How did iPremier perform?

IPREMIER(A) DENIAL OF SERVICE
ATTACK – CASE STUDY PRESENTATION
Based on: Austin, R.D. and Short, J.C. (2009) “iPremier (A): Denial of Service Attack (Graphic
Novel Version)”, Harvard Business School, case 9-609-092
XIAOYUE JIU, DAVID LANTER, SEONARDO SERRANO, ABEY JOHN, BRITT
BOUKNIGHT, CAITLYN CARNEY
IPREMIER – BACKGROUND
• iPremier: high-end online retailer (revenue mostly from credit card transactions)
• October 2008: Bob Turley hired as the new Chief Information Officer
• January 2009: denial of service attack occurs
IPREMIER ORGANIZATION CHART
• Jack Samuelson (CEO)
• Bob Turley (CIO)
• Joanne Ripley
• Leon Ledbetter
• Tim Mandel
• Warren Spangler
• Peter Stewart
HOW WELL DID IPREMIER
PERFORM?
WHAT THEY DID WRONG
• Because of poor preparation, iPremier could only react
• There was no chain of command
• There was no communication plan and no attempt to “pool knowledge”
• The emergency response “plan” was outdated and useless
• No one escalated the issue to Qdata management until it was too late
• Analysis paralysis: much discussion, no decision
WHAT WOULD YOU HAVE DONE?
WHAT THEY SHOULD HAVE DONE
• Take control of communications
• Create a conference call with all of the key decision makers to select a course of
action (this includes legal counsel)
• Disconnect from the network / contact the ISP / shut down the system
• Escalate to a Qdata manager
• Analyze the attack in more detail (what traffic, from where, against which systems)
• Take action!
WERE THE COMPANY’S OPERATING PROCEDURES
DEFICIENT IN RESPONDING TO THIS ATTACK?
THE IPREMIER COMPANY CEO, JACK SAMUELSON, HAD ALREADY EXPRESSED TO BOB TURLEY HIS
CONCERN THAT THE COMPANY MIGHT EVENTUALLY SUFFER FROM A ‘DEFICIT IN OPERATING
PROCEDURES’.
IPREMIER’S CURRENT OPERATING PROCEDURES
• Follow emergency procedure
Although an emergency procedure plan existed, it was outdated and had not been
tested recently.
• Contact data center for real-time monitoring, physical access, and procedures for
remediation
Although contact was made, physical access to the ops center was initially denied.
Qdata’s network monitoring staff were unable to help, and their key staff were on
vacation.
• Identify status of critical assets
Unsure about the status of customer and credit card information data.
IPREMIER’S CURRENT OPERATING PROCEDURES
• Contact key IT personnel and the processes they should follow
Although key IT personnel were contacted, no reporting structure was followed, and
senior management were contacted before anyone had enough understanding of the
situation to brief them
• Identify and prioritize critical services
• Understand the nature of the attack
Unsure whether it was a DDoS, a hack / intrusion, or both
• Summarize events
Provide summary about current status and next steps.
WHAT ADDITIONAL PROCEDURES MIGHT HAVE
BEEN IN PLACE TO BETTER HANDLE THE ATTACK?
IPREMIER HAD THE BARE BONES OF AN OPERATING PROCEDURE THAT WAS NEITHER ENFORCED NOR
FOLLOWED.
ADDITIONAL PROCEDURES
• Conference call bridge with key IT personnel, iPremier executives, and key
Qdata personnel
• Contact the ISP for additional help (upstream filtering of the attack traffic)
• Document everything: all actions taken, with timestamps and details
• Establish contact with law enforcement agencies
• Check configurations and logs on systems for unusual activity
• Set up and configure a “temporarily unavailable” page in case the attack
continues for a longer period of time
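The procedure “check configurations and logs on systems for unusual activity” is easier to follow under pressure if the check already exists as a script. The following is an added example, not code from the presentation or from the iPremier case: it parses web server access logs in the common Apache/nginx “combined” format and flags any source address whose request count within a sliding time window meets a threshold, which is the simplest indicator that a host is being flooded. The log lines, the window length (10 seconds) and the threshold (5 requests) are constructed and assumed for illustration; a real deployment would tune them against a baseline of normal traffic.

```python
"""Added example (not from the iPremier case or this presentation): flag
per-source request floods in web server access logs.

The sample log lines below are constructed; window_s and threshold are
assumed values, not figures from the case."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format, e.g.
# 203.0.113.7 - - [12/Jan/2009:04:31:00 -0500] "GET / HTTP/1.1" 200 5120 "-" "curl/7.19"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_floods(lines, window_s=10, threshold=5):
    """Return {ip: peak request count seen within any window_s-second window}
    for every source whose peak meets or exceeds threshold.

    A per-source deque holds the timestamps of requests still inside the
    window; its length after trimming is the current request rate."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[e["ip"]] = max(peak[e["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


# Constructed sample: one ordinary shopper (198.51.100.10) with a few requests
# spread over two minutes, one source (203.0.113.7) issuing eight requests in
# eight seconds, and one malformed line that must be skipped, not crash the run.
SAMPLE_LOG = [
    '198.51.100.10 - - [12/Jan/2009:04:30:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.10 - - [12/Jan/2009:04:30:45 -0500] "GET /catalog HTTP/1.1" 200 8300 "-" "Mozilla/5.0"',
    'this line is not in log format',
    '198.51.100.10 - - [12/Jan/2009:04:32:10 -0500] "POST /cart HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [12/Jan/2009:04:31:0{s} -0500] "GET / HTTP/1.1" 200 5120 "-" "curl/7.19"'
    for s in range(8)
]


if __name__ == "__main__":
    for ip, n in detect_floods(SAMPLE_LOG).items():
        print(f"flood suspect {ip}: {n} requests within 10 s")
```

Run against a real log with `detect_floods(open("access.log"))`; the output is the list of addresses to hand to the ISP or data center for upstream filtering, and the peak counts are the numbers that belong in the incident log the “document everything” procedure calls for. A distributed attack spreads requests across many sources, so this per-source check should be paired with a total request-rate check against the same baseline.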
NOW THAT THE ATTACK HAS ENDED, WHAT CAN
THE IPREMIER COMPANY DO TO PREPARE FOR
ANOTHER SUCH ATTACK?
HOW TO PREPARE FOR THE FUTURE
• Develop and maintain a Business Continuity & Incident Response Plan
• Establish when the plan should be put into action
• Develop clear reporting lines
• Know your infrastructure
• Know how to work with your infrastructure
• Know how to get back to normal
• Training and awareness
• Testing
• Revisions
• Get a reputable hosting service
IN THE AFTERMATH OF THE ATTACK,
WHAT WOULD YOU BE WORRIED
ABOUT?
WHAT ACTIONS WOULD YOU
RECOMMEND?
KEY AREAS OF CONCERN
• Scope of the Attack:
• What data was compromised? (credit card information, customer information, email system)
• Was malware installed on the systems during the intrusion?
• Was the attack a diversion attempt to mask criminal activity (i.e. fraud)?
• Will another attack occur in the near future?
• Business Impact:
• Public Disclosure Issues
• SEC guidelines for cyber-security risks and events (2011)
• Public Relations Issues
• Brand
• Reputation
• Shareholder Confidence
• Potential Litigation
• Breach of contract
• Violation of SLAs
• Direct Revenue Loss
IMMEDIATE RECOMMENDED ACTIONS
• Assemble an incident response team
• Conduct forensic analysis of attack
• Document incident details and lessons learned
• Adjust plans and defenses (address inadequate firewall)
• Hire independent auditor to identify vulnerabilities of current systems and
processes
• Communicate with appropriate parties (legal, shareholders, customers, vendor,
general public & media, regulatory agencies)
CONCLUSIONS
NO IT GOVERNANCE RESULTED IN…
• Evidence indicating no IS policies, enforcement, support or
protection:
• IT infrastructure outsourced to Qdata, paying for “24/7 support” getting no
24/7 support on January 12, 2009
• IT staff expressed poor impression of quality of Qdata service to Bob on
October 16, 2008, yet the firm remained outsourced 3 months later
• IT staff indicate senior management of firm not interested in spending on
improving IT infrastructure
• IT staff using company resources for online gaming…