3 Steps To Increase Cyber Security At Your Dealership

Car dealerships and automotive groups are juicy targets for cybercriminals with their wealth of identity and financial information. Cyber security in many dealerships is lax, and many don’t even have full time IT teams, with even fewer having cybersecurity risk management skills in house. While this is changing, for the better, as dealerships become more data-centric and more automated, many are moving to become more proactive against cybersecurity threats. 

In addition to organized criminals seeking to capture and sell personal information,  global threats stemming from phishing, malware, ransomware and social engineering also plague dealerships. Phishing and ransomware are among the leading causes of financial losses tied to cybersecurity in the dealership space. Even as the federal regulators refine their focus on dealerships as financial institutions, more and more attackers have shifted some of their attention in the automotive sales direction.

Additionally, a short walk through social media doesn’t require much effort to identify dealerships as a common target for consumer anger, frustration and threats. Some of the anger shown toward car dealerships has proven to turn into physical security concerns, while it is almost assured that some of the industry’s network breaches and data breaches can also be tied back to this form of “hacktivism”. In fact, spend some time on Twitter or chat rooms, and you can find conversations and a variety of information of hacking dealership wireless networks and WiFi cameras. These types of cybersecurity incidents are proving to be more and more popular. 

With all of this cybersecurity attention to dealerships, are there any quick wins to be had? We asked our MSI team and the folks we work with at the SecureDrive Alliance that very question. Here’s the best 3 tips they could put forth:

1) Perform a yearly cybersecurity risk assessment – this should be a comprehensive view of your network architecture, security posture, defenses, detection tools, incident response plans and disaster recovery/business continuity plan capabilities. It should include a complete inventory of all PII and threats that your dealership faces. Usually this is combined with penetration testing and vulnerability assessment of your information systems to measure network security and computer security, as well as address issues with applications and social engineering. 

2) Ensure that all customer wireless networks and physical security systems are logically and physically segmented from operations networks – all networks should be hardened in accordance with information security best practices and separated from the networks used for normal operations, especially finance and other PII related processes. Network traffic from the customer wireless networks should only be allowed to traverse the firewall to the Internet, and may even have its own Internet connection such as a cable modem or the like. Cameras and physical security systems should be hardened against attacks and all common credentials and default passwords should be changed. Software updates for all systems should be applied on a regular basis.

3) Train your staff to recognize phishing, eliminate password re-use among systems and applications and reportcybersecurity attacks to the proper team members – your staff is your single best means of detecting cyber threats. The more you train them to identify and resist dangerous behaviors, the stronger your cybersecurity maturity will be. Training staff members to recognize, handle, report and resist cyber risks is one of the strongest value propositions in information security today. The more your team members know about your dealership’s security protocols, service providers and threats, the more effective they can be at protecting the company and themselves. Buidling a training resource center, and setting up a single point of contact for reporting issues, along with sending out email blasts about the latest threats are all great ways to keep your team on top of the issues.

There you have it, three quick and easy wins to help your dealership do the due diligence of keeping things cyber secure. These three basic steps will go a long way to protecting the business, meeting the requirements of your regulatory authority and reduce the chances of substantial harm from cyber attacks. As always, remaining vigilant and attentive can turn the tide. 

If you need any assistance with cybersecurity, risk management, penetration testing or training, MicroSolved and the SecureDrive Alliance are here to help. No matter if you’re a small business or a large auto group, our risk management and information security processes based on the cybersecurity framework from the National Institute of Standards and Technology (NIST) will get you on the road to effective data security. Simply contact MSI via this web form, or the SecureDrive Alliance via our site, and we will be happy to have a no cost, no hassle discussion to see how we can assist you.  

Quick Wireless Network Reminders

I recently tested a couple of Android network stumblers on a drive around the city and I found that not a lot has changed for consumer wireless networks since I last stumbled.

There are still a TON of unprotected networks, default SSIDs and WEP networks out there. It appears that WPA(x) and WPS have been slower to be adopted than I had expected. I don’t know if that is consumer apathy, ignorance or just a continued use of legacy hardware before the ease of push button WPS. Either way, it was quickly clear that we still have a long way to go to deprive criminals of consumer-based wireless network access.

The good news is that it appears from this non-comprehensive sample that the businesses in our area ARE taking WiFi security seriously. Most networks easily coordinated with a business were using modern security mechanisms, though we did not perform any penetration testing and can’t speak to their password policies or detection capabilities. But for the most part, their SSIDs made sense, they used effective crypto and in most cases were even paying attention to channel spread to maximize the reliability of the network. This is good news for most organizations and shows that much of the corporate awareness and focus on WiFi security by vendors seems to be working. It makes the business risk of these easy-to-deploy systems more acceptable.
 
I also noted that it was apparent on the consumer side that some folks deploying WiFi networks are paying attention. We saw SSIDs like “DontHackMe”, “DontLeechMeN3rds”,”Secured”, “StayOut”., etc. Sadly, we also saw plenty of SSIDs that were people’s names, addresses, children’s names and in one case “PasswordIsPassword1”. Clearly, some installers or consumers still haven’t seen the dangers of social engineering that some of these names can bring. So, while we have seen some improvement in SSID selection, there is still work to be done to educate folks that they need to pick non-identifiable information for broadcast.
 
That said, how can we better teach consumers about the basics of WiFi security? What additional things could we do as an industry to make their data safer at home?
 
 

Level One WBR-3460A Wireless Router Telnet Vulnerability

This device presents a telnet prompt on the standard port (23/tcp). This instance of telnet allows local users to login without authenticating. This gives the user access to the file system where they are able to manipulate files or grab the administrator password for the web interface. A fix is in development.

A Couple of Interesting Developments

First, a couple of new tools are available specifically geared at cracking Oracle 11g password hashes. These are specifically aimed at attacking the newest features that 11g introduces to better protect the passwords. They also have some short cuts for those folks still making the old style DES passwords available (likely for backwards compatibility with older apps or uses). Essentially, these new mechanisms are slower than old hash attacks, but are still effective. In today’s world of computational power and bot-net distributed password cracking capability, it is pretty darn safe to assume that if the attacker can get the hash – they can get the password.

Another issue that is likely to be an annoyance for some folks is that a new remote Denial of Service attack has been identified in Ubuntu 6.06 DHCP server. While the attacker can’t really gain access to the system using it, they can replace the dead DHCP server with their own, which could include malicious entries and other annoyances. This DHCP server is popular in many cyber cafes I have visited – particularly outside of the US. Just another reminder that you have to pay attention to network connectivity. It might seem like ubiquitous wireless access is a boon, but without the capability to trust the network you use, you have little reason to trust the content you receive!  — Just a reminder!