Dealer Tech Tuesdays

S01E02 - Cybersecuring Your Dealership - How to Protect Against Ransomware, Phishing & Social Engineering

August 02, 2021 John Acosta Season 1 Episode 2

Dealer Tech Tuesday is a podcast and Clubhouse room on the Automotive Innovations Club. It airs at 2pm EST every Tuesday. It is a discussion and Q&A for anyone in the automotive space. VTech Dealer IT hosts the show, bringing in experts in their respective fields.

This week's guest is Steve Arcoleo, who works for Skout Security. In this episode we go over the growing problem of ransomware attacks and other hacks that can cripple any business. Tune in and find out how to better secure your IT infrastructure to prevent this from happening to you.

Song: For Today by Jaialai 

Visit us at: https://www.vtechdealerit.com/247-it-support/

Your Auto Dealership IT Experts: Providing SERVICE, SAVINGS, AND SECURITY to Auto Dealers!

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.


Speaker 1:

Oh my God. Did they say the extent of it?

Speaker 2:

Yeah, I mean they literally got into it. And again, that's a separate system from Cox Automotive, because, remember, it's sold. Yeah, it's a media version.

Speaker 3:

It's a media site.

Speaker 2:

Yeah, but plus it's been sold, but they're completely shut down for two to three weeks now. It's a real shit show.

Speaker 1:

Wow, that's terrible.

Speaker 2:

Probably couldn't have happened to nicer people.

Speaker 1:

Yeah, that's absolutely terrible. Unfortunately, those guys don't discriminate, right?

Speaker 2:

No, it's just a business model to them. Yeah, they don't. That's what they've said. So, um, that's pretty present on my mind, with what they're going through right here in Atlanta. Man, that's terrible. Uh, now it did leak, so you can Google CMG ransom and you'll get it. I think CNN had it, so did somebody else.

Speaker 1:

Yeah, I'm looking it up now. "CMG streams remain offline for fifth day in apparent ransomware attack", looks like.

Speaker 4:

I mean we got hit here at the dealership, I want to say maybe a year or two ago right before the pandemic.

Speaker 1:

Wow, Gray, how bad was it for the dealership?

Speaker 3:

We were locked out pretty deep but we have an IT guy in-house. He was able to get in there and do some of the wizardry stuff that you guys do and get around it and reopen up our system.

Speaker 1:

That's good. Yeah, backups are king, right?

Speaker 4:

Yeah, that's exactly it, I mean it probably does, and he kind of sits around waiting for shit like that to happen.

Speaker 3:

But yeah, they wanted... I can't remember what the ransom was, it was like a million dollars or something. It was ridiculous.

Speaker 1:

No, that's terrible.

Speaker 4:

Yeah, if you know. And then, I guess a little bit later, they hit one of our Acura stores. But we're usually pretty quiet about it. Just take care of her.

Speaker 2:

You don't want it to get out, because the public says, well, wait a minute. They got 30,000 people in their database and now all my shit's been exposed.

Speaker 4:

Yeah, exactly, Kevin.

Speaker 1:

So if you guys know of anybody that would probably benefit from this conversation, if you can ping them into the room. I'm trying to ping people in so we can get a crowd going. I know a lot of people are in Napa doing the driving sales. You might get some stragglers in. I am driving in a rainstorm. Oh wow, it's called the South.

Speaker 2:

In the summer, about 2 o'clock every afternoon, that's how Miami is. I'm in Clearwater, 50%. It's just as bad.

Speaker 1:

Yeah, especially all the humidity down here. It gets it.

Speaker 2:

It gets it pretty bad. Speaking of South Florida, then you're familiar with, uh, the Bremen attack, right? Yeah, absolutely.

Speaker 1:

I was well aware of it, um, kind of at the genesis of it. So always, you know, thinking about those guys; we know their IT director really well. It's always just a difficult situation to be in, whether you're super prepared for it or not. It's just a terrible situation, it's like a natural disaster, okay.

Speaker 2:

Yeah, I've got a group in my 20 group. It cost them about $6 million to get out of it.

Speaker 1:

Wow, that's terrible. That is terrible. All right, so I think people are starting to drag in, to come in a little bit. Yeah, today's conversation is pretty exciting. We've got some experts up here from the Skout Secure Intelligence team that are experts in the cybersecurity world. So I think they've got some pretty cool war stories on attacks that have happened and how to protect the dealership. So we'll be talking a little bit about that today and we'll get kicked off. So welcome everybody to Dealer Tech Tuesdays, where we talk about everything related to dealership technology: the good, the bad and the ugly.

Speaker 1:

Today we're going to be having a conversation with Skout Secure Intelligence. They are a cybersecurity company that we've partnered with for the past five years. At this point they're exclusive providers in the dealership space. Our philosophy at the company is that we let the experts do their thing and really leverage our partnerships, and let them really be our eyes and ears as far as network monitoring and security goes. If we have something that even seems suspicious, we reach out to these guys and they help us out. So I figured, for the Dealer Tech Tuesdays talk, with everything going on with the ransomware attacks, the Colonial Pipeline and the big events that have been happening lately, Kaseya, VTech wanted to jump in and have some conversations. So I think we'd start off with Steve and John introducing themselves to the team. Steve, if you can talk about yourself a little bit and talk about, you know, your background and your role at Skout.

Speaker 2:

Sure, I'd be happy to. Thank you, John, and thanks everyone for hopping on today's call. Looking forward to our conversation today. So, as John had mentioned, he's been with Skout for five years and I've been with Skout a little over five years, so John and I actually started with Skout pretty much together, and really my job is to work with organizations like VTech to provide cybersecurity solutions for small and medium-sized businesses. You know, in my role here at Skout, I not only help our partners deliver cybersecurity solutions, but I also advise them on cybersecurity best practices and different ideas that we've seen across the cyber landscape that could help protect your business. So that's pretty much what I do here at Skout.

Speaker 1:

Thanks, Steve, appreciate it. So, Steve, can you tell us a little bit about the background of Skout, and how did you guys get into the cybersecurity business?

Speaker 2:

Sure. So we've actually been helping small and medium-sized businesses manage their cybersecurity risk for going on eight years. So, you know, one of the ways we do that is to, as John had mentioned, provide advice and best practices, but we also provide a wide array of cybersecurity products as a service. So for most small businesses and medium-sized businesses, like an auto dealership, it's not realistic for them to plunk down a ton of cash on a cybersecurity solution. So what we do is we make it a manageable event for an auto dealership where, for a small monthly fee, we can layer in various degrees of protection to keep your data secure.

Speaker 2:

You know, and in terms of, you know, what we're seeing across the cyber landscape, you know, Kevin, you kind of hit the nail on the head there. You know, we're seeing a lot more activity and, unfortunately, hackers have actually become emboldened over the last 12 months. You know, they see the success that other hackers are having and they're also emboldened by the fact that there's really no consequence to hacking a client. I mean, we don't see anyone brought to justice. Now, we heard about the clawback of $4 million from Colonial Pipeline, but other than that it's pretty much a crime with no consequences. So that's been emboldening the recent attacks we've seen, and when you put it all together, it then is compounded because there's a tremendous shortage of cybersecurity talent. You know, we're talking about people with fingers on keyboard, experience working on sophisticated hacks, and there's just not enough of them out there, John. So that's kind of where you come in.

Speaker 1:

Yeah, I mean, that's kind of the... you guys, for us, are the warm and fuzzy blanket. We're kind of dealing with the day-to-day technology issues and getting dealerships to operate a little bit more efficiently.

Speaker 1:

And then you guys come in, and when it's 4 o'clock in the morning and you see some crazy activity happening, you guys give us a call. We shut down the ports, you know, do kind of the remediation that we have to do at the dealership. And I'll tell you what, having you guys keep an eye on our network and our infrastructure helps me sleep at night. Literally helps me sleep at night, that I have some guys that are as invested in our success as we are, to be able to make sure that our customers are protected. So, you know, that's huge. So I wanted to transfer a little bit to John Danino. John, you know, I know that you're more on the, you know, kind of hands-on side of Skout, and I wanted to see if you could give us a little bit of background about yourself and what you've been seeing in the landscape with cybersecurity.

Speaker 3:

Yeah, absolutely. Thanks, John Acosta. Hey everyone, I'm really excited to be here. My name is John Danino. With Skout, I am a sales engineer. Before Skout, I've done really a myriad of things. I've dealt a lot with cybersecurity frameworks, so all the big-name ones: NIST 800-53, ISO 27001, CMMC, you name it. Also did a lot with cloud security, so big into AWS security, to be more specific, and SIEM technologies. So I have a large background in working with various different types of SIEMs, or security information and event management tools.

Speaker 3:

A lot of this stuff sounds sophisticated, and you know a lot of this stuff is funded, you know, at an advanced persistent threat level, you know, nation states funding this, but the techniques that they're using, the attacks that they're carrying out, are really not that sophisticated. Of course, we're all hearing about ransomware right now, but the way these ransomware attacks happen, or how they're executed, is really through the same tried and true methods, right? A phishing email with a malicious file, right? That's how a lot of this stuff starts. So, yeah, and really the preventative measures, it's not something big and expensive and complicated, it's really just the basics. To really be quite honest with you, many people don't have the basic protection in place to stop these kinds of threats.

Speaker 1:

And John, just for kind of the uninitiated, or hopefully, you know, somebody that hasn't run into this type of issue before at their business: what's a ransomware attack? Like, let's break it down. Let's assume nobody knows what that is, and let's talk about kind of the mechanics, a little bit of the basic definition of what a ransomware attack is.

Speaker 3:

Yeah, right, so a ransomware attack is a piece... it's a type of malware that's going to lock up your files and demand a ransom to unlock those files. Right? Um, if you want, we can kind of walk through the six stages of how an attack like this happens. Would that sound interesting?

Speaker 1:

Yeah, that would be brilliant.

Speaker 3:

Awesome, yeah. So typically there's, you know, typically six stages when it comes to ransomware, right? The first one is a campaign, the campaign step. So how is the attacker going to exploit the environment? There's many methods, but the popular one that we hear about is ransomware via an email, right? So, you know, according to one of the Verizon data breach investigations, 94% of malware is delivered via email, right? So that's kind of the first layer, right, protecting that inbox, because a lot of these attacks, a lot of these ransomware attacks or malware in general, are happening via email. It's the easiest way, and the goal is to trick the email recipient into downloading that malware.

Speaker 3:

And users are the weakest link when it comes to cybersecurity, and the attackers know this, and that's why they're using it. Right, technology is getting good, firewalls are getting good, so why go through and try and defeat those great pieces of technology when you can just shoot off a spear phishing email to the secretary, they click the link and that's it, right? So that's the first step. After that you have the installation and infection stage. So this is where the malware is executed, and it doesn't necessarily mean that the data is encrypted yet, right? Some variations of the malware won't even encrypt right away. They'll kind of sit on the system, right, and the reason they do this is they don't want to tip anyone off yet, because they want to infect as many machines as possible.

Speaker 1:

So, John, just to kind of clarify a little bit. So this is: I receive a relatively inconspicuous email, right? So, your UPS delivery has arrived. I click on the link. Maybe it goes to a 404, you know, webpage not found. I close up the website, keep on with my day, and I've, in the background, downloaded the malware package, and it's already starting to sniff through my network and start looking at something. Is that correct?

Speaker 3:

Yeah, exactly right. I mean, there's many different types of email-based attacks, right. But it could be a general phishing email that they spam out to everybody, or it could be more targeted, right, if anyone's familiar with spear phishing. That's when they do a lot of research on, let's say, the secretary or the CEO, and they target an email specifically to that person, and that's popular because you have a higher chance of it being clicked, right. A lot of us are starting to wise up to, you know, what to look for. If it's general, if it says "Hi employee", you know, maybe someone's not going to click on that because it's general. People know that. But if you do your research on somebody, get their name, their title, what they do, and really figure out who they are, you can craft that spear phishing email to really get a high click rate on there.

Speaker 1:

Yeah, and these guys are professionals, right? It's not like it's a couple of guys in a basement somewhere. You know, these are well-trained, professional, highly technical guys that have gone through technical training and are now using their spare time to develop these programs. Right, it's not your run-of-the-mill kind of unsophisticated criminal gang. This is a relatively sophisticated operation, right?

Speaker 3:

Yeah, I mean, to be completely honest with you, there's a mix, right. Of course you're going to have your, what we call, script kiddies, or people that don't necessarily know how to craft malware, but they'll go online and they'll pull malware that's already been created and then ship that off. But then you have, like I mentioned before, those APTs, or those advanced persistent threats, and, you know, those are funded by nation states, right? So they have an unlimited amount of resources, an unlimited amount of capital to carry out these types of attacks. So I would say a little bit of both.

Speaker 2:

And John, you'd be surprised at how little federal and state governments do to prevent this from happening. So I'll give you a quick example. It's not against the law to write malware. There's no civil or government penalties to write that stuff. It's also not against the law to sell malware. So, you know, there's really a cottage industry on the dark web of hackers who have the skill to write these scripts and this malware, and they're allowed to sell it with impunity. It's not against the law to sell malware. When it becomes illegal is when someone takes that malware and executes it against a company. Then it becomes a prosecutable offense. But the fact that there's nothing in place to prevent someone from writing malware or someone from selling it just shows you how little state and local government and federal agencies have done to protect the average business.

Speaker 1:

And we were having a conversation with a cybersecurity friend of the company's, and, you know, we were talking about... they even have a support infrastructure for companies that are executing these ransomware attacks, right. So they almost have like a help desk for the bad guys, right? If you're wondering how mature this market already is, it almost has ancillary businesses around it already that provide support, training, infrastructure, platforms to support malicious actors out there in the wild to do business, and that's what this is at the end of the day, right.

Speaker 3:

Right, exactly. And then, you know, continuing this, right. So we've gone through that campaign stage. We've gone through that installation phase. That's when we move on to the staging aspect, right? So at this point, you know, the ransomware is on the system and it's going to begin communicating with a command and control server, right? So this is where the attacker is sending commands to that unique key, and you need that key to, you know, go ahead and unlock the files once they get encrypted. Once you get past that stage, right, there's the scanning phase. So this is where it starts to take a little bit more action. So this is where the ransomware is going to be scanning the compromised host to find those files, and it starts with the local files and then looks for files on file shares and cloud storage.

Speaker 3:

Now, that's an important topic, and I would love to have a conversation about this, because I hear a lot: oh, we have backups in place, right? Everyone says, you know, I'm safe from ransomware, I have backups in place. But while that's true, while backups are absolutely necessary, you know, ransomware doesn't discriminate. It's going to look, it's smart enough to look for things that are in cloud storage, right? Or a lot of people, or a lot of organizations, I should say, have backups, but there's one key point that they miss: they don't isolate those backups. This ransomware knows to look for those backups. If they're connected, if those backups are on the same network, the ransomware is going to find it. And now your backups are encrypted. So now they're useless at this point. So just because you're in the cloud, just because you have backups, you have to do it properly, and it's not always foolproof.

Speaker 1:

Yeah, if a backup takes... if the ransomware has been in the environment long enough and you back up a file that's already been encrypted, and you have a very simple and pretty straightforward backup solution, there's not much mitigation there, right?

Speaker 3:

Right, right, and that brings us to the next phase, which is the encryption. So, and this is going to expand a little bit more on what we're talking about here. So after the data is inventoried, right, we just came from the scanning phase, so after we inventory, the encryption process begins, right. So the local files are encrypted first, and then network files happen after that. So the encryption of the network files works by basically downloading a copy locally, and then it encrypts that and then it uploads it back to the drive, replacing the original document. So that's how something like this would work.

Speaker 1:

Yeah, that's terrifying.

Speaker 3:

Right, exactly. So, again, backups are very important when it comes to, kind of, not defending yourself, but, you know, having that postmortem, right, that cleanup of a ransomware attack. But it has to be done right: those backups have to be, you know, segregated on a different network, different service. And even so, right, even if you do have backups, we're seeing a lot of ransomware and the attackers don't even care, right, they're going to take your proprietary information and use that against you. So, yeah, you can go ahead and restore from your backups, but they have all your secrets now, they have all your proprietary data, right, your personal information, and they'll hold that as the ransom and say, you may have the backups, but if you don't pay us, we're going to release this. Right. You know, we've seen that with one of the game developer hacks that happened. Right, they had a whole bunch of, you know, trade secrets or proprietary information, and the attackers said we're going to release that to your competitors, right, even though they had backups. So it's not foolproof.

Speaker 2:

Definitely. So, John, I think it'd be interesting for the listeners to understand how fast this actually happens. So earlier, Kevin, before the call started... you know, an auto dealership could have 30,000 records on file. How long does it take for this ransomware to lock up and encrypt that number of files?

Speaker 3:

It really depends, right? As we talked about in the earlier stages, sometimes the ransomware is going to sit there, it's going to try and get itself on as many systems as possible, but once it starts going, you know, it can be, again, depending on the number of files, minutes to hours, right. But it just all depends on the type of ransomware that's being executed.

Speaker 2:

Yeah, so again, it's important to realize we're talking about something that could actually happen within one business day. You can have your entire system locked up, I guess.

Speaker 3:

All right, and then that's when we move on... Yeah, go ahead, John.

Speaker 1:

No, what I was going to say is that the fear is that we've gotten more reliant on technology and more attack vectors have kind of opened, right, rather than it getting more consolidated. People are working from home now, and the pandemic has opened many avenues where these guys can jump in from, right.

Speaker 3:

Yeah, yeah, absolutely. Like, this is such an interesting topic, right, because for years before this whole pandemic, organizations were starting to put a lot of... it wasn't, quote unquote, needed, right, it was a nice-to-have. But as these threats have been getting more and more sophisticated and causing more harm, right, like fucking up all your files, and the only way to get them back is to pay the ransom. And if you don't have the ransom, now you've got to close up shop. Um, that, you know, it's sad because these are people's livelihoods, right? Um, and then it's really...

Speaker 3:

It really just comes down to a layered approach. You have to establish what you want to protect, right, before going into, you know, how do we defend ourselves against this? Establishing what you need to protect, that's having an inventory of your systems, right. So I talked about how I had a background in a lot of cybersecurity frameworks. So almost across all these different frameworks is the requirement to have some sort of inventory of what you have. You have to know what you have in order to protect it. So you've got to pick a framework, right? Look into some of these frameworks: NIST 800-53, ISO 27001. Start there. That's a good starting point to give you a solid baseline of what you need to do.

Speaker 1:

So, John, with that point, what I want to do today, and I think it's going to be important for dealers, and anybody who doesn't know what multi-factor authentication is: once you log into a system, you set up another way. You put in your username and your password, and then you set up an alternate way that you verify that you're that person. That might be a text message, that might be an authenticator app, that might be an email to your inbox with a code. Doing that provides an extra layer of attention, or security, for your login process. I think, if you don't have multi-factor authentication enabled on your work environment now, do it in as many systems as possible, right, and as soon as possible. John, can I go back?

Speaker 4:

Yeah, of course, Tom. Hi everybody, I'm Tom Klein, at Better Advantage Point. I'm a risk mitigation consultant, and I think, before we start talking, and I think two-factor authentication is great, when was the last time the general manager walked around to take a look at whether everybody had their password written on their blotter on their desk? Some very basic things, that's one. Second thing is using three apps like 1Password that is encrypted. So you have an encrypted password that you have to remember, and then you put in all your other passwords there. And I'm sure Steve and John can speak more to that, and that's not my area of expertise, but, you know, two-factor authentication is great, but you have to start with some really basic things. Yeah, absolutely.

Speaker 4:

And as we get further into this conversation, we can talk about data breach response plans and cyber insurance, when you're ready to, John, at your discretion.

Speaker 1:

Tom, those are great points. I mean, it almost goes into, like, normal personally identifiable information hygiene. It's like, you can't imagine how many times my team has gone to either install or repair a printer and somebody's driver's license is still there, or copies of driver's licenses are still there. Or you walk up to somebody's computer and all their passwords are on this... Oh yeah, you know your password? Yep, it's right here on this sticky note that coffee's been spilt on, and it's crumpled up, and it's just sitting there right in front of the computer. Like, no, you have to make sure that you put that in a safe place. We can't do this. Um. So, you know, it's a very good point that, at the end of the day, the user is the biggest vulnerability. You know, what we talk about in the cybersecurity world a lot is that you could have ADT, a Doberman, um, you could have SEAL Team Six protecting your house, you could have a moat, and if you open the door to the guy dressed in FedEx and you give him the keys to your house, there's no way that anybody can protect you. So the user is really the biggest point. And that goes to my next point, which is information assurance training, right, is to always be training, constantly and constantly. Have it be part of your day to day. I, fortunately, was trained by the US government to be aware of that. It's part of when I was in the military. I was in the Air Force and I was part of the nuke world. So it was always trust but verify. And the same theme goes into the cybersecurity world. It's always trust but verify. Verify that you are who you are. You can't imagine how many times we've gone to a dealership. It's like, oh, we're the IT guy, and you just walk into the IT room, to the most critical system that that dealership's operating on, and nobody asks us for credentials or to call into our main office to ask for the information. We say, hey, please call our main office and verify that we're who we are. That guy might be dressed as an air conditioning repairman and is walking into the IT room and plugging a USB into the main server, and you're in trouble. Um.

Speaker 1:

So just keeping general security housekeeping is a very, very important step, and the other piece is email protection that is looking for spam and looking for spoofing, because a lot of these guys are... You know, if I work at Kevin's dealership and I'm spoofing that I'm Kevin, I might reach out to his assistant and say, hey, buy me some gift cards. Apple gift cards, that's one that we see a lot. Buy me six Apple gift cards, I want to make a surprise gift for the team and I want to make sure that nobody knows about it. Can you run out and buy $4,000 worth of Apple gift cards and then scratch the numbers off and send them to me? That happens on a regular basis. Imagine if that was a malicious actor that was trying to download something on your network. But I digress, John. What else can we do as far as cyber hygiene, kind of some quick tips that we can do now for making sure that our dealerships are secure?

Speaker 3:

So, yeah, I have three. So before I jump into the three, I love this conversation because, uh, two-factor is a favorite topic of mine. So to expand on that before I jump into the other ones, um, you know, absolutely right. So someone has their password written down. We talked about two things, passwords being written down, right. Well, two-factor is going to kind of mitigate a little bit of that risk, right. Of course we don't want people writing down their passwords on a sticky note, but if they did, which they're not supposed to, but if they did, two-factor is going to be that method. So if someone swipes that post-it note with the email and password, well, they don't have the two-factor authentication code, right. So that's kind of that layered approach there, and that kind of mitigates that.

Speaker 3:

But not all 2FA or MFA is created equal. We have to remember that, right? Now, of course, anything is better than nothing. But you really want to stray away from SMS or text message based two-factor authentication, because it's the easiest 2FA to get around, right? So we just saw, I don't know if you guys saw this, but, um, Mint Mobile got hacked, right, and they were able to port numbers over. Um, go ahead and Google SIM swapping, right.

Speaker 3:

This stuff happens. I'm an attacker, I go and I get your number and your social security number and your basic information, right, that's out there, and I could port your number over to a SIM card that I have and put it in my phone. And now, if I have your username and password, which I can get from a data breach, now I have your text message 2FA code. So, again, better than nothing. But, you know, choosing more of an app-based, right, like Google Authenticator, or a hardware token based 2FA system is, you know, better than SMS. But, you know, just a tip there on that one.

Speaker 3:

But getting into really the three that I have, right. So there's a reason I walked everyone through the six stages of how this ransomware attack happens, right, because the first protection is email, right. Again, how did this happen? We talked about that when we covered the campaign and the installation, right. It's usually crafted via an email, so you have to have something that's going to be filtering that email, looking for those spear phishing attacks, scanning those attachments, right. The second one is endpoint protection, if something does get through email, and nothing is 100%. If anyone tells you they can protect you, spin them around and send them out the door because they are lying to you.

Speaker 1:

Yeah, absolutely right, exactly.

Speaker 3:

And then that endpoint protection right, in case it does get through, you have something that's going to block scripts. That's how a lot of this ransomware starts up, via script or a malicious executable. And then the third piece is network monitoring, so seeing if that ransomware opened up Remember, the ransomware opens up a command and control connection, a CNC connection, right. So a network monitoring solution that is looking for that command and control communication, right. So to wrap it up, it's email protection, endpoint protection and network monitoring, right, and kind of the basics with all this.

Speaker 1:

John, just to kind of elaborate on what network monitoring means to me as a guy that runs an IT company.

Speaker 1:

That's the call that I get at 4 o'clock in the morning on a Sunday that says, hey, we see some activity going to insert Eastern bloc country here and it's a known command and control server. We need to do something about this. And my team engages, blocks that off, mitigates, does an investigation of where that was coming from, where it could potentially be compromised, and we're safe and secure. And that's really what that means to me, is that I'm sitting, you know, kind of running my business, making sure that dealerships can sell and service cars in an effective way, and I have you guys protecting us, looking at that perimeter and saying, hey, if this happens, this is what you're going to do, this is how you're going to do it. Wake you up, knock, knock. Hey, sir, we need to talk to you and we need to take some action. So you can't imagine how valuable that is to me and to my customer base, because I have that warm and fuzzy feeling that I know that somebody has my back.

Speaker 3:

Exactly, yep, someone. Again, talent, we hear about this all the time, the skills gap, right. You need someone who, you know, who has trained personnel. They're hard to find, right. There's money being thrown at cybersecurity professionals because the skills, the knowledge, is in demand, right. And the tools, right. You want to be partnered with somebody who, on the network monitoring side or really anything, has a great SIEM tool and who is feeding that SIEM tool great threat intelligence, the up-to-date threat intelligence of those command and control servers, IPs and domains, right. So that way, if a packet does come through, we're able to match that up with that specific intrusion detection system alert, or that threat intelligence that we're feeding the system. Absolutely.

Speaker 1:

And guys, just to kind of clarify something a little bit, is that you know, if you put so, if everybody knows what an IP address is, it's like an external IP address is what your internet service provider says. This is your like street address as far as the internet world is concerned. And those IP addresses, all day, every day, at all hours, relentlessly, are getting tested for brute force attacks. And brute force attacks are they just put in normal passwords like admin, admin, admin, one, two, three, four, and they're constantly. These teams create these programs that are just scouring the internet, every single available internet address out there, and are just testing the perimeters for those.

Speaker 1:

So you see, you know, the guys from our cybersecurity team see firewalls getting 5 million hits a month, and then they're just constantly getting tested at a low threat level, like sharks in the dark, right, just kind of bumping into things and biting and seeing if anything is food. And then our team and Skout takes that information, distills it down to some threats that eyeballs are looking at on a screen, and then that's distilled to a couple actionable items that we have to do on the housekeeping side. Or it is that call at four o'clock in the morning saying, hey, hey guys, we need to do something about this, and we take action and remediate immediately. So if anybody's out there telling you, oh no, these systems are safe and secure, it's like they're getting tested all day, every day, at any point, anything that's on the Internet, for just basic password security. So just to put what this looks like in perspective, it's not that it's happening, it's constantly happening. And what is the sophistication of that activity going to be?

Speaker 2:

So one other point on that, John, from a password perspective is, and I'm not going to be popular on this call for saying it, but all dealerships should have a strong password policy, and by that I mean, you know, they shouldn't be allowed to use admin admin one. They need to use a sophisticated, complex password for all their business applications. What you use for your personal, you know, Facebook page, that's your business. But for businesses, you know, you should have your employees use strong passwords, sophisticated, complex passwords. And then you're really not going to like me for this one, but I'll say it anyway: you should change those passwords every 60 days. And really that's the crux of not only not having your employees put Post-it notes on a sticky note posted to their computer screen. You should have a strong password policy in place that changes it out every 60 days, doesn't let you repeat a password for 90 days and again uses a complex series of numbers and letters and symbols for your passwords.

Speaker 3:

And we have, exactly, Steve. And then we have proof of why that's important, right. Why are we always hearing that? Right? It sounds like such a basic, basic thing, but the reason is because attackers are exploiting this. Look at the, of course, I'm pretty sure all of us on here have seen or heard of the JBS ransomware attack that happened. If you look into how that started, it was from a dormant account that the password was reused. That password was found in a data breach, right. So having a strong password, but also a password that is different for every single account and system, because if the breach happens and it gets out on there, it's super easy. You could go and you could pull up a website that had these passwords that were breached, right? It's basically public knowledge. So, really, really big point on there.

Speaker 1:

Yeah, John, I'm glad you bring the kind of the dark web assessments up, because, you know, LinkedIn, Myspace, Ashley Madison, the list goes on and on of companies that have had data breaches, data leaks. And if you, you know, we do this for dealerships all the time. They say, hey, can you check, can you run a dark web breach assessment for us and tell me what kind of information is out there? And you can't imagine how many people log into Ashley Madison. That was a huge leak. You know, as embarrassing as that was, that was a huge data leak.

Speaker 1:

People logging into Ashley Madison with their work account because they didn't want to get their spouse involved. Maybe their spouse monitors their personal account, but logging into Ashley Madison with a work email and then that password is compromised. And in the dealership space, if you're on one of those websites and your password gets compromised, you're set up for blackmail already. Like if you're dealing with social security numbers, you're dealing with personal information, and I'm, as a social engineer or a hacker, if I reach out to one of those guys and all that information is public knowledge. If I reach out to somebody that's key in the dealership and I say, hey, give me two or three social security numbers a month and I won't say anything, it's like, here's the blackmail.

Speaker 1:

Like they already do that with those random emails that say, hey, we've been monitoring your activity on the Internet, and that's just a spray-and-pray method to blackmail people. Imagine if it's a little bit more sophisticated. It's not hard to imagine one or two steps more sophisticated than that. That's, I know who you are in the dealership, I know what you do. I know the information that you handle on a daily basis.

Speaker 3:

Just through social engineering and no hacking whatsoever, I can start getting that information and put the dealership in an extremely compromising position. Yeah, exactly. Like, you know, you brought up LinkedIn, right? There was, you know, a lot of people are calling it, you know, LinkedIn was hacked, but you know what? It wasn't hacked, right, per se. It was through data scraping. So that information is freely out there. And, you know, attackers didn't break into LinkedIn, or, you know, Microsoft owns them now, Microsoft servers, right. All they did was create a script. It scours the Internet, scrapes all the information that's publicly available. And you're exactly right, that's where they start crafting, again, that spear phishing email. They go on your LinkedIn. They find out all the information about you to better craft that spear phishing email that pertains to you.

Speaker 1:

Yeah, the big point of this, guys, is that, you know, I don't want to be the, I guess, the bearer of bad news, so this is the current landscape that we live in. There's some basic stuff that you can do. There's some basic takeaways that you can do. We'll jump into Q&A here in a little bit and kind of answer questions that anybody has, but there's some really basic things that people can do. That's multi-factor authentication. That's have some type of advanced email protection on your email servers. A lot of people have seen the banner where it says be cautious, this email originated from outside of your organization. Be aware of attachments or the sender. Verify the sender. Endpoint protection, advanced endpoint protection.

Speaker 1:

We're not talking about any of the traditional antiviruses. Like, step it up a little bit. Go to the big boys. You know, we're dealing with businesses that handle millions of dollars worth of transactions on a yearly basis. Let's invest a little bit in the antivirus, and then a pretty basic, straightforward cybersecurity training or cybersecurity awareness program.

Speaker 1:

That can be something that is simple as once a year, and then you get tips throughout the year. Throughout the week it says, hey, make sure that you're changing your password on a regular basis just to keep information assurance at top of mind. Talk about it in your meetings. It takes two or three seconds to have a conversation to say, hey, remember, change your passwords. Hey guys, remember there's hackers out there that are trying to trick us on a regular basis. Just fold cybersecurity into your regular language, because cybersecurity is everybody's responsibility, really. With that said, I wanted to kind of transition a little bit into Q&A, if anybody had. You know there's no questions that are too basic, but let's do a little bit of Q&A. Tom, you had something.

Speaker 4:

Yeah, I just was going to say, if it's okay with you, I'll spend a couple of minutes on cyber insurance, absolutely why it's important and some of the pieces and parts on that, and I'll still leave plenty of time for Q&A. So this is Tom Klein. First thing I want to mention is Microsoft this morning announced they bought a cybersecurity firm called RiskIQ out of San Francisco. Even Microsoft, I don't know, John, you'd remember, maybe it was last week or the week before, just had a breach. So I think that's important to note, because it's not a question of if you're going to get hacked, it's a question of when. If Microsoft, who all they do is sell, essentially what they're selling is security in their software, if they can get breached and they're still out buying cybersecurity companies, then we can take precautions to try to keep the amateurs out. And Steve and John may have different opinions about this, but I want to protect your backside and make sure you have cyber insurance so that if you do get hacked, you'll be able to leverage the insurance company to unlock your system.

Speaker 4:

A couple of things that you want to ask companies if you're shopping for cyber insurance is, do they pay for the business interruption loss resulting from security breaches and system failures? Will they pay for forensics and public relations and crisis management expenses? Will they pay for legal expenses? Will they also, separately from that, pay for legal expenses related to regulatory issues? Because often you can get fined. It's not just the breach that's bad. If the regulators find that you didn't have the right systems and didn't practice the prudent man rule, the regulators will then come in and issue penalties, and so it's adding insult to injury there.

Speaker 4:

Will the insurance company pay for extortion losses, data recovery losses, funds transfer fraud, invoice manipulation, telephone fraud? And then a really important one is employee device endorsements. An employee device endorsement means will they cover if the breach starts with an employee on their cell phone, will they cover that breach? Some policies will include that and some policies will exclude that. Also, will they cover reputational losses as a result of an adverse event and computer hardware expenses? These are all things that you really need to look for. Cyber coverage is not expensive relatively. Of course, the price is going up crazily, if that's a word right now, because of all the hacks, but that's just a couple of basics.

Speaker 4:

Actually, one other basic is consider having a data breach response plan so that everyone in the dealership knows who to go to, what their responsibilities are and who's calling the shots. It may be the dealer, it may be the controller, it may be the GM, it could be whoever it is, but make sure that, especially from a public relations perspective, you'll have reporters calling, you'll have customers calling. There needs to be a clear chain of command and everybody needs to understand and have a process for that. So I'm Tom Klein and I'm done talking for now.

Speaker 1:

Thank you, Tom. Those are very good points. You know, it's not really a question of if, it's a question of when that's going to happen. And having a plan, having a clear, delineated set of actions that need to happen, is extremely important. Understanding your cybersecurity policy, what is covered, what is not covered, you know, and where your limits of liability lie, is very important, Tom, and you're an expert in that world and your insight is extremely valuable. So I really appreciate your input. But with that said, does anybody have, you know, I'd like to kind of transition into Q&A and see if anybody had any questions about cybersecurity, general housekeeping, IT, anything of that nature. I'd love to hear your guys' questions.

Speaker 5:

Hey John, it's Kelly. I have a question. Hey Kelly, yeah, shoot, hey love. So my question is and it might be a two-part question so for sales associates or advisors or whoever that happen to have their own personal branding website that may link somehow, or mirror, to the dealership's website, how can that advisor or, you know, consultant ensure that their website is protected as much as humanly possible so that a potential, I guess, hacker, for lack of a better word cannot backdoor into the dealership programs or whatnot through theirs? Does that make sense?

Speaker 1:

Yeah. So it really depends on how that website is set up, right. So if you have a website that you're taking in basic information, like first, last, email and a phone number, that's not an extremely profound amount of personal identifiable information. And if that's basically sending a lead, or like what vehicle you're interested in, basically sending a lead to the dealership through an email, that's pretty straightforward and it's not terribly dangerous.

Speaker 1:

The danger comes in if you have a website that you're managing and you're putting in social security number, the, you know maybe a cosigner social security number, income, you're putting in the person's address, you're putting in you know, really filling out like a, like a credit application on that website.

Speaker 1:

That's where you want to be, that's where you really want to be cautious. And then, if somebody has a website that's connected to the dealer's website and there's an exchange of information there and there's a two-way street going back and forth, you want to make sure that both of those are secure, because that could be a huge point of vulnerability between the outside world and the dealership. So it really depends on what the level of access that website would have and what information is exchanged there, because the devil really lies in the details on this. So, Kelly, if you want to jump into a little bit more of that, you can contact me offline and we can talk about that. I know we don't want to put your business out there, but if you want to tell me, we can have a private conversation and say, hey, this is exactly the information that is exchanged, and I'll tell you kind of where that line lies.

Speaker 5:

Thank you. Will do.

Speaker 1:

All right, thank you, Kelly. Appreciate it. Does anybody have any questions? Comments, concerns, horror stories? Could probably go on and on, right.

Speaker 4:

Lots of horror stories, John, yeah, right, lots of information.

Speaker 1:

Yeah, I'm glad we were able to put this together. This is kind of going to be an ongoing series with, you know, cybersecurity-related, dealer technology-related topics. Next week we're going to be talking about buy-sells in the dealership world. That's going to be a super fun one, because our guest is one of my favorite people in the world, Paul Jensen from the Cavalli Auto Group, and we're going to be talking about the good, the bad, the ugly on buy-sells, how to prepare for them, how to set yourself up for them and some strategies around them, which are really fun, and kind of covering those subjects.

Speaker 1:

Does anybody want to jump in and have some final thoughts or questions for Steve, Jared, John or Tom? All right. So if you guys don't have anything and you want to contact myself or the Skout team directly for some questions, or, I'll speak out of turn here, but Tom for you as well. Tom has a wealth of knowledge in the compliance world. He's a favorite person of mine in the dealership space, so he has a deep, deep and wide well of information on compliance. He's an incredible resource. So, please, I would imagine, Tom, your information is in your bio.

Speaker 4:

Yeah, it's in my profile, but if anybody needs my phone number, I'll give it now. It's 757-434-7656.

Speaker 1:

It's on my website, betteradvantagepointcom, or I'm on LinkedIn at Tom Klein, and the phone number's listed there too. All right, perfect. Yeah, and guys, if you guys have any questions or know anybody that needs cybersecurity consulting, dealership operation consulting on the IT side, let us know and we'll be more than happy to give our expertise and our information. The guys at Skout pride themselves on customer service. I've lived it firsthand for the last five years at this point. These guys are great. They're always available. Any question, comment, concern, anything, any doubt that I have, I always run it by those guys, and their team is truly extraordinary and I'm very happy to be partnered with them. So, with that said, we're going to wrap up and we'll see everybody next Tuesday at 2 pm for Dealer Tech Tuesday and for the buy-sell show with Paul Jensen. Thank you everybody, I appreciate it and have a great week.


Ransomware Attacks in Dealerships
Cybersecurity Protection for Auto Dealerships
Cybersecurity Best Practices for Dealerships
Cybersecurity Threats and Prevention
Cybersecurity Insurance and Best Practices