Architectural Flaws in CrowdStrike Falcon Caused the Update Outage: Legal Protection for CISOs Is More in Doubt Than Ever
The recent CrowdStrike outage exposed a critical weakness in the CrowdStrike Falcon architecture: content (channel) files that are not covered by Windows kernel-driver code signing are loaded and interpreted by the Falcon sensor's signed driver in kernel mode. CrowdStrike CEO George Kurtz acknowledged the logic error that triggered the crash, which took down Windows hosts across the CrowdStrike customer base. This is not a simple oversight; it is a fundamental design choice that lets a defective or malicious content file reach kernel mode without the verification a driver would receive, and that is what opens the door to malicious actors. It has also led many CISOs to ask whether this software update outage triggers their regulatory reporting obligations.
Watch this video explaining the CrowdStrike catastrophe from 7:15 onward:
The Flawed Architecture
CrowdStrike’s product architecture is fundamentally flawed in one specific respect. The kernel-mode driver itself is signed (Windows requires kernel drivers to be signed through Microsoft’s attestation process, for which the vendor needs an EV code-signing certificate), but the content files that driver loads and interprets are not subject to that check. The design therefore bypasses the assurance kernel code signing is supposed to provide: unverified content is interpreted at kernel level, where a single parsing error crashes the whole machine, posing a massive security and availability risk.
Direct Quotes from the Video
- “Unsigned code of unknown provenance running in full kernel mode”
- “Executing untrusted PE code in the Kernel is risky business at best and could be asking for trouble”
The Legal Responsibility of CISOs and IT Managers
As a Chief Information Security Officer (CISO) or IT Manager, the responsibility to safeguard your enterprise’s digital infrastructure is paramount. Ignoring such a glaring vulnerability and continuing to use the affected product could lead to severe repercussions, including data breaches, system failures, and significant financial losses. Moreover, there are legal implications to consider.
Regulatory Requirements
With the increasing emphasis on cybersecurity, regulations have become more stringent. The U.S. Securities and Exchange Commission (SEC) rules adopted in 2023 require public companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material. The clock starts at the materiality determination rather than at discovery, but that determination must be made without unreasonable delay, which places immense pressure on CISOs to assess and report incidents before the full picture is known. Failing to comply with these rules can lead to significant legal and financial consequences.
Personal Liability for CISOs
Recent legal cases highlight the personal risks CISOs face. Joseph Sullivan, the former Chief Security Officer at Uber, was criminally convicted in 2022 for his handling of a 2016 data breach, including concealing it from regulators. Timothy Brown, the former CISO of SolarWinds, was charged by the SEC in 2023 with securities fraud and internal control failures related to the company’s cyber incidents. These cases illustrate that CISOs can be held personally liable for failing to adequately manage and disclose cybersecurity risks.
Known Vulnerabilities as Material Cybersecurity Incidents
Having a known vulnerability in your systems can rise to the level of a material cybersecurity incident if it meets certain criteria; specifically, if the known vulnerability:
- Poses a significant risk to the confidentiality, integrity, or availability of critical data or systems.
- Could lead to unauthorized access to sensitive information, resulting in data breaches.
- Might cause substantial financial loss or operational disruption if exploited.
- Has the potential to damage the company’s reputation or trust with customers, partners, or stakeholders.
- Results in legal or regulatory implications, including the possibility of fines, sanctions, or mandatory disclosure requirements.
CrowdStrike’s Architectural Flaw: Falcon Outage Explained – Flawed Update
In the context of CrowdStrike’s architectural flaw, the presence of such a significant weakness clearly meets these criteria. The ability for unverified content to be executed at the kernel level poses a severe risk to data integrity and system availability, as the outage itself demonstrated. Unauthorized access facilitated by this flaw could lead to data breaches, substantial financial losses and operational disruptions, and the damage to the company’s reputation and trust with stakeholders could be immense. Given these factors, CISOs must consider whether continued use of CrowdStrike’s flawed architecture constitutes a material cybersecurity incident. Reporting it may be necessary to comply with regulatory requirements and to be transparent with stakeholders about the risks involved. For more on this, read The Risks Cybersecurity Vendors Place Their Clients’ Operations In.
CISOs Regulatory Reporting Mandates of Incidents
Should CISOs be reporting their use of CrowdStrike as a material cybersecurity incident because of its flawed architecture? Where the criteria above are met, the existence of the weakness and the steps being taken to mitigate it may need to be disclosed to inform stakeholders of the potential risk. CISOs should therefore seriously consider whether the use of this product constitutes a material cybersecurity incident that needs to be reported.
Cyber Security’s Future of Endpoint Defense
Leveraging Warden with Enhanced Protection
At Cyber Strategy Institute, we recognize the critical importance of robust endpoint security. Our Warden solution provides an unparalleled level of defense. With its kernel-level protection, Warden auto-contains threats that could impact your endpoint systems, so that even if unverified content attempts to execute, it is contained and neutralized. Learn more about why Warden’s Zero Trust Endpoint Defense does not have the same problem as CrowdStrike Falcon here.
With these advanced capabilities, we offer an MSSP solution that prioritizes your security needs. In light of the architectural flaws revealed in CrowdStrike, our approach ensures that your organization is not left vulnerable to similar risks.
CrowdStrike Root Cause System Crash of Microsoft Windows
Final Note on CrowdStrike’s Response: CrowdStrike attributed the crash to a logic error triggered by a content update (a channel file for the Falcon sensor on Windows), not to a change in the signed driver itself; hosts running sensor version 7.11 and above that received the file crashed on boot. Their published workaround was to boot into Safe Mode, remove the channel file matching C-00000291*.sys from C:\Windows\System32\drivers\CrowdStrike, and reboot. Fixing this one content file addresses this particular software update incident; it does not mitigate the broader architectural concern we have highlighted, which is that the next defective content file reaches kernel mode by the same path. For technical details, refer to their official blog post: Falcon Update for Windows Hosts: Technical Details.
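To make the architectural point concrete, the program below is an added illustration, not CrowdStrike’s code or anything from the video. It models a kernel-mode content interpreter in user space and shows why the loader must validate content against the interpreter that will actually run it, rather than only checking that the file is well-formed. The channel-file layout, the interpreter that supplies 20 runtime inputs, and the 0xDEADBEEF sentinel standing in for “whatever memory follows the input array” are all assumptions made for the example; the 20-versus-21 field mismatch is the shape of the defect CrowdStrike described in its root cause analysis. The XOR fold stands in for whatever the real interpreter computes from the inputs.

```c
/* Added example: user-space model of a kernel content interpreter.
 * Not CrowdStrike's code. File layout, input count and sentinel are
 * assumptions chosen to make the failure visible without undefined behaviour. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SUPPLIED_INPUTS 20          /* inputs the interpreter was built to pass (assumed) */
#define MAX_FIELDS      32          /* largest field table the file format allows (assumed) */
#define PAST_INPUTS     0xDEADBEEFu /* sentinel: "memory after the real input array" */
#define DEMO_REJECTED   0xFFFFFFFFu /* returned by run() when the loader refuses the file */

/* Constructed channel-file layout: how many fields the template expects,
 * then for each field the index of the runtime input it should read. */
struct channel_file {
    uint8_t field_count;
    uint8_t field_index[MAX_FIELDS];
};

/* Real inputs occupy the first SUPPLIED_INPUTS slots of a larger page; the
 * rest holds the sentinel, so an index past the inputs reads it instead. */
static uint32_t g_input_page[MAX_FIELDS];

void setup_inputs(void)
{
    for (size_t i = 0; i < MAX_FIELDS; i++)
        g_input_page[i] = (i < SUPPLIED_INPUTS) ? (uint32_t)(i + 1) : PAST_INPUTS;
}

/* Structural check only: does the file fit its own format? Both loaders do this. */
static bool well_formed(const struct channel_file *cf)
{
    if (cf->field_count > MAX_FIELDS)
        return false;
    for (size_t i = 0; i < cf->field_count; i++)
        if (cf->field_index[i] >= MAX_FIELDS)
            return false;
    return true;
}

/* Stand-in for the interpreter's real work: combine the referenced inputs. */
static uint32_t fold_fields(const struct channel_file *cf)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < cf->field_count; i++)
        acc ^= g_input_page[cf->field_index[i]];
    return acc;
}

/* Naive loader: "well-formed" is taken to mean "safe to interpret". A file that
 * references an input the interpreter never supplies is accepted and read past
 * the real inputs; in a kernel driver that read is a bug check (blue screen). */
bool interpret_naive(const struct channel_file *cf, uint32_t *out)
{
    if (!well_formed(cf))
        return false;
    *out = fold_fields(cf);
    return true;
}

/* Hardened loader: also check the file against the interpreter that will run
 * it, before a single field is read. */
bool validate_against_interpreter(const struct channel_file *cf, size_t supplied)
{
    if (!well_formed(cf) || cf->field_count > supplied)
        return false;
    for (size_t i = 0; i < cf->field_count; i++)
        if (cf->field_index[i] >= supplied)
            return false;
    return true;
}

bool interpret_safe(const struct channel_file *cf, uint32_t *out)
{
    if (!validate_against_interpreter(cf, SUPPLIED_INPUTS))
        return false;
    *out = fold_fields(cf);
    return true;
}

/* Constructed content: a template that uses fields 0..nfields-1. */
struct channel_file make_file(uint8_t nfields)
{
    struct channel_file cf = {0};
    cf.field_count = nfields > MAX_FIELDS ? MAX_FIELDS : nfields;
    for (uint8_t i = 0; i < cf.field_count; i++)
        cf.field_index[i] = i;
    return cf;
}

/* Run one loader on a constructed file; DEMO_REJECTED means it was refused. */
uint32_t run(bool hardened, uint8_t nfields)
{
    uint32_t v = 0;
    struct channel_file cf = make_file(nfields);
    setup_inputs();
    bool ok = hardened ? interpret_safe(&cf, &v) : interpret_naive(&cf, &v);
    return ok ? v : DEMO_REJECTED;
}

int main(void)
{
    printf("naive, 20 fields: 0x%08X\n", run(false, 20));
    printf("naive, 21 fields: 0x%08X  <- sentinel read past the inputs\n", run(false, 21));
    printf("safe,  21 fields: 0x%08X  <- rejected before interpretation\n", run(true, 21));
    return 0;
}
```

The design point is where the check lives: `well_formed` belongs to the file format and passes the 21-field file, because the file is internally consistent. Only `validate_against_interpreter`, which knows how many inputs this build of the interpreter actually supplies, can reject it, and it must do so before the content is handed to kernel-mode code, since once the bad read happens there is no recovering the machine from inside the driver.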
Exploiting the CrowdStrike Outage
The recent CrowdStrike outage has presented a unique opportunity for cybercriminals to target CrowdStrike customers. Note the mechanism: the attacks reported so far do not exploit the faulty content update itself (the defective file crashes hosts; it does not run attacker code), they use the outage and the scramble to recover from it as a lure to deliver malware, ransomware and other malicious software. Here is a breakdown of the attack vectors being used:
Phishing Campaigns: Cybercriminals are emailing fake recovery manuals to CrowdStrike customers, disguised as official remediation instructions or updates.
- Example: Fake Recovery Manual
Malware Distribution: Likely eCrime actors are using the outage to distribute malware in files and archives named after the Falcon sensor and its hotfix.
- Example: eCrime Actors
Ransomware: Spreading ransomware through fake fixes for the flawed Falcon update.
- Example: Falcon Sensor Issue
Attack Vectors
- Phishing Campaigns: Leveraging the CrowdStrike outage as a lure.
- Malware Distribution: Fake Falcon sensor configuration updates and hotfix packages that carry the payload.
- Ransomware: Aimed at organizations scrambling to recover. The hosts that crashed were Windows machines running Falcon sensor 7.11 and above; 7.11 is a sensor version, not a Windows version.
- Payload Delivery: Malicious archives and installers posing as the content update for Windows hosts.
Recommendations for CISOs to Respond
Security practitioners should remain vigilant: keep all security tools updated, obtain fixes and recovery instructions only from the vendor’s official channels, and monitor content update processes closely to avoid falling victim to these attacks.
CrowdStrike CEO George Kurtz and security experts emphasize the importance of proactive measures and robust cybersecurity practices to mitigate these risks.
Security practitioners should also review their existing security measures and reevaluate their approaches to mitigating these risks. For more information on secure alternatives, visit:
- Why Warden’s Zero Trust Endpoint Defense does not have the same problem as CrowdStrike Falcon
- The risks cybersecurity vendors place their clients’ operations in
This CrowdStrike outage exemplifies the critical need for a proactive and comprehensive approach to cybersecurity to safeguard against evolving threats.
Conclusion of CrowdStrike Architectural Flaws – Future of Cyber Security
While no security solution is perfect, some flaws are too dangerous to ignore. The CrowdStrike catastrophe is a stark reminder that even trusted products can have significant vulnerabilities. As security professionals, it is crucial to remain vigilant and proactive in protecting our enterprises. Ignoring this issue not only puts your organization at risk but could also place you in legal peril.
By addressing these vulnerabilities and complying with regulatory requirements, CISOs and IT Managers can better safeguard their organizations and avoid potential legal consequences. At Cyber Strategy Institute, we are committed to providing the highest level of security through our Warden solution, ensuring that your organization is protected against even the most severe threats.
Also, read more on the broader risks posed by cybersecurity vendors here.