
how to avoid a CDK style cyber attack that shuts down your dealership

First and foremost, Dealers have no say in what CDK does about their Cyber Security or anything else for that matter, except through purchasing decisions. Dealers have to make sure that they are protected and need to have processes and programs in place to protect them against any loss due to an uncontrollable breach from a third party, i.e. CDK, and this third party could be any one of the many platforms that Dealers employ. Dealers need to be implementing a phishing campaign, which will be more prevalent now after the breach; run vulnerability scans; follow up on the information provided by the scan, not just assume that the scan is enough (we must remediate); and conduct regular physical audits so that the trail sets the dealer up for an "Affirmative Defense" should anything happen. We just need to be as prepared as possible because this will not be the last one of these.
 
The "cyber attack" has become mainstream news as dealerships struggle to operate.

What steps can be taken to avoid being at the mercy of a CDK style takedown?

Would it make sense to run two competing systems side by side so that WHEN one gets attacked the other will work?

Is there a business opportunity here, or an opportunity to provide consulting services?

Vendors, dealers, others... what is your take on this?
While my big-picture answer to this question is "let's talk about how implementing a master data management plan will protect you as much as humanly possible," here are 7 more tactical answers to your question:

  1. Implement Multi-Layered Security
    • Adopt a comprehensive cybersecurity strategy that includes prevention, protection, and response capabilities
    • Use firewalls, antivirus software, and intrusion detection systems
  2. Regular Software Updates and Patch Management
    • Ensure all systems and software are regularly updated to address known vulnerabilities
  3. Employee Training and Awareness
    • Educate staff about phishing attacks and other social engineering tactics (it is quite possible that the CDK hack started within a dealership somewhere)
    • Implement strict password policies and multi-factor authentication
  4. Data Backup and Recovery Plans
    • Maintain regular, secure backups of critical data
    • Develop and test disaster recovery plans to ensure quick restoration of services
  5. Third-Party Risk Management
    • Carefully vet software providers and other vendors for their security practices
    • Consider using multiple providers to avoid single points of failure
  6. Network Segmentation
    • Isolate critical systems and limit access to sensitive data
  7. Incident Response Planning
    • Develop and regularly update an incident response plan
    • Conduct tabletop exercises to practice responding to potential cyberattacks
 
Those are great solutions! Basically companies need to do this or pay a company to do it for them.

But let's consider something.
I have been to dealerships that make their sales folks buy their own drinks from vending machines. Others, they provide a coffee maker.

How big would a dealership need to be to afford at least 1 FT IT security specialist and can afford to pay for 3rd services and training?

1. In a way, I can see chromebooks as great tools to assist in securing your company; data gets stored on the cloud.
2. Then put a major focus on phishing and social engineering prevention.
3. If possible, provide cell phones for all staff to be used while at work and prevent all personal phones from being used.
 
Nothing is perfect, and it really comes down to how solid your disaster recovery plan is.

Should you switch platforms? Maybe, depending on your situation. Build your own system? Definitely not. Go back to old methods? No way.

Keep backups and don't rely on just one backup; have multiple. If you have your data and CDK goes under, you're covered (with the exception of downtime, but without your data... there is no recovery). You can move to another platform and import your data without losing too much time.
 
Best thing is to have regular backups of their database. You can do this on CDK, PBS, etc.
Next, the CDK takedown is only the DMS. Nothing else would be affected, regardless of what other software you use, like Word and Excel.

If you are scared of a CrowdStrike event, then have at least 1 or 2 Macs on hand. If you don't own one, ask your marketing department. Usually the only department that has them (we have 3 of them).

Have a list of procedures or develop procedures. Not for DMS down, but for internet being down. That usually is more common. So have the following:
- Sheets for service ROs
- Alternative card machine like Square (fees are higher, but losing a sale costs more)
- Have an internal-only server that hosts mission-critical files like backups of the database and templates of forms like test drives, quotes, etc.
- When doing a database backup, make sure there is a way for you to see what's in it. Like MS Access.

A DMS is part of the game. Sucks for CDK users, but the reality is this was beyond expected. It's based on software that was released over a decade ago. Our IT guy said "I'm shocked it took this long for someone to do it". No DMS is perfect. CDK is great at sales but sucks at service, PBS is great at service but sucks at sales, RR is also outdated, Dealertrack is a literal meme most of the time. These are all software developed by companies who focus more on selling to dealers than fixing software. You can decompile PBS very easily and see how it works. It's all .NET Framework. DMS is nothing special, it's software developed by mid-tier programmers.

We as a dealer switched to PBS at the beginning of the year.
But we still have procedures in case of power out, no internet, no DMS, all-Windows failure (CrowdStrike), network hack.
These are all easy to do.
 
@Fullsend are you a developer or in the IT department?

The only thing I could question with this is about the backup. You would need to be running software that doesn't connect to the mother ship to run. Net based systems this wouldn't work out.

But, if you are running the application locally and storing data in the cloud ... why weren't you doing daily backups?
 
I am not a developer, nor do I work in IT.
I run the marketing department at a small dealer group. I just like tech and know a bit of programming. For a bit we did have a marketing assistant who was also an iOS/macOS dev & website programmer, so we had even more custom solutions.

For being able to run software that can read the database without using the DMS, you can use a million different options. Backups are just large docs that are usually just in SQL, so you can use MS Access to see them and use them.

As per the backups: on DMS systems you can't really pull a headless data pull via third-party software. In theory you can on PBS because it just connects to a SQL database. So you could just develop a simple app even in Python to just connect and duplicate data. (Might be something I look at doing)

For the most part you have to do a manual pull. So log in, enter the database password, and then do a download. Because of that we can't do a pull request every day. It's too slow.

Usually I say once per quarter or once per month backups are pretty good. The idea is to minimize damage. So if let's say CDK goes down, you have a copy of the database that's only up to 3 months old max. We are not high-volume dealers so this works fine. First service interval for us is not until 1 year after purchase. For anything more recent than that we can easily look back at paper dockets we have. But when you need to know about a customer whose lease ended, we can easily check the database backup.
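
An added example, not written by anyone in this thread: a Python check that a database backup opens without the DMS, contains the tables you rely on, is no older than a quarter, and matches its other stored copies. It assumes the export is plain SQL that SQLite can load; the table names, sample dump, and 92-day limit are constructed for illustration.

```python
import hashlib
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample dump; a real DMS export will have other tables and dialect.
SAMPLE_DUMP = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, lease_end TEXT);
INSERT INTO customers VALUES (1, 'A. Example', '2025-03-31');
INSERT INTO customers VALUES (2, 'B. Sample', '2026-01-15');
CREATE TABLE repair_orders (id INTEGER PRIMARY KEY, customer_id INTEGER, opened TEXT);
INSERT INTO repair_orders VALUES (10, 1, '2024-05-02');
"""

def verify_backup(dump_sql, taken_at, required_tables, max_age_days=92, now=None):
    """Return a list of problems; an empty list means the backup is usable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if now - taken_at > timedelta(days=max_age_days):
        problems.append(f"backup is older than {max_age_days} days")
    conn = sqlite3.connect(":memory:")  # restore into a scratch DB, never the live one
    try:
        conn.executescript(dump_sql)
        present = {row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        for table in required_tables:  # names come from local config, not user input
            if table not in present:
                problems.append(f"missing table: {table}")
            elif conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0] == 0:
                problems.append(f"table is empty: {table}")
    except sqlite3.Error as exc:
        problems.append(f"dump does not restore: {exc}")
    finally:
        conn.close()
    return problems

def copies_match(*copies):
    """True when every stored copy of the dump (as bytes) has the same SHA-256."""
    return len({hashlib.sha256(c).hexdigest() for c in copies}) == 1

if __name__ == "__main__":
    taken = datetime.now(timezone.utc) - timedelta(days=20)
    print(verify_backup(SAMPLE_DUMP, taken, ["customers", "repair_orders"]))
    print(copies_match(SAMPLE_DUMP.encode(), SAMPLE_DUMP.encode()))
```

Run it after each manual download, against every place a copy is kept, so an unreadable or stale backup is found before an outage rather than during one.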
 
While implementing a full MDM system with a composable CDP is the best solution, it may be financially challenging for small auto dealerships. However, there are several affordable alternatives and strategies available. By focusing on data governance, starting with pilot implementations, engaging external partners, and fostering a data-driven culture, smaller dealerships can manage their data effectively and achieve significant business benefits. But there has to be an investment of time and money. No free lunch.
 