‘Who watches the watchmen?’
So asked the Roman poet Juvenal, and it’s a question we’re bound to return to again and again in the world of cyber security. And we’re right to. Because even experts in their field make mistakes, fail to follow processes and just plain muck up.
You’ll know by now we’re going to talk about CrowdStrike. Our first story is an enlightening postmortem of July’s global IT outage. Our second story reveals a ‘system failure’ in recruitment at a cyber security specialist that could have led to disaster.
What connects these incidents is a failure of due diligence. Examining and reevaluating our processes, and checking they are fit for purpose, are fundamentals we must all follow.
But especially our cyber security providers.
Bugs within bugs – the true story behind CrowdStrike’s epic failure
Details have emerged about the CrowdStrike security update meltdown of 19 July – and at the heart of the problem was a catastrophic quality-control failure.
The global outage occurred because the cyber security firm shipped a routine content update for its Falcon sensor that contained a defect. This shouldn’t happen – it’s a 101 of cyber security that every update is tested before it reaches production. CrowdStrike did have such checks in place and did run them. But here’s the sting in the tail – the content validator that checks these updates ALSO HAD A BUG, so the faulty file passed validation. And because content updates of this kind went out to every host at once rather than in stages, there was no second chance to catch it before it crashed machines worldwide.
Shareholders, clients and even the US House of Representatives Homeland Security Committee are asking CrowdStrike CEO George Kurtz some tough questions.
Due diligence and rigorous testing are among the key takeaways from the fiasco. At Intersys, we have always put these risk management fundamentals at the heart of our cyber security strategy. None of our managed service customers were affected by CrowdStrike’s fatal Friday.
A final word from Head of Security Jake Ives. ‘This really reiterates how important it is to test and stage the deployment of updates. Considering the damage this caused globally, I think it’s fair to say that the entire industry learned a lesson.’
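What ‘test and stage’ looks like in practice, as an added illustration that is not CrowdStrike’s code and makes no claim about the real file format, validator or fleet. The update format, the deliberately buggy validator, the stand-in sensor and the ring sizes are all constructed. The point it shows is that a validator bug is survivable when a ring-based rollout with a health gate sits behind it: the bad file still passes validation, but it stops at the canary ring instead of reaching every host.

```python
"""Added illustration (constructed, not CrowdStrike's code): a buggy pre-release
validator lets a malformed content update through, but a staged rollout with a
per-ring health gate halts it after the canaries."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ContentUpdate:
    """Constructed stand-in for a content file pushed to endpoint agents.
    Each rule is a (pattern, action) pair; None stands in for a malformed value."""
    name: str
    rules: tuple


def buggy_validator(update: ContentUpdate) -> bool:
    """Pre-release quality check with a deliberate, illustrative bug: it checks the
    shape of the file (non-empty, every rule has two members) but never inspects
    the values, so a rule whose pattern is None passes."""
    return bool(update.rules) and all(len(rule) == 2 for rule in update.rules)


def sensor_loads(host: str, update: ContentUpdate) -> bool:
    """Stand-in endpoint agent. Returns False (the host 'crashes') if any rule is
    malformed. The host name is unused here; real health signals are per host."""
    return all(pattern is not None and action is not None
               for pattern, action in update.rules)


def staged_rollout(
    update: ContentUpdate,
    rings: List[List[str]],
    health: Callable[[str, ContentUpdate], bool] = sensor_loads,
    max_failure_rate: float = 0.0,
) -> Tuple[List[str], Optional[int]]:
    """Push the update one ring at a time, canaries first. After each ring, measure
    the failure rate and stop promoting as soon as it exceeds the threshold.
    Returns (hosts that received the update, index of the ring that halted it, or
    None if every ring passed)."""
    deployed: List[str] = []
    for index, ring in enumerate(rings):
        deployed.extend(ring)
        failures = sum(1 for host in ring if not health(host, update))
        if failures / len(ring) > max_failure_rate:
            return deployed, index  # halt: the next ring never gets the file
    return deployed, None


def big_bang_rollout(
    update: ContentUpdate,
    rings: List[List[str]],
    health: Callable[[str, ContentUpdate], bool] = sensor_loads,
) -> Tuple[List[str], int]:
    """The alternative: every host at once. Returns (all hosts, number that failed)."""
    hosts = [host for ring in rings for host in ring]
    return hosts, sum(1 for host in hosts if not health(host, update))


# Constructed fleet: 3 canary hosts, 50 early adopters, 8000 in the main ring.
RINGS = [
    [f"canary-{i}" for i in range(3)],
    [f"early-{i}" for i in range(50)],
    [f"fleet-{i}" for i in range(8000)],
]

GOOD = ContentUpdate("good", ((r"evil\.exe", "block"), (r"dropper\.dll", "alert")))
BAD = ContentUpdate("bad", ((r"evil\.exe", "block"), (None, "block")))  # malformed rule


if __name__ == "__main__":
    for update in (GOOD, BAD):
        verdict = "PASS" if buggy_validator(update) else "FAIL"
        print(f"{update.name}: validator says {verdict}")
        if not buggy_validator(update):
            continue
        hosts, failed = big_bang_rollout(update, RINGS)
        print(f"  big bang: {failed} of {len(hosts)} hosts down")
        deployed, halted = staged_rollout(update, RINGS)
        down = sum(1 for host in deployed if not sensor_loads(host, update))
        print(f"  staged:   {down} of {len(deployed)} hosts down, halted at ring {halted}")
```

The threshold is deliberately zero: for an agent that runs in the kernel, a single crashed canary is enough reason to stop. In a real pipeline the health signal would come from telemetry (heartbeats, crash reports) rather than a function call, and the canary ring would be the vendor’s own machines before any customer’s.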
‘Hey, North Korean agent, welcome to our cyber security team!’ 🙌
Who are your employees? No, not names and job titles. Who are they really?
The following is a salutary tale for all of us in the business of cyber security. And it’s got everything a good HR horror story requires: fake identities, rogue states and skulduggery.
It all started when cyber security media company KnowBe4 was scouting for a new software engineer for their internal IT AI team. Their ideal candidate had successfully passed background checks and submitted verified references.
Job done.
So KnowBe4 sent out a Mac computer for the new hire to start working remotely.
Then things started getting fishy. The new computer/user immediately started to load malware, manipulate session history files, transfer potentially harmful files and execute unauthorised software.
When KnowBe4’s security team investigated, they found that the suspicious activities ‘…may have been intentional by the user and suspected he may be an insider threat/nation-state actor’.
KnowBe4 brought in incident response firm Mandiant and the FBI to substantiate their findings. It turned out that the new employee had applied using a stolen US-based identity, with an AI-manipulated stock photo in place of a real headshot.
The individual is suspected to be part of a fake IT worker scheme in which hostile state actors embed themselves within Western organisations. They then either carry out espionage or simply work for the company to, in KnowBe4’s words, ‘…get paid well and give a large amount to North Korea to fund their illegal programs.’
KnowBe4 is urging organisations to improve their vetting processes for new hires. Recommended measures include not relying solely on email references, making sure new team members are physically where they are supposed to be, continuous security monitoring, and coordination between HR and security teams.
KnowBe4 has clarified that no illegal access was gained and no data compromised as a result of this infiltration. But they are calling it an ‘organisational learning moment.’
A phrase they presumably put together while wiping ice-cold beads of sweat from their brows.
The rogue ‘employee’ finally became unresponsive and was never traced. The FBI is actively investigating the incident…
Operation Power Off shuts down cyber gangs
Operation Power Off is an ongoing joint operation between American, British and European law enforcement to shut down ‘booter/stresser’ services that sell distributed denial-of-service (DDoS) attacks for hire.
A DDoS attack floods a website, online service or server with traffic from many sources until legitimate users can no longer reach it. Booter/stresser services are the cyber crime equivalent of Amazon: anyone with a grudge and a few pounds can order such an attack within minutes, no technical skill required.
As part of Operation Power Off, the National Crime Agency recently shut down a booter service called DigitalStress. Anyone who now browses to the site is met with a landing page stating that the domain has been seized. Police are also analysing the website’s data to identify its users. The takedown appears to be linked to the arrest earlier this month, by the Police Service of Northern Ireland (PSNI), of a suspected DigitalStress administrator.
The current operation is the latest in a series of wins that have seen several ‘booter’ services taken down over the last few years.