首页 500强 活动 榜单 商业 科技 领导力 专题 品牌中心
杂志订阅

CrowdStrike的漏洞破坏性巨大,没有简单的解决办法

SHARON GOLDMAN
2024-07-23

由于CROWDSTRIKE软件更新出现漏洞,全球各地的电脑都受到了恐怖的“蓝屏死机”的困扰。

文本设置
小号
默认
大号
Plus(0条)

图片来源:SELCUK ACAR/ANADOLU VIA GETTY IMAGES

7月19日凌晨4点,当迈克尔·阿默(Michael Armer)的手机被打爆时,他“感到惊慌失措”。阿默是RingCentral的首席信息安全官,他收到了关于一场令人震惊的计算机故障的通知,这场故障像多米诺骨牌一样导致机场、银行和医院的技术系统纷纷瘫痪。

混乱的范围引发了人们对重大网络安全漏洞或国家支持的攻击的担忧。阿默说:“这足以让你血脉偾张。”

事实证明,这次大规模的计算机故障并非邪恶黑客所为,而是安全公司CrowdStrike在例行软件更新中出现故障的结果。阿默在谈到CrowdStrike的更新故障时说:“我们都很幸运,这与他们的标准化和自动化软件部署有关。”

不过,在庆幸这次破坏不是网络攻击的同时,这次事件也凸显了现代社会所依赖的技术的脆弱性和可怕的互联性,以及当今错综复杂的软件更新系统所带来的危险程度。安全专家表示,即使是规模最大的企业也会让员工不堪重负,并迫使他们不断进行风险权衡的艰难抉择。

补丁的问题

当检测到威胁时,CrowdStrike等安全软件会提供“补丁”或软件更新。鉴于探测公司系统并设计新攻击路线的黑客数量之多,对补丁的需求是持续不断的,有时甚至一天数次。各企业行动迅速,通常会自动进行这些更新,以确保其防护盾没有漏洞。

问题是,新软件就像未经测试的药物——每一行新代码都可能有漏洞或缺陷,从而导致问题、意想不到的副作用,以及与其他软件的危险交互。在理想情况下,公司会花时间测试每个软件更新,然后再将其部署到所有计算机上。

纽约一家顶级律师事务所的首席信息安全官表示:“这确实是一个棘手的难题,你无法跟上黑客的数量。有时,你必须发布安全补丁,原因是它很关键,而供应商一直在紧盯着你,你根本无法对它进行[测试]。有时24小时内会有几次更新,这样你就会陷入反复测试的怪圈,永远无法完成测试。”

对于许多内部安全团队来说,这意味着要在速度和风险之间取得平衡。软件供应链平台捷蛙科技(JFrog)的首席信息安全官保罗·戴维斯(Paul Davis)表示:“防病毒产品每天都要推出多次更新,因为在某种程度上,我们已将其逼入绝境。它们检测软件或恶意活动的反应速度越快,就越有优势。因此,在这种情况下,每天进行多次测试的要求变得非常繁重。”

他说,真正的挑战是如何保护企业应对可能在数小时甚至数分钟内传播的网络安全威胁,同时确保这些软件更新经过测试。“我们必须测试软件的基本功能,但我们依靠这些自动更新来确保安全,这几乎就像是一种经过计算的风险。”

对每台受影响的计算机进行现场心肺复苏术

这家位于纽约的律师事务所使用了来自不同供应商的30多种独立安全工具,这些工具可在笔记本电脑、台式机或服务器上运行。通常情况下,如果更新导致问题,软件供应商会部署一个修复程序,企业可以在同一天内迅速将其推送到数千台计算机上。

但由于CrowdStrike漏洞的性质,这是无法实现的。该漏洞导致运行微软(Microsoft)Windows系统的电脑死机,并显示可怕的“蓝屏死机”。受影响的系统需要一个接一个地恢复正常。

纽约律师事务所的首席信息安全官解释说:“你必须亲自走到每台电脑前,关掉电源,然后再开机,当屏幕亮起时,你必须按F3键进入所谓的安全模式,然后去删除在某个位置存放文件。这简直就是一场噩梦。”

然而,一些首席信息安全官将大部分责任归咎于微软,而不是Crowdstrike,甚至尽可能避免使用Windows。一家中型人工智能公司的首席信息安全官表示:“在硅谷,科技公司倾向于避免使用Windows。”由于讨论安全功能缓解措施的敏感性,他要求匿名。他说,这是因为Windows核心架构的设计导致了恶意软件、间谍软件以及今天因Crowdstrike漏洞更新而出现的驱动程序不稳定。

他说:“CrowdStrike无疑需要进行流程改进,但在2024年不应该出现内核(核心架构)被第三方破坏稳定性的情况。从安全的角度来看,微软今年的表现很糟糕,必须赢得生态系统的信任。”微软没有回应置评请求,只是指出了关于此次故障的声明。

CrowdStrike首席执行官乔治·库尔茨(George Kurtz)7月19日在网上发表声明,为这一事件道歉,他说此次事件涉及到“Windows主机的内容更新”,并指出Mac和Linux主机不受影响。

“CrowdStrike的全体员工都明白这一事件的严重性和影响。我们迅速查明了问题所在,并部署了修复程序,从而能够专注于恢复客户系统,这是我们的首要任务。”

事后分析

捷蛙科技的戴维斯反驳了一般企业可以不使用 Windows 的观点。他说:“Windows仍然是占主导地位的操作系统。当你加入一家公司时,(通常)会提供给你一台Windows电脑或Mac电脑。”

身份安全公司Silverfort的首席信息安全官约翰·保罗·坎宁安(John Paul Cunningham)表示,7月19日的宕机事件应该给企业敲响警钟,让企业对自动软件更新更加谨慎。在坎宁安看来,并非所有的威胁都是一样的,企业需要更加谨慎,不要总是默认进行自动更新。

他表示:“像CrowdStrike这样的公司经常建议进行自动更新,但是这一前提是使用最新版本的产品更安全。”但他说,公司可以在推送之前花更多时间测试,即使这需要多花点功夫。“只要安全团队知道有更新,他们就可以手动推送,而更新本身仍是自动进行的。”

RingCentral的阿默表示,对于大多数网络安全领导者来说,如何在风险和速度之间以及各大操作系统之间取得平衡,需要进行一些事后分析和决策。

虽然进行软件更新很重要,但他指出,公司也应庆幸7月19日的宕机没有带来更糟糕的后果。他说:“我个人很庆幸,这不是一次国家支持的攻击。”(财富中文网)

译者:中慧言-王芳

7月19日凌晨4点,当迈克尔·阿默(Michael Armer)的手机被打爆时,他“感到惊慌失措”。阿默是RingCentral的首席信息安全官,他收到了关于一场令人震惊的计算机故障的通知,这场故障像多米诺骨牌一样导致机场、银行和医院的技术系统纷纷瘫痪。

混乱的范围引发了人们对重大网络安全漏洞或国家支持的攻击的担忧。阿默说:“这足以让你血脉偾张。”

事实证明,这次大规模的计算机故障并非邪恶黑客所为,而是安全公司CrowdStrike在例行软件更新中出现故障的结果。阿默在谈到CrowdStrike的更新故障时说:“我们都很幸运,这与他们的标准化和自动化软件部署有关。”

不过,在庆幸这次破坏不是网络攻击的同时,这次事件也凸显了现代社会所依赖的技术的脆弱性和可怕的互联性,以及当今错综复杂的软件更新系统所带来的危险程度。安全专家表示,即使是规模最大的企业也会让员工不堪重负,并迫使他们不断进行风险权衡的艰难抉择。

补丁的问题

当检测到威胁时,CrowdStrike等安全软件会提供“补丁”或软件更新。鉴于探测公司系统并设计新攻击路线的黑客数量之多,对补丁的需求是持续不断的,有时甚至一天数次。各企业行动迅速,通常会自动进行这些更新,以确保其防护盾没有漏洞。

问题是,新软件就像未经测试的药物——每一行新代码都可能有漏洞或缺陷,从而导致问题、意想不到的副作用,以及与其他软件的危险交互。在理想情况下,公司会花时间测试每个软件更新,然后再将其部署到所有计算机上。

纽约一家顶级律师事务所的首席信息安全官表示:“这确实是一个棘手的难题,你无法跟上黑客的数量。有时,你必须发布安全补丁,原因是它很关键,而供应商一直在紧盯着你,你根本无法对它进行[测试]。有时24小时内会有几次更新,这样你就会陷入反复测试的怪圈,永远无法完成测试。”

对于许多内部安全团队来说,这意味着要在速度和风险之间取得平衡。软件供应链平台捷蛙科技(JFrog)的首席信息安全官保罗·戴维斯(Paul Davis)表示:“防病毒产品每天都要推出多次更新,因为在某种程度上,我们已将其逼入绝境。它们检测软件或恶意活动的反应速度越快,就越有优势。因此,在这种情况下,每天进行多次测试的要求变得非常繁重。”

他说,真正的挑战是如何保护企业应对可能在数小时甚至数分钟内传播的网络安全威胁,同时确保这些软件更新经过测试。“我们必须测试软件的基本功能,但我们依靠这些自动更新来确保安全,这几乎就像是一种经过计算的风险。”

对每台受影响的计算机进行现场心肺复苏术

这家位于纽约的律师事务所使用了来自不同供应商的30多种独立安全工具,这些工具可在笔记本电脑、台式机或服务器上运行。通常情况下,如果更新导致问题,软件供应商会部署一个修复程序,企业可以在同一天内迅速将其推送到数千台计算机上。

但由于CrowdStrike漏洞的性质,这是无法实现的。该漏洞导致运行微软(Microsoft)Windows系统的电脑死机,并显示可怕的“蓝屏死机”。受影响的系统需要一个接一个地恢复正常。

纽约律师事务所的首席信息安全官解释说:“你必须亲自走到每台电脑前,关掉电源,然后再开机,当屏幕亮起时,你必须按F3键进入所谓的安全模式,然后去删除在某个位置存放文件。这简直就是一场噩梦。”

然而,一些首席信息安全官将大部分责任归咎于微软,而不是Crowdstrike,甚至尽可能避免使用Windows。一家中型人工智能公司的首席信息安全官表示:“在硅谷,科技公司倾向于避免使用Windows。”由于讨论安全功能缓解措施的敏感性,他要求匿名。他说,这是因为Windows核心架构的设计导致了恶意软件、间谍软件以及今天因Crowdstrike漏洞更新而出现的驱动程序不稳定。

他说:“CrowdStrike无疑需要进行流程改进,但在2024年不应该出现内核(核心架构)被第三方破坏稳定性的情况。从安全的角度来看,微软今年的表现很糟糕,必须赢得生态系统的信任。”微软没有回应置评请求,只是指出了关于此次故障的声明。

CrowdStrike首席执行官乔治·库尔茨(George Kurtz)7月19日在网上发表声明,为这一事件道歉,他说此次事件涉及到“Windows主机的内容更新”,并指出Mac和Linux主机不受影响。

“CrowdStrike的全体员工都明白这一事件的严重性和影响。我们迅速查明了问题所在,并部署了修复程序,从而能够专注于恢复客户系统,这是我们的首要任务。”

事后分析

捷蛙科技的戴维斯反驳了一般企业可以不使用 Windows 的观点。他说:“Windows仍然是占主导地位的操作系统。当你加入一家公司时,(通常)会提供给你一台Windows电脑或Mac电脑。”

身份安全公司Silverfort的首席信息安全官约翰·保罗·坎宁安(John Paul Cunningham)表示,7月19日的宕机事件应该给企业敲响警钟,让企业对自动软件更新更加谨慎。在坎宁安看来,并非所有的威胁都是一样的,企业需要更加谨慎,不要总是默认进行自动更新。

他表示:“像CrowdStrike这样的公司经常建议进行自动更新,但是这一前提是使用最新版本的产品更安全。”但他说,公司可以在推送之前花更多时间测试,即使这需要多花点功夫。“只要安全团队知道有更新,他们就可以手动推送,而更新本身仍是自动进行的。”

RingCentral的阿默表示,对于大多数网络安全领导者来说,如何在风险和速度之间以及各大操作系统之间取得平衡,需要进行一些事后分析和决策。

虽然进行软件更新很重要,但他指出,公司也应庆幸7月19日的宕机没有带来更糟糕的后果。他说:“我个人很庆幸,这不是一次国家支持的攻击。”(财富中文网)

译者:中慧言-王芳

When Michael Armer’s phone started blowing up at 4 a.m. Friday morning, he “freaked out.” Armer, the chief information security officer at RingCentral, was receiving notifications about a stunning computer outage that was knocking down airport, bank, and hospital tech systems like dominos.

The scope of the chaos raised fears of a major cybersecurity breach or a state-sponsored attack. “That’s enough to get your blood flowing really quickly,” Armer said.

It turns out that the massive computer outage was not the work of nefarious hackers. It was the result of a glitch in a routine software update by security company CrowdStrike. “We were all very fortunate that this was related to one of their standardized and automated software deployments,” Armer says of the CrowdStrike update snafu.

But along with the relief that the disruption was not a cyber attack, the incident has highlighted the fragility and frightening interconnectedness of the technology modern society depends on — and the extent of the danger posed by today’s convoluted system of software updates which security experts say stretches staff thin at even the largest organizations and forces a constant balancing act of risky trade-offs.

The problem with patches

Security software like CrowdStrike provide “patches,” or software updates, when threats are detected. Given the number of hackers probing companies’ systems and devising new lines of attack, the need for patches is constant — sometimes as many as several times a day. Organizations move quickly and often automate these updates to ensure that there are no holes in their protective shields.

The problem is that new software is like an untested pharmaceutical drug – each new line of code could have a bug or defect that causes problems, unexpected side effects, and dangerous interactions with other software. In an ideal situation, a company would take the time to test each software update before deploying it to all their computers.

“It’s a really difficult conundrum, you cannot keep up with the number,” said a CISO at a top law firm in New York City. “Sometimes you have to put out a security patch because it’s critical and you’ve got vendors breathing down your neck and there’s no way to [test] it,” he said. “Sometimes there are several updates within a 24-hour period so you’d be caught in a recursive circle of testing where you would just never be done.”

For many in-house security teams, that means striking a balance between speed and risk. “The antivirus products are pushing up multiple updates per day because in some ways we’ve pushed them into a corner,” said Paul Davis, field CISO at software supply chain platform JFrog. “The faster that they can respond to detect a piece of software or malicious activity, the better they are. So that being the case, then the requirement to test multiple times a day becomes onerous.”

The real challenge, he said, is how to protect the organization that is responding to cybersecurity threats which can spread in hours, or even minutes, and at the same time make sure those software updates are tested. “We have to test the basic functionality of the software, but we rely on these automated updates to be safe, and it’s almost like a calculated risk.”

Hands-on CPR for each affected computer

The New York City law firm uses more than 30 separate security tools from a variety of vendors that run on laptops, desktops or servers. Normally, if an update causes problems, the software vendor will deploy a fix that an organization can quickly push to thousands of computers within the same day.

But because of the nature of the CrowdStrike flaw however, that wasn’t possible. The flaw essentially caused computers running Microsoft Windows to freeze up and display the dreaded “blue screen of death.” Affected systems needed to be brought back to life, one by one.

“You have to physically walk over to every computer and power it down and then bring it up, and when the screen comes up, you have to hit F3 to go into what they call Safe Mode and then go and delete a file somewhere,” the New York law firm CISO explained. “It’s just a nightmare.”

Some CISOs, however, put the bulk of the blame on Microsoft, not on Crowdstrike– and even avoid Windows altogether if they can. “In Silicon Valley, tech companies tend to avoid Windows,” said the CISO of a medium-sized AI company, who requested anonymity due to the sensitivity of discussing security mitigations. He said that it is because of the design of Windows in its core architecture that leads to malware, spyware and the driver instability that occurred today as a result of the Crowdstrike flawed update.

“CrowdStrike has clear process improvements to make, obviously, but it should not be possible in 2024 to have a kernel [core architecture] which is destabilized by a third party,” he said. “Microsoft has had a bad year, from a security perspective, and they have to win the trust of the ecosystem back.” Microsoft did not respond to a request for comment other than pointing to its existing statement about the outage.

In a statement posted online Friday, CrowdStrike CEO George Kurtz apologized for the incident, which he said involved a “content update for Windows hosts,” noting that Mac and Linux hosts were not affected.

“All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority.”

Post-game analysis

JFrog’s Davis pushed back on the idea that a typical organization could get away with not using Windows. “Windows is still the predominant operating system,” he said. “When you join a company, you’re [usually] offered either a Windows machine or a Mac machine.”

John Paul Cunningham, CISO at identity security company Silverfort, said that Friday’s outage should be a wake-up for call for organizations, and make companies more leery of automated software updates. In Cunningham’s view, all threats are not created equal and companies can exercise more discretion by not always defaulting to the automated updates.

“Companies like CrowdStrike often suggest doing auto updates with this premise that staying on the most current release of the product is more secure,” he said. But companies can take more time to test it before pushing it out, he said, even if it takes a little more work. “As long as the security team knows there is an update, they can push it out manually–the update itself is still automatic.”

The bottom line is that for most cybersecurity leaders, figuring out how to strike a balance—between risk and speed, and between operating systems—will require some post-game analysis and decision-making, said RingCentral’s Armer.

And while getting a grip on software updates is important, he noted that companies should also be thankful Friday’s outage was not even worse. “I personally am thankful that it wasn’t a state-sponsored attack,” he said.

财富中文网所刊载内容之知识产权为财富媒体知识产权有限公司及/或相关权利人专属所有或持有。未经许可,禁止进行转载、摘编、复制及建立镜像等任何使用。
0条Plus
精彩评论
评论

撰写或查看更多评论

请打开财富Plus APP

前往打开