The continuity lessons of the Facebook outage

October 5, 2021 – Article posted on SC Media

Midway through Facebook’s prolonged outage on Monday, reports began to emerge that the problem may have been exacerbated by a series of circular internal dependencies. When services went dark, the things needed to prepare those services also went dark. It was, by most reports, a business continuity ouroboros; a snake eating its own tail, deleting its own DNS records and locking its own recovery technicians out of the building.

Business continuity planning is critical to security, even if, as of this writing, the Facebook outage was not a security issue. One key takeaway for anyone involved in risk: be aware of those internal dependencies.

The Facebook outage was almost definitely not due to a breach. The service appears to have faltered after a BGP misconfiguration snowballed out of control. That snowball was exacerbated by single points of failure along Facebook’s self-sufficient processes.

SC Media spoke with GuidePoint Security’s Ron Brown, who is the company’s Practice Director for Business Resilience. He said that the self-sufficiency from controlling a dependency, rather than outsourcing it to a third party, can sometimes give companies a “false sense of security” despite issues they would detect with a third party vendor. Companies may be attuned to the risk of a vendor hosting a critical restoration tool in the same city as the company itself, but not as attuned to the risk of the company hosting it itself. The solution to being blind to internal threats, said Brown, is simple: get an outside opinion of dependency risks regularly.

Read More HERE.