STAR Guidelines (Annotated by Rook Security)

Standards for Technology in Automotive Retails (STAR), is a nonprofit organization who has recently published suggested guidelines encouraging more attention to cybersecurity within the automotive industry. The guidelines contain two major stages included in securing digital data, within which we have highlighted some gaps and added notes.

STAR Dealer Data Security Guidelines

INDUSTRY BEST PRACTICES AND RECOMMENDATIONS FOR AUTOMOTIVE RETAIL DATA SECURITY

Overview
The purpose of this document is to assist automotive retailers with implementing practical and effective data security controls that support industry best practices. The goal of this document is to provide industry minimum security controls that should be adopted. These range from simple process reviews, to robust security information monitoring solutions.

It is important to note that this is only a minimum set of controls and should not be taken as the final stage for an auto dealer’s security program. It should be thought of as a foundation to build upon.

The various approaches are broken into two “stages.” The first stage is comprised of simple actions such as policies and procedures that may be implemented with little to no expense. The second stage involves more complex safeguards, such as managed security solutions and technologies.

Disclaimer
Any company name, application, website link, or technology reference mentioned in this document should not be considered an endorsement by the OEMs or by STAR unless that endorsement is expressly stated.

Rook Security also does not endorse any of the companies, applications, website links, or technologies mentioned in this document unless expressly stated. We do endorse Rook Security, our applications, our website links, and our technologies.

This document provides a guideline for dealers to establish sound data security practices. It is important to note that network infrastructure, dealer data, and system security is the dealership’s responsibility. Third-party organizations such as service providers and partners may provide guidance and recommendations. Some organizations may provide software, hardware, or proprietary network elements to help streamline network operations and secure data. However, these applications, recommendations, or tools are not a substitute for network management.

STAGE I

Security Policies
Implementing, maintaining and adhering to a security policy is an important first step in achieving effective data security. A security policy is a formal plan that addresses how security will be implemented within an organization. The policy should describe the approaches taken to ensure the confidentiality, availability and integrity of sensitive data and resources, including the physical environment, network infrastructure, applications and data (both physical and digital).

Consider who will be responsible for owning and maintaining this policy. Typically, this should be owned by a high-ranking representative of the company. Additionally, the policy should be reviewed periodically to ensure established policies/procedures are effective.

An effective security policy should be tailored to the needs of the organization and identify what threats the business faces and how the business will handle these. A security policy facilitates proactive data security management by enabling the business to anticipate its threats and prepare accordingly, opposed to responding to an incident after it has occurred.

A security policy typically consists of several individual security policies. For instance, the below policies are commonly found within an organization’s security policy:

• Acceptable Use Policy: outlines the acceptable use of a business’s physical and digital resources
• Audit Policy: describes the requirements for risk assessment and audits of the business’s information and resources
• Extranet Policy: defines the requirements for third parties that access the business’s network
• Password Policy: provides the specific requirements for creating secure passwords and keeping passwords private
• Wireless Standards Policy: describes what wireless devices may connect to the business’s network and how to use these devices in a safe manner.

Aside from the examples listed above, there are other security policies and procedures an organization should consider implementing in order to safeguard data. More information on such policies may be found throughout this document. Additionally, the SANS Institute is great resource for developing and implementing such policies; for a variety of sample Security Policy templates, please visit: https://www.sans.org/security- resources/policies.

Referencing, ISO and NIST requirements are another good way to build out a comprehensive policy set. ISO even has templates that can be leveraged. They can be found here: https://www.iso.org/iso-templates.html

Data Collection, Retention and Use
As part of the security policy, the organization should also develop standards governing appropriate data collection, retention and use. These standards should consider what information is collected, how long it’s kept, how it’s stored, who may access it and how access is achieved. Understanding these items, along with how data enters, moves through and exits the business is essential to assessing and mitigating security vulnerabilities.

Beyond simply identifying the need, it is crucial to understand the costs and feasibility of the policy defined around data collection and retention. This is an area Rook always assists with when on-boarding MSS clients, or as a standalone advisory project.

These policies should take the following into consideration:

• Only collect data there is a legitimate need for
• Retain information only as long as there is a legitimate business need
• Don’t use sensitive information when it’s not necessary
• Properly dispose of data in a secure fashion

Security Incident Response Plan

The steps below are largely tactical items that are important, but there are also higher-level items that need to be addressed at a strategic organizational level.

Taking steps to protect data can go a long way toward preventing a security breach. Nevertheless, breaches may happen. To minimize the effects of a breach, the security policy should contain an incident response plan. Below are steps that may be taken to reduce the impact on the business, employees and customers in the event of a security incident:

• Have a plan in place to respond to security incidents. Designate a senior staff member to coordinate and implement the response plan.

Plans should be built for different types of events that may need to be handled differently.

• If a computer is compromised, disconnect it immediately from the network.
• Investigate security incidents immediately and take steps to close off existing vulnerabilities or threats to sensitive data and information.

Do not power off the machine, log the user out, or close any windows. Engage a security team immediately and ensure no one comes into contact with the machine until doing so.

• Consider whom to notify in the event of an incident, both inside and outside the organization. The following parties may need to be informed: consumers, law enforcement, customers, credit bureaus and other businesses that may be affected by the breach. Additionally, many states and the federal bank regulatory agencies have laws or guidelines addressing data breaches. It may be beneficial to seek legal guidance in these situations.

Access Control
Access Control is a security technique that refers to the process of regulating who and what has access to resources, objects or data. Access control can be both physical and logical. Physical access control limits access to buildings, rooms and physical IT assets. Logical access limits connections to computer networks, files and data.

Additionally, shared system account access should be avoided. Shared accounts reduce accountability and audibility.

Retailers should put controls in place to ensure that employees and users have access to data and company resources on a “need to know” basis, meaning access to these resources should be given only if there is a business need. A documented process should be developed that ensures: (1) appropriate access is granted to users, based on job role or business need, (2) access is revoked or modified anytime an employee departs the company or changes positions; user rights/access should be updated in a timely manner, and (3) access should be assessed periodically on a documented cadence (quarterly, semiannually, annually). This evaluation, not prompted by employee exit or transition, is to determine if level of access presently granted corresponds with the person’s position in the business. Also whether some “right” should be modified.

Password Management

Promote the use of ‘passphrases’ rather than ‘passwords’. This helps users think of longer passwords, which is the single most important factor of a strong password.

Employees have multiple user ID’s and passwords used to access the tools that support user’s job roles. Implementing a password management policy is a significant piece of data security and access control. Such policy may include the following:

• Specify password requirements, such as: minimum password length, initial assignment, restricted words and format, password life cycle, and include guidelines on suitable system and user password selection. The following is an example of such: Expire every 60 days, 8-character minimum using 3 of the following 4: 1) Uppercase, 2) Lowercase 3) numeric and 4) special characters
• Change all vendor-supplied default passwords before any information system in put into operation
• All passwords should be promptly changed if suspected of/are being comprised, or disclosed to vendors for maintenance/support.

Consider monitoring for 3rd-party compromises through on hacker dump sites, IRC channels, etc.

• Refrain from divulging passwords unless absolutely necessary (i.e., helpdesk assistance)
• Protect stored passwords — discourage employees from writing down access information and keeping it in plain sight of passerby (i.e., username & password written on post it note nearby workspace). Passwords should be encrypted when transmitted electronically.

Strongly consider investing in a password management system such as LastPass, OnePassword, etc.

Two-factor authentication should be strongly considered. There are a number of possible solutions to accomplish this including a number of free options.

Physical Security Controls

• Server/equipment rooms should be locked; employee access should be limited to only those who have a legitimate business need. Mechanisms should be in place to know if and when someone accesses the site.
• Require that files containing sensitive data and information be kept in locked file cabinets at all times, other than when an employee is working on the file.
• Remind employees not to leave sensitive documents/information out on desks when away from workstations.
• Require employees to put files away, log off computers, and lock file cabinets and office doors at the end of the day.

Admins should configure computers to log off or go to sleep after a period of inactivity to enforce the company’s policy.

• Implement appropriate access controls for your building. Tell employees what to do and whom to notify if an unfamiliar person is seen on the premises.
• If offsite storage facilities are maintained, limit employee access to those with a legitimate business need. Mechanisms should be in place to know if and when someone accesses the site.
• If devices that collect sensitive information are used, such as PIN pads, secure the equipment to reduce the risk of it being tampered with. Such equipment should also be secured to reduce the risk of an attacker switching equipment with a dummy device.

Email Security

• Outbound Email Security: identify and respond to malware, inappropriate emails, unauthorized content, and company-private information before it leaves the network.
• Inbound Email Security: Apply filters to stop malware, phishing, or malicious emails before entering the network.
• Encryption: TLS Email encryption is recommended in order to make it more difficult for third parties to read email in transit.

Network Security
Encryption and Segmentation of Business and Guest WIFI Network:

• Payment Card information, customer information, dealership traffic, and customer traffic should be segmented via network segmentation (such as VLAN, layer 2 switch, etc.) or a different network (such as a dedicated circuit for guests) to ensure no communication can take place between the networks.
• Wireless networks should be encrypted with the most current and secure encryption standard (such as WPA2 with RADIUS authentication and AES Encryption).

Internet Usage Policy:

• An internet usage policy stipulates the rules and guidelines related to appropriate use of company equipment, network and Internet access. Having such a policy in place helps to not only protect the business, but its employees as well. The policy will help to inform employees that certain behaviors are prohibited (such as downloading files, visiting certain websites, etc.) and failure to comply with the policy could result in serious repercussions.
• The Internet Usage Policy is an important document that should be signed by all employees upon employment commencement.

Consider making this a yearly requirement rather just during onboarding. This keeps the information fresh in employees’ minds and increases likelihood of compliance.

Security Awareness Training
Have a formal, written, security training program for employees. Training should cover aspects including:

• Social engineering awareness
• Password management
• Data sharing and acceptable use policies
• Sensitive data handling procedures
• Mobile device security

Regularly review training programs and adjust for new technologies, dealer business changes, and employee feedback.

Consider tracking key metrics for security awareness to monitor for program effectiveness.

Compliance with Federal Legislations
Ensure the dealer complies with all federal, state, local, and industry regulations for financial and retail institutions, such as the Gramm-Leach-Bliley Act, Safeguards Rule, PCI DDS, etc.

Gramm-Leach-Bliley(GLB) Act and Safeguards Rule:
The Gramm-Leach-Bliley (GLB) Act requires businesses defined as “financial institutions” to ensure the security and confidentiality of sensitive information.

The Safeguards Rule was issued by the Federal Trade Commission (FTC), as part of the GLB Act. The Safeguards Rule requires financial institutions to have measures in place to keep customer information secure.

For more information on these legislations and the requirements, please visit: http://www.ftc.gov/privacy/privacyinitiatives/glbact.html

https://www.ftc.gov/tips-advice/business-center/guidance/financial- institutions-customer-information-complying

Payment Card Industry Data Security Standard (PCI DSS)
All merchants storing, accepting, processing and/or transmitting cardholder data must comply with technical and operational requirements set forth by PCI DSS. For more information on PCI DSS and these requirements, please visit: https://www.pcisecuritystandards.org

Additional Resources
The following organizations have information to help implement appropriate safeguards for data:

• Computer Security Resource Center National Institute for Standards and Technology (NIST): http://csrc.nist.gov
• National Strategy to Secure Cyberspace, Department of Homeland Security: http://www.dhs.gov/files/publications/editorial_0329.shtm
• The SysAdmin, Audit, Network, Security (SANS) Institute The Twenty Most Critical Internet Security Vulnerabilities: www.sans.org/top20
• United States Computer Emergency Readiness Team (US CERT): www.us- cert.gov/resources.html
• Carnegie Mellon Software Engineering Institute CERT Coordination Center: www.cert.org

Items belonging to Stage I should be considered DO IT YOURSELF, no cost process options.

STAGE II

Antivirus

• Maintain active subscription to Enterprise class antivirus solution that uses regular automatic signature updates.
• Software should be used on all firewalls, servers and clients to help prevent damage to dealership data

Antivirus can be thought of as a subset of endpoint protection, which can go far beyond just AV. There are several options for more advanced endpoint protection such as Palo Alto Firewall Traps or Bit9/Carbon Black.

Patch Management
The operating systems on the local servers/computers requires updates from time to time, many of which are due to security risks:

A vulnerability management program or at least regular recurring vulnerability scans is highly recommended. This will allow prioritization of patches.

• Keeping current with End of Life(EOL) of operating systems will assist in making sure the location isn’t using operating systems that no longer receive security updates or other kinds of updates because the supplier discontinued support
• Generally, suppliers provide notice of EOL and this can always be verified on their respective websites

Disaster Recovery
How will business continue to be conducted if something fails? Business continuity better describes the circumstances to an entity engaged in providing products or services. Disaster recovery is the answer to the question: how would the organization continue to operate if a business essential service/asset was not available (i.e., internet, telephones, computer access, power and etc.)?

Much like the incident response planning, consider having different plans to correspond with different potential events and testing them annually.

• The solution does not have to provide for all services 100% of the time, but it should enable a business to continue to conduct business in a “limp” mode until the issue is resolved
• Essential retailer data should be backed up and verified regularly, using a backup service that has the following capabilities:
• Offsite secured storage of media
• Regular daily backups along with daily reviews of all system recovery events
• Monthly reports summarizing the previous month’s activities should be kept and reviewed by the Retailer

Unified Threat Management (UTM)/Firewall/Intrusion Detection System (IDS)

• At a minimum, implement at the network edge with regular subscription signature updates
• Ideally, the solution should include the following features:
• Fully-managed security device that continually monitors threats through Intrusion Detection System “IDS” and Intrusion Prevention System “IPS” and other mechanisms such as packet filtering, anti-virus, and stateful packet inspection.
• Firewalls should support Network Address Translation/Process Analytical Technology (NAT/PAT).
• Firewalls should also support dynamic routing using RIPv2, OSPF and BGP.
• Change the device password at the time of installation, and on an ongoing, regular basis.
• Keep on backup configuration on file in the case of a software failure or hardware replacement.

Security Information Event Management(SIEM)

• Proactive, real-time event monitoring that utilizes a SIEM service.
• SIEM needs to be able to collect data with capability to aggregate and correlate varying security data from the network in real-time.
• The SIEM service provider needs to be able to notify the network administrator in the case of a security event, as well as provide the proper documentation for compliance purposes.
• The ultimate purpose of a SIEM service is to aid in identifying or preventing an intrusion into your network. Immediate response to a breach can greatly reduce or prevent data loss.
• Note: Reactive management software (i.e. Desktop firewall or antivirus) is not to be confused with a proactive SIEM service

Wireless Detection Systems

• Scan, identify, and remove any rogue wireless access points that may be on the retailer network. A rogue wireless access point is defined as a wireless point of entry into the dealership network that has is not authorized, secured, or known about by dealer IT, management, and ownership.
• All rogue wireless networks must be detected, found, and removed immediately.
• STAR recommends the use of a managed wireless detection service that is continuously scanning the network for wireless threats.

We hosted a webinar where Director of Security Operations, Tom Gorup and Advisory Manager, Ben Gordon discuss the STAR guidelines and cybersecurity for auto dealers.
A recording can be found here: Auto Dealers’ Cybersecurity