About Andy Jenkinson
Group CEO CIP. Fellow Cyber Theory Institute. Director Fintech & Cyber Security Alliance (FITCA) working with Governments. Recognised Expert in Internet Asset & DNS Vulnerabilities.
Andy Jenkinson is a senior and seasoned innovative Executive with over 30 years’ experience as a hands-on lateral thinking CEO, coach, and leader. A ‘big deal’ business accelerator and inspirational, lateral thinker, Andy has crafted, created, and been responsible for delivering hundreds of millions of pounds’ worth of projects within the Cyber, Technical, Risk and Compliance markets for some of the world’s largest, leading organisations. Andy has a demonstrable track record of large-scale technical delivery and management within many sectors including the Professional, Managed, and Financial Services.
A Wake-Up Call Long Overdue: The Cost of Ignoring Cybersecurity Failures.
Last week’s global IT outages may not have been the result of a cyberattack, but the fallout was just as catastrophic.
George Kurtz’s apology for CrowdStrike’s flawed software updates, which crashed millions of Wintel Operating Systems, underscores a glaring oversight in our Quality Control and digital defenses.
Whilst the incident may not have been a hack, it was, and is, a colossal security failure and issue. It is one that echoes the infamous SolarWinds debacle of December 2020.
The similarities do not end there.
SolarWinds’ subdomains and DNS servers were exploited and, because they were insecure, provided complete access to SolarWinds infrastructure, resulting in the largest cyberattack in history. Despite warnings and insights we shared with Tim Brown of SolarWinds and thereafter with George Kurtz of CrowdStrike, both companies exhibited a staggering lapse in addressing those vulnerabilities.
On 14 May 2021, SolarWinds addressed their DNS. It wasn’t until nearly two years later, on March 11, 2023, that CrowdStrike finally tackled their insecure DNS servers, after multiple notifications from us about the exposure.
These incidents reveal a systemic problem: arrogance in the industry, and software vendors’ updates that lack rigorous quality control. Clients naively assume updates are secure. It does not matter whether it is Orion or Falcon, or any other software for that matter.
Software, like all digital packets, goes from A to B and typically requires servers to do so. If those servers are compromised, the update can be too.
Both companies’ servers remain on the DNS blacklist, indicating they’ve been misused for malicious activities. We have continuously informed SolarWinds and CrowdStrike.