
CyberCube provides additional insights into the CrowdStrike incident

Some additional findings from CyberCube on this CrowdStrike incident:

The faulty CrowdStrike Falcon sensor update and the subsequent outage – the CrowdOut Event – highlight the potential for Single Point of Failure (SPoF) technology outages to impact the global digital economy. CyberCube advises clients on how to use SPoF Intelligence to identify insureds at risk and to assess the event’s exposure profile. SPoF Intelligence is the definitive source for a portfolio’s digital supply chain analysis, integrated with the industry’s leading cyber model.

What happened?

A global IT system outage was triggered by a faulty software update from CrowdStrike that caused widespread disruption on machines running various versions of the Windows operating system. The problem was caused by a defective kernel driver included in the update, which caused numerous systems worldwide to crash and display the “Blue Screen of Death” (BSoD).

The problem began with a CrowdStrike update that was intended to improve security but inadvertently contained a logic error in a configuration file. The invalid operations resulting from that logic error led the operating system into conditions it could not resolve, producing system crashes that manifested as a BSoD. The BSoD is a protective measure: it halts all operations to prevent further damage to the operating system.

Who is affected?

The faulty update affects organizations that use CrowdStrike’s Falcon software on machines running Windows operating systems, both desktops (including Windows 10 and 11) and Windows Server. These are the organizations primarily affected by the event. Given its global position in cybersecurity, CrowdStrike’s own customer base includes many other organizations that CyberCube identifies as SPoFs. Organizations that rely on any of these SPoFs may be secondary victims of the event, even if they do not use CrowdStrike and Windows directly. In addition, CrowdStrike Falcon is deployed by Managed Security Service Providers (MSSPs) on the networks of other – usually smaller – organizations that they oversee; organizations that use such MSSPs are also secondary victims of the event. In particular, financial institutions, healthcare providers, and transportation networks have experienced disruptions.

Applying the SPoF Intelligence tool to search for insureds dependent on CrowdStrike Falcon indicates that all users of the core components of the CrowdStrike Falcon platform associated with the Windows operating system are likely to be affected.

An analysis of the number of affected companies in CyberCube’s US Industry Exposure Database (IED) shows that large companies in manufacturing, IT, healthcare and finance are the most likely to be affected. An examination of the boundaries at risk shows an outsized risk in the aviation, banking and retail sectors.

CyberCube has provided its customers with a list of SPoFs that are dependent on both CrowdStrike Falcon and Windows OS. The outage affects various versions of Windows operating systems. This broad scope means that any organization or individual using these operating systems in conjunction with CrowdStrike Falcon is at risk of system crashes and operational disruptions.
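The primary/secondary classification described above can be expressed as a propagation over a dependency graph. The following is an added illustration, not CyberCube’s SPoF Intelligence code; every organisation, MSSP and dependency in it is constructed, and it generalises the page’s rule by propagating contingent exposure transitively (a dependent of a secondary victim is also marked secondary):

```python
# Added example (not CyberCube's SPoF Intelligence code): classify primary
# and secondary victims over a constructed supply-chain dependency graph.
from collections import deque

# Constructed inventory: org -> (endpoint OS, EDR product, overseeing MSSP or None)
ORGS = {
    "bank-a":     ("windows", "crowdstrike-falcon", None),
    "payments-e": ("windows", "crowdstrike-falcon", None),
    "clinic-b":   ("windows", "managed-by-mssp",    "mssp-x"),
    "retail-c":   ("linux",   "crowdstrike-falcon", None),
    "airline-d":  ("windows", "other-edr",          None),
    "law-firm-f": ("windows", "other-edr",          None),
}
FALCON_MSSPS = {"mssp-x"}  # constructed: MSSPs deploying Falcon on client networks
# Constructed SPoF dependencies: org -> technology providers it relies on
DEPENDS_ON = {"airline-d": ["payments-e"], "retail-c": ["payments-e"]}


def is_primary_victim(org, inventory=ORGS):
    """Primary victims run CrowdStrike Falcon on Windows endpoints or servers."""
    os_name, edr, _ = inventory[org]
    return os_name == "windows" and edr == "crowdstrike-falcon"


def classify_exposure(inventory=ORGS, depends_on=DEPENDS_ON, falcon_mssps=FALCON_MSSPS):
    """Return {org: 'primary' | 'secondary' | 'none'}."""
    exposure = {org: "none" for org in inventory}
    queue = deque()
    for org, (os_name, _, mssp) in inventory.items():
        if is_primary_victim(org, inventory):
            exposure[org] = "primary"
            queue.append(org)
        elif os_name == "windows" and mssp in falcon_mssps:
            # Windows fleet overseen by an MSSP that deploys Falcon: secondary victim
            exposure[org] = "secondary"
            queue.append(org)
    # Reverse the dependency edges so we can walk from an affected SPoF to its users
    dependents = {}
    for org, providers in depends_on.items():
        for provider in providers:
            dependents.setdefault(provider, []).append(org)
    # Contingent BI: anyone relying on an affected SPoF is a secondary victim
    while queue:
        affected = queue.popleft()
        for dependent in dependents.get(affected, []):
            if exposure[dependent] == "none":
                exposure[dependent] = "secondary"
                queue.append(dependent)
    return exposure
```

In this constructed data, retail-c runs Falcon on Linux and is therefore not a primary victim, but it still becomes a secondary victim through its dependency on payments-e.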

Modelling catastrophic losses

The primary impacts of the CrowdOut event closely resemble two scenarios in CyberCube’s Portfolio Manager aggregation model. Modelling of scenario classes 41 (Operating System Outages on Endpoints) and 42 (Operating System Outages on Servers) in CyberCube’s Event Catalog shows that the CrowdOut event is primarily a system outage or business interruption (BI) event.

Customers may experience secondary impacts through additional SPoFs that fall within this primary scope. SPoFs for scenario classes 4, 9, 10, 11, and 18 (primarily related to financial services and payment system technologies) have been observed among users of CrowdStrike and Windows operating systems. This exposes organizations that rely on these SPoFs to potential outages in the form of Contingent Business Interruption (CBI).

What to expect?

Affected organizations can expect immediate remediation and recovery efforts. Organizations that have the IT resources to handle large-scale incidents are likely to recover more quickly. There may be ongoing disruption as organizations implement patches and verify the stability of their systems. Rolling back the update and applying patches requires specialized knowledge. For small and medium-sized businesses, a lack of access to IT staff can delay the remediation process. Organizations that lack robust disaster recovery or IT backup plans could also face additional disruption.

CyberCube support

CyberCube’s Cyber Aggregation Event Response Service (CAERS) was activated in response to the CrowdStrike event. CAERS provides up-to-date information on major cyber disasters worldwide as they occur, so that CyberCube’s clients have the most relevant information. CyberCube will continue to monitor this developing event and assist clients in calculating the impact on their own cyber insurance portfolios.