By Richard White, PhD
The hacking community is incredibly diverse. At one end of the hacking spectrum are the newbies. Newbies are just starting out, and do not have a solid understanding of computers, networks, and applications. Their end game is simply to learn. At the other end of the spectrum are the professional hackers, either state sponsored or part of a criminal enterprise. They rely on stealth, and are motivated by either nationalism, notoriety, or greed. Their goals are typically to steal personally identifiable information or intellectual property, as well as corporate data.
In between these extremes are coders, hacktivists, and cyberpunks. Cyberpunks are one rung up the ladder from newbies, and often are ego-driven. Cyberpunks will brag about their exploits online within the underground and Dark Web, leading to their apprehension. Hacktivists hack for political causes. Examples are Anonymous and elements of the Animal Liberation Front and Earth Liberation Front. Coders are the people who develop and sell the tools that most hackers rely on to exploit victims’ vulnerabilities.
The evolution of hacking tools and hacking techniques
Hacking tools have advanced at the same pace as technology. They are faster than the tools used in the past and are becoming increasingly sophisticated. Hacking tools have become modular and offer a selection of functionality that can be customized to each hacker’s purpose. Various modules are used against different operating systems. This way, one tool can be used to attack Windows, Linux, and Apple platforms. Stealth, or anti-forensics, is a key component of these tools. The stealth function allows hackers to cover their digital tracks, even hiding any evidence that an anti-forensic tool was ever used.
Finally, the new generation of hacking tools is dynamic. This capability allows a hacker to change attack vectors and methods. These hacking tools are readily available on the Dark Web, with PayPal or Bitcoin being the preferred payment method.
Inaction in action, cyber legislation at rest
In 2018, nine bills focused on cybersecurity were introduced in Congress. Six of the bills are stuck in committee. The remaining three bills have passed the House of Representatives. These bills would amend the Homeland Security Act to create the National Computer Forensics Institute, to assist states in coordinating with the National Cybersecurity and Communications Integration Center, and to enhance information sharing about cyber events while strengthening privacy protections. It is doubtful that the Senate will pass, or even vote on them.
In 2015, former President Barack Obama issued an Executive Order authorizing the Treasury Department to place sanctions against foreign hackers whose acts pose a threat to the economy or national security. A spokesman said the sanctions will only be used against the most egregious hackers. Last December (2017), a version of the Cyber Information Sharing Act was included in the trillion-dollar budget deal. The provision protects companies from any civil litigation that could arise from sharing information about cyber-attacks with the Department of Homeland Security, and/or other companies.
What should auto dealerships be concerned about?
Auto dealerships need to evaluate what variety of hacker is attracted to their business (a thorough and complete risk analysis works great here). For example, hackers that are driven by ego do not care about the “pay off.” Successfully hacking your dealership is the payment.
Another example is the hacker that is seeking profit and means to breach your perimeter, steal your valuable data and monetize it in the underground. This is more problematic, though less common, than the ego-driven hack. Though they differ in intensity and intent, protecting yourself against different kinds of hackers takes a similar systematic approach.
Begin by assessing the nature of the business and how transactions are conducted. Do you rely on the continued storage of customer data, financial data, or corporate data to run your business? All have various protective elements that should be in place.
The conventional wisdom to defend against hackers is known as defense in depth. Firewalls at the perimeter, anti-malware installed on hosts and servers, encrypted traffic across local and wide area networks, intrusion detection appliances, and two-factor authentication are all part of this solution.
However, defense in depth is designed to mitigate an attack, not prevent it entirely. For this reason alone, having the proper backups, authentication, and security controls in place prior to an attack will help keep even successful hacks from becoming catastrophic and prolonged.
I recommend that dealerships develop a plan to detect and correct these events in near real-time. By using the term “correct” I mean to mitigate, eradicate, and recover from a breach. Additionally, I recommend using a 4th generation security information and event management (SIEM) tool to help provide real-time notification of cyber-attacks.
A more cost-effective approach would be to seek out a Managed Security Service Provider and outsource this element of the dealership’s security program. Using an MSSP provides 24/7 eyes on your network, data, and users and provides a much faster response, which correlates to less time and cost to full recovery, not to mention the brand and reputation damage that is avoided.
Richard D. White is a recognized industry expert in the field of cybersecurity. He can be reached at (718) 512-2960 or mobile (301) 751-7445 or by email at RW@richardawhitephd.com.
50 Comments
Chris Morgan
As a cyber professional who works with blue and red teams, I see the evolution of these tools on an almost daily basis sometimes. The most dangerous thing you can do is drag your feet. With attacker tools evolving as fast as defender tools, it is not hard to imagine dealerships getting behind quickly if they do not stay relevant.
Kristi Hynes
Cyber crime will continue to rise as hackers continue to get more and more sophisticated. As the article recommends, it’s crucial that IT departments make sure they have a robust defense in depth program. It’s also important that the CISO ensure protections are updated to match the continuously changing threats. Without the defenses being updated in real-time, sophisticated hackers will be able to infiltrate the network and cause havoc in your system.
Richard White
Chris,
Thank you for the comment. Procrastination is indeed the enemy when the focus is cyber.
Sarah Scott
The threat of hackers and vulnerable PII of customer and company data is as prevalent as ever, as mentioned in the article with the emergence of technology rapidly evolving. Without a cyber security strategy and implementation plan in place with proper procedures to follow, any business can expect to face attacks that may be devastating. The recommendations provided are great solutions to address increases in cybercrime which will inevitably happen over time.
Richard White
Sarah,
Thank you for your comment. Great insight regarding a cyber strategy.
Raquel Lewis
I like the term cyberpunks. Would this term mean the same as script kiddies? Great article overall and a clear breakdown of motives for hackers.
Richard White
Hi Raquel
Me too… and yes, in general, the two are the same.
Owen OHare
As an instructor for IT & Network Defense, I think this is a fantastic Article! The writer is completely correct and honestly the situation is getting worse.
New programs and kits, Kali Linux being a great example, of how streamlined and simplistic things can get for newbies or “Script Kitties”. I say this because these people new to the community, have easy access to these very powerful tools and kits, yet have no real idea how to use them.
Which would be fine, because the train of thought would be “hey they do not know how to use them so they can not do harm”.
Well that is where the easy access to online forums and how-to-manuals comes in real handy.
Hell, if the user was very determined to really learn how to use these programs to a key, they can work towards the Ethical Hacker certification or go on the dark web via TOR (which is not hard to do nowadays) and learn from the best.
Sincerely believe, that these problems such as ease of use, ease of access and abundance of material is one of the big problems we face today.
-Owen
Richard White
Owen,
Thank you for the comment. I agree that the issue is getting worse both in frequency and success rate. The Ethical Hacker is a great recommendation for these folks but is often not extreme enough nor does it give the bad actor the notoriety that is sometimes being sought.
Cheers,
Rick
Rob Satterfield
This is a great article about something not everyone thinks about for cybersecurity. Car dealerships sell cars, so why do they need to be secure? Anyone that’s bought a car knows that you have to give a wealth of PII, which could be very valuable to hackers.
Richard White
Hi Rob,
Thank you for your comment and your pragmatic example of why auto dealerships must be secure.
Cheers
Jenny Goldston
To get ready to address any digital security dangers, dealerships ought to adjust security going through with the particular dangers recognized in the hazard assessment, and spotlight on financially savvy measures. Having an organized rundown of dangers enables a dealership to concentrate on efforts on areas that matter most and abstain from spending on security technologies or exercises that are less fundamental or irrelevant to fixing recognized issues.
Richard White
Hi Jenny,
Great comment. Yes, the Risk Assessment is a great way to illuminate the actual risks being faced, as well as help develop a strategy to mitigate risk.
Jason Sproesser
Staying vigilant and adaptable are the best countermeasures you can have to mitigate risks associated with cyber threats. The auto sales industry must focus on the cyber solutions more than most industries. In any one transaction at a dealership, a person can have all of their valuable information exposed and jeopardized based on the conducted transaction. In purchasing a vehicle, you are required to provide almost every element of your PII, as well as information regarding your financial institution for down payments and credit checks. The solutions provided within this article are excellent ways for dealerships to remain vigilant and adaptable to protect consumer information and organizational reputation. Failure to protect information provided to you by an entrusted customer is a recipe for organizational extinction.
Richard White
Jason,
Thank you for your comment. I agree that staying vigilant is key when discussing cyber threats. Again, thank you for the pragmatic look into why it is so very critical that dealerships remain cyber vigilant and cyber secure.
Nick Lee
As an individual who is getting ready to begin his career in the cyber field, an article such as this one is a great example of the evolution of hacking tools and techniques, along with the money invested, to make our systems as secure as possible. My biggest takeaway from the post, has to be the cyber legislation and the amount of funds and time put into this project.
Richard White
Nick,
Thank you for your comment. I always try to note cyber laws and proposed legislation in most articles I write. I think that by doing so the reader can get a sense of what’s on the horizon.
Tenisha Carter
Having 24/7 eyes on the network is major and will help protect against the threat of hackers. Organizations will benefit from using MSSP, because not only will the network be watched around the clock, but they will benefit from less downtime, saving cost and saving their reputation.
Richard White
Tenisha
Thank you for your comment. I support any business having an MSSP supporting their cyber program. There is definitely a cost and brand savings attached.
Dane Beichter
I will admit that I hadn’t considered an auto dealership to be a tempting target for hackers. However, I now realize that the volumes of personal information that they handle for everything from verifying proof of insurance to full on credit reports is ripe for hackers. Perhaps, as hacking evolves, cyber security will have to address business functions that had not been previously considered as tempting or vulnerable.
Richard White
Dane,
Thank you for your comment. My thought in writing this article is that it is really all about customer data and PII. And I can think of very few businesses that take in so much in frequent well-defined bunches.
Tiffany Winn
Your suggestion of utilizing a Managed Security Service Provider is genius for so many reasons. First, it provides security experts that will work for you at a fraction of the cost. Secondly, it provides your organization with a larger security footprint that can assist in expansion. Lastly, it provides advanced monitoring and 24/7 assistance.
Richard White
Hi Tiffany,
Thank you for your comment. Glad we agree on the MSSP.
joseph franklin
In addition to hacking tools the emergence of virtual machines, web services, and VPNs that provide various points of presence allow a cybercriminal to obfuscate their path. This adds complexity to the problem when trying to track down the culprit. This article clearly outlines the different level of hackers and different tools they use. The mitigation techniques provide a great starting point to protecting a company’s networks against an attack.
Richard White
Hi Joseph
Thank you for your comment. I appreciate your insight regarding the tools and complexity – great note regarding obfuscation.
Sincerus A. Kingsly
As a Cybersecurity Practitioner, I do believe that today in 2018, PII needs to be guarded more than ever. Everyday hackers are coming up with more and more sophisticated ways to access an individual’s data. Yes, we have the newbie hackers, or script kiddies, who really don’t know how the network really works and just want to hack just to know that it can be done. These ego driven hackers are very clever because they are constantly learning new ways to hack systems, and what is the best way to learn? To hack. I can recall when hacking wasn’t a bad term at all, companies hired penetration testers to basically hack into the network to see how hardened the network actually was. More advanced hackers are committing crimes by accessing data for their own malicious intent, stealing data such as credit card information and social security numbers, PII.
Where the auto industry is concerned, if we look around us, we see thousands of automobiles emerging that are so called “Smart Cars”. Practically everything in the vehicle is connected to a computer and the onboard GPS to a satellite somewhere in the universe. Like you stated earlier, a lot of hackers hack for a “ego-driven” purpose. This also means that these types of hackers are going to go after what’s popular, just to say “I did it”. For instance, do you remember when Apple became really popular and then the APP store was hacked on September 20th 2015? Hackers are now accessing cars and most are doing it for the ego, “It would be interesting if I can hack a car”. I’ve seen numerous videos where hackers hack into vehicles and steer the vehicle. Vehicle owners are now storing personal data in their vehicles’ databases such as contact lists and appointments such as doctor visits. Now imagine if someone can access the vehicle’s database and obtain that individual’s doctor’s appointment and then go further by hacking into the doctor’s office’s network and then accessing that individual’s patient information, this information can be used in many malicious ways. Really scary.
Richard White
Sincerus
Thank you for your comment. Funny that you mention car hacking. I just very recently wrote an article about how to weaponize a self-driving vehicle and noted the cyber implications that go along with it. More to come on that….
Jenny Goldston
To get ready to address any cyber security dangers, dealerships ought to adjust security going through with the particular threats recognized in the risk evaluation, and focus on practical measures. Having an organized rundown of threats empowers a dealership to concentrate its efforts on the areas that matter most and abstain from spending on security technologies or exercises that are less essential or insignificant to fixing identified issues.
Richard White
Hi Jenny,
Again, thank you for your thoughts. I can without a doubt agree with you. Any organization should always focus on the pragmatic first. Then if necessary the complex, obscure, and maybe even the esoteric.
Dane Beichter
The importance of cybersecurity cannot be overstated, regardless of industry or economic sector. While many may not see automotive dealerships as targets, one must consider the number of times they access sensitive financial and credit information on their customers. Add to that the POS terminals in most parts and service departments, and they are tempting for hackers. It appears that investing in security is becoming a cost of doing business.
Richard White
Dane
Thank you again for your comments. Agreed PoS systems are valuable indeed…. just ask Target, TJ Maxx, and many many others.
Anita A-Saunders
As you mentioned in your article, all businesses and organizations have to follow strict laws and regulations regarding cybersecurity. An example of this is Congress, who takes time to evaluate and approve new bills.
The good guy cannot use any unlawful methods or tools, but hackers are free of any restrictions and utilize numerous techniques and technology to circumvent the rules. Therefore, cyber criminals are always a few steps ahead of everyone.
In order to better protect our e-assets, we need to convince the Senate to move faster and make the right decision, in this lose-lose situation.
Richard White
Anita,
Thank you for your comments. The good guys are always fighting with one arm tied. Great insight!
John Jewett
I strongly recommend the contracting of a Managed Security Service Provider for any small to medium sized company that does not have an in-house capability. These days cyber crime is within the capabilities of even the more novice “hacker” types. Sadly, an attacker’s goal of locking out a company’s computers and data with ransomware in order to make money ends up costing the company several times what it will pay in lost productivity. A recent Datto survey pegged the costs of a ransomware attack at $8,500 per hour for most small to mid sized businesses. Even worse, the effects generally cause closure of the company 20% of the time. If you’re concerned you don’t have sufficient defense in depth organically, sub-contract it immediately.
Richard White
John,
Thank you for your comments. We are very closely aligned regarding our thoughts on the usefulness of an MSSP.
Christopher Kuchera
With the evolution of hacking capabilities, and technology in general, no one is really 100% safe from cyber attacks anymore. This article really provides a good insight into the capabilities and motivations for hackers, and provides excellent mitigation strategies for these hackers.
Richard White
Christopher
Thank you for your thoughts. I appreciate your comments on the article as well.
April Howard
Great article on the necessity of a business understanding hacker types and their objectives when considering cybersecurity strategies. The advances in hacking tools and techniques are daunting and the Senate’s inaction is quite unfortunate.
Richard White
Hi April
Thank you for your comments and pragmatic insight.
James H
This is a great article. It is well intention that the bottom line remains clear that hackers are evolving at an exponential rate. I would perhaps argue that options with artificial intelligence and the implementation of software defined networking would assist in the fight to stave off the wave of attacks. Hackers, regardless of their financial backing have what most desire most, time. They have the time to determine their “zero day,” that which the “protectors” fear most.
Richard White
James,
Thank you for your comments. Great insight regarding AI, but I wish I could disagree… but I simply can’t. Also, appreciate the Zero-day aspect. Thanks for contributing.
David Prylo
This article accurately detailed how a defense-in-depth strategy, Managed Security Service Providers (MSSPs), and various cybersecurity tools such as firewalls and security information and event management (SIEM) tools can be used by automotive dealerships to improve their security posture. In my opinion, it is financially unfeasible for most dealerships to try and build their own successful cybersecurity suite of personnel, tools, and policies. Dealerships that belong to larger corporations like GM or Ford should look to inherit their security controls from their parent organizations. Local, non-affiliated dealerships would likely find it more cost effective to contract a third-party MSSP for their cybersecurity needs. The MSSP could manage the cybersecurity of the dealership’s internal database as well as the security aspects of its customer-facing website and mobile applications.
Richard White
David,
Thank you for your comments. Excellent thoughts regarding MSSPs and how dealerships can benefit from them. I also appreciate your thoughts regarding the inheriting of security controls from parent organizations – makes cyber more manageable and centralized.
Robert Ada
A 2016 SC Media article, Auto dealerships database leaked unencrypted PII, reported that “Security researchers discovered millions of car dealership customers’ information leaking from an online database. The leaked data originated from a database product known as LightYear.” This breach provided the full names, addresses, phone numbers, social security numbers, payroll data, and other customers’ and employees’ information. Although this was not due to hackers, luckily it was security researchers who discovered it. The ramifications would have been devastating if a hacker got a hold of this treasure trove of PII. For example, financial loss from customer and employee lawsuits, interruption of business operation, loss of reputation.
Whether the auto dealership is large, medium, or small, the instant they connect their business online, they are accepting the risk of their information system being hacked. Dr. White is on point with his recommendation for “dealerships develop a plan to detect and correct these events in near real-time.” He provides excellent information security options that are affordable for a wide range of auto dealerships; the 4th generation security information and event management tool and a Managed Security Service Provider for 24/7 eyes on their network. Automotive dealerships should heed this article!
John Jacobs
Given the complexity of the hacking community and the sophistication and continuous evolution of hacking tools, it would be very advantageous for agencies to work together to develop technologies that can quickly detect intrusions. Also, stating that proper backups would be needed is an excellent point, especially since every attack may not be detected in time to thwart damages that could interrupt the business continuity of an organization.
Richard White
Hi John,
I agree! Teamwork is key if any organization wants to move the security needle. I always try and mention the importance of backing up critical data. Back up, Back up, Back up! Thank you for your contribution.
Joslyn Bartels
Assets that are critical to a business or organization must be protected from cybersecurity vulnerabilities. Security countermeasures against known and emerging cyber attacks are continually evolving, expensive and difficult to keep up with. Involving the services of an MSSP plays a vital role to help safeguard investments, sensitive data as well as meet compliance regulations.
Great article.
Richard White
Hi Joslyn,
Thank you for your comments and contribution. We are indeed aligned regarding the adoption of MSSP services.
Richard White
Hi Robert,
Thank you for your comments. Excellent note regarding LightYear. I even note that specific dealership leak in a previous article. In short, lots of valuable data could have been potentially compromised. Thanks for the MSSP validation and kind words and support.
Sean Lohr
Good article. It’s a shame that the nine cybersecurity bills can’t get through Congress. How many compromises must occur before this becomes a higher priority? Good points on cyber-attacks against the auto industry. Protecting the information is key for any business, to include the auto industry, to ensure both private company and customer data is kept private.