4@ipremier case powerpoint final

Upload: sendme-quickly

Post on 02-Jun-2018

TRANSCRIPT

  • 8/10/2019 4@IPremier Case PowerPoint Final

    1/19

    IPREMIER (A) DENIAL OF SERVICE ATTACK CASE STUDY PRESENTATION

    XIAOYUE JIU, DAVID LANTER, SEONARDO SERRANO, BRITT BOUKNIGHT, CAITLYN CARNEY

    Based on: Austin, R.D. and Short, J.C. (2009) iPremier (A): Denia

    (Graphic Novel Version), Harvard School of Business, 9-609-092

    IPREMIER BACKGROUND

    iPremier- high-end online sales company (mostly credit card t

    October 2008- Bob Turley hired as new Chief Information Offi

    January 2009- Denial of service attack occurs

    IPREMIER ORGANIZATION CHART

    Jack Samuelson (CEO)

    Bob Turley (CIO)

    Joanne Ripley

    Leon Ledbetter

    Tim Mandel

    Peter Stewart

    Warren Spangler

    HOW WELL DID IPREMIER PERFORM?

    WHAT THEY DID WRONG

    Because of poor preparation iPremier could only react

    There was no chain of command

    There was no communication plan and no attempt to pool knowledge

    The emergency response plan was outdated and useless

    No one escalated the issue with Qdata until it was too late

    Analysis paralysis

    WHAT WOULD YOU HAVE DONE?

    WHAT THEY SHOULD HAVE DONE

    Take control of communications

    Create a conference call with all of the key decision makers to select a course of action (this includes legal counsel)

    Disconnect from the network / Contact ISP / Shut down the system

    Escalate to a Qdata manager

    Analyze the attack in a more detailed manner

    Take action!

    WERE THE COMPANY'S OPERATING PROCEDURES DEFICIENT IN RESPONDING TO THIS ATTACK?

    THE IPREMIER COMPANY CEO, JACK SAMUELSON, HAD ALREADY EXPRESS

    TURLEY HIS CONCERN THAT THE COMPANY MIGHT EVENTUALLY SUFFER F

    DEFICIT IN OPERATING PROCEDURES.

    IPREMIER'S CURRENT OPERATING PROCEDURES

    Follow emergency procedure

    Although an emergency procedure plan existed it was outdated

    plan was not tested recently.

    Contact data center for real-time monitoring, physical access, and procedures for remediation

    Although contact was made, physical access to ops center was denied. Qdata's network monitoring staff were incompetent and staff was on vacation.

    Identify status of critical assets

    Unsure about the status of customer and credit card information

    IPREMIER'S CURRENT OPERATING PROCEDURES

    Contact key IT personnel and the processes they should follow

    Although key IT personnel were contacted it was not followed th

    reporting structure and senior management were contacted with

    enough understanding of the situation

    Identify and prioritize critical services

    Understand the nature of the attack

    Unsure if it was a DDoS or a hack / intrusion or both

    Summarize events

    Provide summary about current status and next steps.

    WHAT ADDITIONAL PROCEDURES MIGHT HAVE BEEN IN PLACE TO BETTER HANDLE THE ATTACK?

    IPREMIER HAD THE BAREBONES OF AN OPERATING PROCEDURE THAT WAS

    ENFORCED NOR FOLLOWED.

    ADDITIONAL PROCEDURES

    Conference call bridge with key IT personnel, iPremier executives, and key Qdata personnel

    Contact ISP for additional help

    Document everything, all actions taken with details

    Establish contact with law enforcement agencies

    Check configurations and logs on systems for unusual activities

    Set up and configure a temporarily unavailable page in case the attack continues for a longer period of time

    NOW THAT THE ATTACK HAS ENDED, WHAT CAN THE IPREMIER COMPANY DO TO PREPARE FOR ANOTHER SUCH ATTACK?

    HOW TO PREPARE FOR THE FUTURE

    Develop and maintain Business Continuity & Incident Response Plan

    Establish when the plan should be put into action

    Develop clear reporting lines

    Know your infrastructure

    Know how to work with your infrastructure

    Know how to get back to Normal

    Training and Awareness

    Testing

    Revisions

    Get reputable hosting service

    IN THE AFTERMATH OF THE ATTACK, WHAT WOULD YOU BE WORRIED ABOUT?

    WHAT ACTIONS WOULD YOU RECOMMEND?

    KEY AREAS OF CONCERN

    Scope of the Attack:

    What data was compromised? (credit card information, customer information,

    Was intrusion malware installed onto systems?

    Was the attack a diversion attempt to mask criminal activity (i.e. fraud)?

    Will another attack occur in the near future?

    Business Impact:

    Public Disclosure Issues

    SEC guidelines for cyber-security risks and events (2011)

    Public Relations Issues

    Brand Reputation

    Shareholder Confidence

    Potential Litigation

    Breach of contract

    Violation of SLAs

    Direct Revenue Loss

    IMMEDIATE RECOMMENDED ACTIONS

    Assemble an incident response team

    Conduct forensic analysis of attack

    Document incident details and lessons learned

    Adjust plans and defenses (address inadequate firewall)

    Hire independent auditor to identify vulnerabilities of current systems and processes

    Communicate with appropriate parties (legal, shareholders, cvendor, general public & media, regulatory agencies)

    CONCLUSIONS

    NO IT GOVERNANCE RESULTED IN

    Evidence indicating no IS policies, enforcement, suppor

    protection:

    IT infrastructure outsourced to Qdata, paying for 24/7 support, getting no 24/7 support on January 12, 2009

    IT staff expressed poor impression of quality of Qdata service to Bob on October 16, 2008, yet the firm remained outsourced 3 months later

    IT staff indicate senior management of firm not interested in spending on improving IT infrastructure

    IT staff using company resources for online gaming