A number of people who were quoted regarding the CrowdStrike incident took pains to point out that it wasn’t caused by a “cyberattack”, by which they probably meant that it hadn’t been caused by the deliberate actions of an attacker. The implication is that if a very damaging cyber incident was caused by the inadvertent actions of someone with no malicious intent, that somehow makes it more tolerable than if the bad guys had caused it intentionally.
However, such statements reflect a fundamental misunderstanding of cybersecurity threat sources and vulnerabilities. Any person or thing that can damage cyber systems is a cyber threat source; it doesn’t matter whether the damage is intentional or unintentional. And any situation that could enable the threat source to succeed in causing damage is a vulnerability.
It’s almost certainly true that whoever is responsible for the fact that Friday’s (or Thursday night’s) CrowdStrike update wasn’t adequately tested (I’m assuming that’s the root cause of the problem, even though there was clearly also some technical cause) didn’t intend to cause any damage. But the ultimate effect of this lack of testing could never be distinguished a priori from an attack launched by the most vicious North Korean threat group.
In this case, the threat source was perhaps rushed preparation by CrowdStrike staff members. The vulnerability was perhaps the fact that what might have been just an ordinary mistake in an update was greatly magnified by the fact that CrowdStrike runs at a high privilege level within Windows systems. Perhaps this privilege level needs to be looked at as the cybersecurity community searches for lessons to be learned.
But both the threat source and the vulnerability need to be investigated just as seriously as the threat source (Russia) and vulnerability (lack of detective controls in the CI/CD pipeline) involved in the SolarWinds attack. In fact, by far the best examination of the SolarWinds attack was conducted by… CrowdStrike!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
I lead the OWASP SBOM Forum and its Vulnerability Database Working Group. These two groups work to understand and address issues like what’s discussed in this post; please email me to learn more about what we do or to join us. You can also support our work through easy directed donations to OWASP, a 501(c)(3) nonprofit. Please email me to discuss that.
My book "Introduction to SBOM and VEX" is available in paperback and Kindle versions! For background on the book and the link to order it, see this post.