SECTION 1: ANALYSIS SUMMARY
GM dealers are becoming more dependent on the internet. Security
threats are of critical importance for dealerships nationwide.
The technology that the dealership uses affects the level of security.
Security analysts have recently compiled the latest "GM Attack Stats"
from the security appliances managed by GMDIT in place at GM dealers
nationwide (using a random sampling of approximately 30).
To gain some understanding of the IP threat facing dealers and some
of the factors that contribute to that threat, an arbitrary time period
of one month was selected, and the intrusion and attack information
was compiled and analyzed. In the 30-day period, an average of 4,800
attacks was recorded at the dealers with business-class T1 Internet
access services. Where cable or residential-class DSL circuits are
used, this average increased to 11,000 attacks in the same 30-day
period. (An attack is defined as any Internet traffic attempting to
enter the dealership's network which was not specifically invited
by an application, such as a web browser.)
Additionally, the appliances in place at these GM dealerships stopped
an average of 52 email-based viruses during the 30 days, any one of
which could have been potentially damaging.
Attacks are indiscriminate.
Every Internet connection, whether it is a bank, an apartment complex,
a house, or a dealership, is identified only by an IP address. Attacks
are indiscriminate and usually "automated"; targeted
assaults are actually very rare.
There are many ways in which networks can be compromised. At Nuspire,
we have labeled this as "Blended Threats". A small list of examples includes:
- Virus Activity
- Spyware (Grey Ware)
- Port scans
- Denial of Service
- Key Loggers
- Packet Sniffing
Many past and current manufacturers are not equipped to handle today's
more sophisticated "Blended Threats". For example, suppose a user
wants to download a file from an FTP site or even a web mail message.
A typical firewall will see that a user is trying to use an FTP or
HTTP service and allow this to occur. A firewall that is designed to
protect against "Blended Threats" will actually analyze this traffic
to make sure it is safe from viruses or other malicious applications
(i.e. grey ware).
Every day, criminals are getting more and more sophisticated in their
attempts to compromise devices on the Internet. Because of this,
businesses must also become more sophisticated in order to protect
their assets and privacy. Security is not a destination. It is a
repeating process of monitoring, analysis, and modifying/upgrading.
A "Blended Threat" management service is the best method of protecting
an infrastructure for businesses that do not have the resources to
take this task on by themselves.
SECTION 2: LEGAL IMPLICATIONS
When customer information is compromised, the dealership becomes
liable for both civil lawsuits and federal penalties.
The Federal Trade Commission (FTC), under President Clinton's 1999
Gramm-Leach-Bliley Act (GLBA), issued two rules applying to auto
dealers. First, the Safeguards Rule establishes standards relating
to administrative, technical and physical information safeguards for
financial institutions. This Rule specifically states that auto dealers
who finance or lease to customers fall under its jurisdiction.
Second, the Privacy Rule is intended to raise customer awareness of
the different ways their non-public, personal information may be used.
This rule requires dealers to present certain paperwork on the
dealership's information sharing policies, or information notices,
to the customer during the information-gathering process.
SECTION 3: CONCLUSIONS AND RECOMMENDATIONS
- The Privacy Rule
Entities Covered by the Privacy Rule? Car dealers who:
- Extend credit to someone
- Arrange for someone to finance or lease a car for personal, family or household use.
- Provide financial advice or counseling to individuals
The privacy notice must be a clear and
accurate statement of the company's privacy practices; it
should include what information the company collects about
its consumers and customers, with whom it shares the
information, and how it protects or safeguards the information.
Customers have the right to opt out of, or say no to, having
their personal information shared with certain parties or
affiliates. This does not include the GM company. By law,
dealers have to report some aspects of their sales to
GM, for example to insurance warranty work or recall notices.
Bound to Rule
Even if, right after a customer agrees to finance the purchase
of a car, the dealership immediately assigns the contract
to a third-party lender, the dealer is still bound by the
Privacy Rule. In this instance there is a document called a
"Privacy Notice" that the dealer must give to the purchaser.
Required Statement of Dealership Safeguarding Information:
Dealerships must have a statement of how they safeguard personal
information. The FTC has even offered the following "model"
language for privacy notices: "We maintain physical,
electronic, and procedural safeguards that comply with federal
regulations to guard your nonpublic personal information."
- The Safeguards Rule
The Safeguards Rule is intended to protect the financial
institution's customers from identity theft and other harm
by requiring financial institutions to assess their data and
information from misappropriation, alteration, tampering,
etc. Compliance with the Safeguards Rule is mandatory as of
May 23, 2003.
Who is covered under the Safeguards Rule?
Dealers are specifically identified as a financial institution.
A financial institution is any dealer who is "significantly
engaged in financing activities."
What information is covered?
Physical, paper, and electronic information handled or viewed
by anyone at the dealership or their affiliates must use
proper safeguards to insure customer personal information
- Information contained in a customer's credit report or credit application
- Account numbers
- Bank account numbers
- Social security numbers
- Any other information the dealer receives from other financial institutions
This does not apply to information related to insurance
(covered in another law) and also does not cover
potential finance or lease information, only the
actual financing agreement itself.
A Comprehensive, Written Information Program. By law the
Safeguards Rule of the GLB Act requires dealers to implement
and maintain a written security program. It also requires
that you ensure your affiliates (i.e. vendor or partner
companies handling sensitive data) maintain appropriate
information safeguards as well. The written program must
outline the dealer's physical, administrative, and technical
policies as they apply to safeguarding customer information.
The objectives of this documentation must be to ensure
confidentiality of customer information, protect that
information against threats, and guard against unauthorized
access to that personal information. There are five elements
to this Security Program:
Designate an employee as program coordinator for
your information security program.
This person must be an employee of the dealership.
This program coordinator is in charge of assessment,
implementation, and updates to the physical and
electronic security of the dealership. They are in
charge of managing security policies, procedures,
and FTC-required paperwork.
Identify reasonably foreseeable internal and external
risks to the security, confidentiality, and integrity
of customer information.
This process of identification should be done by the
program coordinator through a process of risk assessment.
Under the Safeguards Rule, risk assessment is not an option;
it is the law. Foreseeable risks include:
Attacks through Internet hackers or other grey
ware applications. As shown in section 4, this
happens hundreds of times per day, and is a
very serious, foreseeable risk.
Viruses downloaded inadvertently by employees.
GMDIT data shows that on average one or two email
viruses are sent to a dealership every day.
Compromises to the physical security. Open
PCs with no password protection or shared
"common" passwords pose a great risk to
You must design and implement customer safeguards
to control the risks you identify through risk
To protect from outside threats, the dealership must
take "reasonable measures" to implement a system for
For electronic data, this is an up-to-date
security device that continually monitors
threats through intrusion detection system
(IDS) and other mechanisms.
To control the risks from within the dealership,
every dealership should at least protect each
PC with anti-virus software and unique passwords.
What is recommended by GMDIT is a corporate
antivirus solution because it is designed to
protect the entire network from viruses, as
opposed to just the individual PC. The
recommended solution to password protection
is to limit the data each user has permission
to see. This would allow customer information
to only be viewed on a "need to know" basis.
Reporting on the activity of data going into
and out of the dealership is a key element
to monitoring, detecting and responding to
threats. Only timely reports specific to the
dealership give the project security
coordinator a true sense of the threats the
dealership's electronic data is faced with.
Customized reporting is the only way to
monitor the security program and its effectiveness.
You must oversee service providers by taking
reasonable steps to select and retain service
providers that are capable of protecting the dealer's
You must maintain customer's information by requiring
these providers by contract to implement and maintain
You must evaluate, adjust, and reevaluate your
information security program.
- Compliance Standards
The FTC has tried to make the standards as flexible as
possible with respect to the dealer's size and the complexity
of its information systems. As a reference for information
systems, the FTC uses the National Institute of Standards and
Technology (NIST) when enforcing compliance among government
and financial institutions. The current NIST standards for
protection of electronic data include not just a firewall,
but a firewall that can detect, and respond to, intrusions
into the network.
"Continually monitoring threats through intrusion detection
system (IDS) and other mechanisms is essential" (Executive
Summary, NIST 800-61 Computer Security Handling Guide, page ES-1)
Fines and penalties enforced by the FTC for not complying
with NIST regulations can vary from bi-annual audits over
10 years to $11,000 per day that the dealership is out of
compliance. Even more importantly, the dealership is liable
for any personal information inappropriately used in a
harmful manner (identity theft). Lawsuits have been filed
against dealerships whose customer information has gotten
into the wrong hands. These lawsuits have been filed for in
excess of $15 million.
As more and more dealers adopt broadband technologies, and as the GM
company opens more conduits to the dealer LAN, the risk increases
not only for the dealer's business but for GM as well. The priority
on security should be reflected by making it more prominent in dealer
communications and policy.
General Motors has data specific to GM dealers that shows that the
average dealer is attacked between four and eleven thousand times
per month. If one of these attacks or viruses is successful in
compromising customer information, the dealership is legally liable
and is in breach of the FTC rule. The cost to properly secure the
dealership is minimal compared to the results that could come from
a compromise in the electronic network.
"For those of you with sophisticated computer systems and
information management tools (e.g. DMS, F&I, CRM and business partners
who host call centers and websites), it is likely you will need to
turn to outside help in order to accomplish the tasks required of
you under the Safeguards Rule. Even if your systems are not state
of the art, you will probably need some outside assistance to help
you determine the potential risks to your Customer information and
the appropriate fixes. In most, if not all, cases you will need to
revisit your budget to ensure that adequate funds will be available
to meet your compliance obligations on an ongoing basis."
~A dealer Guide to Safeguarding Customer Information. (Published by the National Automotive Dealer's Association ©2003)
It is imperative that each dealership is secure, yet the typical
software and/or basic router with firewall capabilities may not be
sufficient, and most dealers do not have the technical resources
"in house" to address these issues. It is therefore important that
GM construct a strategy for dealers to follow.
DEALERS NEED TO: Adopt a Multi-Layer Security Strategy:
While no dealership can be "completely" safe, securing each layer
of the dealership is the best way to reduce its risk from
threats from within and outside the dealership and mitigate any
liability for acts committed by attackers. Turning to experts in security,
technology, and dealership infrastructure is the best way to make
sure the dealership is better protected.
Layer 1 - A dedicated, private Internet connection.
A dedicated Internet connection like a T1 service will reduce
the number of unwanted attacks by about half.
Layer 2 - Securing the LAN with a reliable firewall
capable of handling today's "Blended Threats"
A firewall that analyses data in real-time and monitors all
traffic coming in and out of the dealership's Internet
connection will help in protecting sensitive data. Intrusion
methods change with technology. Dealership firewalls must
be able to identify the traffic going through the firewall
and be able to determine if this data is wanted, safe, and
secure enough to deliver to the end user. Moreover, a managed
firewall with timely updates will keep the dealership
up-to-date with the newest technologies and threats.
Layer 3 - Securing the LAN through a repeating process
of monitoring and adjusting
A security program is only as good as the party that monitors
the attacks and adjusts the security policy appropriately.
Without this continual process of monitoring and adjusting,
a dealership will fall further and further behind, putting
itself at high risk.
Layer 4 - Securing PCs with reliable anti-virus/spy ware
Security starts from within the dealership. Since a network
will be compromised at its weakest link, each PC must have
up-to-date anti-virus protection. A corporate anti-virus
solution is the best fit for dealerships of all sizes. Many
of today's corporate anti-virus solutions also
include spy ware protection and key logger protection.
Layer 5 - Employee monitoring and education
Many theft occurrences start from the inside out. Usually
this can be prevented by properly educating employees on
ways in which they can help to protect the company's privacy
and their customers' privacy. Examples include social
engineering, proper passwords and storage of passwords,
remembering to logout or lock their workstation when they
SECTION 4: THE GMDIT SECURITY SOLUTION
GMDIT has developed a product line that is the most accurate,
cost-effective, and best adapted security solution for the automotive
industry. We've tailored our security offerings to dealership networks,
operations, and FTC regulations. The FTC requires active intrusion
detection, risk assessment, a security policy, and a good portion of
paperwork. GMDIT has developed an easy way to accomplish all these
goals while keeping your employees selling cars. This multi-layered
approach to customer security embodies the FTC's definition of
incorporating a "reasonable measure to safeguard customer information."