Presentation on theme: "iPremier(A) Denial of Service Attack – Case Study Presentation"— Presentation transcript:
1iPremier(A) Denial of Service Attack – Case Study Presentation Based on: Austin, R.D. and Short, J.C. (2009) “iPremier (A): Denial of Service Attack (Graphic Novel Version), Harvard School of Business,Xiaoyue Jiu, David Lanter, Seonardo Serrano, Abey John, Britt Bouknight, Caitlyn Carney
2iPremier – BackgroundiPremier- high-end online sales company (mostly credit card transactions)October Bob Turley hired as new Chief Information OfficerJanuary Denial of service attack occurs
6What they did wrongBecause of poor preparation iPremier could only reactThere was no chain of commandThere was no communication plan and no attempt to “pool knowledge”The emergency response “plan” was outdated and uselessNo one escalated the issue with Qdata until it was too lateAnalysis paralysis
8What they should have done Take control of communicationsCreate a conference call with all of the key decision makers to select a course of action ( this includes legal counsel)Disconnect from the Network/ Contact ISP/Shut the down systemEscalate to a Qdata managerAnalyze the attack in a more detailed mannerTake action!
9Were the company’s operating procedure deficient in responding to this attack? The iPremier Company CEO, Jack Samuelson, had already expressed to Bob Turley his concern that the company might eventually suffer from a ‘deficit in operating procedures’.
10iPremier’s Current Operating Procedures Follow emergency procedureAlthough an emergency procedure plan existed it was outdated and the plan was not tested recently.Contact data center for real-time monitoring, physical access, and procedures for remediationAlthough contact was made, physical access to ops center was initially denied. Qdata’s network monitoring staff were incompetent and their key staff was on vacation.Identify status of critical assetsUnsure about the status of customer and credit card information data.
11iPremier’s Current Operating Procedures Contact key IT personnel and the processes they should followAlthough key IT personnel were contacted it was not followed through a reporting structure and senior management were contacted without having enough understanding of the situationIdentify and prioritize critical servicesUnderstand the nature of the attackUnsure if it was a DDoS or a hack / intrusion or bothSummarize eventsProvide summary about current status and next steps.
12What additional procedures might have been in place to better handle the attack? iPremier had the barebones of an operating procedure that was not enforced nor followed.
13Additional Procedures Conference call bridge with key IT personnel, iPremier executives, and key Qdata personnelContact ISP for additional helpDocument everything, all actions taken with detailsEstablish contact with law enforcement agenciesCheck configurations and logs on systems for unusual activities.Set up and configure a “temporarily unavailable” page in case the attack continues for a longer period of time
14Now that the attack has ended, what can the iPremier Company do to prepare for another such attack?
15How to prepare for the Future Develop and maintain Business Continuity & Incident Response PlanEstablish when the plan should be put into actionDevelop clear reporting linesKnow your infrastructureKnow how to work with your infrastructureKnow how to get back to NormalTraining and AwarenessTestingRevisionsGet reputable hosting service
16in the aftermath of the attack, what would you be worried about? What actions would you recommend?
17key Areas of Concern Scope of the Attack: Business Impact: What data was compromised? (credit card information, customer information, system)Was intrusion malware was installed onto systems?Was the attack a diversion attempt to mask criminal activity (i.e. fraud)?Will another attack occur in the near future?Business Impact:Public Disclosure IssuesSEC guidelines for cyber-security risks and events (2011)Public Relations IssuesBrandReputationShareholder Confidence Potential LitigationBreach of contractViolation of SLAsDirect Revenue Loss
18Immediate Recommended Actions Assemble an incident response teamConduct forensic analysis of attackDocument incident details and lessons learnedAdjust plans and defenses (address inadequate firewall)Hire independent auditor to identify vulnerabilities of current systems and processesCommunicate with appropriate parties (legal, shareholders, customers, vendor, general public & media, regulatory agencies)
19Conclusions No IT Governance resulted in… Evidence indicating no IS policies, enforcement, support nor protection:IT infrastructure outsourced to Qdata, paying for “24/7 support” getting no 24/7 support on January 12, 2009IT staff expressed poor impression of quality of Qdata service to Bob on October 16, 2008, yet the firm remained outsourced 3 months laterIT staff indicate senior management of firm not interested in spending on improving IT infrastructureIT staff using company resources for online gaming…