Yesterday, 19 July 2024: Security Boulevard

Massive CrowdStrike IT Outage Has Global Implications for Cybersecurity

19 July 2024 at 16:06


The world experienced a digital pandemic of systems going offline and displaying the dreaded Windows Blue Screen of Death (BSOD), due to a catastrophic failure caused by a flawed file in an update pushed to CrowdStrike cybersecurity customers. The impacts have been obscenely widespread, hitting banks, airlines, train stations, financial exchanges, news agencies, supermarkets, and health care providers, to name a few.

CrowdStrike is used by almost 60% of Fortune 500 companies and over half of the Fortune 1,000. It is popular in the financial sector, with deployments in eight of the top 10 financial services firms. Many of the biggest technology, healthcare, and manufacturing companies are also customers.

So far, the faulty CrowdStrike update is not attributed to malicious activities, but the impacts have been massive, prompting social media to unofficially designate today as BSOD day!

Implications

This outage, affecting CrowdStrike customers on Windows 10 systems, reinforces three important points.

First, cybersecurity solutions need deep and privileged access to systems, which makes them more impactful if they are hijacked or malfunction. This access is necessary to make preventative defensive changes before attacks occur, to monitor for stealthy attacks, and to coordinate system-level remediation actions when necessary. But when things go wrong, those same permissions can cause equally widespread damage.

The computing stack is like a layered cake, with data at the top, followed by applications, virtual machines, operating systems, VM managers, firmware, and finally hardware at the bottom. The deeper you go, the more potential there is for problems to be impactful and difficult to remedy. Cyber attackers try to get as far down the stack as possible because they can avoid detection from any layer above and are more difficult to evict. The same logic applies when errors occur.

Second, the risk of supply chain attacks is real, and depending on the vendor, they could be catastrophic. CrowdStrike is one of the biggest cybersecurity players in the industry. An accidental or malicious problem in their flagship product, as we have seen, can deliver widespread impacts to the most important sectors. Let’s be glad that this was simply a technical glitch. A malicious package inserted into an update could completely take over systems or permanently destroy them.

Third, bad updates, code bugs, and misconfigurations happen all the time. No software, firmware, or hardware company is immune. More effort is needed as part of development and quality assurance, but even for the best organizations, it is possible for a series of mistakes to be made. That is why it is important to not only invest in defense and prevention but also architect ways to securely recover and resolve issues when they arise.

A Perfect Storm

This event has a combination of attributes that amplify the impacts: the issue causes catastrophic system failures (i.e., the dreaded BSOD), across a large number of systems, in Critical Infrastructure sectors, and the offending code possesses deep permissions within the computing stack.

This is the case we are seeing with CrowdStrike.

This outage reinforces the fact that cybersecurity solutions mitigate risks but also can become a source of risk. Mistakes were made. Trust was lost. The entire cybersecurity industry will be scrutinized, and that is probably the only good outcome of this mess.

The post Massive CrowdStrike IT Outage Has Global Implications for Cybersecurity appeared first on Security Boulevard.

AT&T Data Breach: Understanding the Fallout

18 July 2024 at 21:44


As an AT&T customer, I did receive the unwelcome news that they suffered a data breach.

Here is a rundown of what you should know.

BREACH DETAILS

· This is a sizable data breach, affecting about 109 million customers.

· Call and text interactions from May 1, 2022 to October 31, 2022 were exposed.

· AT&T is blaming a third-party cloud platform, Snowflake.

· The FBI is investigating, and 1 arrest has been made.

· Hackers accessed and exfiltrated the files sometime between April 14th and 25th.

· Telephone numbers and phone logs were acquired, but AT&T says call and text message content wasn’t exposed.

The breach does not contain customers’ personal information, like birthdays or social security numbers.

Apparently, AT&T paid the ransom, which is not smart. Wired magazine reported that AT&T paid the hackers over $300,000 to delete the stolen information and provide video proof.

OVERALL RISK

Given that personal information was not exposed, the risk is nominal.

So far there is no conclusive proof that the data has been released in the wild, but that could change.

Expect more phishing attacks.

There could be some ramifications for those who need to keep their call logs secret: undercover agents, Supreme Court justices, cheating spouses, etc.

The geolocation data, which identifies the cellular towers that phones were connected to during activities, is interesting but likely not too valuable to attackers.

SEC rules for mandatory shareholder notification were followed, with the U.S. Government granting AT&T 2 delays. Normally it is a 4-day rule.

AT&T has not deemed this breach a material event to its shareholders.

Overall, the scale of this breach is unfortunate, but the sensitivity of the data is not too worrying for the vast majority of those affected.

However, this breach does show an unfavorable trend in AT&T’s security posture.

ISSUES and RECOMMENDATIONS

AT&T’s statement that “Protecting customer data is a top priority” is not true. This is the second major breach in just 3 months, with 70 million customers affected back in April.

So, let’s talk about what I expect as a cybersecurity professional:

First, protect your data better! Use MFA, encrypt data at rest, clean up access permissions, and institute blocking of data exfiltration.

Second, remove all sensitive PII data you really don’t need. Why do you need my SSN, my actual date of birth, or the tower I use most during the day or evening? Even my home address is questionable for a mobile phone when I pay electronically. Remove these. And if keeping them is required by dated regulations, then lead the charge to have those regulations updated so that telecommunications vendors aren’t a weak point for data harvesters.

Third, implement a data destruction policy to destroy old customer data. Do you really need to keep call logs of people dating back 2 years? I would argue there is likely a mound of data you want to have, but don’t actually need to have. Clean that up, lighten your servers, and focus on keeping your network up.

FALLOUT

AT&T is getting proficient at handling major data breaches, which is not really a compliment.

I hope its big competitors lean in and invest in cybersecurity to showcase how they can protect their customers, thus leveraging security as a competitive advantage for consumers choosing a communications provider that really is making customer data protection a top priority!

AT&T, I will be considering how you protect my data when my contract is up and I look at other providers!

Be sure to like and follow me on LinkedIn and the Cybersecurity Insights channel.

Follow Matthew on LinkedIn: https://www.linkedin.com/in/matthewrosenquist/

Follow for more Cybersecurity Insights: https://www.youtube.com/CybersecurityInsights

The post AT&T Data Breach: Understanding the Fallout appeared first on Security Boulevard.

Before yesterday: Security Boulevard

Microsoft in Cybersecurity Leadership Crisis – Open Letter to the CEO

9 July 2024 at 16:57


There is no indication that the root of Microsoft’s cybersecurity issues is being addressed. In fact, all indications are that the executive team is somewhat worried and bewildered at the diverse and numerous issues arising. After many embarrassing incidents, which recently culminated in the President of Microsoft being called to answer questions before Congress, the Board and senior executive team once again instituted security measures to resolve the problems. Confidence among the cybersecurity community was not high, as this was not the first time such promises were made. Shortly thereafter, more security failures occurred.

Microsoft has announced additional measures as part of its Secure Future Initiative, which was actually created in November last year to solve the previous embarrassing problems that plagued the company in 2021–2023, in another attempt to stem the cybersecurity failures. Based upon events that happened in July 2023, the U.S. Cyber Safety Review Board criticized the company’s leadership and culture, which led to a “cascade of Microsoft’s avoidable errors”. Since then, two more major breaches have occurred, along with a myriad of other unsettling security issues.

Highlights of their best hacks and missteps, 2021–2024

· Jan 2021: Microsoft Exchange Server Vulnerability Leads to 60,000+ Hacks

· April 2021: 500 Million LinkedIn Users’ Data Scraped and Sold

· Aug 2021: Thousands of Microsoft Azure Customer Accounts and Databases Exposed

· Aug 2021: 38 Million Records Exposed Due to Microsoft Power Apps Misconfiguration

· Mar 2022: Lapsus$ Group Breaches Microsoft

· Oct 2022: 548,000+ Users Exposed in BlueBleed Data Leak

· July 2023: Chinese Hackers Breach U.S. Agencies Via Microsoft Cloud

· Sept 2023: 60k State Department Emails Stolen in Microsoft Breach

· Jan 2024: Microsoft Azure Breached by Russian Intelligence Group, Source Code Stolen

· May 2024: Microsoft Announces Recall Feature, a Privacy and Security Nightmare

· June 2024: Microsoft Fails to Renew Their Security Certificates for Office*

*Unexpected expiration of Microsoft security certificates has happened numerous times, causing disruption (including to Teams in Feb 2024 and 2020, and to Azure in 2023 and 2013).

Failures Ahead

Sadly, it is clear they are attempting to leverage the same flawed framework that created the systemic issues to somehow solve the problem. Well, the problem is leadership that does not see the broader security issues, so having the same leaders guiding the way will not get them out of this predicament.

I have been discussing, talking, and analyzing the many recent cybersecurity issues with colleagues, and in one of my most recent posts, I asked if anyone was willing to reach out to Satya, perhaps the most powerful person in the world of digital technology. No takers.

So, I put pen to e-paper and have published an open letter to him to paint the picture on the problems and offer recommendations on how Microsoft can evolve to be a much better steward of trust for its products and as a foundation for our global electronic ecosystem.

For context, I have seen nearly identical issues in other large organizations and have written many articles on the failures of cybersecurity leadership. In fact, I have identified and wrestled with an identical issue in one of the biggest tech firms in the US. It is addressable.

Let’s Raise Expectations!

But I believe it will take Satya Nadella to be aware and engaged.

It is time we raise our collective voices to the top. To the CEO himself, Satya Nadella, who at the end of the day is ultimately responsible. I think at this point it will take his direct intervention.

If you have a chance, take a read of the full letter to Mr. Nadella. If you like it, upvote, share, and comment. If you don’t, feel free to add your thoughts on how Microsoft should tackle this persistent problem. Let’s get this in front of the CEO of Microsoft, so we all can be safer in our computing and have a trustworthy foundation for digital innovation, productivity, and success.

Read the Open Letter to Satya Nadella on addressing cybersecurity leadership issues, posted to Help Net Security: https://www.helpnetsecurity.com/2024/07/09/microsoft-cybersecurity-dilemma/

The post Microsoft in Cybersecurity Leadership Crisis – Open Letter to the CEO appeared first on Security Boulevard.
