Network Security Solutions
SECTION 1: ANALYSIS SUMMARY

GM dealers are becoming more dependent on the Internet. Security threats are of critical importance for dealerships nationwide.

The technology that the dealership uses affects the level of security.

Security analysts have recently compiled the latest "GM Attack Stats" from the security appliances managed by GMDIT in place at GM dealers nationwide (using a random sampling of approximately 30).

To gain some understanding of the IP threat facing dealers, and of some of the factors that contribute to that threat, an arbitrary time period of one month was selected, and the intrusion and attack information was compiled and analyzed. In the 30-day period, an average of 4,800 attacks was recorded at the dealers with business-class T1 Internet access services. Where cable or residential-class DSL circuits are used, this average increased to 11,000 attacks in the same 30-day period. (An attack is defined as any Internet traffic attempting to enter the dealership's network which was not specifically invited by an application, such as a web browser.)

Additionally, the appliances in place at these GM dealerships stopped an average of 52 email-based viruses during the 30 days, any one of which could have been potentially damaging.

Attacks are indiscriminate.

Every Internet connection, whether it belongs to a bank, an apartment complex, a house, or a dealership, is identified only by an IP address. Attacks are indiscriminate and usually "automated"; targeted assaults are in fact very rare.

There are many ways in which networks can be compromised. At Nuspire, we have labeled this as "Blended Threats". A small list of examples includes:
  • Virus Activity
  • Spyware (Grey Ware)
  • Port scans
  • Denial of Service
  • Key Loggers
  • Packet Sniffing
Many past and current manufacturers are not equipped to handle today's more sophisticated "Blended Threats". For example, suppose a user wants to download a file from an FTP site or even open a web mail message. A typical firewall will see that a user is trying to use an FTP or HTTP service and allow this to occur. A firewall that is designed to protect against "Blended Threats" will actually analyze this traffic to make sure it is free of viruses or other malicious applications (e.g. grey ware).

Every day, criminals are getting more and more sophisticated in their attempts to compromise devices on the Internet. Because of this, businesses must also become more sophisticated in order to protect their assets and privacy. Security is not a destination. It is a repeating process of monitoring, analysis, and modifying/upgrading. A "Blended Threat" management service is the best method of protecting an infrastructure for businesses that do not have the resources to take this task on by themselves.


SECTION 2: LEGAL IMPLICATIONS

When customer information is compromised, the dealership becomes liable for both civil lawsuits and federal penalties.

The Federal Trade Commission (FTC), under President Clinton's 1999 Gramm-Leach-Bliley Act (GLBA), issued two rules applying to auto dealers. First, the Safeguards Rule establishes standards relating to administrative, technical and physical information safeguards for financial institutions. This Rule specifically states that auto dealers who finance or lease to customers fall under this jurisdiction. Second, the Privacy Rule is intended to raise customer awareness of the different ways their non-public, personal information may be used. This rule requires dealers to present certain paperwork on the dealership's information-sharing policies, or information notices, to the customer during the information-gathering process.

  1. The Privacy Rule

    Entities covered by the Privacy Rule: car dealers who
    • Extend credit to someone
    • Arrange for someone to finance or lease a car for personal, family or household use
    • Provide financial advice or counseling to individuals

    Privacy Notice: The privacy notice must be a clear and accurate statement of the company's privacy practices; it should include what information the company collects about its consumers and customers, with whom it shares the information, and how it protects or safeguards the information.

    Opt-Out Rights: Customers have the right to opt out of, or say no to, having their personal information shared with certain parties or affiliates. This does not include the GM company. By law, dealers have to report some aspects of their sales to GM, for example for insurance warranty work or recall notices.

    Bound to the Rule: Even if, right after a customer agrees to finance the purchase of a car, the dealership immediately assigns the contract to a third-party lender, the dealer is still bound by the Privacy Rule. In this instance there is a document called a "Privacy Notice" that the dealer must give to the purchaser.

    Required Statement of Dealership Safeguarding Information: Dealerships must have a statement of how they safeguard personal information. The FTC has even offered the following "model" language for privacy notices. "We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your nonpublic personal information."

  2. The Safeguards Rule

    The Safeguards Rule is intended to protect the financial institution's customers from identity theft and other harm by requiring financial institutions to assess their data and information and protect it from misappropriation, alteration, tampering, etc. Compliance with the Safeguards Rule is mandatory as of May 23, 2003.

    Who is covered under the Safeguards Rule? Dealers are specifically identified as financial institutions. A financial institution is any dealer who is "significantly engaged in financing activities."

    What information is covered? Physical, paper, and electronic information handled or viewed by anyone at the dealership or its affiliates must be protected by proper safeguards to ensure that customer personal information is safe.

    This includes:
    • Information contained in a customer's credit report or credit application
    • Account numbers
    • Bank account numbers
    • Social security numbers
    • Any other information the dealer receives from other financial institutions

    *Important note: This does not apply to information related to insurance (covered in another law) and also does not cover potential finance or lease information, only the actual financing agreement itself.

    Requirements: A Comprehensive, Written Information Program. By law the Safeguards Rule of the GLB Act requires dealers to implement and maintain a written security program. It also requires that you ensure your affiliates (i.e. vendor or partner companies handling sensitive data) maintain appropriate information safeguards as well. The written program must outline the dealer's physical, administrative, and technical policies as they apply to safeguarding customer information. The objectives of this documentation must be to ensure confidentiality of customer information, protect that information against threats, and guard against unauthorized access to that personal information. There are five elements to this Security Program:

    1. Designate an employee as program coordinator for your information security program. This person must be an employee of the dealership. The program coordinator is in charge of assessment, implementation, and updates to the physical and electronic security of the dealership, and of managing security policies, procedures, and FTC-required paperwork.
    2. Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. This identification should be done by the program coordinator through a process of risk assessment. Under the Safeguards Rule, risk assessment is not an option; it is the law. Foreseeable risks include:
      • Attacks by Internet hackers or grey ware applications. As shown in section 4, this happens hundreds of times per day and is a very serious, foreseeable risk.
      • Viruses downloaded by employees inadvertently. GMDIT data shows that on average one or two email viruses are sent to a dealership every day.
      • Compromises of physical security. Open PCs with no password protection, or shared "common" passwords, pose a great risk to customer information.
    3. You must design and implement customer safeguards to control the risks you identify through risk assessment. To protect against outside threats, the dealership must take "reasonable measures" to implement a system for intrusion detection.
      • For electronic data, this is an up-to-date security device that continually monitors threats through an intrusion detection system (IDS) and other mechanisms.
      • To control the risks from within the dealership, every dealership should at least protect each PC with anti-virus software and unique passwords. GMDIT recommends a corporate anti-virus solution because it is designed to protect the entire network from viruses, as opposed to just the individual PC. The recommended approach to password protection is to limit the data each user has permission to see, so that customer information can only be viewed on a "need to know" basis.
      • Reporting on the activity of data going into and out of the dealership is a key element of monitoring, detecting and responding to threats. Only timely reports specific to the dealership give the program coordinator a true sense of the threats the dealership's electronic data faces. Customized reporting is the only way to monitor the security program and its effectiveness.
    4. You must oversee service providers by taking reasonable steps to select and retain service providers that are capable of protecting the dealer's customer information. You must safeguard customers' information by requiring these providers, by contract, to implement and maintain such safeguards.
    5. You must evaluate, adjust, and re-evaluate your information security program.
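As an added illustration (not GMDIT's product or code), the following Python script applies the attack definition from Section 1, inbound traffic that no application inside the network invited, to constructed gateway flow records, and produces the kind of dealership-specific summary that item 3 above calls for. The log format, the addresses, and the 30-minute session timeout are assumptions made for this example.

```python
"""Count "attacks" as the page defines them: inbound traffic that no inside
application invited.  Added example; the flow format and timeout are assumed."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of gateway flow records (one per line).
# Fields: timestamp  direction(out/in)  protocol  src_ip src_port  dst_ip dst_port
SAMPLE_FLOWS = """\
2016-03-01T08:00:01 out tcp 192.0.2.10 51234 198.51.100.5 80
2016-03-01T08:00:02 in  tcp 198.51.100.5 80 192.0.2.10 51234
2016-03-01T08:00:05 in  tcp 203.0.113.7 44321 192.0.2.10 445
2016-03-01T08:01:10 out udp 192.0.2.10 53011 198.51.100.53 53
2016-03-01T08:01:10 in  udp 198.51.100.53 53 192.0.2.10 53011
2016-03-01T08:02:00 in  tcp 203.0.113.7 44322 192.0.2.11 3389
2016-03-01T08:02:01 in  tcp 203.0.113.7 44323 192.0.2.12 22
2016-03-01T09:30:00 in  tcp 198.51.100.5 80 192.0.2.10 51234
"""

# Assumed idle timeout after which an earlier outbound session no longer
# "invites" replies; a late packet on the same tuple is treated as uninvited.
SESSION_TIMEOUT = timedelta(minutes=30)


def parse_flow(line):
    """Split one flow record into a dict with typed fields."""
    ts, direction, proto, sip, sport, dip, dport = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "dir": direction,
        "proto": proto,
        "src": (sip, int(sport)),
        "dst": (dip, int(dport)),
    }


def classify_flows(lines, timeout=SESSION_TIMEOUT):
    """Return (invited, uninvited) inbound flows.

    A minimal state table records every outbound connection tuple; an inbound
    flow is "invited" only if it is the reverse of a recent outbound tuple.
    Everything else counts as an attack under the page's definition.
    """
    state = {}          # (proto, inside_endpoint, outside_endpoint) -> last seen
    invited, uninvited = [], []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dir"] == "out":
            state[(flow["proto"], flow["src"], flow["dst"])] = flow["ts"]
            continue
        key = (flow["proto"], flow["dst"], flow["src"])   # reverse of outbound
        last_seen = state.get(key)
        if last_seen is not None and flow["ts"] - last_seen <= timeout:
            state[key] = flow["ts"]                         # refresh the session
            invited.append(flow)
        else:
            uninvited.append(flow)
    return invited, uninvited


def summarize(uninvited):
    """Build the dealership-specific report: totals, targeted ports, sources, days."""
    return {
        "total": len(uninvited),
        "top_ports": Counter(f["dst"][1] for f in uninvited).most_common(3),
        "top_sources": Counter(f["src"][0] for f in uninvited).most_common(3),
        "per_day": dict(Counter(f["ts"].date().isoformat() for f in uninvited)),
    }


def run_sample():
    """Classify the constructed sample and return its summary."""
    _, uninvited = classify_flows(SAMPLE_FLOWS.splitlines())
    return summarize(uninvited)


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(f"{name}: {value}")
```

The last sample record shows the edge case a simple port-based allow list would miss: it looks like a reply to an earlier web request, but it arrives well after that session went idle, so the state table no longer vouches for it and it is reported as uninvited.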

  3. Compliance Standards

    The FTC has tried to make the standards as flexible as possible with respect to the dealer's size and the complexity of its information systems. As a reference for information systems, the FTC uses the National Institute of Standards and Technology (NIST) when enforcing compliance among government and financial institutions. The current NIST standards for protection of electronic data include not only a firewall, but a firewall that can detect, and respond to, intrusions into the network.

    "Continually monitoring threats through intrusion detection system (IDS) and other mechanisms is essential" (Executive Summary, NIST SP 800-61, Computer Security Incident Handling Guide, page ES-1)

  4. Penalties

    Fines and penalties enforced by the FTC for not complying with NIST regulations can vary from bi-annual audits over 10 years to $11,000 per day that the dealership is out of compliance. Even more importantly, the dealership is liable for any personal information inappropriately used in a harmful manner (identity theft). Lawsuits have been filed against dealerships whose customer information has gotten into the wrong hands. These lawsuits have been filed for in excess of $15 million.

SECTION 3: CONCLUSIONS AND RECOMMENDATIONS

As more and more dealers adopt broadband technologies, and as the GM company opens more conduits to the dealer LAN, the risk increases not only for the dealer's business but for GM as well. This priority on security should be reflected by making it more prominent in dealer communications and policy.

General Motors has data specific to GM dealers that shows that the average dealer is attacked between four and eleven thousand times per month. If one of these attacks or viruses succeeds in compromising customer information, the dealership is legally liable and is in breach of the FTC rule. The cost of properly securing the dealership is minimal compared to the consequences of a compromise of the electronic network.

"For those of you with sophisticated computer systems and information management tools (e.g. DMS, F&I, CRM and business partners who host call centers and websites), it is likely you will need to turn to outside help in order to accomplish the tasks required of you under the Safeguards Rule. Even if your systems are not state of the art, you will probably need some outside assistance to help you determine the potential risks to your Customer information and the appropriate fixes. In most, if not all, cases you will need to revisit your budget to ensure that adequate funds will be available to meet your compliance obligations on an ongoing basis."
~ A Dealer Guide to Safeguarding Customer Information (published by the National Automobile Dealers Association, ©2003)

Given that every dealership must be secure, that typical software firewalls and basic routers with firewall capabilities may not be sufficient, and that most dealers do not have the technical resources "in house" to address these issues, it is important that GM construct a strategy for dealers to follow.

DEALERS NEED TO: Adopt a Multi-Layer Security Strategy:

  • Layer 1 - A dedicated, private Internet connection. A dedicated Internet connection such as a T1 service will reduce the number of unwanted attacks by about half.
  • Layer 2 - Securing the LAN with a reliable firewall capable of handling today's "Blended Threats". A firewall that analyzes data in real time and monitors all traffic coming in and out of the dealership's Internet connection will help protect sensitive data. Intrusion methods change with technology. Dealership firewalls must be able to identify the traffic going through the firewall and determine whether this data is wanted, safe, and secure enough to deliver to the end user. Moreover, a managed firewall with timely updates will keep the dealership current with the newest technologies and threats.
  • Layer 3 - Securing the LAN through a repeating process of monitoring and adjusting. A security program is only as good as the party that monitors the attacks and adjusts the security policy appropriately. Without this continual process of monitoring and adjusting, a dealership will fall further and further behind, putting itself at high risk.
  • Layer 4 - Securing PCs with reliable anti-virus/spyware protection. Security starts from within the dealership. Since a network will be compromised at its weakest link, each PC must have up-to-date anti-virus protection. A corporate anti-virus solution is the best fit for dealerships of all sizes. Many of today's corporate anti-virus solutions also include spyware and key logger protection.
  • Layer 5 - Employee monitoring and education. Many theft occurrences start from the inside out. Usually this can be prevented by properly educating employees on ways in which they can help protect the company's privacy and their customers' privacy. Examples include social engineering, proper passwords and storage of passwords, remembering to log out or lock their workstation when they leave, etc.
While no dealership can be "completely" safe, securing each layer of the dealership is the best way to reduce its risk from threats within and outside the dealership and to mitigate liability for acts committed by attackers. Turning to experts in security, technology, and dealership infrastructure is the best way to make sure the dealership is better protected.

SECTION 4: THE GMDIT SECURITY SOLUTION

GMDIT has developed a product line that is the most accurate, cost-effective, and best-adapted security solution for the automotive industry. We have tailored our security offerings to dealership networks, operations, and FTC regulations. The FTC requires active intrusion detection, risk assessment, a security policy, and a good portion of paperwork. GMDIT has developed an easy way to accomplish all these goals while keeping your employees selling cars. This multi-layered approach to customer security embodies the FTC's definition of taking "reasonable measures to safeguard customer information."

  Terms of Use © 2016 General Motors Company. All Rights Reserved.