Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hello everyone. Welcome to another episode of Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back with us if you're returning and if you're a new guest, just starting to listen in, it's really great to have you.
So today I want to talk about, really continue, the conversation about the CrowdStrike issue. We talked about it last week. That was more focused on what happened.
But what I really want to dive in today is draw some similarities between the SolarWinds hack, the SolarWinds Sunburst breach that happened roughly a year ago and really talk about exactly what happened with both. Just a little bit because it's been in the news like crazy. You're probably tired of hearing about it.
But also really get into the liability issues where this is probably going to go for the people at CrowdStrike, where it's gone for those at SolarWinds. And then what's really important is tying that back to what that actually means for you and your companies. If you're in a C-level position, especially a CISO, Chief Information Security Officer or similar, what that means for you because, man, the hammer's fallen.
They're starting to go after CISOs like crazy. And I don't know if we'll get into it today. Maybe a whole other conversation around whether that's right or wrong.
Definitely points on both sides. But nevertheless, a lot of new risk out there and things to consider. So that's what we'll go through.
Before we jump into it, whatever you're listening on, if it's YouTube, Apple Podcasts, Spotify, please click that subscribe button. If you like what you hear, reach out to us. Let us know some things you'd like to hear about.
And if you would actually like to be on the show, if you're a business owner, want to talk about what you're doing, how it's impacted you, I'm more than happy to have you on. Just reach out to us and we'll go through the steps to get you on the show. Get to talking to you.
So before jumping any further, just a shout-out to our sponsor, Input Output. Shameless little plug there, but they are the ones that keep the lights on. Input Output has a new episode of SecCom Monthly, Security and Compliance Monthly, coming out, which will talk about some of the CrowdStrike things, the Proofpoint EchoSpoofing issue that was hitting a lot of companies, and a lot more security-related news. But also, for all of you that are managing your information security program (it should be all of you), for the ones that are doing that as well, it gives all the different compliance steps, where we're at in the year, things you need to remember, and helps keep you on track. So feel free to reach out to us. Happy to get you subscribed to that so that you can stay up to date on everything.
And what really keeps the lights on is the WISP, our written information security program. If you don't have information security policies, it is a very easy program to get set up. If you already have them and just want to check, is there anything you could be doing better? It's a great reference for that too.
So head on over to inputoutput.com. We have all the information right there, and we're happy to help get you secure and compliant. So getting into it, let's talk a little bit about what happened now. I don't want to overstep things.
I don't want to make it sound like it's not a big issue, because I'm going to go through it quickly, but with CrowdStrike, you've been hearing about it. We talked about it. Essentially they pushed out a bad update and brought a lot of systems down: a lot of airports, medical offices, hospitals, government facilities, all kinds of different places were impacted.
Not to mention a lot of other companies, but some critical locations were brought offline. And the big point there is that was due to the bad update being pushed out. I want to focus a little bit on SolarWinds, because we're going to draw some comparisons here and look at what's happened to SolarWinds, what the future might look like for CrowdStrike, and how that's going to relate to us.
So for those of you that don't know, just a quick recap: SolarWinds, their platform is a remote monitoring and management tool. Essentially a lot of IT companies use it to be able to remote into systems, to monitor, to push updates, to push patches. Basically it's a single pane of glass to manage everything in the organization.
And that's awesome when it works. When it goes sideways, that is super not awesome, because what happens, and what happened here with the Sunburst breach, is bad guys got in and that gave them access to over 30,000 public and private firms. That's like giving them the keys to every single company.
They had like a skeleton key. They could essentially go into multiple companies and access their data. Any access that your IT provider would have, or that your internal IT teams would have, the bad actors essentially could have that access.
So key takeaway: major, major, major issue, really, really bad. It's kind of the biggest, biggest nightmare there is. And I know a lot of IT firms that were using SolarWinds.
Some of them were affected. Some of them weren't, because of just the platform setup and the exact setup that they had. But nevertheless, there were a lot of puckered starfish over that that could have turned some coal into diamonds.
So really major issue, but what ended up happening from that, and it's actually still ongoing, is that for the first time ever (this hasn't happened before), with SolarWinds, the SEC, the Securities and Exchange Commission (basically they oversee stocks, financial things like that), came in and brought action against not only SolarWinds but their CISO. And what they're alleging... let me take a look. I think I've got the exact complaint right here.
I do. The complaint that the SEC brought is that they defrauded SolarWinds investors and customers through misstatements, omissions, and schemes, schemes that concealed both the company's poor cybersecurity practices and its heightened and increasing cybersecurity risk. So short version, too long, didn't read:
They lied about their cybersecurity controls and how secure they were. Now, SolarWinds had (I'm not going to get into all this) a lot of prior issues, things internally that could be shown: you all knew, SolarWinds knew, that things were going on and you didn't notify your customers. You didn't notify investors.
So essentially what the SEC is saying is that you manipulated your stock price. You gave people this information, this bogus information, about how secure your company was, about the overall health of your organization. And because of that, people invested; they bought your stock, they put money into your company.
But what you told them wasn't what was really going on. Things weren't as stable as you said. So people were investing on a false premise that drove your stock price up inappropriately. You manipulated the stock price. I mean, it fits, but again, it's the first time that the SEC has done this. And at first glance, it seems like quite a shimmy to get into that position, but that's a very bad position to be in, one from a company side.
You definitely don't want the SEC coming at you saying that you manipulated your stock price. That's horrible, but also from the CISO's perspective (and we'll set up a whole episode on this), essentially what they're saying with the CISO is that not only should you have informed (which I believe in some cases they did notify internally), but when the higher C-level, when your company came out and made these statements, you should have known, you should have seen that those weren't the case, that that wasn't how things were operating, that that wasn't what you reported to them, and set the record straight. Basically, as a CISO, you should have come out and been the whistleblower on your own company and reached out to the SEC.
Which again, I think has an entire episode all on its own. But I find that premise a little bit silly, not only because of how much the cards are stacked against that person doing it. But I guess that's it.
It's just all the cards stacked against them: if I do that, I'm going to bomb my own stocks and financial livelihood. I'm going to torpedo my career.
At best, I'm going to be able to leave the company and maybe get to work somewhere else, but things like that travel around. So am I even going to be able to get a job somewhere else? I just think the premise is silly on the regulator side too. I mean, they're hot-potatoing the risk: oh, well, you know, this is all the CISO's fault.
It's not. Plus, CISOs really should be reporting the risk, and upper-level management should be making the decision as to what to do and how to proceed. CISOs, in their capacity, should be a risk informer and help with the evaluation, but they shouldn't be making the ultimate decision; that needs to be senior management.
In a lot of companies, it's not set up that way. We'll talk about that a little bit later, but in any case, the SEC's getting involved, and that's a major issue for SolarWinds. So that hasn't all played out.
But here's something that correlates directly, and why this is going to lean into CrowdStrike: March 26th, 2020, SolarWinds unknowingly started sending out Orion software updates with hacked code. They sent out a bad update. That sounds familiar.
Now CrowdStrike didn't do that with malicious code. I don't think. It's not what's reported. They just did it to where it caused a logic loop, basically, a bad driver, and crashed out Windows. So they both pushed out bad updates that caused major, major issues. On the SolarWinds side, it was more unauthorized access of data.
On the CrowdStrike side, it was massive availability issues. So there are the similarities. So just from looking at that, it seems like the SEC, once they start really looking at it, could do the same thing against CrowdStrike. They come in and essentially say, you manipulated your stock price. You said you had all these processes in place and blah, blah, blah, blah, blah. You really didn't, and it drove your stock price up.
So where CrowdStrike, not SolarWinds, is really going to get into the issue, and kind of transitioning over to the liability side, is that it's not just an update that was pushed out inappropriately. I mean, that's what caused the issue. That's definitely what did it. That is kind of the catalyst, but where the real liability comes in here, where the real liability is, is their lack of controls around it. So here's the issue. I'll step through it, and step through it badly, but bear with me.
So CrowdStrike has a lot of security certifications: ISO 27001, SOC 2 Type II, CMMC Level 2, FedRAMP. They have a lot more; I don't want to miscredit them. They've got tons of them, and good on them. Those are very, very difficult to do. And when you look at those, that typically will give you the assurance that they've got their act together, that they've got a good information security program in place, or in the case of ISO 27001, an information security management system, ISMS, whatever you want to call it. Those certifications give you, should give you, the warm feelings that they've got it together, that you don't need to audit them.
An outside company came in and made sure that they've got good access control, good inventory management, good encryption and data safeguards. With something like CrowdStrike, where software is their biggest thing especially (which is where a lot of SOC 2 Type II focuses), you have a secure development lifecycle, you've got a development process in place to make sure, one, you're putting out good solutions, and also that they work, that you find the bugs, that you fix the bugs, that you push out stuff that's good, that's secure, that works, and that you can quickly jump on any issues. I've taken a lot of companies through their ISO 27001 and other certifications. The software development lifecycle side of things in the 2013 version of ISO 27001 had its own section, Annex 14; in the 2022 revision they've kind of mashed them all up, but those controls are still there.
There are controls just for software development, just for managing that, making sure patches go out. There are controls for making sure when you do patches that you can roll those back, that they don't cause these types of issues. There are whole controls in a very big section around change management and segregation of duties. There are a lot of other controls that mash up here. My point is that they went through with multiple certification bodies that they were doing these things. There's no way that they could have said, that's not important. "It's our main business function to provide a SaaS solution, software as a service; our main focus is to provide software, but we don't really need an SDLC. We don't need a good development process. You know, we're just going to make those controls not applicable and ignore those. We're going to accept that risk." That absolutely would not fly with those, especially with FedRAMP and CMMC, which is what the government is going to look to, to validate that this is good to use on government systems. So at some point, and that some point is at least yearly because these certifications renew and have to be reviewed, they were showing that they had a full process in place, and yet they did an update that they pushed out that immediately, when Windows turns on, crashes it.
This isn't an issue where, if you're running Windows 11 and you have Adobe Reader and you have this other software, all those together cause a weird driver instability issue and it crashes. You can only test so much in your quality assurance, so you can't find everything, and, wow, there's a small subset that had these different things and we never tested for that. We can't test for everything. That would be understandable. But as soon as Windows comes on, it crashes. That means at no point before this update was pushed out did they load it into a system to see if it actually worked. And do I have it right here? I'm not going to search for it if I don't. No. The short of it is, in CrowdStrike's statements, they say that they do a lot of this testing, integration testing, that they actually dogfood, which means eating your own dog food.
I don't know why they call it that. I feel like it should be called a pudding team. Eat your own pudding, eat your own cake. I don't know. In any case, it means that they actually use it in their systems. Like when Apple was moving over to word processing, they basically said, listen, at a certain date, we're not going to order any more typewriters. I'm reaching far back. We're not going to order any more typewriters. We're all going to use word processing. We're going to eat our own dog food, and we're going to live what we're preaching. We're going to live what we're selling so we can see how it works. We can make it better and we can live it.
CrowdStrike says that they do that, but not with this update. So of all the different types of testing that they say they do, just turning a system on would have shown them the issue. Literally, this is less than a five-minute test. It's remarkable how quickly this shows up. So to be able to say that, yes, we certified to all these things, we're doing all these things, and this one just fell through the cracks? I don't see how that happens.
And especially working with a lot of companies that use tools like Atlassian or other software development lifecycle tools, in that process you even typically have integrated and encoded segregation of duties, where you have one person that programs the update. They do the engineering on it, they program it, then that gets ticked off, and I say, yep, I've done this. It goes to somebody to approve it. That person reviews and says, hey, this looks good. Perhaps we did our testing. Then they move it to perhaps the next team that either does more testing or schedules it to push out. And sometimes there's even another step where they actually flick the switch and push it. In any case, there are typically at least three steps involved. Three core pillars, not steps. There are a lot of steps, but three core jumps, if not four or five, that it has to go through before it ever goes into the wild. And for an update like this, it would also typically go into testing. You would have a development environment, then you would have a testing environment, and in something this serious, you'd have, a lot of times, a pre-production environment where, hey, we're going to put it there, we're going to run it, make sure there's no issues, and then we're going to push it out to the wild.
It skipped all of that. So there are the questions here of what type of issues the certification bodies are going to bring. Is that going to bring up any questions or concerns about their viability and their methods? You know, are we actually going to call in the firm that gave the opinion for the SOC 2? A CPA at an accounting firm gives an opinion, and it says that we checked everything, it's all good.
Here's how it works. Are they going to get called in? Is the company that did their ISO certification going to get called in to see, hey, we want to see the evidence of where they were doing their development? Did you just give them a check mark? Did you give them a green light, but you didn't really check it?
So here's a section of liability that's not even CrowdStrike. It's all on the auditors. So from an auditing perspective, when you say, what are you doing? Great. Now show me. Trust, but verify. Make sure you're getting your evidence. Make sure you're documenting that, that you can support what it is you're marking down, because even if you're not going so far as a SOC 2 or giving a legal opinion, that's essentially what you're doing a lot of times as an auditor: to say, hey, I checked this, this looks good, or here are the issues. So I guess the point there is be honest in your audits, but also don't just take anybody's word for it. Make sure you verify, make sure you have objective evidence. But back to CrowdStrike.
So here's the issue, here's the parallel to SolarWinds. They said that, hey, we're doing all of these things. We've got this great development process in place. We've got all these secure controls. We've got this rock-solid SDLC. And when we push things out, you can be assured that it works. It's good. Invest in us. We're a great company. We do great. But that's not really the case. And this wasn't just a sidestep. This wasn't just a, oh man, we just goofed here.
The amount of things that had to happen for this to get out into the wild, to production systems, to customer systems, with such an egregious error almost had to be deliberate, to the point of it's either directly malicious (silly rabbit) or, at the very, very best, it is grossly, grossly, grossly negligent. I cannot see the SEC looking at the CrowdStrike issue any differently than the SolarWinds issue. I can almost guarantee that they're going to come against CrowdStrike, especially with, as of, I think, today, 20% of their market share... not their market share, their stock price; it has dropped $133 since I last looked. Billions of dollars have been lost over this. I can't imagine the SEC not coming after them in the same way that they came after SolarWinds.
So I want to put a pin in that, because I do want to come back to it. I want to talk about some of the other liability issues. So as of July 30th, Delta actually stated that they're going to sue CrowdStrike. Well, I can imagine a lot of companies are going to want to, and because it's really good reading, and it really gets my wife going when I read this stuff, I took a look at some of the CrowdStrike EULA language, read it out loud, got things really heated. I'm not going to go into details. It's not that kind of show, but it was a good time.
So in their EULA, here are some interesting things. More details: what the contract boils down to. The program comes with no warranties that it does anything, including what it's advertised for, or that it even runs reliably. Okay. That's a pretty standard software boilerplate EULA, but for security software, especially something going through FedRAMP and CMMC, that's going to go for government, that's just wild. They also (I'm paraphrasing, I'm not reading the exact language; it would get things too heated on here) say that if any damages occur from the use of the program, be it loss of data, disrupted operations, injuries (wow, injuries), anything, they're on the client. Even if CrowdStrike knows or should have known about the possibility of the issue. So listen, we're not accepting any liability. You accept all liability for this. I know you're buying the product, but honestly, it may not be what it is. It may be something completely different than what we're selling, and that's not on us.
Now, typical... all right, not an attorney, can't give legal advice. Do not base any financial decisions or stock purchases on anything that I'm saying. That's all on you. See how we pass liability, hot potato? But really, I don't give legal advice, or financial advice anymore. I don't have my licenses anymore. I don't do that.
But, you know, I got sidetracked. Where was I going with that? Just with those, okay, you can't get out of gross negligence. But here's an issue where I would like to see how this is going to play out in court. Because, true, I can't get out of gross negligence. So that could be a way to sidestep those. But the CrowdStrike program should never be used in sensitive environments where fault tolerance is a prerequisite. Okay. Wild. But that would be like power plants, aircraft control systems, life support systems, et cetera. Programs should never be used in a sensitive environment where fault tolerance is a prerequisite. Okay.
So that liability statement seems like it goes against the entire premise of the CrowdStrike platform. Like, I'm specifically using this to protect critical systems. I'm not giving them a hard time. I don't think they're priced inappropriately, but they're not inexpensive. It's not something that I can just pick up and not worry about. I need to evaluate this expense, the ROI of it. And it shouldn't even be used on my most critical systems. Okay.
And then what's always there is, even in case liability can be established, it's limited to whatever you paid for the program. So you can't exceed what you've paid us. So how that's going to work out for consumers that try to sue, I don't know exactly how that's going to play out. I would actually like to have a business attorney, a contract attorney, on to talk about that a little bit. But I think it will make it difficult for consumers, perhaps, to really go after this. I didn't see it in there. I actually stopped reading. So I don't know if there's a subrogation clause in there for insurance, but a lot of times insurance companies, even though they'll pay you out (say you were impacted by CrowdStrike, your insurance company would pay you, you would get your money after your deductible, which isn't small), a lot of times they can go after the other company. So then your insurance company would turn around to CrowdStrike and say, hey, we had to pay this money out. We took care of our client, but it was your fault. We're coming after you. Subrogation clauses can help prevent that. I don't exactly understand why I can sign off my insurance's ability to do that. But there it is.
I don't know if that's in there, but even in that case, would they be able to fall back and say, yeah, listen, we were grossly negligent, but people, you should have never... this should have never been on an airport system. Why do you have it on there? I mean, we sold it to you and our sales team probably talked a lot about it, but did you read our contract? Because, yeah, no, it wasn't built for that. It was... I don't even know what the argument is there. It was built for test environments, test environments that we don't have.
So I don't know how that's going to play out. Going back to that pin, though, that we had about the SEC side: any of the investors, well, they can still go after them for basically stock manipulation. Listen, you guys said you were doing all this stuff. I invested in you. We put money into you. You weren't doing that. You lied. I would have never invested had I known. So that could be a way that companies could go after it.
As of now, CrowdStrike is actually getting called in by Congress. They're going to have to sit in front of the... where did I put it? The U.S. House Committee on Homeland Security, to basically talk about this: you know, what happened? Why'd this happen? With this major impact. I don't believe there's a date for that yet. I don't think they will, but I would love to see them just bring out the EULA and say, listen, it should have never been used on those systems. I'm out, Yahtzee. I don't think that's going to fly. So I'm curious as to how that's going to work out.
Their CEO, George Kurtz, he's the one that's having to go. Interestingly enough, he used to be the CTO at McAfee, and under his management, a security update for their antivirus system that was pushed out crashed tens of thousands of computers worldwide. So this isn't even George's first rodeo into this type of issue. He's done basically this exact same thing at another company where he was just the CTO. Now he's CEO. It just blows my mind. Absolutely blows my mind. So very curious how this is going to work out, but I think there are a lot of considerations here, and a lot just beyond direct liability. Other people, other institutions, that are also going to get pulled into it. I'm interested to see if anybody even notices that the certification bodies have some questions to answer on this. I would definitely like to see that.
So moving on here, in the... not even the last half, the last few minutes that we've got together: what does this mean for you? How should you look at things? How should you manage your company? How should you support your clients? I guess one of the biggest things is, and we talk about it a lot, you cannot transfer the majority of your risk. You cannot transfer any of your fiduciary responsibilities. If you are responsible for maintaining the confidentiality of PII, you cannot transfer that risk to somebody else. If you have a fiduciary responsibility to, say, provide certain medical care, or to provide certain services, you cannot transfer that and basically hot potato and say, listen, I know that we were supposed to provide that service, but these people messed up. I mean, we didn't vet them effectively enough and structure our systems and our processes in a way that if they messed up, it wouldn't bring us down. But, yeah, it's not us. That doesn't apply.
So I think the biggest thing is look at every risk that you have as "we cannot get rid of this" and look at it from that lens of how do we effectively manage this? And like when we take clients through continuity planning, disaster recovery, risk planning, we don't typically go the standard way and just look at, hey, what happens if we have a fire, or what happens if we have a hurricane, and what happens if we have a data breach. We do ask those questions, but what we really look at, what we really start with, is: what are our key systems and our key processes and our key outputs? All right. From those, let's just focus on our key outputs: being able to provide customers with air travel, being able to provide medical services. Okay. What systems and processes support that delivery? Once we identify that, then you can look at what happens if we just take one of those away. Let's say it's the Microsoft ecosystem. Let's say the hand of God comes down and wipes it from existence. What do we do? Are we just going to close our doors as a company, or are we going to have some other way around it? In that way, not even from that management, high-level perspective of looking at all the different ways that could cause that to happen, that could cause that supporting system or supporting process to go offline or be unavailable, but what we would do. Then we can push to other subject matter experts and IT and everybody else and say, okay, brainstorm and figure out the different ways that this could happen, and let's see how we can tighten those up.
But to be truly resilient, to truly be able to weather this type of storm, like CrowdStrike or SolarWinds, to be able to stay viable with something like COVID, you need to identify what it is in our business that we need to operate to deliver our service, and how do we do that without the systems and processes that we have in place now, and how can we structure in a way that we can pivot to quickly adapt if we need to. Talked about it before, but that'll also help you mature from just risk management to opportunity management. Because when you start identifying all those things, you can see different ways that you could capitalize on issues and perhaps new lines of business now.
What I would also say is, and this is more technical, don't push updates immediately, or at least consider the risk of doing it and not doing it. Perhaps wait three or four days, wait a week on most updates; push them to a few systems rather than all of your systems. That way, if there's an issue, it's contained and you can manage it. That's a way that you can help with a lot of these patch issues. That's typically something that should be in place already with a lot of companies' information security programs. So I think with a lot of the people that are impacted, if you talk to them, please give them our card. We'll be happy to talk to them. But don't push the updates immediately.
And then, man, this would be its own conversation completely, but as a CISO, as a risk manager, don't assume. Make sure you document everything that you check. If you have concerns, bring those up and document those, because things are going sideways at an exponentially faster rate and people are looking for feedback. So make sure you have your fingers to point and for people to throw those hot potatoes to; you do not want to be on that seat, like the SolarWinds CISO, or like some of the others that are going to get nailed by these issues. So always more than happy to connect with you, to talk to you about it, either on the show or directly in your company: how you can help manage your risk, how you can help protect yourselves.
But I think that's all the time that we have for today. So thank you very, very much for listening to this episode of Cash in the Cyber Sheets. Please click that follow button if you liked what you heard, whether Apple Podcasts, Spotify, YouTube: subscribe, please. Leave some comments, let us know some things that you want to hear about, and also if you'd like to be a guest on the show. So thank you very much for listening. We'll see you next week, 10 a.m. Have a great day.