What happened to CrowdStrike's software was not a cyberattack, but a classic software development incident. CrowdStrike is a reliable company and will likely remain so, provided this system failure does not damage its image and stock price too badly. That is the assessment cyber security expert Christian Daskalov gave to FACTS.
- Mr. Daskalov, how did a hacked CrowdStrike literally drive the world crazy?
- This happened because, when we talk about cyber security, we give such developers unlimited access to our systems. We have files from many different software providers on our computers and on the phones we work with every day, but most of them have far more limited access, and there is no risk of a problem locking up the operating system. What is special about cyber security providers is that this “broken” file has full access to the operating system that governs the work of our computer or smartphone. Accordingly, it can issue all kinds of instructions and confuse that operating system so that it gets stuck on the notorious “blue screen”. To summarize: it is intended and planned that this type of software has unlimited access, and precisely because of this many rules and procedures must be followed during its development, with a special degree of attention to the depth of these development processes, so that something like this cannot happen. But clearly there was a gap in this very software development management process, most likely for the sake of speed of reaction on a particular occasion.
- To put it simply, the program in question was being updated, but there was a bug in the update that messed everything up…
- It was an update to a problematic file that was not sufficiently tested before it was pushed, and which itself served to mediate larger security software updates. That is a minor detail, but I am obliged to clarify it.
- We are used to our phones and so on being updated. Every program wants to update at some point…
- I have to make one clarification here. It would be completely wrong if this incident caused a reaction among users of the type “no, I will not allow updates”. Updates are the surest way to avoid becoming the victim of a cyber attack directed against you as users. That is because every new update aims to make the software more stable and efficient, especially security software, be it antivirus software, a firewall, or any other type of security service. The update ensures that the relevant machines - computers, servers - are up to date with the most current threats and imperfections identified since the last version of the installed software. If we simply say “I don't want to update my Windows”, whether the operating system or a given antivirus program, we expose the user who has refused the update to a high degree of risk.
Now, the problem happened as a result of an update, but that does not mean the right thing to do is to ban or reduce updates.
The chance that similar unintentional or “malicious” accidents happen regularly on our computers is minimal. As users, especially on smartphones, it is good to install as few applications as possible beyond those that are critically needed - for example games, or something that appears as an advertisement and we decide to install. Any such application carries its own risks, because the application accesses our data and is a potential attack vector. If we have downloaded 5 or 10 games, the moment we no longer use them, my advice is to delete them immediately. And to continue about antivirus programs: in no case should you prevent these programs from updating at the first possible moment, because they protect us by updating their databases of known attacks. A “black swan” case is one in a million, but in the other 999,999 cases these updates protect us.
- Banks, media, airports, etc. were affected this time. There has been a lot of confusion, but is this incident already being considered an opportunity for analysis, to avoid similar problems in the future?
- In the future, problems cannot be avoided 100%, but the damage from such problems can be reduced. No one can guarantee that a similar software development incident will not occur tomorrow, or on any other day, at another company: something that has not been sufficiently tested is released and deployed to us. It need not even be through an update - it could be something we are installing for the first time that “breaks” our computer. This risk cannot be avoided, but it is important not to be caught off guard. Every company should have an action plan for crises and emergency situations of this type. Not only from a risk management perspective: we need to know, literally every minute, what is happening at the different levels of our protection. By the way, in this type of crisis, and in managing the consequences of crises that have already occurred, a very important role and help can be provided by artificial intelligence.
Thanks to it, various processes can be largely automated, and artificial intelligence can help us manage better and develop different types of scenarios. For example, at the European digital innovation hub “Thrace”, which provides free cyber security services under the “Digital Europe” programme of the European Commission and the Bulgarian PNIIDIT, we have developed a cyber range through which, with the help of artificial intelligence, we create scenarios for cyber attacks and countermeasures according to the specifics of the environment and system that we virtualize. We are talking about hundreds, if not thousands, of scenarios, depending on the parameters of the attacks we play out, how likely the risk situations are for the companies we analyze, and so on. The other thing we can do to protect ourselves is to diversify our risk. If part of our information assets are on computers or servers running Windows, then it is good for another part of our assets to be on another operating system - say, one of the open Linux distributions. Another example in the same vein: one part of our assets protected with one type of cyber security software and another part with a different one. In this way we avoid the risk of excessive dependence on individual suppliers and possible incidents with them. It is good to diversify risk by diversifying the providers of the various services we use on a daily basis - cloud storage, file sharing, e-mail, etc. Let's not depend on one single supplier in any one area.