{"id":352,"date":"2024-09-25T02:10:06","date_gmt":"2024-09-25T02:10:06","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=352"},"modified":"2024-09-25T02:10:06","modified_gmt":"2024-09-25T02:10:06","slug":"crowdstrike-defends-access-to-windows-kernel-at-us-congressional-hearing-into-july-worldwide-update-failure","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=352","title":{"rendered":"CrowdStrike defends access to Windows kernel at US Congressional hearing into July worldwide update failure"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A CrowdStrike executive told a US Congressional hearing on Tuesday that the company\u2019s endpoint detection and response sensor has to continue accessing the Windows kernel, despite criticism by some cybersecurity experts that the kernel access <a href=\"https:\/\/www.cio.com\/article\/3476789\/crowdstrike-failure-what-you-need-to-know.html\">contributed to the crash of millions of Windows computers around the world in July.<\/a><\/p>\n<p>Access to the kernel by cybersecurity products helps protect operating systems from being tampered with, Adam Meyers, CrowdStrike\u2019s senior vice-president of counter adversary operations, told the House of Representatives subcommittee on cybersecurity and infrastructure protection.<\/p>\n<p>Members of the subcommittee are looking into the chaos around the world caused in July by a buggy CrowdStrike update configuration file. They opened Tuesday\u2019s hearing with ominous words.<\/p>\n<p>\u201cThe sheer scale of this error was alarming,\u201d said Andrew Garbarino, chair of the subcommittee. 
The incident, which knocked 8.5 million Windows computers and servers offline, created an environment \u201cripe for exploitation by malicious cyber attackers through phishing and other efforts,\u201d he said.<\/p>\n<p>However, Meyers defended the company\u2019s stand.<\/p>\n<p>\u201cAnti-tampering is very concerning, because when a threat actor gains access to a system, they would seek to disable security tools. And in order to identify that\u2019s happening, kernel visibility is required. The kernel driver is a key component of every security product I can think of. Whether they would say they do most of their work in the kernel or not varies from vendor to vendor. But trying to secure the operating system without kernel access would be very difficult.\u201d<\/p>\n<p>As CrowdStrike stated earlier, the problem was in a configuration file update to the company\u2019s Falcon sensor that is deployed in servers and PCs, and not a software code fix for Falcon. Software code fixes, he said, underwent a more rigorous pre-release testing process than the configuration files. The July problem was that one configuration file had a mistake in it that he likened to a command to move a chess piece to a square that didn\u2019t exist. Falcon sensors looking for a line that didn\u2019t exist reacted by crashing Windows.<\/p>\n<p>\u201cThis was a perfect storm of issues that resulted in the sensor failure,\u201d Meyers said. \u201cWe are deeply sorry and are determined to prevent it from happening again.\u201d<\/p>\n<p>It couldn\u2019t happen again, he said, for two reasons:<\/p>\n<p>CrowdStrike is more rigorous in testing configuration updates, which are released about 10 times a day;<\/p>\n<p>Falcon administrators now have the option of installing configuration updates when they want to. 
That should eliminate the risk of all CrowdStrike customers\u2019 Windows systems being knocked offline at the same time, as happened on July 19.<\/p>\n<p>CrowdStrike customers include 538 Fortune 1,000 companies, 298 Fortune 500 firms, and 43 of 50 US states.<\/p>\n<p>A congressman told the hearing that one insurance company estimates 25% of F500 firms around the world were affected, with firms suffering an estimated US$5.5 billion in losses.<\/p>\n<p>Meyers avoided directly answering a question by Representative William Timmons about \u201cmaking whole\u201d victims such as travellers whose flights were cancelled. He responded that CrowdStrike worked with customers to get their IT systems up and running quickly. About 99% were restored by July 29.<\/p>\n<p>Representative Eric Swalwell said he appreciated that CrowdStrike wants to protect customers against novel threats, but said \u201cspeed [of releasing updates] cannot come at the cost of operability.\u201d<\/p>\n<p>The chair of the Homeland Security Committee, Representative Mark Green, said, \u201ca global IT outage that impacts every sector of the economy is a catastrophe you\u2019d expect to see in a movie.<\/p>\n<p>\u201cTo add insult to injury, the largest IT outage in history was due to a mistake\u201d by a security vendor, he added. \u201cIt also appears that the update may not have been appropriately tested before being pushed out\u201d to the Windows kernel of CrowdStrike customers.<\/p>\n<p>\u201cMistakes happen,\u201d Green said. 
\u201cHowever we can\u2019t allow a mistake of this magnitude to happen again.\u201d<\/p>\n<p>But when it came to questioning Meyers, the congressmen spared the whip.<\/p>\n<p>After Meyers read an opening statement apologizing for the mess made by the July 18 update, which <a href=\"https:\/\/www.crowdstrike.com\/wp-content\/uploads\/2024\/08\/Channel-File-291-Incident-Root-Cause-Analysis-08.06.2024.pdf\">referred to a detailed technical analysis report<\/a>, Green thanked him.<\/p>\n<p>\u201cThere was a degree of humility that is impressive, and I appreciate the transparency that we have seen. I think some of the biggest lessons we learn come in times of adversity. You guys have shown the right attitude\u201d in being open.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A CrowdStrike executive told a US Congressional hearing on Tuesday that the company\u2019s endpoint detection and response sensor has to continue accessing the Windows kernel, despite criticism by some cybersecurity experts that the kernel access contributed to the crash of millions of Windows computers around the world in July. 
Access to the kernel by cybersecurity [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":353,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-352","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/352"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=352"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/352\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/353"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=352"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=352"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=352"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}