
IPREMIER (A) DENIAL OF SERVICE ATTACK CASE STUDY PRESENTATION
Based on: Austin, R.D. and Short, J.C. (2009) iPremier (A): Denial of Service Attack
(Graphic Novel Version), Harvard School of Business, 9-609-092

XIAOYUE JIU, DAVID LANTER, SEONARDO SERRANO, ABEY JOHN, BRITT BOUKNIGHT, CAITLYN CARNEY

IPREMIER BACKGROUND
iPremier: high-end online sales company (mostly credit card transactions)
October 2008: Bob Turley hired as new Chief Information Officer
January 2009: Denial of service attack occurs

IPREMIER ORGANIZATION CHART

Jack Samuelson (CEO)
Bob Turley (CIO)
Joanne Ripley
Leon Ledbetter
Tim Mandel
Warren Spangler
Peter Stewart

HOW WELL DID IPREMIER PERFORM?

WHAT THEY DID WRONG

Because of poor preparation iPremier could only react
There was no chain of command
There was no communication plan and no attempt to pool knowledge
The emergency response plan was outdated and useless
No one escalated the issue with Qdata until it was too late
Analysis paralysis

WHAT WOULD YOU HAVE DONE?

WHAT THEY SHOULD HAVE DONE

Take control of communications
Create a conference call with all of the key decision makers to select a course of action (this includes legal counsel)
Disconnect from the network / contact the ISP / shut down the system
Escalate to a Qdata manager
Analyze the attack in a more detailed manner
Take action!

WERE THE COMPANY'S OPERATING PROCEDURES DEFICIENT IN RESPONDING TO THIS ATTACK?

THE IPREMIER COMPANY CEO, JACK SAMUELSON, HAD ALREADY EXPRESSED TO BOB TURLEY HIS CONCERN THAT THE COMPANY MIGHT EVENTUALLY SUFFER FROM A DEFICIT IN OPERATING PROCEDURES.

IPREMIER'S CURRENT OPERATING PROCEDURES

Follow emergency procedure
Although an emergency procedure plan existed, it was outdated and the plan had not been tested recently.

Contact data center for real-time monitoring, physical access, and procedures for remediation
Although contact was made, physical access to the ops center was initially denied. Qdata's network monitoring staff were incompetent and their key staff were on vacation.

Identify status of critical assets
Unsure about the status of customer and credit card information data.

IPREMIER'S CURRENT OPERATING PROCEDURES

Contact key IT personnel and the processes they should follow
Although key IT personnel were contacted, this did not follow a reporting structure, and senior management were contacted without enough understanding of the situation.

Identify and prioritize critical services

Understand the nature of the attack
Unsure if it was a DDoS or a hack / intrusion or both

Summarize events
Provide summary about current status and next steps.

WHAT ADDITIONAL PROCEDURES MIGHT HAVE BEEN IN PLACE TO BETTER HANDLE THE ATTACK?

IPREMIER HAD THE BAREBONES OF AN OPERATING PROCEDURE THAT WAS NOT ENFORCED NOR FOLLOWED.

ADDITIONAL PROCEDURES

Conference call bridge with key IT personnel, iPremier executives, and key Qdata personnel
Contact ISP for additional help
Document everything, all actions taken with details
Establish contact with law enforcement agencies
Check configurations and logs on systems for unusual activities.
Set up and configure a temporarily unavailable page in case the attack continues for a longer period of time

NOW THAT THE ATTACK HAS ENDED, WHAT CAN THE IPREMIER COMPANY DO TO PREPARE FOR ANOTHER SUCH ATTACK?

HOW TO PREPARE FOR THE FUTURE

Develop and maintain Business Continuity & Incident Response Plan
Establish when the plan should be put into action
Develop clear reporting lines
Know your infrastructure
Know how to work with your infrastructure
Know how to get back to normal

Training and Awareness
Testing
Revisions
Get reputable hosting service

IN THE AFTERMATH OF THE ATTACK, WHAT WOULD YOU BE WORRIED ABOUT?

WHAT ACTIONS WOULD YOU RECOMMEND?

KEY AREAS OF CONCERN

Scope of the Attack:
What data was compromised? (credit card information, customer information, email system)
Was intrusion malware installed onto systems?
Was the attack a diversion attempt to mask criminal activity (e.g. fraud)?
Will another attack occur in the near future?

Business Impact:
Public Disclosure Issues
SEC guidelines for cyber-security risks and events (2011)

Public Relations Issues
Brand
Reputation
Shareholder Confidence

Potential Litigation
Breach of contract
Violation of SLAs

Direct Revenue Loss

IMMEDIATE RECOMMENDED ACTIONS

Assemble an incident response team
Conduct forensic analysis of attack
Document incident details and lessons learned
Adjust plans and defenses (address inadequate firewall)
Hire independent auditor to identify vulnerabilities of current systems and processes
Communicate with appropriate parties (legal, shareholders, customers, vendor, general public & media, regulatory agencies)

CONCLUSIONS

NO IT GOVERNANCE RESULTED IN

Evidence indicating no IS policies, enforcement, support nor protection:
IT infrastructure outsourced to Qdata, paying for 24/7 support yet getting no 24/7 support on January 12, 2009
IT staff expressed poor impression of quality of Qdata service to Bob on October 16, 2008, yet the firm remained outsourced 3 months later
IT staff indicate senior management of firm not interested in spending on improving IT infrastructure
IT staff using company resources for online gaming

