Getting affected Windows machines up and running will be an arduous undertaking in some firms, but the following precautions still apply

After a chaotic weekend of global computer outages due to a faulty update patch to CrowdStrike’s Falcon endpoint detection and response software on the Windows platform, spokespersons of various organizations have come forward with helpful guidance on how to recover from and prevent future outages.

According to Andras Cser, Vice President and Principal Analyst, Forrester, because of the way in which the update has been deployed, recovery options for affected machines are manual and thus limited. Administrators must attach a physical keyboard to each affected system, boot into Safe Mode, remove the compromised update component, and then reboot.

Administrators unable to gain access to hard drives due to BitLocker encryption measures should follow official guidance by CrowdStrike to work around this issue.

Observe cyber resilience best practices

The firm recommends that tech and security leaders take the following actions immediately:

  • Empower authorized system administrators to fix the problems quickly and effectively
  • Communicate clearly both internally and externally the impacts, status, and progress of remediation efforts
  • Pay attention to the vendor’s communication strategies and follow official advice
  • Once the immediate issue is fixed, implement infrastructure automation, a must have for controlled and managed software rollouts
  • Refresh and rehearse IT outage response plans
  • Obtain unified, written warranties from security vendors on their quality assurance processes as well as threat detection effectiveness
  • Over the longer term, reevaluate third-party risk strategy and approaches, using detailed contracts as a risk mitigation tool

Circumventing phishing campaigns

The US Cybersecurity and Infrastructure Security Agency (CISA) has already observed threat actors exploiting the ongoing global crisis for phishing and other malicious activities. They are urging people to avoid clicking on links promising quick fixes to the specific problem.

According to Sumit Bansal, Vice President (Asia Pacific and Japan), BlueVoyant: Headline-grabbing news serves as an excellent and timely pretense for adversaries to make the worst out of a bad situation. “Under the guise of helping, adversaries will use these events to gather privileged information about your organization, such as whether you use an impacted solution; convince users to enter credentials into fake ‘support portals’; and install remote access tools that lead to further internal compromises. Rather than providing information to an inbound caller, visit the incumbent organization’s website and call only the documented support number. Also, let the entire organization know that the incident is being handled by internal IT and security teams, and that they should not provide any information to external callers.”

Said Stu Sjouwerman, CEO and President, KnowBe4: “Numerous (spoof) websites have surfaced, promising help to those affected by the outage. Names like crowdstriketoken[.]com, crowdstrikedown[.]site, crowdstrikefix[.]com, have been identified by a UK-based cybersecurity researcher specializing in credential phishing. These new domains were registered and designed in record time to lure in people desperate to restore their systems. Several other fake websites were still under construction, including crowdstrike-helpdesk[.]com, and crowdstrikeclaim[.]com.”