{"id":12366,"date":"2024-08-08T22:00:00","date_gmt":"2024-08-08T22:00:00","guid":{"rendered":"https:\/\/modernsciences.org\/staging\/4414\/?p=12366"},"modified":"2024-07-24T17:10:29","modified_gmt":"2024-07-24T17:10:29","slug":"crowdstrike-crash-showed-us-how-invasive-cyber-security-software-is-is-there-a-better-way","status":"publish","type":"post","link":"https:\/\/modernsciences.org\/staging\/4414\/crowdstrike-crash-showed-us-how-invasive-cyber-security-software-is-is-there-a-better-way\/","title":{"rendered":"CrowdStrike crash showed us how invasive cyber security software is. Is there a better way?"},"content":{"rendered":"\n
\n
\n \n
\n \n Tippa Patt\/Shutterstock<\/a><\/span>\n <\/figcaption>\n <\/figure>\n\n Toby Murray<\/a>, The University of Melbourne<\/a><\/em><\/span>\n\n

On Friday, the world suffered what many have described<\/a> as the largest IT outage in history, when 8.5 million<\/a> Windows computers crashed and wouldn\u2019t restart.<\/p>\n\n

The cause was a bug triggered by an automatic update for a piece of software that until Friday nobody beyond cyber security nerds had heard of: CrowdStrike\u2019s Falcon<\/a>.<\/p>\n\n

<\/p>\n\n

Falcon is a type of software known as \u201cendpoint detection and response\u201d, or EDR for short. It\u2019s somewhat like an anti-virus on steroids. When installed, Falcon monitors a computer for signs of cyber attacks. <\/p>\n\n

It can collect data about what files you open, what programs you run, what websites you visit, and so on. This makes it highly privileged software<\/a>. When an employee accidentally opens a malicious email attachment, Falcon is watching \u2013 eternally vigilant.<\/p>\n\n

EDR programs are considered best practice, recommended<\/a> by the Australian government\u2019s chief cyber defence agency.<\/p>\n\n

Which means that in 2024, the best strategy that cyber security experts recommend involves software that spies on everything that happens on our computers. <\/p>\n\n

How did we get here, and is there a better way forward?<\/p>\n\n

The case for EDR<\/h2>\n\n

CrowdStrike is a market leader in EDR, hence why so many systems went down late last week. And there are good reasons for recommending EDR technologies like Falcon. For individual organisations, they are invaluable for alerting IT security teams to signs of cyber intrusion. <\/p>\n\n

This helps IT teams to thwart an attacker before they can cause significant damage. In the case of more stealthy attacks, it helps flag suspicious behaviour that could point to a long-standing intrusion. The Medibank hack<\/a> of 2022 is a good example. After initially gaining access, the hacker spent weeks inside Medibank\u2019s networks undetected.<\/p>\n\n

Technologies like CrowdStrike\u2019s Falcon also provide valuable intelligence about emerging cyber threats globally. Because its software is deployed in so many organisations around the world, CrowdStrike has a bird\u2019s eye view that \u2013 at least in theory \u2013 allows it to identify patterns of malicious behaviour beyond what any individual organisation can see.<\/p>\n\n

For this reason, it\u2019s also a leader in cyber threat intelligence<\/a>, providing information to IT teams about what to look out for. If an organisation detects a cyber attack, data collected by EDR tools like Falcon can also help figure out exactly how the intrusion occurred. <\/p>\n\n

Again, the Medibank hack serves as a good example. Federal Court<\/a> filings contain detailed information about the timeline of events that led to the hack, including how the initial intrusion occurred and what the attacker did once they gained access to Medibank\u2019s networks.<\/p>\n\n

Without the omniscient view provided by surveillance tools like EDR, assembling this kind of information would be incredibly challenging.<\/p>\n\n

What are the downsides?<\/h2>\n\n

In the wake of Friday\u2019s outage, it\u2019s worth questioning the downsides of EDR technologies. Many have already<\/a> raised the obvious questions about our society\u2019s dependence on too few global tech giants, and the risks of tech monocoltures<\/a>. <\/p>\n\n

But we\u2019ve known of these risks for over two decades<\/a>. We likely can\u2019t expect this incident to undo the monopolies that pervade technology markets. <\/p>\n\n

Another downside is the sheer technical risk. EDR software like Falcon gains its omniscience by being tightly integrated into the core of Microsoft Windows: the fundamental software that controls most of our computers. This is why it could cause the crashes we saw in the first place.<\/p>\n\n

As a maker of highly privileged software, CrowdStrike had a responsibility to ensure its updates were safe. It demonstrably failed and we should all demand much higher standards of accountability from the makers of critical software.<\/p>\n\n

<\/p>\n\n

Privacy tradeoffs<\/h2>\n\n

All of these issues have been widely canvassed in the days following the incident. Less discussed have been the privacy tradeoffs.<\/p>\n\n

If you ask a cyber security professional to name what type of software spies on everything you do on your computer, chances are they\u2019ll name spyware before mentioning EDR. <\/p>\n\n

Spyware is malicious software hackers install on victims\u2019 computers to capture sensitive information, such as passwords<\/a>, banking information<\/a>, or nude photos<\/a>, among other things. <\/p>\n\n

Indeed, some privacy-conscious computer scientists equate EDR with spyware<\/a>. <\/p>\n\n

As with other forms of corporate surveillance<\/a>, there is a clear tension between the individual right to privacy and the organisational imperative to protect itself from cyber intrusions.<\/p>\n\n

EDR technologies have been rolled out across major organisations with little debate about their impact on user privacy and trust. This outage may provide an opportunity to finally have those debates. <\/p>\n\n

Is there a better way?<\/h2>\n\n

In the wake of this incident it\u2019s worth considering whether the tradeoffs made by current EDR technology are the right ones. <\/p>\n\n

Abandoning EDR would be a gift to cyber criminals. But cyber security technology can \u2013 and should \u2013 be done much better.<\/p>\n\n

From a technical standpoint, Microsoft and CrowdStrike should work together to ensure tools like Falcon operate at arm\u2019s length from the core of Microsoft Windows. That would greatly reduce the risk posed by future faulty updates. Some mechanisms<\/a> already exist that may allow this. Competing technology to CrowdStrike\u2019s Falcon already works this way<\/a>. <\/p>\n\n

To protect user privacy, EDR solutions should adopt privacy-preserving methods for data collection and analysis. Apple has shown how data can be collected at scale from iPhones without invading user privacy<\/a>. To apply such methods to EDR, though, we\u2019ll likely need new research.<\/p>\n\n

More fundamentally, this incident raises questions about why society continues to rely on computer software that is so demonstrably unreliable. Especially in Australia where we are internationally recognised<\/a> world leaders<\/a> in engineering highly secure computer systems, such as those that protect highly classified information<\/a>. <\/p>\n\n

In the long term, we should reduce our dependence on invasive technologies like EDR by focusing our efforts on building software that\u2019s reliable and secure in the first place.\"The<\/p>\n\n

Toby Murray<\/a>, Associate Professor of Cybersecurity, School of Computing and Information Systems, The University of Melbourne<\/a><\/em><\/span><\/p>\n\n

This article is republished from The Conversation<\/a> under a Creative Commons license. Read the original article<\/a>.<\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"Tippa Patt\/Shutterstock Toby Murray, The University of Melbourne On Friday, the world suffered what many have described as…\n","protected":false},"author":901,"featured_media":12368,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","fifu_image_url":"https:\/\/upload.wikimedia.org\/wikipedia\/commons\/thumb\/d\/d9\/Windows_10_Version_1703_Blue_Screen_of_Death.jpg\/2560px-Windows_10_Version_1703_Blue_Screen_of_Death.jpg","fifu_image_alt":"","footnotes":""},"categories":[16],"tags":[694,474],"class_list":{"0":"post-12366","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech","8":"tag-cybersecurity","9":"tag-the-conversation","10":"cs-entry","11":"cs-video-wrap"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/modernsciences.org\/staging\/4414\/wp-json\/wp\/v2\/posts\/12366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/modernsciences.org\/staging\/4414\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/modernsciences.org\/staging\/4414\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/modernsciences.org\/staging\/4414\/wp-json\/wp\/v2\/users\/901"}],"replies":[{"embeddable":true,"href":"https:\/\/modernsciences.org\/staging\/4414\/wp-json\/wp\/v2\/comments?post=12366"}],"version-history":[{"count":1,"href":"https:\/\/modernsciences.org\/staging\/4414\/wp-json\/wp\/v2\/posts\/12366\/revisions"}],"predecessor-version":[{"id":12367,"href":"https:\/\/modernsciences.org\/staging\/4414\/wp-json\/wp\/v2\/posts\/12366\/revisions\/12367"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/modernsciences.org\/staging\/4414\/wp-json\/wp\/v2\/media\/12368"}],"wp:attachment":[{"href":"https:\/\/modernsciences.org\/staging\/4414\/wp-json\/wp\/v2\/media?parent=12366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/modernsciences.org\/staging\/4414\/wp-json\/wp\/v2\/categories?post=12366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/modernsciences.org\/staging\/4414\/wp-json\/wp\/v2\/tags?post=12366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}