Repercussions of the major IT outage on 19 July 2024
A global IT outage caused significant disruption on Friday 19th July 2024. Organisations impacted included health services, such as the NHS, airlines and broadcasters. It was not the result of a security incident or malicious cyber activity but due to an update to the Windows security platform provided by CrowdStrike.
Increase in phishing
The National Cyber Security Centre has noted “an increase in phishing referencing this outage, as opportunistic malicious actors seek to take advantage of the situation. This may be aimed at both organisations and individuals. Organisations should review NCSC guidance to make sure that multi-layer phishing mitigations are in place, while individuals should be alert to suspicious emails or messages on this topic and know what to look for.”
CrowdStrike publish Preliminary Incident Review
Ahead of a full investigation and analysis, CrowdStrike have published a preliminary review of the fault that caused the outage. It is summarised below:
On Friday, July 19, 2024 at 04:09 UTC, as part of regular operations, CrowdStrike released a content configuration update for the Windows security platform Falcon Sensor.
Earlier testing of similar updates in March this year had led to trust in how such updates were checked.
However, when this update was deployed, it contained ‘problematic content’ which resulted in an unexpected exception that could not be gracefully handled, leading to a Windows operating system crash (BSOD).
The defective content update was reverted on Friday, July 19, 2024 at 05:27 UTC. Systems coming online after this time, or that did not connect during that window, were not impacted.
CrowdStrike have committed to implementing measures to ensure this does not happen again, in the areas of software resiliency and testing, rapid response content deployment, and third-party validation.
In addition to this preliminary Post Incident Review, CrowdStrike will publish the full Root Cause Analysis once the investigation is complete.
An eye opener for the business world?
Guy Golan, CEO and Executive Chairman of global cybersecurity company Performanta said on the day:
“A mistake of this magnitude is an epic failure and a huge eye opener for the cyber world and the business world more broadly. It should not have happened. This appears to have been a failure of process and QA, releasing something that was incorrect, perhaps driven by intense market pressures in the vendor race to have the best and greatest features, or in response to the evolving threat landscape and increased need for detection.
The impact of one vendor by some of the world’s biggest organisations can bring the world to its knees and the repercussions will be unprecedented. It’s going to cost companies billions, it will lead to legal action, and it will affect businesses and users in a way we’ve never seen before. Attackers may have more awareness of who is using CrowdStrike as a result of watching this unfold which could cause further cyber security complications down the road.
This isn’t the fault of one vendor – perhaps market pressures have led to such a catastrophe. More outages should be expected unless organisations of all sizes start to understand that the digital world is just as significant in the 21st century as the physical world. It’s about time we elevated cyber issues to the top of the agenda and understood the full effects of market pressures.”