One strike and we’re out
- July 22, 2024
- Steve Rogerson
Steve Rogerson reflects on last week’s IT outage.
Oh dear. We spend so much time and effort protecting our devices against viruses and malicious attacks, and what happens? One of those companies – sorry, one of the major companies – that is meant to be on our side in this war does an over-the-air update and crashes the world.
Well, not exactly the world, but just about anything running Windows, and that is a large chunk of the world. OK, rubbish sometimes happens (I cleaned that up), and it isn’t the first time an update has bricked the very things it was meant to protect, but I struggle to remember anything quite on this scale. I am glad I wasn’t flying anywhere last week.
It also makes me feel a little better that I don’t let my iPhone install updates automatically but wait a week or so until enough other people have updated and I know it’s safe. Some have called me overcautious for this, but maybe they won’t in the future. Oh, and I am not being smug because I am tied to the Apple infrastructure, which was not affected; our day will come.
Anyway, enough of that. What do we do going forward? Confidence in automatically letting updates install has never been so low, understandably. But without regular updates, all those devices – from major computers down to edge IoT sensors – are vulnerable to nasty hackers. They must be rubbing their hands with glee.
Unsurprisingly, there has been no shortage of experts emailing me their suggestions and comments, and I suspect there will be more when they get their computers running again.
For example, Mark Grindey, CEO of Zeus Cloud (www.zeuscloud.co.uk), said: “It’s clear that adequate testing for updates should be done in a safe environment before issuing them company-wide.”
Well yeah. That should be a minimum. And one of the big surprises from the outage was that this does not happen as a matter of course.
He went on to say: “Companies should never have auto-updates set in a live environment and always test an update in a safe environment before releasing it live to minimise potential risks. This global outage highlights the need for businesses to not blindly trust their suppliers when it comes to updates before testing first.”
And I agree, to a point, but most companies that use computers do not have the skillset to test updates before they install them. They hire others to handle cyber security for them, companies such as CrowdStrike.
I also received a very long email from cyber-security expert Eric O’Neill (ericoneill.net) who pointed out that CrowdStrike was the very company called in to sort out the SolarWinds attack in which bad actors infiltrated the patch update process. After that, a cyber-crime syndicate deployed a similar attack against Kaseya’s customers.
“Every company should have learned the lesson about controlling updates, especially CrowdStrike, which was called in to solve both the SolarWinds and Kaseya cyber attacks,” said Eric’s email, adding that he hoped this did not undermine confidence in cloud-based security.
Actually Eric, I think on reflection it probably won’t because we do have to trust these people and, as someone pointed out on the radio this morning, most affected companies are by now already up and running and dealing with the backlog. If that really is the worst that can happen, was it that bad?
Finally, one of the highlights of the whole debacle was a picture that went viral online of Mercedes Formula One engineers during free practice for yesterday’s Hungarian Grand Prix staring at blank screens while wearing their team tops clearly showing CrowdStrike as a sponsor. Being a supporter of the rival Red Bull Formula One team, I was particularly amused, though not by the race itself, which saw another type of crash when Mercedes driver Lewis Hamilton unbelievably escaped punishment after he turned into Red Bull’s Max Verstappen (you can tell I’m a fan).
Hamilton, meanwhile, has done it before and I am sure he will do it again. As to CrowdStrike, please don’t do that again.