By Richard White, PhD
The hacking community is incredibly diverse. At one end of the hacking spectrum are the newbies. Newbies are just starting out, and do not have a solid understanding of computers, networks, and applications. Their end game is simply to learn. At the other end of the spectrum are the professional hackers, either state sponsored or part of a criminal enterprise. They rely on stealth, and are motivated by nationalism, notoriety, or greed. Their goals are typically to steal personally identifiable information or intellectual property, as well as corporate data.
In between these extremes are coders, hacktivists, and cyberpunks. Cyberpunks are one rung up the ladder from newbies, and often are ego-driven. Cyberpunks will brag about their exploits online within the underground and Dark Web, leading to their apprehension. Hacktivists hack for political causes. Examples are Anonymous and elements of the Animal Liberation Front and Earth Liberation Front. Coders are the people who develop and sell the tools that most hackers rely on to exploit victims’ vulnerabilities.
The evolution of hacking tools and hacking techniques
Hacking tools have advanced at the same pace as technology. They are faster than the tools used in the past and are becoming increasingly sophisticated. Hacking tools have become modular and offer a selection of functionality that can be customized to each hacker’s purpose. Various modules are used against different operating systems. This way, one tool can be used to attack Windows, Linux, and Apple platforms. Stealth, or anti-forensics, is a key component of these tools. The stealth function allows hackers to cover their digital tracks, even hiding any evidence that an anti-forensic tool was ever used.
Finally, the new generation of hacking tools is dynamic. This capability allows a hacker to change attack vectors and methods. These hacking tools are readily available on the Dark Web, with PayPal or Bitcoin being the preferred payment method.
Inaction in action, cyber legislation at rest
In 2018, nine bills focused on cybersecurity were introduced in Congress. Six of the bills are stuck in committee. The remaining three bills have passed the House of Representatives. These bills would amend the Homeland Security Act to create the National Computer Forensics Institute, help states coordinate with the National Cybersecurity and Communications Integration Center, and enhance information sharing about cyber events while strengthening privacy protections. It is doubtful that the Senate will pass, or even vote on, them.
In 2015, former President Barack Obama issued an Executive Order authorizing the Treasury Department to place sanctions against foreign hackers whose acts pose a threat to the economy or national security. A spokesman said the sanctions will only be used against the most egregious hackers. Last December (2017), a version of the Cyber Information Sharing Act was included in the trillion-dollar budget deal. The provision protects companies from any civil litigation that could arise from sharing information about cyber-attacks with the Department of Homeland Security, and/or other companies.
What should auto dealerships be concerned about?
Auto dealerships need to evaluate what variety of hacker is attracted to their business (a thorough and complete risk analysis works great here). For example, hackers that are driven by ego do not care about the “pay off.” Successfully hacking your dealership is the payment.
Another example is the hacker that is seeking profit and means to breach your perimeter, steal your valuable data and monetize it in the underground. This is more problematic, though less common, than the ego-driven hack. Though they differ in intensity and intent, protecting yourself against different kinds of hackers takes a similar systematic approach.
Begin by assessing the nature of the business and how transactions are conducted. Do you rely on the continued storage of customer data, financial data, or corporate data to run your business? All have various protective elements that should be in place.
The conventional wisdom to defend against hackers is known as defense in depth. Firewalls at the perimeter, anti-malware installed on hosts and servers, encrypted traffic across local and wide area networks, intrusion detection appliances, and two-factor authentication are all part of this solution.
However, defense in depth is designed to mitigate an attack, not prevent it entirely. For this reason alone, having the proper backups, authentication, and security controls in place prior to an attack will help keep even successful hacks from becoming catastrophic and prolonged.
I recommend that dealerships develop a plan to detect and correct these events in near real-time. By using the term “correct” I mean to mitigate, eradicate, and recover from a breach. Additionally, I recommend using a 4th generation security information and event management (SIEM) tool to help provide real-time notification of cyber-attacks.
A more cost-effective approach would be to seek out a Managed Security Service Provider and outsource this element of the dealership’s security program. Using an MSSP provides 24/7 eyes on your network, data, and users and provides a much faster response, which correlates to less time and cost to full recovery, not to mention the brand and reputation damage that is avoided.
Richard D. White is a recognized industry expert in the field of cybersecurity. He can be reached at (718) 512-2960 or mobile (301) 751-7445 or by email at RW@richardawhitephd.com.