4@ipremier case powerpoint final
TRANSCRIPT
-
8/10/2019 4@IPremier Case PowerPoint Final
1/19
IPREMIER (A) DENIAL OF SERVICE ATTACK CASE STUDY PRESENTATION
XIAOYUE JIU, DAVID LANTER, SEONARDO SERRANO, BRITT BOUKNIGHT, CAITLYN CARNEY
Based on: Austin, R.D. and Short, J.C. (2009) iPremier (A): Denial of Service Attack (Graphic Novel Version), Harvard School of Business, 9-609-092
-
IPREMIER BACKGROUND
iPremier - high-end online sales company (mostly credit card t
October 2008 - Bob Turley hired as new Chief Information Officer
January 2009 - Denial of service attack occurs
-
IPREMIER ORGANIZATION CHART
Jack Samuelson (CEO)
Bob Turley (CIO)
Joanne Ripley
Leon Ledbetter
Tim Mandel
Peter Stewart
Warren Spangler
-
HOW WELL DID IPREMIER PERFORM?
-
WHAT THEY DID WRONG
Because of poor preparation iPremier could only react
There was no chain of command
There was no communication plan and no attempt to pool knowledge
The emergency response plan was outdated and useless
No one escalated the issue with Qdata until it was too late
Analysis paralysis
-
WHAT WOULD YOU HAVE DONE?
-
WHAT THEY SHOULD HAVE DONE
Take control of communications
Create a conference call with all of the key decision makers to select a course of action (this includes legal counsel)
Disconnect from the network / Contact ISP / Shut down the system
Escalate to a Qdata manager
Analyze the attack in a more detailed manner
Take action!
-
WERE THE COMPANY'S OPERATING PROCEDURES DEFICIENT IN RESPONDING TO THIS ATTACK?
THE IPREMIER COMPANY CEO, JACK SAMUELSON, HAD ALREADY EXPRESSED TO TURLEY HIS CONCERN THAT THE COMPANY MIGHT EVENTUALLY SUFFER FROM A DEFICIT IN OPERATING PROCEDURES.
-
IPREMIER'S CURRENT OPERATING PROCEDURES
Follow emergency procedure
Although an emergency procedure plan existed, it was outdated and the plan was not tested recently.
Contact data center for real-time monitoring, physical access, and procedures for remediation
Although contact was made, physical access to ops center was denied. Qdata's network monitoring staff were incompetent and staff was on vacation.
Identify status of critical assets
Unsure about the status of customer and credit card information
-
IPREMIER'S CURRENT OPERATING PROCEDURES
Contact key IT personnel and the processes they should follow
Although key IT personnel were contacted, the reporting structure was not followed and senior management were contacted without enough understanding of the situation
Identify and prioritize critical services
Understand the nature of the attack
Unsure if it was a DDoS or a hack / intrusion or both
Summarize events
Provide summary about current status and next steps.
-
WHAT ADDITIONAL PROCEDURES MIGHT HAVE BEEN IN PLACE TO BETTER HANDLE THE ATTACK?
IPREMIER HAD THE BARE BONES OF AN OPERATING PROCEDURE THAT WAS NEITHER ENFORCED NOR FOLLOWED.
-
ADDITIONAL PROCEDURES
Conference call bridge with key IT personnel, iPremier executives, and key Qdata personnel
Contact ISP for additional help
Document everything, all actions taken with details
Establish contact with law enforcement agencies
Check configurations and logs on systems for unusual activities
Set up and configure a temporarily unavailable page in case the attack continues for a longer period of time
-
NOW THAT THE ATTACK HAS ENDED, WHAT CAN THE IPREMIER COMPANY DO TO PREPARE FOR ANOTHER SUCH ATTACK?
-
HOW TO PREPARE FOR THE FUTURE
Develop and maintain Business Continuity & Incident Response Plan
Establish when the plan should be put into action
Develop clear reporting lines
Know your infrastructure
Know how to work with your infrastructure
Know how to get back to Normal
Training and Awareness
Testing
Revisions
Get reputable hosting service
-
IN THE AFTERMATH OF THE ATTACK, WHAT WOULD YOU BE WORRIED ABOUT?
WHAT ACTIONS WOULD YOU RECOMMEND?
-
KEY AREAS OF CONCERN
Scope of the Attack:
What data was compromised? (credit card information, customer information,
Was intrusion malware installed onto systems?
Was the attack a diversion attempt to mask criminal activity (i.e. fraud)?
Will another attack occur in the near future?
Business Impact:
Public Disclosure Issues
SEC guidelines for cyber-security risks and events (2011)
Public Relations Issues
Brand Reputation
Shareholder Confidence
Potential Litigation
Breach of contract
Violation of SLAs
Direct Revenue Loss
-
IMMEDIATE RECOMMENDED ACTIONS
Assemble an incident response team
Conduct forensic analysis of attack
Document incident details and lessons learned
Adjust plans and defenses (address inadequate firewall)
Hire independent auditor to identify vulnerabilities of current systems and processes
Communicate with appropriate parties (legal, shareholders, cvendor, general public & media, regulatory agencies)
-
CONCLUSIONS
NO IT GOVERNANCE RESULTED IN
Evidence indicating no IS policies, enforcement, support or protection:
IT infrastructure outsourced to Qdata, paying for 24/7 support, getting no 24/7 support on January 12, 2009
IT staff expressed poor impression of quality of Qdata service to Bob on October 16, 2008, yet the firm remained outsourced 3 months later
IT staff indicate senior management of firm not interested in spending on improving IT infrastructure
IT staff using company resources for online gaming