CrowdStrike的漏洞破壞性巨大,沒(méi)有簡(jiǎn)單的解決辦法
SHARON GOLDMAN
2024-07-23
圖片來(lái)源:SELCUK ACAR/ANADOLU VIA GETTY IMAGES
7月19日凌晨4點(diǎn),當(dāng)邁克爾·阿默(Michael Armer)的手機(jī)被打爆時(shí),他“感到驚慌失措”。阿默是RingCentral的首席信息安全官,他收到了關(guān)于一場(chǎng)令人震驚的計(jì)算機(jī)故障的通知,這場(chǎng)故障像多米諾骨牌一樣導(dǎo)致機(jī)場(chǎng)、銀行和醫(yī)院的技術(shù)系統(tǒng)紛紛癱瘓。
混亂的范圍引發(fā)了人們對(duì)重大網(wǎng)絡(luò)安全漏洞或國(guó)家支持的攻擊的擔(dān)憂。阿默說(shuō):“這足以讓你血脈僨張。”
事實(shí)證明,這次大規(guī)模的計(jì)算機(jī)故障并非邪惡黑客所為,而是安全公司CrowdStrike在例行軟件更新中出現(xiàn)故障的結(jié)果。阿默在談到CrowdStrike的更新故障時(shí)說(shuō):“我們都很幸運(yùn),這與他們的標(biāo)準(zhǔn)化和自動(dòng)化軟件部署有關(guān)。”
不過(guò),在慶幸這次破壞不是網(wǎng)絡(luò)攻擊的同時(shí),這次事件也凸顯了現(xiàn)代社會(huì)所依賴的技術(shù)的脆弱性和可怕的互聯(lián)性,以及當(dāng)今錯(cuò)綜復(fù)雜的軟件更新系統(tǒng)所帶來(lái)的危險(xiǎn)程度。安全專(zhuān)家表示,即使是規(guī)模最大的企業(yè)也會(huì)讓員工不堪重負(fù),并迫使他們不斷進(jìn)行風(fēng)險(xiǎn)權(quán)衡的艱難抉擇。
補(bǔ)丁的問(wèn)題
當(dāng)檢測(cè)到威脅時(shí),CrowdStrike等安全軟件會(huì)提供“補(bǔ)丁”或軟件更新。鑒于探測(cè)公司系統(tǒng)并設(shè)計(jì)新攻擊路線的黑客數(shù)量之多,對(duì)補(bǔ)丁的需求是持續(xù)不斷的,有時(shí)甚至一天數(shù)次。各企業(yè)行動(dòng)迅速,通常會(huì)自動(dòng)進(jìn)行這些更新,以確保其防護(hù)盾沒(méi)有漏洞。
問(wèn)題是,新軟件就像未經(jīng)測(cè)試的藥物——每一行新代碼都可能有漏洞或缺陷,從而導(dǎo)致問(wèn)題、意想不到的副作用,以及與其他軟件的危險(xiǎn)交互。在理想情況下,公司會(huì)花時(shí)間測(cè)試每個(gè)軟件更新,然后再將其部署到所有計(jì)算機(jī)上。
紐約一家頂級(jí)律師事務(wù)所的首席信息安全官表示:“這確實(shí)是一個(gè)棘手的難題,你無(wú)法跟上黑客的數(shù)量。有時(shí),你必須發(fā)布安全補(bǔ)丁,原因是它很關(guān)鍵,而供應(yīng)商一直在緊盯著你,你根本無(wú)法對(duì)它進(jìn)行[測(cè)試]。有時(shí)24小時(shí)內(nèi)會(huì)有幾次更新,這樣你就會(huì)陷入反復(fù)測(cè)試的怪圈,永遠(yuǎn)無(wú)法完成測(cè)試。”
對(duì)于許多內(nèi)部安全團(tuán)隊(duì)來(lái)說(shuō),這意味著要在速度和風(fēng)險(xiǎn)之間取得平衡。軟件供應(yīng)鏈平臺(tái)捷蛙科技(JFrog)的首席信息安全官保羅·戴維斯(Paul Davis)表示:“防病毒產(chǎn)品每天都要推出多次更新,因?yàn)樵谀撤N程度上,我們已將其逼入絕境。它們檢測(cè)軟件或惡意活動(dòng)的反應(yīng)速度越快,就越有優(yōu)勢(shì)。因此,在這種情況下,每天進(jìn)行多次測(cè)試的要求變得非常繁重。”
他說(shuō),真正的挑戰(zhàn)是如何保護(hù)企業(yè)應(yīng)對(duì)可能在數(shù)小時(shí)甚至數(shù)分鐘內(nèi)傳播的網(wǎng)絡(luò)安全威脅,同時(shí)確保這些軟件更新經(jīng)過(guò)測(cè)試。“我們必須測(cè)試軟件的基本功能,但我們依靠這些自動(dòng)更新來(lái)確保安全,這幾乎就像是一種經(jīng)過(guò)計(jì)算的風(fēng)險(xiǎn)。”
對(duì)每臺(tái)受影響的計(jì)算機(jī)進(jìn)行現(xiàn)場(chǎng)心肺復(fù)蘇術(shù)
這家位于紐約的律師事務(wù)所使用了來(lái)自不同供應(yīng)商的30多種獨(dú)立安全工具,這些工具可在筆記本電腦、臺(tái)式機(jī)或服務(wù)器上運(yùn)行。通常情況下,如果更新導(dǎo)致問(wèn)題,軟件供應(yīng)商會(huì)部署一個(gè)修復(fù)程序,企業(yè)可以在同一天內(nèi)迅速將其推送到數(shù)千臺(tái)計(jì)算機(jī)上。
但由于CrowdStrike漏洞的性質(zhì),這是無(wú)法實(shí)現(xiàn)的。該漏洞導(dǎo)致運(yùn)行微軟(Microsoft)Windows系統(tǒng)的電腦死機(jī),并顯示可怕的“藍(lán)屏死機(jī)”。受影響的系統(tǒng)需要一個(gè)接一個(gè)地恢復(fù)正常。
紐約律師事務(wù)所的首席信息安全官解釋說(shuō):“你必須親自走到每臺(tái)電腦前,關(guān)掉電源,然后再開(kāi)機(jī),當(dāng)屏幕亮起時(shí),你必須按F3鍵進(jìn)入所謂的安全模式,然后去刪除在某個(gè)位置存放文件。這簡(jiǎn)直就是一場(chǎng)噩夢(mèng)。”
然而,一些首席信息安全官將大部分責(zé)任歸咎于微軟,而不是Crowdstrike,甚至盡可能避免使用Windows。一家中型人工智能公司的首席信息安全官表示:“在硅谷,科技公司傾向于避免使用Windows。”由于討論安全功能緩解措施的敏感性,他要求匿名。他說(shuō),這是因?yàn)閃indows核心架構(gòu)的設(shè)計(jì)導(dǎo)致了惡意軟件、間諜軟件以及今天因Crowdstrike漏洞更新而出現(xiàn)的驅(qū)動(dòng)程序不穩(wěn)定。
他說(shuō):“CrowdStrike無(wú)疑需要進(jìn)行流程改進(jìn),但在2024年不應(yīng)該出現(xiàn)內(nèi)核(核心架構(gòu))被第三方破壞穩(wěn)定性的情況。從安全的角度來(lái)看,微軟今年的表現(xiàn)很糟糕,必須贏得生態(tài)系統(tǒng)的信任。”微軟沒(méi)有回應(yīng)置評(píng)請(qǐng)求,只是指出了關(guān)于此次故障的聲明。
CrowdStrike首席執(zhí)行官喬治·庫(kù)爾茨(George Kurtz)7月19日在網(wǎng)上發(fā)表聲明,為這一事件道歉,他說(shuō)此次事件涉及到“Windows主機(jī)的內(nèi)容更新”,并指出Mac和Linux主機(jī)不受影響。
“CrowdStrike的全體員工都明白這一事件的嚴(yán)重性和影響。我們迅速查明了問(wèn)題所在,并部署了修復(fù)程序,從而能夠?qū)W⒂诨謴?fù)客戶系統(tǒng),這是我們的首要任務(wù)。”
事后分析
捷蛙科技的戴維斯反駁了一般企業(yè)可以不使用 Windows 的觀點(diǎn)。他說(shuō):“Windows仍然是占主導(dǎo)地位的操作系統(tǒng)。當(dāng)你加入一家公司時(shí),(通常)會(huì)提供給你一臺(tái)Windows電腦或Mac電腦。”
身份安全公司Silverfort的首席信息安全官約翰·保羅·坎寧安(John Paul Cunningham)表示,7月19日的宕機(jī)事件應(yīng)該給企業(yè)敲響警鐘,讓企業(yè)對(duì)自動(dòng)軟件更新更加謹(jǐn)慎。在坎寧安看來(lái),并非所有的威脅都是一樣的,企業(yè)需要更加謹(jǐn)慎,不要總是默認(rèn)進(jìn)行自動(dòng)更新。
他表示:“像CrowdStrike這樣的公司經(jīng)常建議進(jìn)行自動(dòng)更新,但是這一前提是使用最新版本的產(chǎn)品更安全。”但他說(shuō),公司可以在推送之前花更多時(shí)間測(cè)試,即使這需要多花點(diǎn)功夫。“只要安全團(tuán)隊(duì)知道有更新,他們就可以手動(dòng)推送,而更新本身仍是自動(dòng)進(jìn)行的。”
RingCentral的阿默表示,對(duì)于大多數(shù)網(wǎng)絡(luò)安全領(lǐng)導(dǎo)者來(lái)說(shuō),如何在風(fēng)險(xiǎn)和速度之間以及各大操作系統(tǒng)之間取得平衡,需要進(jìn)行一些事后分析和決策。
雖然進(jìn)行軟件更新很重要,但他指出,公司也應(yīng)慶幸7月19日的宕機(jī)沒(méi)有帶來(lái)更糟糕的后果。他說(shuō):“我個(gè)人很慶幸,這不是一次國(guó)家支持的攻擊。”(財(cái)富中文網(wǎng))
譯者:中慧言-王芳
7月19日凌晨4點(diǎn),當(dāng)邁克爾·阿默(Michael Armer)的手機(jī)被打爆時(shí),他“感到驚慌失措”。阿默是RingCentral的首席信息安全官,他收到了關(guān)于一場(chǎng)令人震驚的計(jì)算機(jī)故障的通知,這場(chǎng)故障像多米諾骨牌一樣導(dǎo)致機(jī)場(chǎng)、銀行和醫(yī)院的技術(shù)系統(tǒng)紛紛癱瘓。
混亂的范圍引發(fā)了人們對(duì)重大網(wǎng)絡(luò)安全漏洞或國(guó)家支持的攻擊的擔(dān)憂。阿默說(shuō):“這足以讓你血脈僨張。”
事實(shí)證明,這次大規(guī)模的計(jì)算機(jī)故障并非邪惡黑客所為,而是安全公司CrowdStrike在例行軟件更新中出現(xiàn)故障的結(jié)果。阿默在談到CrowdStrike的更新故障時(shí)說(shuō):“我們都很幸運(yùn),這與他們的標(biāo)準(zhǔn)化和自動(dòng)化軟件部署有關(guān)。”
不過(guò),在慶幸這次破壞不是網(wǎng)絡(luò)攻擊的同時(shí),這次事件也凸顯了現(xiàn)代社會(huì)所依賴的技術(shù)的脆弱性和可怕的互聯(lián)性,以及當(dāng)今錯(cuò)綜復(fù)雜的軟件更新系統(tǒng)所帶來(lái)的危險(xiǎn)程度。安全專(zhuān)家表示,即使是規(guī)模最大的企業(yè)也會(huì)讓員工不堪重負(fù),并迫使他們不斷進(jìn)行風(fēng)險(xiǎn)權(quán)衡的艱難抉擇。
補(bǔ)丁的問(wèn)題
當(dāng)檢測(cè)到威脅時(shí),CrowdStrike等安全軟件會(huì)提供“補(bǔ)丁”或軟件更新。鑒于探測(cè)公司系統(tǒng)并設(shè)計(jì)新攻擊路線的黑客數(shù)量之多,對(duì)補(bǔ)丁的需求是持續(xù)不斷的,有時(shí)甚至一天數(shù)次。各企業(yè)行動(dòng)迅速,通常會(huì)自動(dòng)進(jìn)行這些更新,以確保其防護(hù)盾沒(méi)有漏洞。
問(wèn)題是,新軟件就像未經(jīng)測(cè)試的藥物——每一行新代碼都可能有漏洞或缺陷,從而導(dǎo)致問(wèn)題、意想不到的副作用,以及與其他軟件的危險(xiǎn)交互。在理想情況下,公司會(huì)花時(shí)間測(cè)試每個(gè)軟件更新,然后再將其部署到所有計(jì)算機(jī)上。
紐約一家頂級(jí)律師事務(wù)所的首席信息安全官表示:“這確實(shí)是一個(gè)棘手的難題,你無(wú)法跟上黑客的數(shù)量。有時(shí),你必須發(fā)布安全補(bǔ)丁,原因是它很關(guān)鍵,而供應(yīng)商一直在緊盯著你,你根本無(wú)法對(duì)它進(jìn)行[測(cè)試]。有時(shí)24小時(shí)內(nèi)會(huì)有幾次更新,這樣你就會(huì)陷入反復(fù)測(cè)試的怪圈,永遠(yuǎn)無(wú)法完成測(cè)試。”
對(duì)于許多內(nèi)部安全團(tuán)隊(duì)來(lái)說(shuō),這意味著要在速度和風(fēng)險(xiǎn)之間取得平衡。軟件供應(yīng)鏈平臺(tái)捷蛙科技(JFrog)的首席信息安全官保羅·戴維斯(Paul Davis)表示:“防病毒產(chǎn)品每天都要推出多次更新,因?yàn)樵谀撤N程度上,我們已將其逼入絕境。它們檢測(cè)軟件或惡意活動(dòng)的反應(yīng)速度越快,就越有優(yōu)勢(shì)。因此,在這種情況下,每天進(jìn)行多次測(cè)試的要求變得非常繁重。”
他說(shuō),真正的挑戰(zhàn)是如何保護(hù)企業(yè)應(yīng)對(duì)可能在數(shù)小時(shí)甚至數(shù)分鐘內(nèi)傳播的網(wǎng)絡(luò)安全威脅,同時(shí)確保這些軟件更新經(jīng)過(guò)測(cè)試。“我們必須測(cè)試軟件的基本功能,但我們依靠這些自動(dòng)更新來(lái)確保安全,這幾乎就像是一種經(jīng)過(guò)計(jì)算的風(fēng)險(xiǎn)。”
對(duì)每臺(tái)受影響的計(jì)算機(jī)進(jìn)行現(xiàn)場(chǎng)心肺復(fù)蘇術(shù)
這家位于紐約的律師事務(wù)所使用了來(lái)自不同供應(yīng)商的30多種獨(dú)立安全工具,這些工具可在筆記本電腦、臺(tái)式機(jī)或服務(wù)器上運(yùn)行。通常情況下,如果更新導(dǎo)致問(wèn)題,軟件供應(yīng)商會(huì)部署一個(gè)修復(fù)程序,企業(yè)可以在同一天內(nèi)迅速將其推送到數(shù)千臺(tái)計(jì)算機(jī)上。
但由于CrowdStrike漏洞的性質(zhì),這是無(wú)法實(shí)現(xiàn)的。該漏洞導(dǎo)致運(yùn)行微軟(Microsoft)Windows系統(tǒng)的電腦死機(jī),并顯示可怕的“藍(lán)屏死機(jī)”。受影響的系統(tǒng)需要一個(gè)接一個(gè)地恢復(fù)正常。
紐約律師事務(wù)所的首席信息安全官解釋說(shuō):“你必須親自走到每臺(tái)電腦前,關(guān)掉電源,然后再開(kāi)機(jī),當(dāng)屏幕亮起時(shí),你必須按F3鍵進(jìn)入所謂的安全模式,然后去刪除在某個(gè)位置存放文件。這簡(jiǎn)直就是一場(chǎng)噩夢(mèng)。”
然而,一些首席信息安全官將大部分責(zé)任歸咎于微軟,而不是Crowdstrike,甚至盡可能避免使用Windows。一家中型人工智能公司的首席信息安全官表示:“在硅谷,科技公司傾向于避免使用Windows。”由于討論安全功能緩解措施的敏感性,他要求匿名。他說(shuō),這是因?yàn)閃indows核心架構(gòu)的設(shè)計(jì)導(dǎo)致了惡意軟件、間諜軟件以及今天因Crowdstrike漏洞更新而出現(xiàn)的驅(qū)動(dòng)程序不穩(wěn)定。
他說(shuō):“CrowdStrike無(wú)疑需要進(jìn)行流程改進(jìn),但在2024年不應(yīng)該出現(xiàn)內(nèi)核(核心架構(gòu))被第三方破壞穩(wěn)定性的情況。從安全的角度來(lái)看,微軟今年的表現(xiàn)很糟糕,必須贏得生態(tài)系統(tǒng)的信任。”微軟沒(méi)有回應(yīng)置評(píng)請(qǐng)求,只是指出了關(guān)于此次故障的聲明。
CrowdStrike首席執(zhí)行官喬治·庫(kù)爾茨(George Kurtz)7月19日在網(wǎng)上發(fā)表聲明,為這一事件道歉,他說(shuō)此次事件涉及到“Windows主機(jī)的內(nèi)容更新”,并指出Mac和Linux主機(jī)不受影響。
“CrowdStrike的全體員工都明白這一事件的嚴(yán)重性和影響。我們迅速查明了問(wèn)題所在,并部署了修復(fù)程序,從而能夠?qū)W⒂诨謴?fù)客戶系統(tǒng),這是我們的首要任務(wù)。”
事后分析
捷蛙科技的戴維斯反駁了一般企業(yè)可以不使用 Windows 的觀點(diǎn)。他說(shuō):“Windows仍然是占主導(dǎo)地位的操作系統(tǒng)。當(dāng)你加入一家公司時(shí),(通常)會(huì)提供給你一臺(tái)Windows電腦或Mac電腦。”
身份安全公司Silverfort的首席信息安全官約翰·保羅·坎寧安(John Paul Cunningham)表示,7月19日的宕機(jī)事件應(yīng)該給企業(yè)敲響警鐘,讓企業(yè)對(duì)自動(dòng)軟件更新更加謹(jǐn)慎。在坎寧安看來(lái),并非所有的威脅都是一樣的,企業(yè)需要更加謹(jǐn)慎,不要總是默認(rèn)進(jìn)行自動(dòng)更新。
他表示:“像CrowdStrike這樣的公司經(jīng)常建議進(jìn)行自動(dòng)更新,但是這一前提是使用最新版本的產(chǎn)品更安全。”但他說(shuō),公司可以在推送之前花更多時(shí)間測(cè)試,即使這需要多花點(diǎn)功夫。“只要安全團(tuán)隊(duì)知道有更新,他們就可以手動(dòng)推送,而更新本身仍是自動(dòng)進(jìn)行的。”
RingCentral的阿默表示,對(duì)于大多數(shù)網(wǎng)絡(luò)安全領(lǐng)導(dǎo)者來(lái)說(shuō),如何在風(fēng)險(xiǎn)和速度之間以及各大操作系統(tǒng)之間取得平衡,需要進(jìn)行一些事后分析和決策。
雖然進(jìn)行軟件更新很重要,但他指出,公司也應(yīng)慶幸7月19日的宕機(jī)沒(méi)有帶來(lái)更糟糕的后果。他說(shuō):“我個(gè)人很慶幸,這不是一次國(guó)家支持的攻擊。”(財(cái)富中文網(wǎng))
譯者:中慧言-王芳
When Michael Armer’s phone started blowing up at 4 a.m. Friday morning, he “freaked out.” Armer, the chief information security officer at RingCentral, was receiving notifications about a stunning computer outage that was knocking down airport, bank, and hospital tech systems like dominos.
The?scope of the chaos raised fears of a major cybersecurity breach or a state-sponsored attack. “That’s enough to get your blood flowing really quickly,” Armer said.
It turns out that the massive computer outage was not the work of nefarious hackers. It was the result of a glitch in a routine software update by security company CrowdStrike. “We were all very fortunate that this was related to one of their standardized and automated software deployments,” Armer says of the CrowdStrike update snafu.
But along with the relief that the disruption was not a cyber attack, the incident has highlighted the fragility and frightening interconnectedness of the technology?modern society depends on — and the extent of the danger posed by today’s convoluted system of software updates which security experts say stretches staff thin at even the largest organizations and forces a constant balancing act of risky trade-offs.
The problem with patches
Security software like CrowdStrike provide “patches,” or software updates, when threats are detected. Given the number of hackers probing companies’ systems and devising new lines of attack, the need for patches is constant — sometimes as many as several times a day. Organizations move quickly and often automate these updates to ensure that there are no holes in their protective shields.
The problem is that new software is like an untested pharmaceutical drug – each new line of code could have a bug or defect that causes problems, unexpected side effects, and dangerous interactions with other software. In an ideal situation, a company would take the time to test each software update before deploying it to all their computers.
“It’s a really difficult conundrum, you cannot keep up with the number,” said a CISO at a top law firm in New York City. “Sometimes you have to put out a security patch because it’s critical and you’ve got vendors breathing down your neck and there’s no way to [test] it,” he said. “Sometimes there are several updates within a 24-hour period so you’d be caught in a recursive circle of testing where you would just never be done.”
For many in-house security teams, that means striking a balance between speed and risk. “The antivirus products are pushing up multiple updates per day because in some ways we’ve pushed them into a corner,” said Paul Davis, field CISO at software supply chain platform JFrog. “The faster that they can respond to detect a piece of software or malicious activity, the better they are. So that being the case, then the requirement to test multiple times a day becomes onerous.”
The real challenge, he said, is how to protect the organization that is responding to cybersecurity threats which can spread in hours, or even minutes, and at the same time make sure those software updates are tested. “We have to test the basic functionality of the software, but we rely on these automated updates to be safe, and it’s almost like a calculated risk.”
Hands-on CPR for each affected computer
The New York City law firm uses more than 30 separate security tools from a variety of vendors that run on laptops, desktops or servers. Normally, if an update causes problems, the software vendor will deploy a fix that an organization can quickly push to thousands of computers within the same day.
But because of the nature of the CrowdStrike flaw however, that wasn’t possible. The flaw essentially caused computers running Microsoft Windows to freeze up and display the dreaded “blue screen of death.” Affected systems needed to be brought back to life, one by one.
“You have to physically walk over to every computer and power it down and then bring it up, and when the screen comes up, you have to hit F3 to go into what they call Safe Mode and then go and delete a file somewhere,” the New York law firm CISO explained. “It’s just a nightmare.”
Some CISOs, however, put the bulk of the blame on Microsoft, not on Crowdstrike– and even avoid Windows altogether if they can. “In Silicon Valley, tech companies tend to avoid Windows,” said the CISO of a medium-sized AI company, who requested anonymity due to the sensitivity of discussing security mitigations. He said that it is because of the design of Windows in its core architecture that leads to malware, spyware and the driver instability that occurred today as a result of the Crowdstrike flawed update.
“CrowdStrike has clear process improvements to make, obviously, but it should not be possible in 2024 to have a kernel [core architecture] which is destabilized by a third party,” he said. “Microsoft has had a bad year, from a security perspective, and they have to win the trust of the ecosystem back.” Microsoft did not respond to a request for comment other than pointing to its existing statement about the outage.
In a statement posted online Friday, CrowdStrike CEO George Kurtz apologized for the incident, which he said involved a “content update for Windows hosts,” noting that Mac and Linux hosts were not affected.
“All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority.”
Post-game analysis
JFrog’s Davis pushed back on the idea that a typical organization could get away with not using Windows. “Windows is still the predominant operating system,” he said. “When you join a company, you’re [usually] offered either a Windows machine or a Mac machine.”
John Paul Cunningham, CISO at identity security company Silverfort, said that Friday’s outage should be a wake-up for call for organizations, and make companies more leery of automated software updates. In Cunningham’s view, all threats are not created equal and companies can exercise more discretion by not always defaulting to the automated updates.
“Companies like CrowdStrike often suggest doing auto updates with this premise that staying on the most current release of the product is more secure,” he said. But companies can take more time to test it before pushing it out, he said, even if it takes a little more work. “As long as the security team knows there is an update, they can push it out manually–the update itself is still automatic.”
The bottom line is that for most cybersecurity leaders, figuring out how to strike a balance—between risk and speed, and between operating systems—will require some post-game analysis and decision-making, said RingCentral’s Armer.
And while getting a grip on software updates is important, he noted that companies should also be thankful Friday’s outage was not even worse. “I personally am thankful that it wasn’t a state-sponsored attack,” he said.
