Assignment 9: Review the 2024 CrowdStrike Incident
For this assignment, you will review the 2024 CrowdStrike incident and pick one aspect, in either the timeline or the software supply chain, on which to focus.
Background Material
Just after midnight EDT on July 19, 2024, cybersecurity company CrowdStrike pushed an update to its Falcon Sensor product. This update contained an error in a data file that caused over 8 million Windows systems to experience a “blue screen of death” over the following hours. The resulting fix was quite cumbersome, as it often meant manually going to each system to apply a patch. While this incident was the result of an innocent mistake, it had the scope and cost of a major cyberattack.
The CrowdStrike incident is a real-life example of the havoc that a large, complex piece of software running with high privilege in the system can cause. It is also a cautionary example of “following the crowd” when selecting software, as evidenced by the large number of different companies that were affected simultaneously. Although the CrowdStrike Falcon Sensor in question primarily crippled Windows systems, the underlying security principles are the same as those for systemd on Linux in Assignment 7. As such, this piece of software makes for a second case study on the same principles of software size and complexity.
However, this case study expands upon the previous one in pointing out the irony that CrowdStrike markets security software that is explicitly trying to mitigate cybersecurity threats. In this particular case, the security software became a self-exploiting vulnerability that essentially created a distributed denial of service (DDoS) attack on the companies that chose to deploy it. It is a cautionary tale that there is no single, off-the-shelf magic bullet solution to the problem of cybersecurity.
In addition to functioning as an example of a DDoS attack (albeit an accidental one), the CrowdStrike incident would also qualify as a Software Supply Chain Attack had it been intentional. A Software Supply Chain Attack occurs when a malicious actor intentionally introduces a vulnerability into a piece of software, with the goal of either an immediate attack or a future exploit. It should be noted that this type of attack is not limited to Windows or even to proprietary, closed-source applications, as the 2024 attack against XZ on Linux also demonstrated. Fortunately, the latter attack was discovered before it could be successfully exploited on a large number of systems, unlike what happened (unintentionally) with CrowdStrike.
The CrowdStrike incident affected a large number of companies across various sectors of the economy. One company that was greatly affected was Delta Air Lines, which canceled over 7000 flights during a 5-day period as a result of the CrowdStrike incident affecting many of its systems. Delta subsequently filed a lawsuit against CrowdStrike, resulting in an exchange of blame between the two companies. CrowdStrike blamed Delta’s own response as the chief reason for the disruption of travel for over a million people.
Initial Post Requirements
For your initial post for this discussion, read the background material about CrowdStrike and focus on a single aspect of the incident that is NOT directly related to Delta Air Lines. You will be addressing Delta’s response in the next assignment. Instead:
- A single “aspect” of the incident could be a point in time (an event in the chronology that led to a later consequence) or a single failure in the process that allowed the faulty update to be pushed into the software supply chain.
- When considering the aspect of the incident, think about how that aspect contributed to the overall outcome. How would the outcome potentially have been different had the aspect been different?
- Do some of your own research to find more detailed sources that will help you narrow your post to a single aspect.
In your initial post, describe the aspect that you selected. Explain how it contributed to the outcome experienced over the days that followed. Cite at least 2 sources in your post.
As a reminder, you must do your own writing. Use of ChatGPT or other artificial intelligence tools is NOT PERMITTED, beyond the use of the automated word completion and grammar checking that may be available in Microsoft Teams.
Completion Standards
A complete initial post for this assignment:
- Focuses on a single aspect of the 2024 CrowdStrike incident. This single aspect could be a single chronological event or a single failure in the software supply chain that led to the incident.
- Explains how the selected aspect contributed to the overall damage caused by the incident.
- Cites at least 2 sources, some of which may come from the background section. Citations may be informal – a link is sufficient.
There are no word limits or targets (minimum or maximum), but try to make the post both complete and concise.
Assessment
Successful completion of this assignment satisfies the following course student learning outcome:
- SLO 2. Explore and extend creative use of emerging information systems technologies in a secure manner.