Letter from the CISO, Vol 4 Issue 2
Washington University Community:
Last Friday, all the news was about the millions of Windows computers around the world that had been taken down by a flawed CrowdStrike file update.
Starting in the wee hours of Friday morning, systems administrators and computer users everywhere were struggling to boot their computer into safe mode, delete the offending file (C-00000291*.sys), and reboot again.
Matters were complicated by the need for a BitLocker key and an administrative password.
Which brings us to Cyber Hygiene…
In my column last August on “Who’s your Cyber Security Buddy,” I wrote about the importance of cyber hygiene, and how we all need to help one another achieve it.
Not only do Cyber Security Buddies act as “Wing Persons” to make sure you aren’t taken advantage of, but they also help you check your cyber hygiene. If your shirt clashes with your pants or you’re wearing too much cologne, a buddy lets you know. It takes a little more sharing, but if your cyber hygiene isn’t good enough, a cyber buddy will let you know that too.
In the August 2023 column, I gave a prioritized list of cyber hygiene concerns:
- Using 2-factor Authentication everywhere you can, but especially for email accounts, Apple iTunes or Google accounts, bank accounts, and cell phone service accounts – July 2021
- Using passphrases & password managers – July 2021
- Being vigilant, skeptical, and a little paranoid – August 2021
- Protecting physical security – September 2021
- Backing up important files – October 2021
- Enabling Find My Device service – November 2021
- Turning on automatic updates for everything – December 2021
- Privacy and security – January 2022
- Only using App Store & Play Store apps – February 2022
- Managing devices, including replacing them when they are no longer supported – March 2022
These cyber hygiene practices will protect you from most cyber security disasters.
How would they have helped with the CrowdStrike problem?
Since CrowdStrike is a system used by companies to protect company computers from malicious actors, there’s nothing anyone (outside of CrowdStrike) could have done to prevent Friday’s disaster.
However, once it occurred, companies with good cyber hygiene were able to recover more quickly and completely than others.
Most importantly, having the administrator password for affected computers was essential. Most companies didn’t have much trouble with this, but if administration was highly decentralized, the use of password managers, per #2, could have helped.
Secondly, many companies had difficulty finding and distributing the BitLocker keys needed to boot the computer in Safe Mode. BitLocker keys are essentially very long passwords, and good hygiene requires them to be stored securely. While there are many options for where to store them securely, for decentralized organizations, the secrets or notes vault in a Password Manager is a great place to store these keys as well.
Third, if you don’t have your BitLocker key, #5, backing up important files, is critically important because then you can simply wipe your whole computer and start over. It’s a giant pain, but it protects you from losing everything.
Lastly, #3, being vigilant, skeptical, and a little paranoid goes a long way toward protecting you from the onslaught of phishing attacks and fake websites designed to lure in people looking for solutions to their CrowdStrike problem.
Many users took to Google, Bing, and DuckDuckGo searches in hopes of finding a solution. Unfortunately, opportunistic cybercriminals broke speed records setting up new websites with Google advertisements to exploit the chaos by promising help to those affected. A cybersecurity researcher identified websites with names like crowdstriketoken[.]com, crowdstrikedown[.]site, crowdstrikefix[.]com, and more that were created to install a range of malware tools or steal login credentials.
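As an added illustration (not part of the column) of how an IT team can catch the lookalike names described above, the Python below scans DNS query logs for names that embed the vendor brand but are not under its legitimate domain. The allowlist (crowdstrike.com), the log format and the log lines are assumptions constructed for the example.

```python
import re

# Assumed allowlist (not from the column): the vendor's legitimate registrable domain.
LEGITIMATE_DOMAINS = {"crowdstrike.com"}
BRAND = "crowdstrike"

# Constructed DNS log sample (not real data) in a simple key=value format.
SAMPLE_DNS_LOG = """\
2024-07-19T06:12:03Z client=10.0.4.12 query=crowdstriketoken.com type=A
2024-07-19T06:12:09Z client=10.0.4.12 query=falcon.crowdstrike.com type=A
2024-07-19T06:13:41Z client=10.0.4.30 query=crowdstrikedown.site type=A
2024-07-19T06:14:02Z client=10.0.4.30 query=www.wustl.edu type=A
2024-07-19T06:15:55Z client=10.0.4.51 query=crowdstrikefix.com type=A
"""

LOG_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def normalize(host: str) -> str:
    """Refang '[.]', lower-case, drop a trailing dot, undo common digit-for-letter swaps."""
    h = host.lower().replace("[.]", ".").rstrip(".")
    return h.translate(str.maketrans({"0": "o", "1": "l", "3": "e"}))


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (no public-suffix list, so it runs offline)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_lookalike(host: str) -> bool:
    """True when the name embeds the brand but is neither the legitimate domain nor a subdomain of it."""
    h = normalize(host)
    if registrable_domain(h) in LEGITIMATE_DOMAINS:
        return False
    return BRAND in h.replace("-", "")


def flag_queries(log_text: str) -> list[tuple[str, str]]:
    """Return (client, queried name) pairs whose name looks like a brand impersonation."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m and is_lookalike(m["query"]):
            hits.append((m["client"], m["query"]))
    return hits


if __name__ == "__main__":
    for client, name in flag_queries(SAMPLE_DNS_LOG):
        print(f"{client} queried suspicious name {name}")
```

A hit is a prompt to reach the user before they follow a search-engine "fix", not proof of compromise; legitimate subdomains of the allowlisted domain are never flagged.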
In the case involving CrowdStrike, the best course of action is to get instructions from your IT organization, and if you are the IT organization, read the official CrowdStrike guidance.
Call to action
It’s summer, so I’ll return to my call for action from last August – get a Cyber Security Buddy and help one another. See “Who’s your Cyber Security Buddy” for details.
Just as I learned at summer camp many years ago, don’t go swimming without a buddy, and don’t compute without a cyber security buddy.
If you need help with any of these ideas, please contact the Office of Information Security at infosec@wustl.edu.
Thank you for reading my column and for being a member of the university’s Information Security team!
Good luck, and be careful out there!
-Chris Shull, CISO