
iPremier Case DPDN

THE iPREMIER COMPANY (A): Denial of Service Attack

By Robert Austin

November 19, 2003

DPDN: Brian Dyrud, Jennifer Paterson, Paul Davidson, Lindsay Neal

BACKGROUND:

iPremier, a Seattle-based company, was founded in 1994 by two students from Swarthmore College. iPremier had become one of the few success stories of web-based commerce, selling luxury, rare, and vintage goods over the Internet. Most of iPremier’s goods sell for under $200, and the customer buys the products online with his or her credit card. iPremier’s competitive advantage is its flexible return policy, which allows the customer to thoroughly check out the product and decide whether to keep it or return it. The majority of iPremier’s customers are high-end and credit limits are not a problem, which also adds to the competitive advantage of utilizing its entire customer base. During 1999 the company reached a profit of $2.1 million on sales of $32 million. Sales had increased by 50% during the last three years and were on an upward trend. iPremier’s stock nearly tripled after the company’s Initial Public Offering in 1998, had continued to grow since the IPO, and eventually tripled again. iPremier was one of the few companies to survive the technology stock recession of 2000.

Management at iPremier consisted of young people who had been with the company from the start and a group of experienced managers who were brought in over time as the company grew. iPremier’s working environment was dynamic, with strong governing values of “discipline, professionalism, commitment to delivering results, and partnership for achieving profits.” The company had a strong orientation to “do whatever it takes” to get projects done on schedule.

iPremier had contracted with Qdata, an Internet hosting business. Qdata provided iPremier with most of its computer equipment and connectivity to the Internet. Qdata was not an industry leader and was selected because it was located close to iPremier’s company headquarters and had been serving iPremier throughout the course of its new and developing business. Qdata did provide basic floor space, power, connectivity, environmental control, and physical security, and offered some higher-level management services such as monitoring of web sites for customers (at its Network Operations Center) and Internet security services such as firewall protection. However, new technologies were being adopted at many companies while Qdata did not take advantage of them. iPremier had been planning to outsource management of its “technical architecture services to a more suitable supplier, but had not done so because the company was focused on growth, minimizing costs and avoiding a service interruption to its customers.” iPremier had recently hired Bob Turley as CIO. As the case begins, Mr. Turley is going to find out first hand the security issues of iPremier.

Theme:

On January 21, 2001, iPremier’s web servers were brought to a standstill. A denial-of-service (DoS) attack had occurred. A DoS attack “is a flood of packets that consumes network resources and causes gridlock.” The gridlock in turn prevents users from using online services; this is the origin of the term denial-of-service. A DoS attack may originate from one machine (a DoS attack) or from numerous machines (a distributed DoS, or DDoS, attack). The machines involved in a DDoS attack are called zombies and are geographically distributed. Loss of service can take the form of the loss of a particular service or a temporary loss of all network service. A DDoS attack is easily accomplished by script kiddies using tools from hacker websites.

Hackers launched the attack on iPremier. Luckily for iPremier, this was only a denial-of-service attack, possibly launched by a script kiddie, a disgruntled employee, or even a competitor trying to disrupt service. The attack could have been a lot worse. iPremier’s customers pay for their purchases with credit cards, and iPremier keeps a database containing all of its customers’ credit card information. The credit card database is advantageous because it gives iPremier an effective niche in the e-commerce market. However, it leaves the company vulnerable to an attack by hackers. If a hacker had obtained total access to the system, customer credit card numbers could have been in jeopardy.

Information security is the process of protecting data from accidental or intentional misuse by persons inside or outside of an organization, including employees, consultants, and hackers. Computer misuse can lead to a breach of security, which can in turn lead to financial loss, through lost profits and a loss of confidence by customers and shareholders. In the last few years, the Internet has brought security threats that were not as prevalent before. The extensive use of the Internet has significantly increased the vulnerability of organizations to information theft, vandalism, and denial-of-service attacks. With each new company that develops a web site to advertise its products online, there is a corresponding increase in attacks by those who want to harm a company’s reputation or steal its resources. The open nature of the Internet has created an environment in which hackers can take advantage of security vulnerabilities anywhere, knowing that most networks and computer systems are weak because of ineffective defense strategies.

INTEGRATION:

Eastman Kodak:

Eastman Kodak, in 1984, reorganized the company into 29 individual business entities under four main business branches: Photography, Commercial & Imaging Group, Chemicals, and Health. In 1986 Kodak encountered a lawsuit with Polaroid and had to cut employment and its operating budget. Kodak then plunged into new businesses in biotechnology and office equipment in 1989. In spite of the new business ventures, Kodak’s profits fell 85% in the second quarter of 1989. Based on sales per employee, Kodak was 67% below its archrival Fuji Photo Film Company.

Information technology and the implementation of the Partnership in Innovation Process (PIP) was the way Kodak would reclaim its competitive advantage. In January of 1988 Colby Chandler, CEO, created Corporate Information Systems (CIS) and appointed Katherine Hudson as vice president and head of CIS. Hudson went through the IT services and, with a portfolio analysis, examined the strengths and weaknesses of the IT function. If value was found in a function it was kept in place; however, if value was not found, the function was removed or outsourced. Outsourcing is defined as “the act of purchasing goods and services from an outside supplier” (Russell and Taylor 279). Outsourcing IT services is more involved than outsourcing in the traditional sense. Kodak set up alliances with partners that were constantly changing. As the needs and wants of Kodak’s partners changed, Kodak would mirror its partners and implement changes in its own IT strategies.

Kodak and its IT team came up with the slogan “Partnership in the Innovation Process (PIP).” This enabled Kodak to communicate effectively with its outsourcing partners. Each PIP team adopted a code name for its data center. For example, BlueStar represented the telecommunications sector. Teams contained 8 to 10 Kodak employees from all areas of Kodak’s business sectors. The PIP teams reported to a steering committee that contained executives from Kodak, and the steering committee offered advice to the PIP teams. PIP teams used a five-step process to identify, select, negotiate, and implement outsourcing alliances (Applegate, Montealegre 5). The implementation of PIP allowed Eastman Kodak to effectively choose the best outsourcing alliance and adapt to the constant changes partners undergo. Kodak’s decision to cut businesses that were losing value and outsource the others helped to regain some of its competitive advantage. The decision to outsource had been a good one, considering there were cost savings of 18% in Kodak’s data services, telecommunications, and personal computer services (Applegate, Montealegre 10).

Both Kodak and iPremier used outsourcing in their businesses. iPremier used Qdata to provide its technical architecture, and Kodak was redefining its outsourcing services with the implementation of PIP in selecting potential outsourcing partners. Kodak was not having security problems as in the case of iPremier, but both realized that their existing IT infrastructure needed to be modified. Kodak downsized its separate business units and either cut or outsourced those units that were not profitable. iPremier learned the hard way, with a denial-of-service attack, that it needed to find a more effective outsourcing provider.

British Columbia’s Pharmanet Project:

The case study on British Columbia’s Pharmanet Project examined the issues that the British Columbia government faced when creating the Pharmanet network. The purpose of Pharmanet was to create an electronic network connecting all of the pharmacies in the province. The network would allow pharmacists access to all of a patient’s prescription records regardless of where the patient had the prescriptions filled. The idea was to prevent improper drug interactions, prevent fraud, and reduce paperwork. However, many issues regarding patient confidentiality and IT security arose. This case is similar to iPremier in that IT security was a major concern that had to be addressed to ensure patient or customer confidentiality. In addition to the security issues of a web site that iPremier had to address, Pharmanet also had to address the security of the personnel who had access to the private information stored on the network.

The biggest critics of the Pharmanet network were the Information and Privacy Commissioner, the British Columbia Civil Liberties Association, and the British Columbia Freedom of Information and Privacy Association. They felt that the system was an unnecessary invasion of privacy. Their primary concerns were database “surfing”, “function creep”, and the mandatory nature of the system. Critics feared that with all of this confidential information available to pharmacists, some would use it for unethical or illegal reasons. The information could be used to report drug abusers to the authorities or embarrassing or career-harming ailments to their employers. In addition to these basic concerns, there were many concerns regarding the security and integrity of the information in the database.

Several security measures had to be developed in order to deal with the privacy concerns. First, data was to be encrypted before being transmitted over the phone lines. Pharmacists would need to enter a personal password to access the system, and they would need to change their password every 42 days. Second, consumers could put a password on their files so that only the pharmacies they gave the password to could access their files. Finally, a data trail would be created every time a file was accessed, recording who accessed it and when. This information could be provided to the consumer upon request. There would be penalties for pharmacists caught engaging in unethical practices.

Lands’ End:

One of iPremier’s competitive advantages is its flexible return policy, which allows the customer to thoroughly check out the product and decide whether to keep it or return it. Lands’ End also has a very flexible return policy: if a customer isn’t completely satisfied, they can return the item for only the cost of the shipping. In addition, the customer is offered a discount on any new customized item. Lands’ End encourages feedback from its dissatisfied customers and uses this information to make improvements to the program.

Another way that iPremier is similar to Lands’ End is that both use an Internet provider that is located in close proximity. The practice of using another business to host an Internet site is called colocating. iPremier outsourced management of its technical architecture to Qdata, a company that hosted most of the computer equipment and provided connectivity to the Internet. In addition, Qdata provided monitoring of the iPremier web site and some security services such as firewall service. However, iPremier felt that Qdata was unwilling to invest in technological advancements. Lands’ End and Berbee, Lands’ End’s outsourcing partner, have a far more competitive relationship. Both Wisconsin companies say that the fact that they have grown larger together and their geographic proximity to one another (Berbee is located in Madison, approximately 40 miles from Dodgeville) help facilitate running the landsend.com site, which is colocated and co-hosted by the two companies. Finally, although not discussed in the article, Lands’ End has to address the security issues of storing customer information on the web.

Dell:

When Dell first introduced the Dell Direct Model, IT security was not as big an issue as it is today. Before Dell’s use of the Internet to receive orders for PCs, the primary security risk would have been internal to the firm. For instance, a disgruntled employee might smuggle proprietary technology data off of Dell’s premises to sell to a competitor. Now, however, with customers spending over 30 million dollars per day through Dell’s web site, security of information is a top priority at Dell.

During the first few years of operations, Dell began to realize the cons associated with selling its products through retail chains such as Best Buy, Circuit City and CompUSA. This became even more apparent in 1993 when Dell realized its first operating loss, due in part to selling its products through these channels. The Dell Direct Model took an entirely new approach to selling PCs. Instead of having the consumer come to a retail store and pick out an already configured system, the consumer could contact Dell directly and place an order for a customized PC. For several years, this direct contact came in the form of a telephone call from the customer, but in 1996 Dell introduced Dell Online, which gave the consumer the ability to configure and purchase a PC from the comfort of any Internet connection.

While Dell Online became very successful, a new door was opened for hackers and computer criminals to come through and commit a number of frauds. Dell, like many other companies who do business online, would have to put hardware and software security measures in place to protect not only its own financial and proprietary data, but primarily to protect its customers. As listed in Dell’s online policies, Dell employs a number of measures to ensure data privacy and integrity while its customers are shopping online. First, Dell uses positive identification to enable a customer’s Internet browser to confirm the Dell Store's identity before any transmission is sent. Second, Dell uses data encryption so that even if a data transmission were intercepted, the data would be very difficult to decrypt and read. To give the customer added confidence in shopping online with Dell, Dell has implemented the Dell Secure Shopping Guarantee, which states that “In the unlikely event that your credit card company holds you liable for any unauthorized charges to your account resulting from your online purchases at dell.com, Dell will cover your liability up to $50 (the maximum you can be held liable for).”

Providian Trust:

The Providian Trust: Tradition and Technology case study describes a company which was rich in tradition, experience, and a high level of customer service, but was devoid of technology and information management, and therefore also of an IT competitive advantage. The company was in need of a dramatic redesign of its business processes and an intense “reprogramming” of most of its employees, as well as the implementation of leading-edge software and information technology solutions, if it was to again be profitable and become a competitive player. Providian was in desperate need of reengineered business processes. Providian’s business impact report stated, “business processes would be revised based on effectively using technology as an enabling mechanism.” The technology to be used was an asset management system by Select One called Access Plus. If Providian continued to implement more technology to keep up with its competitors, for instance the use of the Internet to allow clients access to statements and reports of their holdings, Providian would also have to put in place IT security measures to keep the firm and its clients safe from fraudulent electronic attacks.

Vandelay:

Dating from World War II, Vandelay Industries is an $8 billion corporation that manufactures and distributes industrial equipment, which is in turn used in the production of rubber and latex. Vandelay also has plants in various locations across the world. Until recently, Vandelay allowed each of its business units to “run itself”. This meant that each location used its own system and methods for conducting business. As long as the particular business unit was successful, it was left to do whatever it pleased. For example, when a Vandelay employee transferred from one business unit to another, his or her employee record had to be reentered in the other business unit, due to incompatible human resources software. The only corporate-wide integrated system was the financial information system. To fix this problem, Vandelay realized the need for a single ERP system to unite all of its currently fragmented IT systems. This would enable Vandelay to coordinate the practices of all the business units and manage Vandelay units more tightly than ever before. This case dealt with the implementation of an ERP system and therefore does not integrate well with the iPremier case.

Springs:

Springs Industries is a $2.2 billion textile company that mostly produces home furnishings we know as Springmaid and Wamsutta, and has licenses with Disney, Liz at Home and Bill Blass. Some of Springs’ largest customers are Wal-Mart, Kmart, and Target. Some products they now produce are towels, bath rugs, shower curtains, bedding, window coverings, and some baby products. In order for Springs to grow and expand its product lines into some of these complementary divisions, it began acquiring the necessary manufacturing companies. Springs also implemented new IT systems to try to keep the company competitive with others. For example, it implemented a point-of-sale (POS) data system and a vendor-managed inventory (VMI) system. Both of these new IT systems allowed Springs to better fill its customers’ needs and to do it more quickly. Although not addressed in the article, Springs would have to address IT security issues since it stored so much vendor information on a network.

SUMMARY/RECOMMENDATIONS:

Bob Turley had a hard lesson to learn about taking security for granted. Most executives learn this same lesson the hard way. iPremier had planned on moving its computing services to another location; however, it had not ranked that as its top priority. In fact, iPremier had even turned off its logging capabilities because running them would result in a 20% drop in performance. iPremier needs to realize the importance of security, especially in the e-commerce world, where there is unlimited access through the Internet to valuable customer information. Security needs to be a top priority. Without executive support, it is unlikely the security problem will be solved.

Some changes need to be undertaken to effectively solve the security problem. The existing contract with Qdata needs to be renegotiated. This will allow employees at iPremier to act as consultants for Qdata and help them upgrade their existing system. The consulting time will be an added cost; however, it is far less expensive to consult than to hire another outsourcing provider. Another key recommendation is for iPremier to separate its web server from its critical systems; this will help to eliminate access to important information by a hacker. No system is totally safe from an attack, but the segregation of systems will help to deter amateur hackers.

iPremier needs to develop a plan of action in case it undergoes a DoS attack again. By doing so, it can have a strategy to implement before, during, and after a denial-of-service attack. If the plan is effective, system downtime will be decreased, and vital information will be secure again in a timely manner. Also, when an attack occurs, iPremier needs to have an expert to call who can walk top-level executives through the process of getting the system up and running. Finally, iPremier’s current firewall needs to be revamped with the addition of a packet filter or sniffer, to block the packets that initiate a DoS attack.
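The last two recommendations, keeping logging switched on and putting a filter in front of the web server that drops the packets of a flood, can be shown concretely. The Python below is an added example and is not code from the student paper or from the Harvard case. It takes constructed connection-log lines (timestamp, source address, request), counts requests per source inside a sliding time window, and reports every source that reaches a threshold, which is the list a packet filter would be told to block. The log format, the addresses, the times and the window and threshold values are all assumptions made for the illustration.

```python
"""Sliding-window flood detection over connection-log lines.

Added example for the iPremier recommendations; not code from the
student paper or the Harvard case. The log format, addresses, times
and thresholds below are all assumptions constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: "<ISO timestamp> <source address> <request>".
# Three ordinary customers make a handful of requests each, while one
# source (10.9.9.9) sends a request every second for fifteen seconds.
SAMPLE_LOG = [
    "2001-01-21T04:31:00 192.0.2.10 GET /",
    "2001-01-21T04:31:02 192.0.2.11 GET /catalog",
    "2001-01-21T04:31:30 192.0.2.10 GET /item/42",
    "2001-01-21T04:31:45 192.0.2.11 POST /cart",
] + [
    # steady browsing: five requests spaced twenty seconds apart
    f"2001-01-21T04:3{m}:{s:02d} 192.0.2.12 GET /page{i}"
    for i, (m, s) in enumerate([(1, 0), (1, 20), (1, 40), (2, 0), (2, 20)])
] + [
    # the flood: one request per second from a single source
    f"2001-01-21T04:31:{s:02d} 10.9.9.9 GET /"
    for s in range(5, 20)
]


def parse_line(line):
    """Split a log line into (timestamp, source address). The request
    text is ignored because only the arrival rate matters here."""
    stamp, source, _request = line.split(" ", 2)
    return datetime.fromisoformat(stamp), source


def detect_floods(lines, window_seconds=10, threshold=5):
    """Return {source: first time it was flagged} for every source whose
    request count within any window of `window_seconds` reaches
    `threshold`. Events are processed in time order, so the result does
    not depend on how the log lines were interleaved."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for stamp, source in sorted(parse_line(line) for line in lines):
        times = recent[source]
        times.append(stamp)
        # drop timestamps that have fallen out of the window
        while stamp - times[0] > window:
            times.popleft()
        if len(times) >= threshold and source not in flagged:
            flagged[source] = stamp
    return flagged


def block_list(lines, **kwargs):
    """Sorted source addresses a packet filter would be told to drop."""
    return sorted(detect_floods(lines, **kwargs))


if __name__ == "__main__":
    for source, when in detect_floods(SAMPLE_LOG).items():
        print(f"{source} flagged at {when.isoformat()}")
    print("block list:", block_list(SAMPLE_LOG))
```

Run directly, it flags 10.9.9.9 at the fifth request (04:31:09) and leaves the three customers alone, including the one that makes five requests spread over eighty seconds. Two points a practitioner would take from it: the detector can only see what is logged, which is why the 20% performance cost of logging mentioned above is the price of being able to answer "who is flooding us" at all; and because a distributed attack spreads its requests across many zombies, a per-source threshold is only the first filter and needs to be paired with limits on the aggregate request rate.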

TAKE-AWAYS:

As previously emphasized, security needs to take precedence over other aspects of a company. Preventive measures take many different forms. Technical security measures take the form of firewalls and intrusion detection software. If need be, companies should solicit third-party vendors to provide security systems. However, employees also need to be effectively trained on the importance of security. Employees need to understand the importance of changing their passwords often and of not leaving passwords lying around for others to use. It only takes one incident to cause customers or shareholders to lose confidence in an organization. In an industry such as iPremier’s, that one incident could be fatal, resulting in the company joining the ranks of other failed “dot-com” companies. The iPremier case shows the importance of security in today’s business world. It effectively prepares future managers and executives for their business careers by demonstrating the importance of security. It proves the point that cutting corners to save money is a risky endeavor. Security is one aspect companies should not neglect. iPremier was lucky in that an amateur had taken its security system hostage. If a professional hacker had obtained access to the system, the customer credit card database would have been in jeopardy.

KEY TERMS:

Initial Public Offering: when a private firm chooses to go public.

IP Address: corresponds to a particular machine located somewhere on the Internet.

Router: a hardware platform that routes traffic across internal networks and the Internet.

Script kiddies: relatively unsophisticated hackers who use automated routines (“scripts”) written by other, more sophisticated hackers. These scripts are generally available to anyone willing to spend a little time searching for them on the Internet.

Secure shell access: allows authorized users to remotely access a computer via an encrypted connection. Without such access, connecting remotely to the computer would require sending information across the network in a format that could be intercepted and read by a third party.

SOURCES

http://www.hostingtech.com/eb/01_08_internet.html. Accessed November 16, 2003.

Chee, Emily, and Scott Schneberger. “British Columbia’s Pharmanet Project.” Ivey Management Services, 1998.

Ives, Blake, and Gabriele Piccoli. “Custom Made Apparel and Individualized Service at Lands’ End.” Communications of the Association for Information Systems, Volume 11, Article 3, January 2003.

Dailey, Melissa, and Warren F. McFarlan. Providian Trust: Tradition and Technology (A). Harvard Business School, June 7, 1997.

Rangan, Kasturi, and Marie Bell. Dell Online. Harvard Business School: Boston, 1998.

Dell’s Online Policies. http://www1.us.dell.com/content/topics/global.aspx/policy/en/policy?c=us&l=en&s=gen&~section=006. Accessed November 15, 2003.

Russell, Roberta, and Bernard Taylor. Operations Management. 4th ed. Prentice Hall: New Jersey, 2003.

Applegate, Lynda, and Ramiro Montealegre. Eastman Kodak Co.: Managing Information Systems Through Strategic Alliances. Harvard Business School: Boston, 1995.

http://www.uwosh.edu/faculty_staff/wresch/case8b.htm. Accessed September 14, 2003.

Austin, Robert. The iPremier Company (A): Denial of Service Attack. Harvard Business School: Boston, 2001.

www.captusnetworks.com. Accessed November 16, 2003.

www.ncr.com. Accessed November 16, 2003.

McAfee, Andrew. Vandelay Industries, Inc. Harvard Business School: Boston, 1998.

McFarlan, Warren, and Melissa Dailey. www.springs.com. Harvard Business School: Boston, 1998.