Even as the Microsoft outage created havoc across the world, disrupting businesses, cybersecurity companies have called for a cautious approach to rolling out such updates. They want organisations to test updates in a simulated environment first and to roll them out in granular phases instead of pushing a full-blown, fleet-wide update at once.

Cybersecurity experts are trying to assess the reasons behind the massive disruption and how to resolve it quickly. They felt that the hooks CrowdStrike uses when it injects itself into other processes had caused the outage.

When the CrowdStrike sensor, a critical endpoint protection agent, was updated, it conflicted with changes introduced in the latest Windows update.

“The way CrowdStrike injects itself into other processes is the main reason for the crash. The hooks they perform are known to be bug-prone,” Santosh Kumar Jha, Co-founder and CTO of Zeron, said.

The company released a step-by-step guide that helps organisations recover from the crisis and get the affected software running again.

“These sorts of untested bugs, if pushed to production, would cause a domino effect across the globe and would cause major disruption in this connected world,” he said.

He said that applying the basic principles of secure development would help reduce such effects in the future. He asserted that companies should have a proper Business Continuity and Disaster Recovery (BCDR) plan with full coverage to help them recover from such disasters.

CERT-In advice

CERT-In, the country’s emergency cyber response agency, has asked affected users to boot Windows into Safe Mode or the Windows Recovery Environment, and has published a how-to guide for deleting the particular file that is causing the problem.

Kumar Ritesh, CEO and Founder of external threat landscape management company CYFIRMA, said that the outage was caused by a compatibility issue between CrowdStrike’s Falcon sensor and a Windows update.

“Such incidents underscore the importance of rigorous compatibility testing between security solutions and operating system updates to prevent widespread disruptions,” he pointed out.

Testing environment

He felt that organisations should create a testing environment that mirrors production systems before deploying any security update or software patch.

“Test the update thoroughly in this environment to identify any compatibility issues or unexpected behavior. Avoid deploying updates across all systems simultaneously,” he advised.

He suggested that these updates should be rolled out gradually to a subset of machines. “Monitor these systems closely for any adverse effects. If everything looks good, proceed with a wider rollout. Regularly back up critical systems so that in case an update causes problems like the current situation with CrowdStrike updates, you can restore the system to a previous state,” he said.
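The staged rollout described above, as an added example that is not part of the article and not CYFIRMA's or CrowdStrike's tooling: a small Python controller that places each host in a ring deterministically, deploys one ring at a time, and halts before touching the next ring when a ring's post-update failure rate exceeds a gate. The fleet, the health signal and the names `deploy_update`, `health_check`, `ring_for` and `phased_rollout` are constructed assumptions; in practice the first two would wrap the endpoint agent's management API and post-reboot crash telemetry.

```python
"""Ring-based rollout with a health gate (constructed example, not vendor code)."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Ring boundaries as cumulative fractions of the fleet: 2% canary, then 10%, 35%, everyone.
# Assumed values; pick them to match how much blast radius you can tolerate per step.
RINGS = [0.02, 0.10, 0.35, 1.00]


def ring_for(hostname: str) -> int:
    """Deterministically place a host in a ring from a hash of its name.

    The same host always lands in the same ring, so the canary population is
    stable across updates and can be audited to mirror production (mixed
    hardware, OS builds, business units) rather than being a random sample each time.
    """
    digest = hashlib.sha256(hostname.encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") / 2**32  # uniform in [0, 1)
    for ring, upper in enumerate(RINGS):
        if bucket < upper:
            return ring
    return len(RINGS) - 1


@dataclass
class Host:
    name: str
    # Constructed health signal standing in for real telemetry (agent heartbeat
    # after reboot, no bugcheck). True means the host is healthy after the update.
    healthy_after_update: bool = True
    updated: bool = False


@dataclass
class RolloutReport:
    rings_completed: List[int] = field(default_factory=list)
    halted_at_ring: Optional[int] = None
    failure_rate: float = 0.0
    failed_hosts: List[str] = field(default_factory=list)


def deploy_update(host: Host) -> None:
    """Stand-in for pushing the update through the agent's management channel."""
    host.updated = True


def health_check(host: Host) -> bool:
    """Stand-in for a post-update probe of the host."""
    return host.healthy_after_update


def phased_rollout(hosts: List[Host], max_failure_rate: float = 0.01) -> RolloutReport:
    """Deploy ring by ring; stop at the first ring whose failure rate exceeds the gate.

    Hosts in later rings are never touched once the gate trips: a bad update
    reaches the canaries, not the whole fleet.
    """
    report = RolloutReport()
    by_ring = {}
    for h in hosts:
        by_ring.setdefault(ring_for(h.name), []).append(h)
    for ring in sorted(by_ring):
        batch = by_ring[ring]
        for h in batch:
            deploy_update(h)
        failed = [h.name for h in batch if not health_check(h)]
        rate = len(failed) / len(batch)
        if rate > max_failure_rate:
            report.halted_at_ring = ring
            report.failure_rate = rate
            report.failed_hosts = failed
            return report
        report.rings_completed.append(ring)
    return report


if __name__ == "__main__":
    # Constructed fleet of 1000 workstations receiving an update that breaks every host.
    fleet = [Host(f"ws-{i:04d}") for i in range(1000)]
    for h in fleet:
        h.healthy_after_update = False
    report = phased_rollout(fleet)
    touched = sum(1 for h in fleet if h.updated)
    print(f"halted at ring {report.halted_at_ring}; {touched} of {len(fleet)} hosts updated")
```

The gate is deliberately strict (1%): a single canary that fails to come back after reboot is enough to stop the rollout, which is the behaviour you want for a kernel-level agent. Backups and restore procedures, as the quote notes, still cover the hosts in the ring that did get hit.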