Already anticipated to be the largest IT outage in history, the recent CrowdStrike Windows meltdown is giving us some valuable lessons in risk mitigation strategies — particularly in the case of software updates. Here are my initial thoughts on this matter based on the information I’ve gathered so far.
First, this is what I know:
- The outage was global, impacting various businesses like banks and stock exchanges, as well as critical infrastructure like airports and hospitals
- It affected Windows devices running CrowdStrike
- It was caused by a CrowdStrike software update
When the WannaCry outbreak happened in 2017, the cybersecurity community emphasized the importance of software updates. You see, WannaCry exploited a vulnerability in the Server Message Block (SMB) protocol, which is present in every Windows system.
Now, a month before WannaCry ensnared hundreds of thousands of computers across the globe, Microsoft had already released a Windows patch that fixed that vulnerability. Had businesses applied the patch before WannaCry reached their systems, the wormlike ransomware couldn’t have caused as much damage.
So, this means it’s imperative to patch as soon as a software update is available, right? Probably not.
The recent IT outage involving CrowdStrike and Windows wasn’t a cyber attack. It was caused by a faulty CrowdStrike software update on Windows installations. That faulty update caused Windows systems to malfunction and display the dreaded “blue screen of death” (BSOD).
I don’t yet know the exact root cause of the issue. All I know is that the outage was caused by the update. Indeed, some software updates — like this one, for example — can go awry. That’s why, before an organization applies a software update, it must first make sure that the update won’t adversely impact operations.
If you’re applying a patch on your own personal device, you probably don’t have to go to great lengths before doing so. However, if that patch is going to be applied across multiple systems in your organization, you must exercise extreme caution. Ideally, you would apply the patch in a test environment first and check whether it causes any issues before rolling it out more widely.
It is, however, worth noting that many software updates are now being pushed automatically. I’m not sure if the CrowdStrike update was pushed automatically, but some software updates are. When you enable auto-updates on your software, your software vendor can push updates without your approval. While this practice is certainly convenient, you shouldn’t be doing it on mission-critical systems.
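To make the two rules above concrete (soak an update in a test ring before promoting it, and never auto-update mission-critical hosts), here is a small ring-based rollout gate. It is an added example written for this post, not code from CrowdStrike or Microsoft; the ring names, host names and crash counts are constructed, and the crash telemetry is assumed to come from whatever endpoint monitoring you already run.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Ring:
    name: str
    hosts: List[str]
    mission_critical: bool = False  # never auto-updated; needs human sign-off

@dataclass
class RolloutResult:
    updated: List[str] = field(default_factory=list)
    held: List[str] = field(default_factory=list)
    halted_at: Optional[str] = None  # ring whose soak window failed, if any

def run_rollout(rings: List[Ring], crash_reports: Dict[str, int],
                max_crash_rate: float = 0.0) -> RolloutResult:
    """Apply an update ring by ring. crash_reports maps host -> number of
    BSOD/crash events seen during that ring's soak window (constructed
    telemetry here). A ring whose crash rate exceeds max_crash_rate stops
    the rollout so later rings never receive the bad build."""
    result = RolloutResult()
    for ring in rings:
        if ring.mission_critical:
            result.held.extend(ring.hosts)  # queue for manual approval only
            continue
        result.updated.extend(ring.hosts)
        crashed = [h for h in ring.hosts if crash_reports.get(h, 0) > 0]
        if len(crashed) / len(ring.hosts) > max_crash_rate:
            result.halted_at = ring.name
            break
    return result

# Constructed rings: lab first, then a small pilot, then the general fleet,
# with the mission-critical hosts held back from any automatic push.
RINGS = [
    Ring("test", ["lab-win-01", "lab-win-02", "lab-win-03"]),
    Ring("pilot", ["hr-ws-01", "hr-ws-02", "fin-ws-01", "fin-ws-02"]),
    Ring("prod-general", ["prod-web-01", "prod-web-02", "prod-db-01"]),
    Ring("prod-critical", ["icu-server-01", "trading-gw-01"], mission_critical=True),
]
CLEAN_TELEMETRY: Dict[str, int] = {}                 # no crashes anywhere
BAD_TELEMETRY: Dict[str, int] = {"hr-ws-02": 1}      # one pilot host blue-screens

if __name__ == "__main__":
    for label, telemetry in (("clean", CLEAN_TELEMETRY), ("bad", BAD_TELEMETRY)):
        r = run_rollout(RINGS, telemetry)
        print(label, "updated:", r.updated, "held:", r.held, "halted_at:", r.halted_at)
```

With the clean telemetry the update reaches every non-critical ring and the critical hosts wait for sign-off; with one crash in the pilot ring the rollout halts before prod-general is touched.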
So, to clarify before I end this quick blog post: patching is very important. Many of these patches contain security updates that fix critical software vulnerabilities. However, before you patch, you must ensure that the patch won’t cause any business-impacting issues.