Last month, we discussed how dealership networks can be attacked and what’s required to secure customers’ non-public personal information (NPI). To fully comply with the laws governing the handling of NPI, you first need an understanding of where it resides in a real-world dealership.

It’s true that customer NPI is stored on the DMS itself (Reynolds & Reynolds, ADP, etc.), but it is also stored on the other computers that make up the dealership’s network. Reports run from the DMS can be saved as files on a PC’s local drive. Even if a report is never saved on the local machine, the screens you viewed it on are: your terminal emulator, such as ERA link or Reflections, keeps recent screens in a scroll-back buffer so that you can look at them again, and that buffer lives on the PC.

If you run monthly reports, sales logs, F&I logs or any kind of sales report, the data gathered from the DMS is probably stored on the local machine’s hard drive as well. If you e-mailed a file containing customers’ NPI, that e-mail is still in your “sent items” folder, along with the attachment. If you received any e-mail containing customers’ NPI, either in the body of the message or as an attachment, the data goes wherever the e-mail goes. Some menu applications store the data you enter, at least temporarily. Credit bureau files, the Holy Grail to identity thieves, end up on a local computer whenever a bureau file is downloaded.

With all of this sensitive data kept electronically at the dealership, whose responsibility is it to protect it? It’s the dealer’s, of course.

Any IT guy will tell you that no network is completely secure. Mercifully, the law is written with this in mind. The law requires a conscientious, good-faith effort (properly documented and maintained) to protect customers’ NPI. A perfect result is not required.

The law obligates dealers to “Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information…”

In plain English, with respect to computer security, that means a dealer must conduct a Network Vulnerability Assessment (NVA). An NVA is a systematic scan of every device on your network that looks for flaws an attacker (whether internal or external) could use to get at the data on it. Vulnerabilities can be as easily rectified as strengthening a weak password policy, applying a missing update or replacing outdated firmware. A scan can also turn up something worse, such as spyware already running on a machine; that is not a vulnerability but evidence that one has already been exploited, and it calls for an investigation, not just a patch. There are literally thousands of known vulnerabilities, and more are published every day.

The NVA obligation can be satisfied in a couple of ways. You could hire a company to come in and assess your network. The cost for this type of assessment could range from $5,000 to $50,000.

Alternatively, a dealer could purchase a vulnerability scanner appliance that scans the entire network from the inside. It reports the weaknesses it knows how to test for so you can fix them, thus limiting what a hacker, or a rogue employee, can reach. Keep in mind that no scanner finds everything, and that a scan from inside the network sees machines and services that a scan from the Internet cannot (and vice versa), so an occasional external scan is worth adding.

This method of reporting vulnerabilities also helps satisfy the requirement that a dealer periodically audit its information security program. If you own the scanner, it can be configured to scan on a schedule, compare each scan with the previous ones, and chart your network’s improving health over time as vulnerabilities are found and eliminated. Keep those reports: they are the documentation of the good-faith effort the law asks for.
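To make the scan-to-scan comparison concrete, here is an added example in Python. It is not part of the original article and is not any vendor’s scanner software. The scan records are constructed sample data in a simplified form (host, port, finding label, severity), and the finding labels are hypothetical, not identifiers from any real vulnerability database; a real scanner’s export would be parsed into the same records first.

```python
"""Compare two vulnerability scans and report what changed.

Added example, not from the original article or any scanner vendor.
The findings below are constructed sample data; the finding IDs are
hypothetical labels, not identifiers from any real vulnerability database.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Finding:
    host: str
    port: int
    finding_id: str  # hypothetical label for the weakness found
    severity: int    # 1 (low) to 5 (critical)


# Constructed "last month" scan of a small dealership network.
PREVIOUS_SCAN = {
    Finding("10.0.0.5", 445, "SMB-MISSING-UPDATE", 5),
    Finding("10.0.0.5", 23, "TELNET-ENABLED", 4),
    Finding("10.0.0.12", 80, "OUTDATED-FIRMWARE", 3),
    Finding("10.0.0.20", 3389, "WEAK-PASSWORD-POLICY", 4),
}

# Constructed "this month" scan: two items fixed, two still open,
# and a new device that showed up with default credentials.
CURRENT_SCAN = {
    Finding("10.0.0.5", 445, "SMB-MISSING-UPDATE", 5),
    Finding("10.0.0.12", 80, "OUTDATED-FIRMWARE", 3),
    Finding("10.0.0.31", 8080, "DEFAULT-CREDENTIALS", 5),
}


def compare_scans(previous, current):
    """Split findings into new, fixed and persisting using set arithmetic."""
    return {
        "new": sorted(current - previous),
        "fixed": sorted(previous - current),
        "persisting": sorted(previous & current),
    }


def risk_score(findings):
    """Crude trend number: the sum of severities of all open findings."""
    return sum(f.severity for f in findings)


def overdue_criticals(previous, current, threshold=5):
    """Critical findings present in both scans: open a whole cycle without a fix."""
    return sorted(f for f in previous & current if f.severity >= threshold)


def report(previous, current):
    """Plain-text summary suitable for the compliance file."""
    diff = compare_scans(previous, current)
    lines = [f"Risk score: {risk_score(previous)} -> {risk_score(current)}"]
    for label in ("new", "fixed", "persisting"):
        lines.append(f"{label}: {len(diff[label])}")
        lines.extend(
            f"  {f.host}:{f.port} {f.finding_id} (sev {f.severity})" for f in diff[label]
        )
    for f in overdue_criticals(previous, current):
        lines.append(f"OVERDUE CRITICAL: {f.host}:{f.port} {f.finding_id}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PREVIOUS_SCAN, CURRENT_SCAN))
```

The risk score is deliberately simple; what matters for the audit trail is that the same scan, diffed the same way, is filed every cycle, and that a critical finding carried over from the previous cycle is called out rather than buried in a list that is "shorter than last month."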

The law also holds the dealer responsible for “detecting, preventing and responding to attacks, intrusions, or other systems failures.”

Many dealers believe they satisfy this requirement by having a firewall. They assume wrongly. A firewall, properly configured, is the first component of a security system. It blocks traffic to the ports you have closed, but it does not inspect the traffic you allow through the open ones, so it neither detects an attack that rides in on permitted traffic nor tells you afterward that one happened. To rely on a firewall alone is to walk around with a “Sue Me!” sign on one’s wallet.

Imagine you wanted to protect your physical dealership, so you put a fence up all the way around it. The fence does a great job keeping out all of the bad guys, but in doing that you’ve also kept out all of the good guys. It’s tough to sell cars if no one can get in at all. The same is true of a firewall. You use it to close all of the unnecessary “gates” or ports into your network.

But remember, the bad guys expect a firewall. They simply scan for open ports. It follows that the fewer ports you leave open, the fewer chances a hacker has of getting in. The fact still remains that you have to leave ports open in order to do business, just like you have to leave gates in your fence.

The detection part of the law is addressed with an intrusion detection system (IDS). An IDS watches the traffic passing through your open ports for the patterns of known attacks and alerts you when it sees one; the same kind of device placed inline and configured to block the matching traffic is called an intrusion prevention system (IPS). Either way, it recognizes only what it has been taught to recognize, which is why keeping it updated matters so much.


Security Requires Regular Updates

Continuing our fence analogy, an IDS is like adding a guard at each of the gates in your fence. This can’t be some rent-a-cop; this must be a trained and powerful guard. He needs to know what to look for. In computer lingo, what needs to be looked for are called “attack signatures.”

You can’t just train this guard once and forget him, either. Every time a new vulnerability comes out, there’s a new attack signature to look for. Not keeping up-to-date attack signatures for your IDS would be like having virus protection and never updating the virus definitions. Your IDS has to know what the bad guys look like and watch for them to come in. To know what the bad guys look like, you have to stay up to date with your attack signature files. The law is clear: if they get in, you have to know it.

With nearly 6,000 new vulnerabilities last year alone to choose from, it’s no wonder more than 95 percent of all intrusions result from exploitation of known vulnerabilities. Your guard, your IDS, needs to be updated every single time there is a new vulnerability discovered.
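The guard-and-signature idea, and the cost of a stale signature file, can be shown in a few lines of code. The following is an added example, not from the original article or any IDS product: a tiny signature matcher run over constructed web-server log lines (the IP addresses are from documentation ranges, and the signature IDs are hypothetical). It compares a signature set “as of the last update” with one that has a newer signature added, and lists the request the old set would have let through silently.

```python
"""Signature-based intrusion detection over sample web-server log lines.

Added example, not from the original article or any IDS product. The
signatures and the log lines are constructed for illustration; the IP
addresses are from documentation ranges and the signature IDs are made up.
"""
import re
from urllib.parse import unquote

# Constructed access-log lines: client IP, method, request path, status.
SAMPLE_LOG = [
    "10.0.0.7 GET /index.html 200",
    "10.0.0.7 GET /reports/monthly.csv 200",
    "203.0.113.9 GET /cgi-bin/../../etc/passwd 404",
    "203.0.113.9 GET /login.php?user=admin%27%20OR%201=1-- 200",
    "198.51.100.4 GET /.env 200",
]

# Signature set as it stood before the last update: (id, description, pattern).
STALE_SIGNATURES = [
    ("SIG-001", "directory traversal", re.compile(r"\.\./")),
    ("SIG-002", "SQL injection (quote OR n=n)",
     re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
]

# Updated set: the same two plus a signature for probes of dotfiles such as .env.
UPDATED_SIGNATURES = STALE_SIGNATURES + [
    ("SIG-003", "dotfile/secret probe", re.compile(r"/\.(env|git)(?:/|$)")),
]


def parse_line(line):
    ip, method, path, status = line.split()
    return ip, method, path, int(status)


def detect(lines, signatures):
    """Return (ip, sig_id, description) for every request matching a signature.

    The path is URL-decoded first so that %27 and %20 cannot hide a quote or a
    space from the pattern; a matcher that skips this step is trivially evaded.
    """
    alerts = []
    for line in lines:
        ip, _method, path, _status = parse_line(line)
        decoded = unquote(path)
        for sig_id, description, pattern in signatures:
            if pattern.search(decoded):
                alerts.append((ip, sig_id, description))
    return alerts


def missed_by_stale_set(lines, stale, updated):
    """Alerts the updated signature set raises that the stale set never would."""
    return sorted(set(detect(lines, updated)) - set(detect(lines, stale)))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, UPDATED_SIGNATURES):
        print("ALERT", *alert)
    for alert in missed_by_stale_set(SAMPLE_LOG, STALE_SIGNATURES, UPDATED_SIGNATURES):
        print("MISSED before update:", *alert)
```

Two things to take from it. First, the `/.env` probe produces no alert at all until SIG-003 is loaded; a guard who has not been told what a new attack looks like simply waves it through. Second, the decoding step is where real matchers live or die: an attacker who can slip a quote past the pattern by encoding it differently has defeated the signature without changing the attack.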

Once you have your NVAs scheduled regularly and all of your known vulnerabilities corrected and your firewall properly configured and your IDS installed and updated regularly (whew!), you can turn your attention to some other practices.

Be Strict About Passwords

Never let more than one person use the same logon and password to your DMS. Some dealerships use a department-wide logon like SALES or PARTS. A much better practice would be for each employee to have his own logon. Some other applications or vendors issue only one password for everybody who uses that system. In those cases, always change that password anytime there is a change in personnel.

Have rules requiring numbers and letters in a valid password as well as minimum lengths. Force password changes regularly. Never share any employee’s password with an outside vendor. Know where your administrative passwords for all systems are kept and make sure it is a safe place. What would happen if your system administrator were hit by a bus on the way to work?

Now that you have the hardware and the rules in place, all you need is training. The law is clear here, too. It says the dealer is responsible for “employee training and management.” Have a plan, know your plan and then train your people.

Complying with the law and securing your data doesn’t have to be an overwhelming task. You can get a firewall, an IDS and an NVA all separately, or you can install a device that performs all of those functions in one appliance. Either way, start there and bring the network up to compliance.

Alan Andreu is president of Dealership Defense LLC. He began working in the retail automotive industry in 1983 as a finance director. For the past seven years, Alan has used his experience in the industry and his education in computer science to develop methods that support and provide security to dealership management systems for dealerships nationwide.