CDK Response Checklist
On Wednesday, June 19, two cyber incidents halted software firm CDK’s core Dealer Management System (DMS)—one of its many dealer-serving components—an event that shut down the operations of nearly 15,000 car dealerships across North America. While much of CDK’s multifaceted system is back online, the fallout led to guidance from several sources.
Taken together, these recommendations can help get your operations running more smoothly in the near term, while helping you prepare should an incident like this occur again.
From Moss Adams, the National Automobile Dealers Association’s (NADA) accounting firm:
- Immediately Address Potentially Compromised Data
Your data within CDK may have been compromised. Not only will this include your customers' information, but it could also include your users' account information. There's a chance that your usernames and passwords have been compromised. If you have not done so, you should immediately change all passwords, API keys/tokens, and any other authentication information that is used to get into the system.
- Mitigate "Credential Stuffing"
People will often reuse their passwords across systems. "Credential stuffing" is a type of attack where hackers will use stolen usernames and passwords and attempt to use those on other systems. Because of this, users should be aware that they need to change their passwords if they have used their CDK password elsewhere. You should also enable multi-factor authentication within CDK. This will further limit the possibility that stolen credentials could be used by outside bad actors.
- Supply Chain Attack Follow-up
Gone are the days when IT systems used to support the business were hosted and managed internally. Many software solutions have moved to the cloud and IT support has been outsourced to external service providers. While that solves some of the headaches created when managing your own IT, there are also new risks introduced that need to be thought through. Recent changes to cybersecurity frameworks, rules, and regulations have focused on the need to secure the IT supply chain, and this breach highlights that importance. It's no longer sufficient only to check and make sure that contracts have the right provisions and the vendor provides some kind of third-party cybersecurity audit report.
- What to Plan for
At some point, the CDK event will be in the past, and operations will get back to normal. Don't lose the opportunity to learn from this event and plan for the next one. First, update your company's risk assessment. The risk assessment should be more than just an exercise in completing a checklist, but a real review of the risks (including cybersecurity risks) inherent to your organization, the controls you have in place to mitigate those risks, and what you plan to do with the residual risk. Your risk assessment should include supply chain risks. Business continuity and incident response plans should be reviewed and updated as needed to reflect how your business will operate the next time an incident occurs. Cybersecurity incidents are unpredictable in their timing, magnitude, and the speed at which they unfold. Organizations with effective procedures to fall back on will be able to successfully mitigate the impact to their operations.
From Withum, the Massachusetts Auto Dealers Association’s (MSADA) accounting firm:
- Meet with your legal counsel to receive guidance on potential legal impacts and preparation activities. Counsel should understand the impacts on organizational risk and give clear advice on the appropriate response activities.
- Review with your employees the need to avoid suspicious downloads, be cautious with email attachments, and recognize phishing attempts. Phishing activity has been reported.
- Review your current agreement or contract for CDK services to see if they have any information noted in their liability or limitations for liability.
- Check your cyber policy to see if it has Third Party liability insurance and/or applicable coverage. This may help to protect from potential lawsuits and legal costs if a data breach occurred on a third party's network or systems. If you're not sure, contact your insurance provider and work with them to discuss current impact and options.
- Prepare your organization to address any potential liabilities for the breach of sensitive customer information.
- What communications are required to notify customers?
- What reporting requirements do I have with respect to laws and regulations such as the FTC Safeguards Rule? CDK has been in discussions with the FTC to provide an omnibus submission on behalf of dealers to meet these requirements, as the FTC requires non-banking financial institutions to report security breaches that affect at least 500 consumers to the FTC as soon as possible, but no later than 30 days after discovery.
- Have your technical team review the following security guidance:
- Make sure your operating systems, software, and firmware have been updated.
- Reset all passwords following appropriate password complexity guidelines.
- Ensure Multi-Factor Authentication (MFA) is enabled for all services, particularly for webmail, virtual private networks, and accounts accessing critical systems.
- Require administrator credentials for software installations.
- Review account access privileges so only authorized users have access to only the systems they need to accomplish their role/job.
- Review privileged accounts to ensure there are no recent, unexplained changes to access rights or permissions.
- Monitor your network for abnormal network activity and monitor for unauthorized use of remote access software.
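The last two technical items, reviewing privileged accounts for recent permission changes and watching for unauthorized remote-access software, are the ones a dealership's IT team can turn into a repeatable check against exported Windows Security logs. The script below is an added example written for this page; it is not Withum's code and not a CDK tool. It works over constructed event records (not real dealership data), treats events 4728/4732/4756 as "member added to a security-enabled group" and 4688 as process creation, and assumes that the dealership's IT provider is approved to use ScreenConnect while every other remote-access tool in the list is unexpected. The group names, tool names, allowlist and 14-day lookback are assumptions to adjust to the environment.

```python
"""Audit exported Windows Security event records for two checklist items:
recent additions to privileged groups, and remote-access tools that were
launched but are not on the approved list. Added example; records are constructed.
"""
import os
from datetime import datetime, timedelta, timezone

# Windows Security event IDs: a member was added to a security-enabled global
# (4728), local (4732) or universal (4756) group; 4688 is process creation.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
PROCESS_CREATE_EVENT = 4688

# Groups that grant administrative rights; any change here needs a change record.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Schema Admins", "Account Operators"}

# Executable names of common remote-access tools (lower-cased for matching).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe",
                       "screenconnect.clientservice.exe", "logmein.exe"}

# Assumption for this example: only the IT provider's ScreenConnect is approved.
APPROVED_REMOTE_ACCESS = {"screenconnect.clientservice.exe"}

# Fixed "now" so the constructed records below fall inside the lookback window.
SAMPLE_NOW = datetime(2024, 6, 24, tzinfo=timezone.utc)


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def recent_privileged_group_changes(records, now, lookback_days=14):
    """Return additions to privileged groups made within the lookback window.

    Each finding names who made the change, who was added, where and when, so
    it can be matched against a change ticket or escalated if none exists.
    """
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for rec in records:
        if rec["event_id"] not in GROUP_ADD_EVENTS:
            continue
        if rec["group"] not in PRIVILEGED_GROUPS:
            continue
        if parse_time(rec["time"]) >= cutoff:
            findings.append({"time": rec["time"], "host": rec["host"],
                             "group": rec["group"], "member_added": rec["member"],
                             "changed_by": rec["subject"]})
    return findings


def unapproved_remote_access(records, approved=APPROVED_REMOTE_ACCESS):
    """Return process-creation events for remote-access tools not on the allowlist."""
    findings = []
    for rec in records:
        if rec["event_id"] != PROCESS_CREATE_EVENT:
            continue
        # Normalise the Windows path so basename() works on any platform.
        exe = os.path.basename(rec["process"].replace("\\", "/")).lower()
        if exe in REMOTE_ACCESS_TOOLS and exe not in approved:
            findings.append({"time": rec["time"], "host": rec["host"],
                             "user": rec["subject"], "process": rec["process"]})
    return findings


def audit(records, now):
    """Run both checks and return the findings grouped by checklist item."""
    return {"privileged_group_changes": recent_privileged_group_changes(records, now),
            "unapproved_remote_access": unapproved_remote_access(records)}


# Constructed sample records (not real log data); a real feed would be exported
# from the domain controllers' and workstations' Security logs.
SAMPLE_RECORDS = [
    {"time": "2024-06-20T03:12:00Z", "event_id": 4728, "host": "DC01",
     "group": "Domain Admins", "member": "svc-dms", "subject": "jsmith"},
    {"time": "2024-05-02T14:30:00Z", "event_id": 4728, "host": "DC01",
     "group": "Domain Admins", "member": "itadmin2", "subject": "itadmin1"},
    {"time": "2024-06-21T09:05:00Z", "event_id": 4732, "host": "FRONTDESK-02",
     "group": "Remote Desktop Users", "member": "tech", "subject": "helpdesk"},
    {"time": "2024-06-21T09:06:00Z", "event_id": 4688, "host": "FRONTDESK-02",
     "process": r"C:\Users\tech\Downloads\AnyDesk.exe", "subject": "tech"},
    {"time": "2024-06-21T09:10:00Z", "event_id": 4688, "host": "SERVICE-01",
     "process": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "subject": "SYSTEM"},
    {"time": "2024-06-21T09:15:00Z", "event_id": 4688, "host": "SALES-07",
     "process": r"C:\Windows\System32\notepad.exe", "subject": "mgarcia"},
]

if __name__ == "__main__":
    for item, findings in audit(SAMPLE_RECORDS, SAMPLE_NOW).items():
        print(f"{item}: {len(findings)} finding(s)")
        for finding in findings:
            print("  ", finding)
```

Run against the constructed records, the audit reports one privileged-group change (an account added to Domain Admins four days earlier, with no matching ticket in this scenario) and one unapproved remote-access launch (AnyDesk from a user's Downloads folder); the older Domain Admins change falls outside the 14-day window and the approved ScreenConnect service is ignored. In practice, feed it the exported events rather than the sample list, widen the lookback to cover the whole outage period, and review every finding against the change log before treating it as benign.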
Once operations are up and running it’s time to review strategic initiatives such as FTC safeguards and particularly business resiliency requirements. Understanding your dealership’s critical systems, supporting processes, and assets as well as the impact upon your organization during an incident allows you to identify mitigation strategies so they are effectively applied.
From Cooperative Systems:
“First and foremost, you need to have redundant systems,” asserts Scott Spatz, Cooperative Systems partner and President. “If one cloud goes down, you need a solid backup.”
Another key to dealing with the unimaginable is preparing as well as possible.
“Tabletopping—trying to simulate every possible scenario and response—is something that we work on with many customers and this incident was like a live tabletop,” he says. “The more preparation, the faster your response and the least amount of downtime.”
Another critical aspect of response is having a risk management plan for your own organization that you can also push out to your vendors.
“We call that third-party risk management,” Spatz says. “We have a process for doing that internally and it’s basically a platform that guides clients through an incident like this. It includes performing a business impact analysis that helps you understand how any external software or other product that touches your existing processes can affect them. It can be complicated, but it’s something that needs to be addressed.”