What the 2024 CrowdStrike Incident Means for MSPs/MSSPs

The CrowdStrike Incident is the most large-scale computing incident to occur in the past 14 years, impacting millions of businesses worldwide. Fixing this issue requires extensive IT efforts, but  is also impacted by how each organization practices cybersecurity hygiene. In this article, we explain why MSPs and MSSPs should be involved in fixing efforts and how they can help their SMB clients in the short and long-term.

Why Should CyberSecurity Experts and MSSPs/MSPs Care?

The 2024 CrowdStrike incident resulted from a bug in the release. This seems to be a development/IT issue. Why should professionals engaged in cyber security take notice of this event? There are four main reasons:

1. First and foremost, the ability to fix the issue partially depends on cyber security hygiene. We provide more details below, but the main idea is that an organization’s cyber security practices directly impacted their ability to bounce back, making security teams and MSPs/MSSPs key players in this incident.
2. While the CrowdStrike incident is not a cyber security incident, its implications are similar. Security teams can leverage this incident to develop a plan to prevent similar incidents and an incident response tools that deals with them.
3. The incident compromised the availability of systems and information. Since cybersecurity deals with information confidentiality, integrity and availability, security teams should consider being involved in the fixing process and in the long-term plans to prevent such incidents from recurring in the future.
4. This bug was part of a security tool release, to a vulnerability scanner, which is part of the security stack and in their realm of responsibility.

Here’s more on why you should care, from William Birchet, founder of the vCISO network and vCISO consultant, and David Primore, CEO and co-founder of Cynomi.

What Happened?

On July 19, CrowdStrike issued a software update to their Falcon Sensor vulnerability scanner. The update was intended to fix a high memory utilization issue. A bug in the release disrupted dozens of millions of Windows users worldwide, showcasing the “blue screen of death”. Systems were forced into a bootloop of constant rebooting..

CrowdStrike issued an updated release to fix the issue. However, since many of the impacted devices were unable to connect to the internet to download the update, they remained stuck in the blue screen of death.

To overcome this, Microsoft has advised customers to reboot in Safe Mode or Windows recovery Mode. Then, admins could go into the Windows System Directory, remove the infected file, reboot and obtain the updated release. However, doing so requires local account access and privileges. Another option enables recovering from WinPE, but this requires BitLocker encryption keys, which are not always available. As of now, there is no other immediate available fix, though Microsoft and CrowdStrike are constantly working on new solutions.

There are millions of impacted businesses. These include airline providers, healthcare services, financial services, emergency call centers, news, SMBs and many more.

The Importance of Cybersecurity Hygiene

Fixing the corrupted CrowdStrike file touches upon two cybersecurity best practices.

1. Local admin access and privileges – Accessing Windows System Directory and rebooting through Safe Mode requires proper management of local admins and their ability to access sensitive files. This involves PAM – Privileges Access Management. However, many organizations have removed these local accounts, resulting in their inability to reboot in Safe Mode.
2. Storing backup encryption keys – To recover from WinPE, organizations might need their BitLocker keys. These are often stored in the Domain Controller, but in this case it is also stuck in the blue screen of death. If the organizations didn’t store their backup recovery keys elsewhere, they cannot use this option.

If you are dealing with these issues, continue to follow Microsoft and CrowdStrike updates for more future solutions.

How MSPs/MSSPs can Help Their SMB Clients: Short-Term

Small and medium businesses are exceptionally vulnerable to this incident, since they lack the resources to fix the issue or the pockets to sustain until it is. For security, many of them rely on MSPs and MSSPs. This is an opportunity for these service providers to act as trusted business and security partners and assist their clients until the issue is resolved.

One of the challenges MSPs/MSSPs face is how to access impacted devices. In most cases, you are probably accessing your clients’ networks remotely. However, in such an outage Remote Management tools are also offline. This requires MSPs and MSSPs to come to every site and touch every computer.

How MSPs/MSSPs can Help Their SMB Clients: Long-Term Business Planning

In addition to the immediate fix, this is an opportunity for MSPs/MSSPs to help build and develop their clients’ long-term business continuity plan (BCP).

Don’t start from scratch. Download the BCP template and sample and hit the ground running.

Ensure you execute every step correctly by downloading the XLS risk assessment template. 

Why BCP?

Various types of incidents – attacks, outages, wars, natural disasters, and more – can impact industries and businesses around the globe. A business continuity plan ensures that despite such incidents, businesses can continue to operate and deliver goods and services to their clients. A good business continuity plan can be the difference between whether your client’s business survives or not.

A business continuity plan consists of business impact analysis, risk assessment, recovery strategies, actionable plans, roles and responsibilities, incident response, communication plans, employee training, drills, IT disaster recovery, and more.

Cynomi offers a customizable business continuity plan policy, enabling you to develop, plan and track the implementation of the BCP for your clients’ specific needs. With Cynomi, you can scan and understand your clients’ readiness, build detailed policies with actionable tasks, track and measure progress and report the status to your clients’ leadership. To learn more about how to get started, click here.