ON SECURITY: Lessons learned from CrowdStrike
By Susan Bradley

It’s been over a week since the technology meltdown that impacted airlines, some banks, and even my sister’s Starbucks order through Uber Eats on Friday morning. Despite the carnage, only a very small segment of computer systems was impacted. In the Official Microsoft Blog, the post Helping our customers through the CrowdStrike outage pointed out that less than one percent of all Windows machines were affected.

So why was this so impactful? More important, what lessons have we learned from this event? Is there anything we can do better next time?

Understanding the nature of the incident is important in this case. Microsoft was not the culprit — this was not a bug in Windows or something induced by a Windows update. It was not caused by a black-hat hacker or a dark Web attacker. It appears to be the result of carelessness and poor testing on the part of CrowdStrike. Nonetheless, it serves as a reminder to all of us that the businesses we rely on are not taking proper steps to secure our technology. Whether an issue is caused by a bug, an attack, or an accident, the end result is the same — our systems can become bricks and leave us confounded as to why.

Consumer actions to counter risks
If you’ve ever had your personal information stolen, you know that one of the credit agencies will offer to provide services to monitor your credit history. I’m not convinced these services work. If you are like me, you probably have had several of these offers sent to you over the course of a year.

One simple thing you can do is use credit cards instead of debit cards. Credit cards have greater protections; you are more likely to get refunds for fraudulent usage faster and more easily. But even with credit cards, I recommend that you review your credit history. Lock the account so that scammers can’t apply for loans or credit cards under your name. (You may also want to consider locking your debit card.) My sister always insists that she doesn’t have a debit card because she cut it up and never activated it. But there is still a debit card number tied to her bank account. Not having the card in hand can make it more difficult when you visit the bank for whatever reason; for many banks, your debit card is your ID.

The best thing you can do to thwart an attacker is to not respond to lures, texts, emails, and phishing scams. Don’t blindly click links. Don’t blindly open email attachments. Add two-factor authentication to as many Web logins as possible. Never hesitate to get in touch with a bank if you find something that doesn’t feel right — banks are as eager as you to stop fraud as soon as possible.

Just recently, I was informed that my phone calls (but not the details of the calls) and the numbers I’ve texted were shared with a third-party vendor by AT&T. Then that vendor was attacked and lost the data. Although there was little I could do about this after the fact, it does emphasize my point about being aware of the types of threats present, especially with those texts.

When the problem is a bug triggered by software, as with the CrowdStrike problem, just be patient and let the company’s technology teams work through the issues to develop a solution.
For example, Starbucks and Uber Eats were operational one day later. And keep your eye on your inbox — two days after the CrowdStrike catastrophe, we published one of our special Plus Alerts about the problem, including remediation steps.

Unfortunately, airline travelers were not so lucky. A huge number of flights were canceled, and many passengers were told that it might take days before they could be accommodated. It reminded me of the movie Planes, Trains and Automobiles. The best advice I can offer travelers is to prepare for the unexpected by putting your medications and other necessities in a carry-on, perhaps with a change of underwear. I learned that lesson the hard way when traveling coast-to-coast for technology conferences. Sometimes I missed a connection in Denver or Las Vegas, but somehow my luggage made it. Having the basics at hand took the edge off the inconvenience.

Recommendations for businesses in dealing with vendor issues
A key CrowdStrike lesson is that businesses must do more testing of all third-party software used by their organizations. I already recommend delaying installation of Microsoft patches until they can be tested thoroughly. But what about updates to security software, such as CrowdStrike? Can you limit the risk of those updates? In a word, yes.

As an example, consider Microsoft Defender. You can segregate your users into groups. Some will get definition updates as soon as possible, and others will get them later. These Defender updating rings can be controlled with Group Policy or with Intune. Other antivirus and security software should offer similar testing-ring options. Even though CrowdStrike is an endpoint detection solution — meaning it is more than just an antivirus scanner and will react to unusual actions occurring on the operating system — the same rules apply. You need to check with the vendor to review your options.

Microsoft has come out with automated boot media documentation to assist in the recovery process. If you are wondering why vendors are allowed to code into the kernel like this and thus trigger a BSOD, Microsoft’s Frank Shaw explains on social media:

A Microsoft spokesman said it cannot legally wall off its operating system in the same way Apple does because of an understanding it reached with the European Commission following a complaint. In 2009, Microsoft agreed it would give makers of security software the same level of access to Windows that Microsoft gets.

Next, identify which resources you were lacking during an incident. Was it people? Was it information? Was it vendor resources? Perform this analysis so you will be prepared the next time this happens. There will be a next time.

An issue that came up during the CrowdStrike incident was the difficulty some had in recovering because BitLocker was enabled. Finding the recovery keys was a process that had not been documented.
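One way to put the Defender update rings described above into practice on a machine that is not already governed by Group Policy or Intune is the Defender PowerShell module’s gradual-rollout settings. The script below is an added example, not something from the article or from Microsoft; the ring names (Pilot, Early, Broad), their mapping to update channels, and the computer-name convention used to pick a ring are assumptions of this example. The cmdlets and parameters (Set-MpPreference with -DefinitionUpdatesChannel, -PlatformUpdatesChannel and -EngineUpdatesChannel) are the module’s documented ones.

```powershell
# Added example (not from the article): assign a Microsoft Defender Antivirus
# update ring to this machine. Ring names and the channel mapping are my own
# assumptions; Set-MpPreference and its *UpdatesChannel parameters are real.
# A Group Policy or Intune setting for the same values takes precedence.
#Requires -RunAsAdministrator

function Set-DefenderUpdateRing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Pilot', 'Early', 'Broad')]
        [string]$Ring
    )

    # Definition (signature) updates only offer Staged or Broad; platform and
    # engine updates additionally offer Preview (and Beta/Delayed).
    $channels = switch ($Ring) {
        'Pilot' { @{ Definition = 'Staged'; Platform = 'Preview'; Engine = 'Preview' } }
        'Early' { @{ Definition = 'Staged'; Platform = 'Staged';  Engine = 'Staged'  } }
        'Broad' { @{ Definition = 'Broad';  Platform = 'Broad';   Engine = 'Broad'   } }
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set Defender update ring '$Ring'")) {
        Set-MpPreference -DefinitionUpdatesChannel $channels.Definition `
                         -PlatformUpdatesChannel   $channels.Platform `
                         -EngineUpdatesChannel     $channels.Engine
    }

    # Return the effective settings so a deployment tool can log what was applied.
    Get-MpPreference |
        Select-Object DefinitionUpdatesChannel, PlatformUpdatesChannel, EngineUpdatesChannel
}

# Constructed convention for the example: a "-PILOT" or "-EARLY" suffix on the
# computer name chooses the ring; everything else lands in the broad ring.
# A real deployment would decide this from group membership instead.
$ring = if     ($env:COMPUTERNAME -like '*-PILOT') { 'Pilot' }
        elseif ($env:COMPUTERNAME -like '*-EARLY') { 'Early' }
        else                                       { 'Broad' }

# -WhatIf shows the change without applying it; drop it to apply.
Set-DefenderUpdateRing -Ring $ring -WhatIf
```

The point of the ordering is that a small pilot ring sees new platform and engine builds first, a larger early ring takes the staged rollout, and the bulk of the fleet receives only the broad release. The same idea applies to any endpoint product whose vendor exposes a channel or ring setting; the check before adopting it is whether the setting actually covers the content updates (definitions, channel files) and not just the engine.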
As I noted in the alert:

BitLocker once again rears its head as a potential obstacle to recovery. I’ve discussed this many times before, and the “key” is having a record of all the BitLocker recovery keys for all the systems you manage.

I also mentioned this from X poster @LetheForgot:

What we did was use the advanced restart options to launch the command prompt, skip the BitLocker key ask which then brought us to drive X and ran bcdedit /set {default} safeboot minimal, which let us boot into safe mode and delete the sys file causing the BSOD. Don’t forget to re-enable normal booting afterwards by doing the same but running bcdedit /deletevalue {default} safeboot.

BitLocker recommendations for businesses
If you get no other takeaway from this event, take the time to document and understand the impact of drive encryption. Drive encryption protects systems at rest, not systems in use. Thus it will protect that laptop if someone steals it from you — by preventing attackers from reading the data. But if you are using that laptop, encryption will not stop attackers from phishing your users, obtaining passwords, and gaining entry. Think of BitLocker as a check box on an insurance form, not an actual protection.

Thus when booting issues occur and BitLocker asks you for a recovery key, you must have a process to recover that key, then get it into the hands of users or IT staff that need it. You must replace that BitLocker key you just handed out with a new one. Don’t forget that last step. You may have implemented BitLocker, but did you consider that someday you might need to change those keys? If you use tools such as Intune, you can use policies to enable rotation. If you’ve just sent an email or a text to someone — one that included information about how to get into that drive offline and possibly also shared local administrator usernames and passwords — be sure you’ve rotated that information so it is secure again.

BitLocker recommendations for consumers
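The two business steps above, keeping a record of every recovery key and replacing a key once it has been handed out, can both be done with the BitLocker module that ships with Windows. The script below is an added example, not the AskWoody script the article refers to and not Microsoft’s own tooling. It assumes a machine with at least one recovery-password protector, and the inventory file path and escrow choice are placeholders you would replace with your own protected store or AD/Entra escrow.

```powershell
# Added example (not the article's script): inventory the BitLocker recovery
# passwords on this machine, then rotate the recovery password on a volume
# after it has been shared. Cmdlets are from the built-in BitLocker module;
# the inventory path is a placeholder.
#Requires -RunAsAdministrator

function Get-BitLockerRecoveryInventory {
    # One record per recovery-password protector, ready for export to the
    # key record the article asks you to keep (or to check BitLocker status).
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        foreach ($kp in $recovery) {
            [pscustomobject]@{
                Computer         = $env:COMPUTERNAME
                MountPoint       = $vol.MountPoint
                VolumeStatus     = $vol.VolumeStatus      # e.g. FullyEncrypted, FullyDecrypted
                ProtectionStatus = $vol.ProtectionStatus  # On or Off
                KeyProtectorId   = $kp.KeyProtectorId
                RecoveryPassword = $kp.RecoveryPassword   # the 48-digit key
            }
        }
    }
}

function Invoke-BitLockerRecoveryKeyRotation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = 'C:',
        # Where to escrow the new key: AD (domain), Entra (Entra ID / Intune), or None.
        [ValidateSet('AD', 'Entra', 'None')]
        [string]$Escrow = 'None'
    )

    $before = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $before) { throw "No recovery password protector found on $MountPoint" }

    if (-not $PSCmdlet.ShouldProcess($MountPoint, 'Rotate BitLocker recovery password')) { return }

    # 1. Add a fresh recovery password FIRST, so the volume is never left
    #    without a recovery protector if a later step fails.
    $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $after = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
             Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $new = $after | Where-Object { $_.KeyProtectorId -notin $before.KeyProtectorId }

    # 2. Escrow the new key before the old one goes away.
    switch ($Escrow) {
        'AD'    { Backup-BitLockerKeyProtector      -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId }
        'Entra' { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId }
    }

    # 3. Only now retire the protector(s) that were handed out by email or text.
    foreach ($old in $before) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $old.KeyProtectorId
    }

    # Return the new protector so the caller can update the key record.
    $new
}

# Usage (constructed): record the keys, then rotate C: after escrow to Entra.
# Replace the path with your protected key store; this file holds plaintext keys.
$InventoryPath = "\\FILESERVER-PLACEHOLDER\BitLockerKeys\$env:COMPUTERNAME.csv"
Get-BitLockerRecoveryInventory | Export-Csv -Path $InventoryPath -NoTypeInformation

# -WhatIf previews the rotation; drop it to perform it.
Invoke-BitLockerRecoveryKeyRotation -MountPoint 'C:' -Escrow 'Entra' -WhatIf
```

The order of operations is the security-relevant part: add the new protector, escrow it, and only then remove the one that was shared. Removing first and adding afterwards leaves a window in which a failed step strands the volume with no recovery path, which is exactly the situation the CrowdStrike recovery exposed. Running the inventory function on a schedule, with its output in a protected location, is what turns "we have BitLocker" into "we can recover from BitLocker".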
For consumers, my advice is simpler. Ask yourself whether you need the stress of finding a BitLocker recovery key, especially in an unexpected event. We already know that Windows will often ask for a recovery key after installing patches that affect Secure Boot. CVE-2024-26184 and CVE-2024-28899 are included in the July updates. On some machines, they triggered the request for a BitLocker recovery key.

You must consider whether you really need drive encryption. Home computers are protected by a yappy dog or protective cat, so the risk that someone will gain physical access to your computer in order to steal it is probably low. But human nature sometimes gets in the way of best intentions. If you use drive encryption and then forget where you’ve stored the recovery key, your risk is higher.

To turn off BitLocker or drive encryption in the GUI, follow the steps in this AskWoody KB article. To turn off BitLocker or drive encryption via command line, follow the steps in this AskWoody KB article. We even have a script to verify BitLocker’s status. Once BitLocker or drive encryption has been disabled, I have not seen it re-enabled with an update. However, Microsoft will be enabling drive encryption by default in 24H2 and later. Be aware.

I’m all for ensuring that things are secure. But I once had to scramble to find recovery keys on an important server in the office, and the key wasn’t where I thought it was. I found it. But if I hadn’t, I would have been up late, rebuilding that computer or restoring it from a backup. (You do have a backup, right?) My dad wanted BitLocker on his home computer, which contains sensitive information, because he is often away from the house; we know the risks and thus have backups of the recovery key. I just don’t recommend BitLocker or other drive encryption unless you are positive you know the risks, know where the recovery key is, and know the recovery key process.
Microsoft is being reckless by pushing BitLocker so hard for consumer machines, yet not making users more aware of the risks. Use it when and where appropriate. It is not always appropriate. Can you tell I’m on my soapbox? Better security shouldn’t lock you out of your own device.
Susan Bradley is the publisher of the AskWoody newsletters.
The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.
Copyright ©2024 AskWoody Tech LLC. All rights reserved.