40 Comments

  1. 1

    Matthew Ryan

    Really interesting read. I agree with our society having the new obsession with IoT whether it’s smart watch or smart tv and I am guilty as well when it comes to smart tv. Do you think there is a market to have these types of IoT technologies to try and host antimalware or any type of security? If not, I think more money needs to be put into this market considering in the future, everything could possibly be connected to the Internet. Great article! I enjoyed reading it.

    Reply
    1. 1.1

      Richard White

      Matthew – Thank you for you comments and thoughts regarding IoT…. appears that we are aligned in our thoughts.

      Cheers,

      Reply
  2. 2

    Ramon Grullon

    The use of phishing attacks is simply too easy to ever go away. Its like crimes of opportunity where a person leaves their car unlocked and valuables in plain sight. Until more emphasis in placed on the users of systems as the weakest link in security, lack of knowledge will lead to these successful phishing attacks.

    Reply
    1. 2.1

      Richard White

      Ramon – Great thoughts. I agree Phishing is still around simply because it is easy to deploy, works well, and has very little risk to the bad guy.

      Reply
  3. 3

    serge saa-lapnet

    Innovative cybersecurity analysis addressing serious threats and attack patterns. Mentions to the IoT are poignant, especially as we are entering in the era of the internet of everything (IoE).
    Great applicabilities of cybersecurity recommendations to the auto dealership industry for the upcoming cyber season. This is a great read!

    Reply
    1. 3.1

      Olivia Atkinson

      Hello Professor White,
      I agree that ransomware is here to stay. There are so many cyber criminals that get a kick out of holding the user’s information hostage. Users should be cautious when they are opening their email and don’t click on unrecognizable links. Ensure protection for the system by purchasing security software. There is no sure way to prevent ransomware from occurring. I enjoyed reading your article it was very informative.

      Reply
    2. 3.2

      Richard White

      Serge – Thank you for the feedback. I agree that IoT is here to stay…. at least for the foreseeable future.

      Reply
    1. 4.1

      Richard White

      Tiffany – Thank you.

      Rick

      Reply
  4. 5

    David Burdyck

    Dr. White,

    I feel that attribution naming the host or persistent threat identity will consistently continue to be an issue and near next to impossible to nail down. Part of the problem is even if you were to actually trace back the threat actor to its point of origin; there is a large possibility that this threat actor (non-nation state, individual, group, etc) is acting on behalf of a larger entity; Perhaps a Nation-State actor that represent one of the big four. The IOT is definitely going to be the next major highway avenue of approach for threat adversaries (bad-actors). So many technologies exist without the proper encryption and security technology that it presents the most viable target source to launch attacks from. I foresee big technology industry distributors being forced into having to relook their security angles with products they produce. This will be fueled by the number of sophisticated attacks that we will experience across the IOT platform. Which major industries are currently using (Siem) technology within their organizations now and will this be the next focus for hackers to debunk its validity for capturing threats on a network. Thanks for sharing your insight with the community of Cyber Professionals.

    V/R
    David Burdyck (Go Panthers) “had to do it”

    Reply
    1. 5.1

      Richard White

      David,

      Great feedback and thoughts. Good insight regarding production and distribution reexamination.

      Reply
  5. 6

    Charity

    Not many people think of the car dealers when they are talking about hacking, people go in and put all of the information that is needed to buy a car down and doesn’t think more about it. This is a very vulnerable place for people, no one thinks too much about what information they were just giving the dealers when they were shopping. If you want to test drive a car, you have to hand over your license, and it is copied. That one document has all of the information someone needs to cause damage. Any company that deals with computer systems need to be aware that their systems could be compromised and take protective measures.

    Reply
  6. 7

    Dave McD.

    Dr. White captured the threat landscape that exists, not only for the automotive industry, but all industries. As hackers exploits, and albeit, successes become more publicized in specific industry verticals, those industry participants feel the sense of urgency and pressure to improve cybersecurity practices, even if they were not directly affected by a breach. Hackers will often follow the path of least resistance to capitalize on high risk and high rewards and move into new areas with less battle-tested defenses. The automotive industry has dramatically evolved in the recent years from an information technology perspective. There are now innumerable end points in the environment and the failure to apply sound security principles in the environment could be catastrophic for an organization.

    The recommendations provided by Dr. White are comprehensive and attainable. Understanding the business and assessing the need for data is paramount. If sensitive data is needed to support business functions, then additional security measures need built around that data in for the form of policies, procedures, and security appliances. Further, accepting that defense-in-depth through prevention is not realistic. Organizations should place equal emphasis on detecting events, incidents, and breaches in their networks to minimize impacts. Lastly, communication is critical among industry participants. Sharing threat intelligence not only improves your neighbor’s security practices, but it also improves individual efforts to security – as long as you’re committed.

    Dave McD.
    A+, Net+., Sec+, CEH, GISF, GSEC, GCIH, GCFE, CAP, CISSP

    Reply
    1. 7.1

      Richard White

      Dave – Thank you for your thoughts. I particularly appreciate your insight regarding defense-in-depth and detection.

      Thank You,

      Rick

      Reply
  7. 8

    A. Carter

    In addition to backups cyber tools employee education is big part of security as well. As you mentioned phishing attempts are the most popular method of attack (and probably always will be) due to the lack of effort required for the attacker. It only takes one unaware user to click a link they shouldn’t or provide their password to “system administrator” for the attacker to gain entry and start working on data collection. The unaware user is essentially able to assist the attacker in negating all the security controls put in place by security personnel.

    Reply
    1. 8.1

      Richard White

      Great insight and thoughts. We (the cyber good guys) have to be right every time an attempt is made to breach our data. The bad actor only has to right once. Terrible odds, but we fight on.

      Cheers,

      Rick

      Reply
  8. 9

    George Myers

    Dr. White,

    Interesting take on attribution of advanced persistent threats (APT). Just a few years ago, we were at this juncture regarding attribution and we eventually figured out a solution. Now that capabilities and APT trade-craft and behavior has been modified, we’re back to the point where attribution is hard again…unless you’re in the inner circle.

    That brings me to the point of government/commercial partnerships. Since essentially any business in the US is a potential target for APTs, it is beneficial for expansion of these partnerships. Countries impacted by sanctions will continue to use state-sanctioned cyber actors to aid in monetary gain to help them meet various national requirements. These countries are not too selective with their targets as their only goal is to expeditiously earn money. The techniques used here can help put together an entire picture for attribution across many APTs.

    Reply
    1. 9.1

      Richard White

      George,

      Awesome operational insight and depth. I could not agree more regarding the need to expand the federal and commercial partnerships for the purpose of exchanging threat intel and real-time threat Indicators of Compromise.

      Best,

      Rick

      Reply
    2. 9.2

      Richard White

      George,

      Great thoughts. Thank you. Agreed! Most cyber threat select their targets in an opportunistic fashion rather than conventional efforts focused on tactical gains.

      Rick

      Reply
  9. 10

    T. Walker

    Interesting article. At first I was curious as to why the focus on automotive dealerships. Then I started to think about the potential monetary gain. While it’s been sometime since I purchased a vehicle, I assume there is a wealth (pun intended) of customer information stored at, or transmitted from, dealerships. This information would likely include social security numbers for credit checks, credit card numbers from sales and service departments, and banking information for loans. I also assess the infrastructure at the average dealership may not be as hardened as that of a bank or financial institute, thus making them more vulnerable to attack. I then began to consider the vehicles themselves and the risk they present. Technologies like GPS, in dash hard drives, Bluetooth, and WiFi hotspots are becoming more common in vehicles. Similarly, vehicle-to-infrastructure, telematics, and fully autonomous vehicles represent an increased reliance on technology in the automotive industry. These “conveniences” present additional attack vectors for bad actors looking to either prove their hacking prowess or inflict harm. Regarding DDoS attacks, to what extend can vehicles be used as bots in these scenarios? Especially given the common practice of having multiple dealerships located in close proximity. Spoofing a dealership via email for a phishing attack would undoubtedly reap a higher than average success rate. Folks are use to a large amount of paperwork and customer service surveys when purchasing a vehicle. It wouldn’t be hard to use some social engineering to obtain email addresses of new care owners and send them an email to the effect of, “we need to verify your account number” or something along those lines. What is the likelihood that we see a form of ransom ware attacks on vehicles? Imagine trying to get to work and your vehicle won’t start unless you pay X amount. Lastly, while perhaps a greater risk in rentals, individuals who use a loaner car from a dealer, are at risk of divulging information unintentionally by connecting via Bluetooth or USB and downloading their contacts or information associated to their smart device(s). Thank you for a thought provoking article highlighting the fact that any industry is at risk and must take the appropriate measures to protect themselves and their customers.

    Reply
    1. 10.1

      Richard White

      Excellent insight regarding DDoS you are spot-on. Most, if not all, IoT devices can be compromised so that it participates unwillingly in a DDoS attack. We will see more of this soon…. SOON! 🙂

      Rick

      Reply
  10. 11

    Simon Liu

    The article put several things into perspective, the first is the importance of understanding that we need to consider the long game. This means that more and more complex attacks will be in the future, we need to ensure that we are prepared to meet those challenge and act appropriately. The second is that there are only two things that drive a hacker, ego, and money. The latter is what drives ransomware attacks and why I believe they will grow as long as they remain lucrative. The other point it drives thought is the “same line different hook”, humans are curious by nature and in a sense very unsuspecting because they can be presented with something that might be off or dangerous but if you dangle it in front of us, eventually someone will bite.

    I agree with Dr. White’s assessment and recommendation that the best defense is defense in depth. By having a serious of defenses, there are other layers of defenses even if a hacker can breach one layer. Having a backup system in case a recovery is required is also a good idea, regardless if a cloud-based backup system or if a hardware backup is desired, as long as there’s a plan to recover data that could critical to business operations.

    Reply
    1. 11.1

      Richard White

      Simon,

      Thank you for your input and feedback. Back-up and recovery…. can go wrong there particularly when critical systems are in play.

      Rick

      Reply
  11. 12

    Mary

    Great read! Mr. White, really knows his stuff. Great Job Mr. White, and for keeping us informed.

    Reply
    1. 12.1

      Richard White

      Thank you, Mary.

      Reply
  12. 13

    Andrea S.

    This is an eye-opening article. Purchasing IoT products has its challenges as defined by the article. Because of free enterprise, companies that produce and sell IoT products can do so aware of the security concerns. It is up to the consumer to determine whether to accept the risk by purchasing the IoT product or moving onto a non-IoT product.
    Consumers would probably choose convenience over security especially with a product like an IoT refrigerator. The thought process, who cares if someone hacks my IoT refrigerator? As a consumer, you might not care unless or until your refrigerator is hacked (forced to turn off) and you have to replace its contents. As a consumer, I would be weary of IoT products until security is addressed.

    Reply
    1. 13.1

      Richard White

      Andrea,

      Thank you for the comment. IoT will rise to prominence within the hacking realm – easy to hack, no security agents installed, and very prolific already – a hacker’s dream.

      Cheers

      Reply
  13. 14

    Olivia Atkinson

    Hello Professor White,

    I agree that ransomware is here to stay. There are so many cyber criminals that get a kick out of holding the user’s information hostage. Users should be cautious when they are opening their email and don’t click on unrecognizable links. Ensure protection for the system by purchasing security software. There is no sure way to prevent ransomware from occurring. I enjoyed reading your article it was very informative.

    Reply
    1. 14.1

      Richard White

      Hi Olivia,

      Great comments. The thrill of the attack is indeed a motivating factor for the bad actor – rhymes!

      Cheers

      Reply
  14. 15

    Olivia Atkinson

    Hello Professor White,
    I agree that ransomware is here to stay. There are so many cyber criminals that get a kick out of holding the user’s information hostage. Users should be cautious when they are opening their email and don’t click on unrecognizable links. Ensure protection for the system by purchasing security software. There is no sure way to prevent ransomware from occurring. I enjoyed reading your article it was very informative.

    Reply
  15. 16

    Pedro Rosa

    This is a very interesting article. You bring up some great examples of attacks that will remain and those on the rise. It is true that the IoT, albeit a convenient tool for us all is very vulnerable to attack. With respect to automobile dealerships, I agree with everything you had to say but I think a bigger concern is the IoT as it pertains to smart technology in vehicles. not too long ago I saw a report on 60 minutes that discussed the dangers of adding smart technology to the automobile industry. I consider this a big danger and am very skeptical to buy in to the prospect of having my vehicle perform actions previously reserved for licensed drivers. I would like to knoe your opinions on this topic.

    Reply
    1. 16.1

      Richard White

      Pedro,

      We are 100 percent aligned. I agree that IoT internal to a vehicle is an issue and should be dealt with ASAP. Technology and convenience do tend to move fast than security ans sensibility.

      Reply
  16. 17

    C. Afeowrk

    Great article Dr. White
    Even most other business industries face a security breaches, and hacking activities, now a day, hackers looking automotive industry as well. Automotive industry is targeted because its suppliers and vendors have a large database of consumer information, and location based data. Automotive industry such as dealerships and carmakers have big data that includes financial information and also driving statistics which is most hackers and cyber criminals looking for. Due to its big amount of data, hackers targeted automotive industry and it is drawing the attention of lawmakers, regulators and security experts.

    Reply
    1. 17.1

      Richard White

      A. Afeowrk,

      Thank you for your comments. You nailed it, the large amount of juicy data within the automotive industry makes it a real and viable target. Look for the hacker to move into the smaller and mid-sized organizations (like auto dealerships) this year and continuing into the foreseeable future.

      Reply
  17. 18

    Richard White

    Matthew – IoT is, in my opinion, the next shiny thing for the bad guy to exploit and consumers to chase. Let’s see how close I am at the end of the year. Great comments.

    Rick

    Reply
  18. 19

    Richard White

    Charity,

    Thank you for the comments. My opinion…. I think auto dealerships and similar orgs are the new battlefront regarding the cyber threat.

    Reply
  19. 20

    Sarah Scott

    Great article with expert insights with regard to imminent threats businesses like automotive dealers are facing in terms of the increasing risks of cyber threats creating vulnerabilities. Over the years consumers have watched as many businesses and their data have been compromised due to lack of cyber security infrastructure and planning. Protecting small businesses from disasters as a result of hackers becoming more and more sophisticated is important to stay vigilant against cyber attacks. Some dealerships could be vulnerable to the mentioned issues that endanger the personal information of customers and employees alike.

    Such data breaches not only would prove an immediate business threat to dealerships, they also could result in spooked consumers never doing business with hacked stores again. An auditing firm recently surveyed a variety of dealerships in five states to show the impact of data security on the sales and reputations of dealerships, that regularly conducts security audits for all areas of dealerships. The survey found that nearly 84 percent of consumers would not buy another car from a dealership after their data had been compromised by a breach at the dealership. The study also found that around 33 percent of consumers lack confidence in the security of their personal and financial data when buying a vehicle at a dealership.

    Car dealerships can be prime locations for hackers looking for personal data. Dealerships, in some cases, could have more information on consumers than their local banks do. From a hacker’s perspective, it’s much easier to hack a dealership than a bank.
    For example, service departments, which usually have Wi-Fi connections available for customers, as potential weak spots that hackers can exploit. If the Wi-Fi is not separate from the main network of a dealership, it would take a sophisticated hacker only six minutes to break into it. It often takes a dealership much longer to discover the breach — the average is 208 days.

    Cash is one issue holding some stores back. Dedicated security personnel on staff can be an expensive prospect for smaller stores. Only 30 percent of the surveyed dealerships employ a network engineer with computer security certifications and training. Some stores can open themselves up to security failings by not being vigilant. For instance, the survey conducted found that more than 70 percent of dealerships are not up to date on their anti-virus software. The majority of surveyed dealerships aren’t confronting their weaknesses to see where improvement is needed; The survey also reported that only 25 percent of dealerships have hired third-party vendors to try to hack into their networks to test their vulnerability. Dealerships are under pressure to hit sales targets, so their primary focus is on delivering cars. This can lead to stores making mistakes.

    Reply
    1. 20.1

      Richard White

      Sarah – Great insight and practical view. I particularly appreciate your last paragraph were you discuss cost and resource statistics. Thank you for your comments.

      Rick

      Reply
  20. 21

    Sincerus A. Kingsly

    As always, This is a must read. Ransomware attacks are going to keep growing throughout our cyber universe because companies will just pay attackers, especially to decrypt their sensitive data and the attackers know this. Whats worse is that once an attacker gets paid, sometimes they will request an even larger sum of money. In a lot of cases, even if the attacker is paid, they will still destroy the data and make it inaccessible. Phishing will always continue because that’s how victims are lured, and its a great method.

    When it comes to car dealerships, client’s Personally Identifiable Information (PII) is stored all throughout their database. to add insult to injury, automobiles now a days offer attackers many methods to attack the vehicle as well as the dealership and/or financial institution that the buyer of the auto has his/her loan through. For instance, We all understand that that dealership and/or the finance company has to have tracking on the vehicle “just in case”. Dealership’s and or financial institution’s data is stored in the vehicle’s database. a hacker can hack that vehicle, gain unauthorized access, and from there access the vehicle’s computer system where the dealership’s and/or financial institution’s information is stored. from there, the attacker could possibly gain access into the dealership and/or financial institution to possible steal data or any other malicious activities deemed appropriate by the attacker.

    Reply
    1. 21.1

      Richard White

      Sincerus,

      Great feedback. I see that we are aligned regarding our concern over the growing Ransomware problem and what the future holds in kind. I recently wrote an article regarding the hacking of autonomous vehicles and how they can be hacked and weaponized – scary stuff. Thank you again for your excellent insight and perspective.

      Cheers,

      Rick

      Reply

Leave a Comment (We Greatly Value Your Input)

Dealership-specific comments or reviews regarding sales or services should be posted on Yelp, Google, etc. where they are frequently monitored and addressed.

Your email address will not be published. Required fields are marked *

Related Articles

© Copyright 2019       All Rights Reserved       View Legal Notice