IPREMIER (A) DENIAL OF SERVICE ATTACK – CASE STUDY PRESENTATION

Based on: Austin, R.D. and Short, J.C. (2009) “iPremier (A): Denial of Service Attack (Graphic Novel Version)”, Harvard School of Business, 9-609-092

XIAOYUE JIU, DAVID LANTER, SEONARDO SERRANO, ABEY JOHN, BRITT BOUKNIGHT, CAITLYN CARNEY

IPREMIER – BACKGROUND
• iPremier: high-end online sales company (mostly credit card transactions)
• October 2008: Bob Turley hired as new Chief Information Officer
• January 2009: Denial of service attack occurs

IPREMIER ORGANIZATION CHART
Jack Samuelson (CEO)
Bob Turley (CIO)
Joanne Ripley, Leon Ledbetter, Tim Mandel, Warren Spangler, Peter Stewart

HOW WELL DID IPREMIER PERFORM?

WHAT THEY DID WRONG
• Because of poor preparation, iPremier could only react
• There was no chain of command
• There was no communication plan and no attempt to “pool knowledge”
• The emergency response “plan” was outdated and useless
• No one escalated the issue with Qdata until it was too late
• Analysis paralysis

WHAT WOULD YOU HAVE DONE?

WHAT THEY SHOULD HAVE DONE
• Take control of communications
• Create a conference call with all of the key decision makers to select a course of action (this includes legal counsel)
• Disconnect from the network / contact the ISP / shut down the system
• Escalate to a Qdata manager
• Analyze the attack in a more detailed manner
• Take action!

WERE THE COMPANY’S OPERATING PROCEDURES DEFICIENT IN RESPONDING TO THIS ATTACK?
The iPremier company CEO, Jack Samuelson, had already expressed to Bob Turley his concern that the company might eventually suffer from a ‘deficit in operating procedures’.

IPREMIER’S CURRENT OPERATING PROCEDURES
• Follow emergency procedure: although an emergency procedure plan existed, it was outdated and had not been tested recently.
• Contact data center for real-time monitoring, physical access, and procedures for remediation: although contact was made, physical access to the ops center was initially denied. Qdata’s network monitoring staff were incompetent and their key staff were on vacation.
• Identify status of critical assets: unsure about the status of customer and credit card information data.
• Contact key IT personnel and the processes they should follow: although key IT personnel were contacted, it was not followed through a reporting structure, and senior management were contacted without having enough understanding of the situation.
• Identify and prioritize critical services
• Understand the nature of the attack: unsure if it was a DDoS, a hack / intrusion, or both.
• Summarize events: provide a summary of current status and next steps.

WHAT ADDITIONAL PROCEDURES MIGHT HAVE BEEN IN PLACE TO BETTER HANDLE THE ATTACK?
iPremier had the bare bones of an operating procedure that was neither enforced nor followed.

ADDITIONAL PROCEDURES
• Conference call bridge with key IT personnel, iPremier executives, and key Qdata personnel
• Contact ISP for additional help
• Document everything: all actions taken, with details
• Establish contact with law enforcement agencies
• Check configurations and logs on systems for unusual activities
• Set up and configure a “temporarily unavailable” page in case the attack continues for a longer period of time

NOW THAT THE ATTACK HAS ENDED, WHAT CAN THE IPREMIER COMPANY DO TO PREPARE FOR ANOTHER SUCH ATTACK?

HOW TO PREPARE FOR THE FUTURE
• Develop and maintain a Business Continuity & Incident Response Plan
• Establish when the plan should be put into action
• Develop clear reporting lines
• Know your infrastructure
• Know how to work with your infrastructure
• Know how to get back to normal
• Training and awareness
• Testing
• Revisions
• Get a reputable hosting service

IN THE AFTERMATH OF THE ATTACK, WHAT WOULD YOU BE WORRIED ABOUT? WHAT ACTIONS WOULD YOU RECOMMEND?

KEY AREAS OF CONCERN
• Scope of the attack:
  • What data was compromised? (credit card information, customer information, email system)
  • Was intrusion malware installed onto systems?
  • Was the attack a diversion attempt to mask criminal activity (e.g. fraud)?
  • Will another attack occur in the near future?
• Business impact:
  • Public disclosure issues
    • SEC guidelines for cyber-security risks and events (2011)
  • Public relations issues
    • Brand
    • Reputation
    • Shareholder confidence
  • Potential litigation
    • Breach of contract
    • Violation of SLAs
  • Direct revenue loss

IMMEDIATE RECOMMENDED ACTIONS
• Assemble an incident response team
• Conduct forensic analysis of the attack
• Document incident details and lessons learned
• Adjust plans and defenses (address the inadequate firewall)
• Hire an independent auditor to identify vulnerabilities in current systems and processes
• Communicate with appropriate parties (legal, shareholders, customers, vendor, general public & media, regulatory agencies)

CONCLUSIONS

NO IT GOVERNANCE RESULTED IN…
• Evidence indicating no IS policies, enforcement, support or protection:
  • IT infrastructure outsourced to Qdata, paying for “24/7 support” but getting no 24/7 support on January 12, 2009
  • IT staff expressed a poor impression of the quality of Qdata service to Bob on October 16, 2008, yet the firm remained outsourced 3 months later
  • IT staff indicate senior management of the firm not interested in spending on improving IT infrastructure
  • IT staff using company resources for online gaming…