Auto Dealerships: is Your Private Information Safe?

When you think about it, automobile dealerships can have a lot of very detailed and private information about you. For example, when you buy a car, the dealer may collect your identity and location information (name, address, telephone number, email address and even information about family members and pets). If you finance the vehicle through them, they also may collect a great deal of financial information about you (Social Security Number, credit history, bank(s) you use, account numbers and credit rating). And, of course, they have detailed information about at least one of your vehicles such as make, model, accessories, vehicle identification numbers, etc. All of this information is very desirable to cyber-criminals and hackers.

Not only do auto dealerships have a lot of your private information, the nature of the business gives online and on-site attackers numerous opportunities to access and compromise this information. Employees and customers move about a great deal in automobile dealerships often leaving their work areas unattended. There are numerous workstations around a dealership from the parts department to the service department to the finance department to the sales departments. If users share their passwords with fellow employees for convenience sake or leave their computers active when they are away from them, compromise of private information is made easy. In addition, auto dealership networks are usually connected to numerous service providers, partners and information systems. If these systems are compromised, then compromise of the dealership system could soon ensue. There are also liable to be paper documents containing private information that could be left exposed on desks or in unlocked drawers.

Luckily, auto dealerships that extend credit to someone, arrange for someone to finance or lease a car for personal, family or household use, or that provide financial advice or counseling to individuals are identified as financial institutions and are regulated by the Federal Trade Commission (FTC) under the Gramm-Leach-Bliley Act of 1999 (GLBA). These businesses therefore are required to comply with the FTC Privacy Rule and the FTC Safeguards Rule. Auto dealerships may also be subject to state or local ordinance, or some private regulatory body such as the PCI DSS. This is a good thing for the consumer.

Under the FTC Privacy Rule, dealerships are required to protect private customer financial information, and are required to provide customers with a number of written notices detailing their rights under the Privacy Rule. Under the FTC Safeguards Rule, dealerships must protect physical, paper and electronic customer information. They are also required to have an information security program designed to protect the confidentiality, integrity and availability of private customer information. Since dealerships are considered to be financial institutions, these security requirements are much the same as those your bank must adhere to. There are fines in place for failure to comply with these regulations, and lawsuits may also be filed against dealerships that fail to adequately protect your private information.

Although these regulations don’t guarantee your private information won’t be compromised, they do put a big roadblock in the path of information thieves. Plus, auto dealers know that 84% of those surveyed said they wouldn’t do business with a dealership that has had a customer data breach incident. That surely helps inspire dealers to take information security seriously.

The New MicroSolved 80/20 Rule of Information Security

In 2009, there was a big effort on the Federal level to establish a consensus among a varied group of information security experts from all sectors as to which information security controls were most effective in the modern computing and networking environment. This was driven by the perception that the Federal Information Security Management Act (FISMA) was ponderous and unable to effectively protect the confidentiality, integrity and availability of private information.

This effort initially led to the publication of the 20 Most Important Controls for Continuous Cyber Security Enforcement: Consensus Audit Guidelines. It also stimulated thinking among organizations and information security professionals about possible variations and adaptations of this guidance. One such effort was the MicroSolved 80/20 Rule of Information Security (2009). While very similar to the Consensus Audit Guidelines, the focus of the 80/20 Rule was to establish a group of security control projects that provided the most “bang for the buck” for the small and medium-sized organizations that don’t typically have the resources of the Federal Government or other large organizations.

Continue reading

Phishers Continue to Capitalize on Covid 19 Emergency

They say that every cloud has a silver lining. That has certainly been true for cyber-criminals during the Covid 19 emergency! While the country as a whole is experiencing 20% unemployment and general hardship, these folks continue to reap the rewards chaos inevitably brings to the larcenous. Here are some of the shenanigans that have darkened the news this week:

One article this week talks about “Hack for Hire” groups in India that are spoofing World Health Organization (WHO) emails to steal access credentials from businesses around the world (including the U. S.). These hacking emails come from hosted websites that are crafted to look like the official WHO website, and claim to provide direct notification from the WHO on Covid 19-related announcements. They are targeting financial services, consulting and healthcare organizations.

Continue reading

Proper Network Segmentation & Configuration Control Keys to Resisting Ransomware

In the news this week was an article about a successful ransomware attack. It detailed how network access was achieved using email phishing and then went on to explain how the attackers leveraged this low-level network access to compromise the entire network. It was done by breaking password hashes in an attempt to gain access to local admin accounts, then trying these passwords on other hosts and domain administrator accounts. Compromise of a domain admin account then allowed the attackers to take control of the domain, which led to game over. This kind of attack scenario has been around for years and continues to work for a variety of reasons, two of which are inadequate network segmentation and configuration control.

Many of the networks we see are “flat.” In other words, there is no appreciable network segmentation in place. This woeful state of affairs allows any user on the network to see the entire setup, including “server space.” It also provides cyber criminals with many attack surfaces and helps them maneuver around the network. Such network implementations make it very difficult indeed to meet two of the hallmark principles of information security: need to know and least privilege.

Continue reading

Crisis Highlights Need for MFA

Since World Password Day is the big news this week, there are a ton of study reports about password woes in the news. According to a Balbix study report, 99% of enterprise users reuse passwords either across work accounts, or between work and personal accounts. The report goes on to give statistics about password sharing, and states that the rapid uptick of remote working due to the Covid19 crisis has shifted the balance of control away from IT and towards employees.

Another report, released by SecureAuth, shows that management is worse than junior staff at practicing good password hygiene. Their survey states that 53% percent of people admitted to reusing passwords across multiple accounts. Among respondents using the same password, 62% said that they are using it across three to seven accounts; 10% said that they are using over 10 accounts with the same password. The article also highlights that people are so bad about this simply because keeping track of a number of different passwords is difficult and time consuming. Not to mention the fact that users need to change all those passwords regularly!

Continue reading

Uptick in Covid19 Related Attacks Makes Strong Security Measures and IR Planning Even More Important

Every week during the last couple of months I have seen an ever-increasing number of cyber-attacks designed to exploit the present Covid19 crisis. Some recent instances include:

Fake websites that promise to provide vital information about Covid19 include videos that contain the Grandoreiro Trojan. Attempting to play the videos leads to a nasty and sophisticated payload being installed on visitor devices. A variety of techniques such as keystroke logging, blocking access to websites, unwanted restarts, access credential thefts and more are possible. This trojan is also very difficult to detect and remove.

Phishing emails supposedly from popular package carriers such as FedEx and UPS claim to be notifying customers about delivery delays due to a variety of reasons. These emails ask the recipient to open an attachment to fill in missing details or to follow links, but they actually contain the Remcos RAT or Bsymem Trojan.

Continue reading

Security Measures Need to Tighten During a Pandemic

One thing that cyber-criminals love to see is businesses operating outside of their normal routines. Non-routine operations can cause confusion and chaos. New ways of operating must be developed and fielded on the fly. Personnel are often required to work from remote locations and may need to undertake duties that are new and unfamiliar to them. This is almost sure to cause IT personnel to become overwhelmed, which can cause delays that can seriously affect business operations.

And when it becomes a question of providing services or maintaining security, most businesses will opt for continuing services and dealing with security matters later. Such situations not only greatly increase the number of attack surfaces and vectors available for cyber-criminals to exploit, it also increases their chances of success in any given attack. The current pandemic situation has them all licking their chops!

Outside of war, I can’t think of more widespread and disruptive disaster scenario than a pandemic response of this magnitude. Unlike earthquakes or hurricanes or floods or most other catastrophes, pandemic interruptions are anything but localized; they affect virtually every business and person on the planet.

People are afraid of getting the flu, and of course they are also afraid of losing income and not being able to pay their bills. They fear that perhaps their employer companies will fold, and that they won’t be able to catch up once things settle back down. Such fears can lead to mistakes and security failures. That is why businesses should be increasing their security efforts, not letting them fall along the wayside.

Businesses should ensure that all their systems have logging enabled, and that monitoring of those logs is being undertaken. If possible, the number of employees dedicated to security monitoring should be increased. This effort will be much easier to implement if cross-training of personnel and full written operating procedures are in place; a lesson that should be learned from the current emergency and implemented in written pandemic planning.

In addition, businesses should ensure that secure mechanisms for remote working are in place. It is important that not only secure connection mechanisms are in place, but that multipart authentication techniques are used to the greatest extent possible. Whitelisting of authorized devices, tokens, digital certificates and biometrics should all be considered.

Just as important as technical security, businesses should ensure that all personnel are receiving security and awareness training. They should be fully trained in how to secure their laptops and home computers, how to connect to business assets securely and how to respond if they suspect they are vulnerable or being hacked. Responding to incidents quickly and correctly are key factors in minimizing damage from a security event.

Pandemic Planning: Different Types of Businesses Need Different Types of Plans

Pandemics are fairly rare, so organizations may not give them as much attention as other kinds of potential business interruptions. That means that pandemics such as COVID-19 (Coronavirus) can catch them unprepared. Of course, pandemic planning is highly dependent on the type of organization that is involved. This makes appropriate policies and procedures very different for different organizations.

Close contact (within 6 feet) between individuals is the number one factor in the spread of pandemic viruses. Any business environment that brings people into close contact are the most susceptible to the flu. For example, essential job types such as health care workers and first responders are obviously at very high risk since they are dealing directly with affected persons in many instances. Other businesses that are essential for day to day living such as banks, grocery stores and other retail organizations also pose a high risk of infection to customers and employees. After all, people in these businesses pass closely by one another, and what is worse, must stand in line to pay for their purchases or to do their banking business. Employees such as tellers or check out/counter workers have it worse since they must come in close contact with a large number of different people during the day.

Protecting yourself and your staff is most problematic for such organizations and workers. This is largely because of the manner in which flu viruses are transmitted. The number one vector is droplets from coughs or sneezes. These are introduced into the environment by people that don’t or can’t cover their mouths and noses when they cough or sneeze. If these droplets are inhaled or get in your eyes you may become infected. More insidiously, coughs or sneezes can also produce micro-droplets or aerosols. These can be so small that they are largely unaffected by gravity and may waft about the environment for some distance, and can even be small enough to penetrate dust masks and tissues. These are very hard to protect against, requiring high efficiency respirators/masks and face shields or goggles. In addition, infection may also be possible from touching infected surfaces and then touching your eyes, nose or mouth.

There are also many non-essential organizations or businesses that pose a high to medium risk of infection by pandemic viruses. These include concert venues, airlines, conventions, casinos, cruise ships, churches, and other venues where people are in close contact. There is an answer for these organizations, as unsavory as it is: simply cancel these types of gatherings. Unfortunately, the economic consequences of canceling such things can be very high (as can be seen in the recent downturns of the stock market). On the bright side, pandemics are usually of fairly short duration. This allows most businesses and organizations to recover once the threat has passed.

In contrast to these types of organizations are those that have little or no interaction with the public or suppliers. For example, offices and organizations that provide services over the internet or telephone are considered to be at low risk. They basically have to worry most about infection spreading among their employees. Fixes for these types of organizations include teleworking (preferred), employee awareness training, putting barriers or distance between employees, mandating that workers who are sick (or who suspect that they may have been infected) take sick leave/work remotely and ensuring that basic health and sanitation measures are in place at the workplace. In addition, anyone who becomes sick at work should be provided with a face mask and sent home or to a health care facility immediately. Businesses should also pay special attention to personnel that live with or have close contact with those who are at very high risk such as health care professional. These personnel should work remotely or should be tested for infection if at all possible. The latest studies suggest that Coronavirus may possibly be spread by infected people that do not yet have symptoms, or those whose symptoms have disappeared.

The number one rule for all people is this: if you are sick or think you may have been exposed to a pandemic virus, stay away from other people. If you must interact, wear a face mask (N95 or better if possible) and clean your hands often. And remember, you should continue to be careful for some time after your symptoms disappear. You may still be infectious.

The Importance of Information Sharing Among IT Departments

One thing I notice while doing information security work is that organizations tend to segment IT responsibilities into separate departments or areas of responsibility. There will be employees or groups responsible for networks, applications, servers, desktops, databases, help desks and information security. This is perfectly understandable given the complexity of handling even modestly-sized information systems. Such specialization allows individuals or groups to concentrate on their areas of responsibility and become efficient and expert in their specialties.

However, this very segmentation of duties usually has a big downside for information security at such organizations. The problem is that for an information security program to be successful it must be managed in a holistic manner, accounting for and amalgamating each mechanism and process in the entire program. If not, neglected systems or systems that are misconfigured for the environment occur and suddenly there are exploitable security holes in the network. And like a dike holding back the sea, just one hole can lead to disaster. That is why it is imperative that each IT function be fully aware of what all the other IT functions are doing. In other words, they need to communicate among themselves in an inclusive and professional manner.

Unfortunately, human weaknesses such as ego, hubris, complacency and ignorance come into play when trying to facilitate such intercommunication. Often in the organizations I’ve worked with, the information security department is well aware of the problems I detailed above but are helpless to correct them. This is because IT security departments are usually treated like poor relatives by the other IT departments and senior management. They just don’t have the clout needed to get their programs and processes implemented in an effective manner. To other IT departments and management, information security processes are just a roadblock to functionality and a drain on the budget.

Or perhaps, even if IT and senior management are interested in backing information security, the corporate processes in place for requesting and implementing changes to network systems and processes are so ponderous and full of contention that they lose all effectiveness. It may take weeks or months to implement one simple policy change for example.

That is why I champion the need for a C-level individual (or group) to deal with the problem. I would call them information security coordinators or something similar. Their job would be to bring departments together to discuss what they do and how it could affect the security of systems and information. It would also be their job to coordinate this information and identify holes in the information security program. With C-level authority, they can then better remediate the identified problems without undue bureaucratic entanglement or having to deal with rice-bowl mentality. One thing I learned well when I first started in this profession is that without senior management backing and approval, an information security program is going nowhere!

Mobile Device Security a Must

More and more businesses are allowing the use of mobile devices for business purposes. Mobile/portable devices used for business are not only laptops and smart phones, but include devices such as meter readers, bar code scanners, medical devices and PDAs. Most of these devices communicate remotely using wi-fi, Bluetooth or cellular communications. They can also contain a variety sensors and mechanisms such as microphones, cameras, radios and GPS systems. Just looking at this list of capabilities, it is obvious that mobile devices can be very dangerous to the security of private business information.

Whether these devices are the property of the individual user or are issued by the business, robust security mechanisms must be maintained to provide any sort of proper data protection. That means designing and implementing both mobile device security policies and technical security mechanisms.

Mobile devices security policies should address the responsibilities of both the hosting organization and the individual users. The hosting organization is responsible for determining what types of mobile devices are acceptable in their environment, which individuals/job types should be allowed to use them, which individuals will implement and oversee the program, proper training programs for providers and users, acceptable and unacceptable use of devices, security and monitoring techniques and discipline measures for failure to comply. They should also ensure that mobile device use is included in their incident response and disaster recovery programs.

Technical security measures may vary according to the types of devices in question and how they are to be used. On the less dangerous side are personal mobile devices such as smart phones used by individuals for tasks such as web surfing and social media. To protect their information, the organization should set up separate networks for such use that in no way connect to their production networks. They should employ security mechanisms adequate to protect the network and users, and should ensure that users understand the acceptable and unacceptable uses of this privilege.

On the other side are those mobile devices that are used for processing, storing or transmitting private business information. Use of these devices should employ security mechanisms commensurate with those used on the internal network. There are many mobile device management (MDM) solutions out there designed to aid businesses in this endeavor. However, ultimately, information security is the responsibility of the organization itself, not the managed services or application providers. Because of this, those executives and line personnel responsible for the program should have a clear understanding of the capabilities of the mobile devices and security solutions that are available, and the particular uses that mobile devices will be performing in their environment. To be sure that your business is getting this right, I suggest taking the time to perform research of the devices and security solutions available followed by risk assessment and business impact analysis. Like a good pair of shoes, they should be a perfect fit!

 

If you have any questions, comments or would just like to talk more about it you can reach us at info@microsolved.com.