THE iPREMIER COMPANY (A): Denial of Service Attack
By
Robert Austin
DPDN
Brian Dyrud
Jennifer Paterson
Paul Davidson
Lindsay Neal
BACKGROUND:
iPremier, a Seattle-based company, was founded in 1994 by two students from
Swarthmore College. iPremier had become one of the only success stories of web-based
commerce, selling luxury, rare, and vintage goods over the Internet. Most of iPremier’s
goods sell for under $200, and the customer buys the products online with his or her credit
card. iPremier’s competitive advantage is its flexible return policy, which allows the
customer to thoroughly check out the product and decide whether to keep it or
return it. The majority of iPremier customers are high end and credit limits are not a
problem, which also adds to the competitive advantage of utilizing their entire customer
base. During 1999 the company reached a profit of $2.1 million on sales of $32 million.
Sales had increased by 50% during the last three years and were on an upward trend.
iPremier’s stock nearly tripled after the company’s Initial Public Offering in 1998 and
had continued to grow since the IPO, and eventually the stock tripled again. iPremier was
one of the few companies to survive the technical stock recession of 2000.
Management at iPremier consisted of young people who had been with the company
from the start and a group of experienced managers that were brought in over time as the
company grew. iPremier’s working environment was dynamic with strong governing
for achieving profits.” The company had a strong orientation to “do whatever it takes” to
iPremier with most of their computer equipment and connectivity to the Internet. Qdata
was not an industry leader and was selected because it was located close to iPremier’s
company headquarters and had been serving iPremier throughout the course of its new
and developing business. Qdata did provide basic floor space, power, connectivity,
environmental control, and physical security, and offered some high-level management
services such as monitoring of web sites for customers (at its Network Operations Center)
and Internet security services such as firewall protection. However, new technologies
were being utilized at many companies while Qdata did not take advantage of these new
architecture services to a more suitable supplier, but had not done so because the
company was focused on growth, minimizing costs and avoiding a service interruption to
its customers.” iPremier had recently hired Bob Turley as CIO. As the case begins, Mr.
Turley is about to find out firsthand about iPremier’s security issues.
Theme:
On January 21, 2001, iPremier’s Web servers were brought to a standstill. A denial-of-
service (DoS) attack had occurred. A DoS attack “is a flood of packets that consumes
network resources and causes gridlock.” The gridlock in turn prevents users from
using online services, which is the origin of the term denial-of-service. An
attack may originate from one machine (DoS) or from numerous machines
(distributed DoS, or DDoS). The machines involved in a DDoS attack are
called zombies and are geographically distributed. Loss of service can occur by
DDoS attack is easily accomplished by the use of script kiddies and hacker websites.
Hackers launched the attack on iPremier. Luckily for iPremier, this was only a denial-of
competitor trying to disrupt service. The attack could have been a lot worse. iPremier’s
customers pay for their purchases with credit cards, and the company keeps a database containing
all credit card information on its customers. The credit card database is advantageous
leaves them vulnerable to an attack by hackers. If a hacker had obtained total access to
their system, customer credit card numbers could have been in jeopardy.
and hackers. Computer misuse can lead to a breach of security, which can in turn lead to
a financial loss. This can occur through a loss in profits and a loss of confidence by
customers and shareholders. In the last few years, the Internet has brought security
threats that were not as prevalent a few years ago. The extensive use of the Internet has
and denial-of-service attacks. With each new company that develops web sites to
advertise their products online, there is a corresponding increase in attacks by those who
want to harm a company’s reputation or steal its resources. The honest nature of the
Internet has created an environment in which hackers can take advantage of security
INTEGRATION:
Eastman Kodak:
Eastman Kodak, in 1984, reorganized their company into 29 individual business entities
under four main business branches: Photography, Commercial & Imaging Group,
Chemicals, and Health. In 1986 Kodak encountered a lawsuit with Polaroid and had to
cut employment and their operating budget. Kodak then plunged into new businesses in
biotechnology and office equipment in 1989. In spite of the new business ventures,
Kodak’s profits fell 85% in the second quarter of 1989. Based on per-employee sales,
Kodak was 67% below its archrival Fuji Photo Film Company.
(PIP) was the way Kodak would reclaim its competitive advantage. In January of 1988
Colby Chandler, CEO, created Corporate Information Systems (CIS) and appointed
Katherine Hudson as vice president and head of CIS. Hudson went through the IT
services and with a portfolio analysis examined the strengths and weaknesses of the IT
function. If value was found in the function it was kept in place; however, if value was
not found, the function was removed or outsourced. Outsourcing is defined as “the act of
purchasing goods and services from an outside supplier” (Russell and Taylor 279).
Kodak set up alliances with partners that were constantly changing. As the needs and
Kodak and their IT team came up with the slogan “Partnership in the Innovation Process
(PIP).” This enabled Kodak to effectively communicate with their outsourcing partners.
Each PIP team adopted a code name for their data center. For example, BlueStar
from all areas of Kodak’s business sectors. The PIP teams reported to a steering
committee that contained executives from Kodak, and the steering committee offered
advice to the PIP teams. PIP teams used a five-step process on how they would identify,
select, negotiate, and implement outsourcing alliances (Applegate, Montealegre 5). The
implementation of PIP allows Eastman Kodak to effectively choose the best outsourcing
alliance and adapt to the constant changes partners undergo. Kodak’s decision to cut
businesses that were losing value and outsource the others helped to regain some of their
competitive advantage. The decision to outsource had been a good one, considering there
were cost savings of 18% in Kodak’s data services, telecommunications, and personal
Both Kodak and iPremier used outsourcing in their businesses. iPremier used Qdata to
provide their technical architecture, and Kodak was redefining their outsourcing services
with the implementation of PIP in selecting potential outsourcing clients. Kodak was not
having security problems as in the case of iPremier. But they both realized that their
learned the hard way with a denial-of-service attack that they needed to find a more
British Columbia government faced when creating a Pharmanet network. The purpose of
Pharmanet was to create an electronic network connecting all of the pharmacies in the
province. The network would allow pharmacists access to all of a patient’s prescription
records regardless of where the patient had the prescriptions filled. The idea was to
prevent improper drug interactions, prevent fraud, and reduce paperwork. However,
many issues regarding patient confidentiality and IT security evolved. This case is similar
to iPremier in that IT security was a major concern that had to be addressed to ensure
iPremier had to address, Pharmanet also had to address the security of the personnel who
The biggest critics of the Pharmanet network were the Information and Privacy
Commissioner, the British Columbia Civil Liberties Association, and the British
Columbia Freedom of Information and Privacy Association. They felt that the system was
“function creep”, and the mandatory nature of it. Critics feared that, with all of this
confidential information available to pharmacists, some would use it for unethical or
illegal reasons. The information could be used to report drug abusers to the authorities or
concerns, there were many concerns regarding the security and integrity of the
Several security measures had to be developed in order to deal with the privacy concerns.
First, data was to be encrypted before being transmitted over the phone lines. Pharmacists
would need to enter a personal password to access the system, and they would need to
change their password every 42 days. Second, consumers could put a password on their
files so that only the pharmacies that they gave the password to could access their files.
Finally, a data trail would be created every time a file was accessed, recording
who accessed it and the time they accessed it. This information could be provided to the
consumer upon request. There would be penalties for pharmacists caught engaging in unethical
practices.
Lands’ End:
One of iPremier’s competitive advantages is its flexible return policy, which allows
the customer to thoroughly check out the product and decide whether to keep the
product or return it. Lands’ End also has a very flexible return policy: if a customer isn’t
completely satisfied, they can return the item for only the cost of the shipping. In addition,
the customer is offered a discount on any new customized item. Lands’ End encourages
feedback from its dissatisfied customers, and uses this information to make
provider that is located in close proximity. The act of using a business to host an internet
Qdata, a company that hosted most of the computer equipment and provided connectivity
to the Internet. In addition, they provided monitoring of the iPremier website and some
security services such as firewall service. However, iPremier felt that Qdata was
unwilling to invest in technological advancements. Lands’ End and Berbee, Lands’ End’s
outsourcing partner, have a far more competitive relationship. Both Wisconsin companies
say the fact that they have grown larger together and their geographic proximity to one
facilitate running the landsend.com site, which is colocated and co-hosted by the two
companies. Finally, although not discussed in the article, Lands’ End has to address
Dell:
When Dell first introduced the Dell Direct Model, IT security was not as big of an issue
as it is today. Before Dell’s use of the Internet to receive orders for PCs, the primary
security risk would have been internal to the firm. For instance, a disgruntled employee
might smuggle proprietary technology data off of Dell’s premises to sell to a competitor.
Now, however, with customers spending over 30 million dollars per day through Dell’s
selling its products through retail chains such as Best Buy, Circuit City and CompUSA.
This became even more apparent in 1993 when Dell realized its first operating loss was
due in part to selling its products through these channels. The Dell Direct Model took an
entirely new approach to selling PCs. Instead of having the consumer come to a retail
store and pick out an already configured system, the consumer could contact Dell directly
and place an order for a customized PC. For several years, this direct contact came in the
form of a telephone call from the customer, but then in 1996 Dell introduced Dell Online,
which gave the consumer the ability to configure and purchase a PC from the comfort of
While Dell Online became very successful, a new door was opened for hackers and
computer criminals to come through and commit a number of frauds. Dell, like many
other companies that do business online, would have to put hardware and software
security measures in place to protect not only its own financial and proprietary data,
but primarily to protect its customers. As listed in Dell’s online policies, Dell enlists a
number of measures to ensure data privacy and integrity while their customers are
shopping online. First, Dell uses positive identification to enable a customer’s Internet
browser to confirm the Dell Store's identity before any transmission is sent. Secondly,
Dell uses data encryption so that even if a data transmission were intercepted the data
would be very difficult to decrypt and read. To give the customer added confidence in
shopping online with Dell, Dell has implemented The Dell Secure Shopping Guarantee
which states that “In the unlikely event that your credit card company holds you liable for
dell.com, Dell will cover your liability up to $50 (the maximum you can be held liable
for).”
Providian Trust:
The Providian Trust: Tradition and Technology case study describes a company which
was rich in tradition, experience, and a high level of customer service, but was void of
advantage. The company was in need of a dramatic redesign of its business processes
mechanism.” The technology to be used was an asset management system by Select One
with its competitors, for instance the use of the Internet to allow clients access to
statements and reports of their holdings, Providian would also have to put in place IT
security measures to keep the firm and its clients safe from fraudulent electronic attacks.
Dating from World War II, Vandelay Industries is an $8 billion corporation that
manufactures and distributes industrial equipment, which is in turn used with the
production of rubber and latex. Vandelay also has plants in various locations across the
world. Until recently, Vandelay allowed each of its business units to actually “run
itself”. This meant that each location used its own system and methods for conducting
business. As long as the particular business unit was successful, they were left to do
whatever they pleased. For example, when a Vandelay employee transferred from one
business unit to another, his/her employee record had to be reentered in the other business
unit, due to incompatible human resources software. The only corporate-wide integrated
system was the financial information systems. To fix this problem, Vandelay realized the
need for a single ERP system to unite all of its current fragmented IT systems. This
would enable Vandelay to coordinate the practices of all the business units and manage
Vandelay units more tightly than ever before. This case dealt with the implementation of
an ERP system, and therefore, does not integrate well with the iPremier case.
Springs:
Springs Industries is a $2.2 billion textile company that mostly produces home
furnishings we know as Springmaid and Wamsutta and has licenses with Disney, Liz at
Home and Bill Blass. Some of Springs’ largest customers are Wal-Mart, Kmart, and
Target. Some products they now produce are towels, bath rugs, shower curtains,
bedding, window coverings, and some baby products. In order for Springs to grow and
expand their product lines into some of these complementary divisions, they began
implemented a point of sale data system (POS) and a vendor managed inventory system
(VMI). Both of these new IT systems allowed Springs to better fill their customers’ needs
and to do it more quickly. Although not addressed in the article, Springs would have to
address IT security issues since they stored so much vendor information on a network.
SUMMARY/RECOMMENDATIONS:
Bob Turley had a hard lesson to learn about the idea of taking security for granted. Most
executives learn this same lesson the hard way. iPremier had planned on moving their
computing services to another location; however, they had not ranked that as their top
priority. In fact, iPremier had even turned off their logging capabilities because running
them would result in a 20% drop in performance. iPremier needs to realize the importance of
security, especially in the e-commerce world where there is unlimited access through the
Some changes need to be undertaken to effectively solve their security problem. Their
existing contract with Qdata needs to be renegotiated. This will allow employees at
iPremier to act as consultants for Qdata and help them upgrade their existing system. The
consulting time will be an added cost; however, it is far less expensive to consult
than to hire another outsourcing client. Another key recommendation is for iPremier to
separate its webserver from its critical system; this will help to eliminate access to
iPremier needs to develop a plan of attack in case they undergo a DoS attack again. By doing so,
they can have a strategy to implement before, during, and after a denial-of-service attack. If
their plan is effective, system downtime will be decreased, and vital information will be
secure again in a timely manner. Also, when an attack occurs, iPremier needs to have an
expert to call to effectively walk top-level executives through the process of getting their
system up and running. Finally, iPremier’s current firewall needs to be revamped with the
addition of a filter or sniffer, to successfully inhibit information packets that will initiate a
DoS attack.
TAKE-AWAYS:
measures are in the form of firewalls and intrusion detection software. If need be,
companies should solicit third party vendors to provide security systems for their
passwords often and not to leave passwords lying around for others to use. It only takes
an industry such as the one iPremier is in, that one incident could be fatal, resulting in
them joining the ranks of other failed “dot-com” companies. The iPremier case shows
managers and executives for their business careers by demonstrating the importance of
security. It proves the point that cutting corners to save money is a risky endeavor.
Security is one aspect companies should not neglect. iPremier was lucky in that an
amateur had taken their security system hostage. If a professional hacker had obtained
their system, their customers’ credit database would have been in jeopardy.
KEY TERMS:
Router: a hardware platform that routes traffic across internal networks and the
Internet.
Script kiddies: relatively unsophisticated hackers who use automated routines
(“scripts”) written by other, more sophisticated hackers. These scripts are generally
available to anyone willing to spend a little time searching for them on the Internet.
Secure shell access: allows authorized users to remotely access a computer via an
encrypted connection. Without such access, connecting remotely to the computer would
require sending information across the network in a format that could be intercepted and
Rangan, Kasturi and Marie Bell. Dell Online. Harvard Business School: Boston, 1998.
Russell, Roberta and Bernard Taylor. Operations Management. 4th ed. Prentice Hall: New
Jersey, 2003.
Applegate, Lynda and Ramiro Montealegre. Eastman Kodak Co.: Managing Information
Systems Through Strategic Alliances. Harvard Business School: Boston, 1995.
Austin, Robert. The iPremier Company (A): Denial of Service Attack. Harvard Business
School: Boston, 2001.
www.captusnetworks.com Accessed on 11/16/2003.
www.ncr.com Accessed on 11/16/2003.
McAfee, Andrew. Vandelay Industries, Inc. Harvard Business School: Boston, 1998.
McFarlan, Warren, and Melissa Dailey. www.springs.com. Harvard Business School:
Boston, 1998.