iPremier and Denial Of Service Attack — Case Study
In a recent Information Management lecture we went through the case of iPremier (read the full case), which is a popular case study from Harvard Business School. It was a made-up case, but the recent high-profile hacking stories (such as Gawker) show that companies are not taking security seriously.
The background is that iPremier suffered a DoS attack in the middle of the night, which caused chaos in the company. After an hour the attack stopped and the company went back to business as normal. Two weeks later another DoS attack, directed at a competitor, was spawned from the company’s server, which proved that their server had been compromised. The FBI became involved, the competitor threatened to sue and the city analysts were thinking of downgrading the stock.
Our role was to come up with recommendations as to how the processes and plans could be improved for the future. Keeping in mind that security is about more than just technology, we needed to brainstorm around people and processes as well.
1. People and processes
- Develop a business continuity plan (test it end to end including suppliers and keep it updated)
- Develop an IT governance framework that includes security in its remit
- Develop clear reporting lines
- Better training for emergencies
- Trust your technical leaders and make sure they have the resources to lead in a crisis
- Make security part of strategy
- Hire an independent audit team who report into the board
- Hire a security and risk expert
- Develop a better relationship with your hosting provider
- Avoid single points of failure. Separate the server stack so that database, web and file servers are not on the same network
- Use a reputable hosting provider with a world class infrastructure and support
- Make sure all your software is up to date
- Use a combination of hardware and/or software firewalls
- Backup and redundancy planning and testing
- Active monitoring
- Strong one-way hashing of passwords
- Use open auth systems such as Facebook Connect
I know there are lots and lots of other things you can do but this was the result of a very quick group collaboration.
The iPremier Company: Denial of Service Attack. Case Analysis
1528 Words, Nov 16th, 2010, 7 Pages
The iPremier Company (A): Denial of Service Attack
Summary of the case: iPremier, a Seattle-based company, was founded in 1996 by two students from Swarthmore College. iPremier had become one of the few successful web-based commerce companies, selling luxury, rare, and vintage goods over the Internet. Most of iPremier’s goods sell for between fifty and a few hundred dollars, and the customer buys the products online with his or her credit card. iPremier’s competitive advantage is its flexible return policies, which allow the customer to thoroughly check out the product and decide whether to keep it or return it. The majority of iPremier customers are high end, and credit limits are not a problem. iPremier had contracted with Qdata, an…
1. How well did this company perform during the attack?
The company did not perform as well as it should have been able to. There were multiple areas where problems arose, such as the technical architecture of the IT system, relying only on the third party, Qdata, to monitor their IT infrastructure, keeping out-of-date manuals, and not maintaining their emergency procedures.
However, some of the people trying to stop the attack did an adequate job considering the problems the company had. Joanne and Leon Ledbetter did everything in their power to restore the website and protect the customer data, which even included running red lights. Leon was so new that he didn’t know exactly what to do. Training for an emergency would have proven useful. The CIO, Bob Turley, knew of the emergency protocol and out-of-date manuals, but never did anything to alleviate these problems. This put the company at a significant disadvantage, and created a bigger problem than was necessary. Faced with this problem, Turley was able to facilitate direction for the company as best as he could, which ended with the security breach stopping.
Even after the attack, when the company did not know whether the customer information, which included credit card information, had been compromised, the company had no intention to announce the security breach to the public. This can be detrimental to the company if customers became