[00:00:00] Stan Wisseman: Welcome to another episode of the Reimagining Cyber podcast. Uh, Stan Wissoman here, along with my co host, Rob Arago. And today we're going to be diving into a recent cyber attack on CDK Global. And this incident has had a pretty profound impact on the auto sector, disrupting operations for thousands of car dealerships across the United States.
[00:00:23] And we'll explore the details of the attack. The immediate and long term repercussions to the automotive industry, as well as some of the broader lessons that we can learn for cybersecurity and resilience. And for those of you that are not familiar with CDK Global, like I wasn't, um, it is one of the leading providers of cloud based software solutions for auto dealerships in the United States.
[00:00:47] And they provide this comprehensive software suite. That's vital to their day to day operations. Um, you know, going from, you know, the actual acquisition of the vehicle for the dealership, the sales process itself, financing. And ensuring that the repairs and maintenance side of the equation as well. And so these CDK global systems serve as the operational backbone for over 15, 000 retail locations nationwide.
[00:01:19] And so it is very impactful in this kind of event occurs. And I will note that if you go to the CDK website, Global's website, they also highlight their robust cyber security. Now they have a three tiered cyber security strategy designed to help prevent, protect, and respond to cyber attacks. But Rob, that's being shortly tested right now, isn't it?
[00:01:44] Rob Aragao: Indeed, Stan. We see a lot of situations where organizations are trying to do the best they can to prevent and protect from different cyber attacks from occurring. But unfortunately, obviously, we have yet another situation here in front of us with CDK. CDK's, um, unfortunate event, let's say, actually was two separate events.
[00:02:05] Breaches that occurred in the same day, by the way, so as they were going through and they identified that this actual breach was in place and occurring under attack. At that point in time, you know, one of the things that they decided to do was to try to minimize the impact. And therefore, they started shutting down some of the systems that were being impacted to avoid that, obviously, from going across and causing greater havoc across the organization.
[00:02:29] Um, as they started that process, Stan, you know, they, they, they started basically the negotiation with the, uh, attackers themselves. So it's a understood at this point in time, at least that it is a ransomware gang called, uh, black suit. Um, it's actually believed to be the successor of the notorious, if you recall, Conti.
[00:02:48] Ransomware group, ransomware as a service. Very, very,
[00:02:51] Stan Wisseman: very active
[00:02:51] Rob Aragao: in the ransomware area. Extremely. So if you think about it, right, so as they're dealing with the, uh, understanding that there's an incident occurring, they get in touch with the ransomware group behind it, again, black suit, they start the negotiation to actually pay the ransom, um, and they're taking down their own systems to try to, again, minimize the impact.
[00:03:14] Then, a little bit later that evening, as they're in this process, yet again, they come under attack. Um, and so, you know, again, they're going through this, this, this kind of back and forth trying to figure out exactly what they can do to minimize, as we discussed earlier, the impact. And, and, and just,
[00:03:31] Stan Wisseman: this happened
[00:03:32] Rob Aragao: on a U.
[00:03:32] S. holiday, Juneteenth, right? Juneteenth. That's right. Exactly. Yeah. And, and I remember the next day, actually, it was that, uh, at a cybersecurity event, And first thing in the morning, that was the topic of conversation, you know, look, look at what's happening. You know, one of the things that you called out too, you go to their website, and this is what some people were saying.
[00:03:51] Look at this organization, you know, and, and they're sharing exactly the different things that they are really doing to emphasize the security of their, their software as a service model. But obviously things are not as secured as maybe they had thought initially.
[00:04:04] Stan Wisseman: You know, and, and Rob, when this attack hit.
[00:04:08] Um, it led to an immediate breakdown in the daily operations dealerships. I can imagine folks being at the car dealership and all of a sudden they're unable to process transactions. You know, they're unable to schedule service or access customer data. I mean, it must have been a shock as the system started going down and faced with these disruptions in dealerships across the country.
[00:04:30] Have been forced to revert to manual operations and employees are filling out their sales form by hand, you know, very labor intensive process that, as we all know, if we've purchased cars has been streamlined over the years. Um, and it, and it definitely is prone to errors and. And slowing down the, the transaction times, um, you know, the impact financially of this outage is, is significant and will probably go on for months, if not years.
[00:05:00] But if you think about the scale of what kind of income is brought in from the dealerships across the United States, you know, it's an impressive 1. 2 trillion last year. So that, that tells you that kind of the, the scale of the industry that's impacted and this kind of disruption was causing, um, the inability to process transactions certainly has, um, led to delays, but also potential losses that will continue to, to trickle through the system.
[00:05:26] Um, both sales and service operations were impacted, right. And they've gone analog. And so, you know, as they were relying on these pen and paper processes, It's, it's, it's taking not only longer to, you know, complete the transactions, but some of the logistics that they're facing is interesting. Logistical challenges as far as closing these deals.
[00:05:48] One aspect of which is the vehicle registration process, right? And so, in your home state, I saw an example of this in Massachusetts. Um, you know, they were initially directing customers to the local RMV, which is their Department of Motor Vehicles. Office, right? You probably have gone there on a somewhat regular basis, or you do business, right?
[00:06:13] Um, and so they would send people there, but they were getting flooded, and then they, the R V offices started to turn people away. And, you know, even though dealers were sending couriers there and the couriers were not allowed to wait. Um, and so these, these. Delays are certainly frustrating, um, both the dealerships and the customers because the customers can't really drive their car without having this registration.
[00:06:36] And then in Massachusetts, right? I think there's a seven day window that if you purchase a car, you have to have your car registered. And that's just one state.
[00:06:45] Rob Aragao: That's exactly right. Yeah. Yeah. So it's, it's, it's all the impacts, right? Um, I'll say this. So there's the impact to the business operations of all the different dealerships that they support, as you discussed, uh, over 15, 000.
[00:07:00] The other aspect is that, you know, CDK provides, uh, CDK almost runs the dealerships. From not just the consumer side selling and supporting the transaction and through all, all of the different steps, as you said earlier, registration, insurance, and so on, but also CDK provides the key kind of back office functions to support the dealerships in their, um, CRM systems, but also the HR systems and other things, but they are in essence, kind of running the operation, both front to the customer as well as back office.
[00:07:31] So it was, it was a major impact. Now I will draw. A little bit of a conclusion to another cyber attack, major cyber attack earlier this year. We actually did an episode on this one around change healthcare, if you recall, Stan, a major incident that occurred earlier the year, major obviously in the impact as it relates to patient healthcare and safety.
[00:07:52] Now we're not going to tightly couple those things specifically because it obviously Patient health and safety are major differences than buying a vehicle, getting it serviced and getting it out the door type of thing, but the point of the matter is the, the, the kind of ecosystem of all the different operations and service capability that change healthcare, for example, provides in that particular vertical.
[00:08:15] And the trickle effect of the cyber incident that occurred there.
[00:08:18] Stan Wisseman: It's another digital platform that's supporting a broad, um, set of providers and connective tissue.
[00:08:25] Rob Aragao: That's exactly right. Which kind of shines the light on, you know, the need to understand of what security best practices control mechanisms actually are being put in place.
[00:08:39] With the different SAS providers that organizations are contracting with, right? And looking at beyond that, what are the business continuity aspects that that SAS provider actually has in place when and if something unfortunately occurs. But the responsibility still falls back on the actual end client, right?
[00:08:57] So like these dealers, as an example, to have the know how and understanding of if something like this actually. Happens again. How do we ensure that we're continuing to operate as best we can? So this whole manual kind of shift was very, very difficult for many. Are there other elements that they can maybe offload?
[00:09:15] Are there may be some service capabilities that they actually do have to turn to another provider? So they're kind of, you know, leveling out that, that concern that they have in dealing with that single provider, if you will. Right.
[00:09:25] Stan Wisseman: And in this particular instance, I know that like Ford and Honda and perhaps other OEMs are.
[00:09:29] Car manufacturers are, are trying to fill some of the gap by other software, authorizing the dealerships under their umbrella to use other softwares as an alternative. Um, you know, but that's easier said than done when you look at how integrated in the, the CDK Global Suite was and, you know, I, I think, you know, if you, if you look at.
[00:09:55] Some of the security measures in general that you want to be, um, cognizant of, whether it's the dealers or again. Um, it's, it's, you know, you and I both know when you think about car dealerships, they aren't necessarily savvy in a lot of cases. So it's sort of like, in that context, it may be difficult, but there are some things as far as security measures that I think can help.
[00:10:21] And I, and I don't have inside knowledge to, you know, the CDK incident, or honestly, that whole sector isn't necessarily that, um, uh, I have experience with car dealership software or anything like that. But, you know, getting on my high horse a little bit and push back, Rob, if you think I'm off base, but, you know, there's certain security measures you could take in general.
[00:10:41] And, and a couple of that to start with, um, are really a focus on understanding the threats. Thanks. And being proactive also with reducing your attack surface. So, um, organizations really do need to think about, um, how you can effectively detect and respond to potential threats and knowing what those threats are for your sector.
[00:11:02] And, you know, certainly ransomware is 1 of those that's hitting many sectors and you also need to be proactive as, you know, on your attack surface again, the kind of weaknesses and vulnerabilities that can be exploited that you're exposed. To the Internet to the environment, um, and reduce those vulnerabilities as much as possible, you know, and, and as, as far as the topic on threat intelligence and having that proactive mindset are episode 100 with Mark Fernandez.
[00:11:33] You know, really emphasize that importance of that multi space kind of intelligence, right? And being able to anticipate and counteract potential cyber attacks. And I think his insights for those that want to go back and listen to that, um, really give insights on what you can do with that information. To be able to in his case, um, he's addressing that in the aviation space.
[00:11:55] So a similar, you know, context of, you know, different part of the transportation sector. Um, but he's trying to apply it there.
[00:12:04] Rob Aragao: Yeah, for sure. And I mean, another kind of linkage back to a very recent episode is the one we did, uh, on connected vehicle security with Arun D'Souza. You know, again, same vertical, different aspects.
[00:12:16] We talked a lot more about, um, security by design embedding security into the, the, the different components of the vehicle. But again, there's, there's a linkage. Um, I want to go backstand to, to a point. I was kind of touching on a little bit of pun earlier, which is as if you think about it again from the dealer, it's, it's, it's a little difficult, difficult because some of them are.
[00:12:36] relatively small in using and leveraging the services that CDK provides and offers. But ultimately, I do have to call out, it's important for everyone to understand that it's still at the end of the day, their responsibility. They are the ones accountable when and if something does occur. So pushing back, honestly, at the point of contracting with the SAS providers to make sure that they're doing things on an ongoing basis, they're doing security assessments, and you have visibility and awareness to what those report findings Ensuring that though, you have mechanisms in place to support and protect the data that you may hold on to yourself is, is important.
[00:13:18] So it's again, for the smaller dealers, difficult for some of the larger ones, like the franchisees of a Ford, as an example, you know, there's more backing and support for them to be able to do some of the big
[00:13:28] Stan Wisseman: dealership companies like group one and Sonic automotive and those are, those are big.
[00:13:35] Dealerships that perhaps have a larger I. T. staff that can actually do some instant response or crisis management planning. Um, you know, again, that's part of this as well as they aren't responsible for C. D. K. software. They're consuming it as a service. You know, what is their IR plan? You know, have they done the tabletop exercises?
[00:13:55] And I remember Brent Hanson, you know, we, we talked about that and that planning for an incident or Sean Tuma, you know, where you're again, you have had an incident. What are you going to do? And, and I think it's to some degree, some of the aspects of this are outside of their control. If you think about the, um, potentially the, um, the, the, the design flaw of, uh, A critical dependency on a platform, um, that is so well accepted across the industry.
[00:14:26] Right? Yeah. It's sort of like, well, everybody uses this software. So can you really question the decision there? But at the same time, looking at having, um, redundancies. That would enable you to, um, in the case of an incident like this, operate more effectively than just a manual pen and paper approach.
[00:14:50] Right? And again, it goes back as a different context, but we're just sprinkling episodes in here for folks to reference. Right? But in the context of of energy, right? We're talking to ginger, right? Of Idaho National Labs, and she really had to focus obviously on these single points of failure, right? And failure analysis.
[00:15:11] And so if you look at these kind of digital platforms, whether it be in the health care context with, you know, change health care and its major role or in CDK Global's context, it's sort of like, okay, what if This goes down. Yeah. What do we have as that redundant system that can enable us to continue to operate beyond, you know, Joe, take out your pad of paper and try to, you know, capture the deal and maybe three days from now you can close a transaction.
[00:15:41] Rob Aragao: That's right. That's right. You know, I think things like this, unfortunately, you know, CDK change health care earlier this year and others for sure. The key aspect of it all is that the, um, the lessons truly are learned. And the evolution of what we're trying to do around security best practices definitely continues to evolve a lot of these pieces of, um, the learnings will influence continue to influence different standards, especially privacy standards, because of getting a lot of the information that sits behind the scene.
[00:16:12] scenes in like a CD case situation does contain actual you know PII information. Alright, so it depends on what's going to get out there. We'll see over time it comes out of this, but um, that's another area, right? The frameworks and the evolution of these different regulatory, um, standards they're going to continue to Take these, I hope, take these lessons learned and embed them back in to be better.
[00:16:34] Stan Wisseman: But an added complication that it hits CDK Global as well as other companies that go incidents is that it doesn't take much time before all of a sudden the lawsuits start coming in. Yeah. You're dealing with the incident and the fallout from that. And part of the fallout, unfortunately, is lawsuits. And they already have a couple of potential class action lawsuits Filed against him in Illinois and, you know, they're alleging the company failed to adequately safeguard their personal information.
[00:17:02] And, you know, the, the customers and employees names, addresses, social security numbers and other financial data. And so, you know, they're going to have to do at the same time of dealing with this major incident. That's still ongoing now have to with the right hand or left hand juggle legal
[00:17:20] Rob Aragao: ramifications.
[00:17:22] You, you, you're absolutely right. And the other thing to call out is the, um, the breach disclosures required by the SEC that we've talked about many times in the past. And so I know that there were several entities "Ultimately,the 8K saying there is a breach and here's what it's tied to specifically, right, CDK as our service provider.
[00:17:45] Um, so that trickle effect. Of the lawsuits, as you talked about, and exactly these other aspects around SEC filings. It's again, the ecosystem, all the different elements are really being touched in a negative way in many cases, but hopefully again, we'll drive better outcomes going forward.
[00:18:01] Stan Wisseman: Again, we've talked about this in the past, but I think if you look at these kind of impactful incidents across different sectors, in this case, automotive, we've Talked about change healthcare in the context of healthcare sector.
[00:18:14] Um, but it, it really does emphasize the importance of how cybersecurity, um, is a business imperative, you know. Absolutely. And, and you just finished speaking at an event to CIOs, right? And, and trying to emphasize to them digital resilience in that context.
[00:18:34] Rob Aragao: That was actually the event that happened the next day.
[00:18:37] So it was pretty kind of, um, you know, relevant obviously coming out of it. But to your point, it was a CIO audience. And on the cyber side of things, we've been talking about cyber resiliency for the past several years, very much kind of being, um, you know, appreciated with open arms. To apply a resiliency based approach on the CIO audience.
[00:18:59] It still was a little relatively new. They can all tie it back into business continuity, right? Disaster recovery planning, but really being very precise with that cyber lens on kind of breaking down the different areas,
[00:19:11] Stan Wisseman: those use cases, don't use cases. Don't
[00:19:13] Rob Aragao: overthink this stuff. Like if you can just focus on these particular areas to start.
[00:19:18] It builds the foundation, and then from there you continue to build upon that to be more successful, right? Immature capability. You called out one of the key aspects, actually I started the talk around, which is around threat intelligence. Be aware of what's happening out there that could be specifically targeting others within your particular vertical, right?
[00:19:35] And then extend that into other areas around embedding security capabilities, the secure by design principles. Again, we've had conversations many times on that topic. Um, tie that back into. What type of data do we actually have out there? Perfect example in CDK, PII information gets out there, right? Is it properly protected so that if the breach does even occur, we don't have to worry about it?
[00:19:55] Well, obviously not the case here. And then the identity interactions, how many of the different types of breaches we've seen over the course of this past year alone actually centered around coming in through the identity tier if you will, right? So yeah, it was it was a pretty well received conversation for sure because um, One, it was front and center on some of the things that we've been seeing.
[00:20:12] But two, I think again, different audience, right. And they, they were able to kind of really absorb that. And, um, I try to simplify as much as possible and had some good discussions afterwards, then realizing that the framework is important.
[00:20:25] Stan Wisseman: Right. That's the right kind of audience to address this message too, because they have to embrace.
[00:20:30] That message of resilience at that higher level, um, beyond just the typical security controls. Um, going back to CDK, and we can wrap this up, but you know, this is obviously an evolving, um, response activity that's going on at the moment. CDK is, is communicating to his dealers, and this is on the 20, we're recording this on the 26th of June and, you know, this is going to go out, um, a bit later from now.
[00:20:56] But it, it, it, it. It doesn't look like they're going to be able to restore their systems before the end of June, um, and they are collaborating with law enforcement and third party services to investigate the cyber attack. And they've started restoring their services. But as you pointed out, they've had that start stop action before.
[00:21:15] Um, right. And they may be hit. Again, by something unexpected, um, and so it's going to be an incident that's going to be remembered by a lot of folks, including those in the public who are trying to purchase a car on sale. You know, so, you know, I guess my advice at the moment is wait if you want to help purchase an automobile.
[00:21:41] Rob Aragao: Exactly, exactly. Well, good conversation, Stan. I think it's, uh, it's You know, we don't always want to shine a spotlight on the breaches, but when it's something that we can connect back into, you know, what we can think about it to do better going forward, it's important, right? And this is another example, similar to the one we discussed again previously on Change Healthcare, that ecosystem, that supply chain and the impacts of that.
[00:22:02] So just thinking differently and how we actually maybe start diversifying some of the different, um, services we get from these platform providers. It's probably a good way to think about it. But also again, what can you do to better prepare going forward?
[00:22:15] Stan Wisseman: All right, rob. Great talk.
[00:22:16] Rob Aragao: Definitely great conversation until next time stan.
[00:22:18] Thanks