re, a global insurance company, highlighted the vulnerabilities of cloud services being concentrated essentially in three companies.
 

"A decade ago, businesses were uncertain whether the expansion of cloud computing by tech giants like Google, Microsoft, and Amazon was just a passing trend or a lasting shift," Mr. Von Watzdorf stated in the report. "Today, companies worldwide have embraced the cloud in droves, recognising it as a vital component of successful digital transformation.

 

"However, the concentration of services with three dominant providers has created new risks, which are relevant to the re/insurance industry.

 

"If the cloud services go down, the accumulation risk falls on the re/insurers offering commercial cyber insurance products."

 

Societal and National Security Risks

Government agencies are also assessing the risks of cloud computing and tech consolidation.
 

On the day of the outage, a senior White House official stated that "the White House has been convening agencies to assess impacts to the U.S. government's operations and entities around the country."

 

Amid the rush to shift operations onto the cloud, the CrowdStrike outage will likely spur users to reassess the extent of their dependence on one or a few service providers, and their ability to weather errors by providers.

 

"We're reaching the point where over-centralization makes us less 'healable,' and less resilient," Mr. Thomas said. "We're losing our resiliency as a nation."

After the CrowdStrike outage, companies and governments are now seeing the risks, as well as the benefits.

 

"There are absolutely societal and national security risks from putting all of your eggs in a single vendor basket, and I think those were clearly indicated in the past 72 hours when we grounded most flights nationwide," Mr. Marsland said.

 

"The benefits of the cloud versus the risks is something each organization must answer for themselves," Mr. Marsland said. "For organizations seeking a broader customer base, the benefits absolutely do outweigh the risks—but these organizations can afford to hire experts in cloud security."

 

On a personal level, individuals who store their data in the cloud also face risks.

 

According to a 2023 report by the Information Security Office at the University of Texas, those risks include security risks, privacy risks, and reliability risks...
 

Try your first month for $1!

Your subscriber exclusive benefits include:

  • News & Analysis
    Truthful, unbiased reporting free of censorship
  • Health & Wellness
    Curated articles on diet, exercises, and aging well
  • Epoch TV
    Shows, movies, and award-winning documentaries
  • Games & Puzzles
    Sudoku, crosswords, word searches, and more
  • Premium eMagazines
    5 weekly digital magazines PLUS our Special Series

Thanks for reading the Epoch Times!

 

Don't want to miss out on important emails from us?
Be sure to add newsletter@epochtimes.ca to your contact list.

 

Subscribe to The Epoch Times

 

Subscribers get full access to the Epoch Times, including the Premium section and EpochTV. You can check out the digital plans here or get a print newspaper + digital plan combo here.

 

If you prefer to subscribe through the phone, you're always welcome to call us at 1-800-766-0157.

Copyright © 2024 The Epoch Times

195 Allstate Parkway, Markham, Ontario L3R 4T8

You are receiving this email because you subscribed to the Premium Report newsletter email list.

Manage your email preferences here or unsubscribe here

mt

ไม่มีความคิดเห็น: