The iPremier Company: Distributed Denial of Service Attack


The iPremier Company
DISTRIBUTED DENIAL OF SERVICE ATTACK

BY
ANSHUL SETH (19PGP162)
ELEAUSH RANGKHAWL (19PGP168)
GAURAV OGREY (19PGP174)
HRISHIKESH SAIKIA (19PGP180)
IMTIMONGBA (19PGP181)
JABEZ ROSHAN (19PGP182)
PRASHANT JOHN TOPPO (19PGP201)
Problem Statement
• iPremier was mainly focused on customers' benefit and not on
expanding its facility
• Lack of Back-Up Plan and Emergency Protocol
Background
• iPremier founded in 1996.
• Success story in the web-based commerce industry.
• Online retailer selling luxury, rare and vintage goods.
• Management consisted mostly of young people;
managers were experienced.
• Outsources most of its management of technical architecture to
Qdata.
• On 12th January, 2007, iPremier's website suffered a Denial of Service
Attack.
Background
• CIO Bob Turley was out of town & the situation was not handled in
the best possible manner.
• The colocation facility at Qdata did not have the required personnel to
deal with the problem.
• The standard operating procedures for such emergencies were
unknown & everyone in the company started acting in their own way,
mindful of their own interests only.
• Problem escalation was unstructured & everyone started calling
everyone.
DOS Attack Timeline

4.31 am: Bob receives a call about an attack on iPremier's webserver.
• Discovers from Leon that Joanne is on her way to Qdata.
4.39 am: Joanne contacts Bob & promises to keep him updated on the situation.
• Upper management contacts Bob.
5.27 am: Bob receives a call from the CEO Jack Samuelson.
• Asks the CEO to contact Qdata's upper management to let Joanne get
access to the Network Operation Centre.
5.46 am: The attack stops.
How well did the iPremier Company perform
during the 75-minute attack?
• Because of poor preparation iPremier could only react
• There was no chain of command
• There was no communication plan and no attempt to “pool
knowledge”
• The emergency response “plan” was outdated and useless
• No one escalated the issue with Qdata until it was too late
• Analysis paralysis
What would you have done?
• Take control of communications
• Create a conference call with all of the key decision makers to select a
course of action (this includes legal counsel)
• Disconnect from the network / Contact ISP / Shut the system down
• Escalate to a Qdata manager
• Analyze the attack in a more detailed manner
• Take action!
Were the company's operating procedures
deficient in responding to this attack?
• The iPremier Company CEO, Jack Samuelson, had already expressed
to Bob Turley his concern that the company might eventually suffer
from a ‘deficit in operating procedures’.
What additional procedures might have
been in place to better handle the attack?
• Conference call bridge with key IT personnel, iPremier executives,
and key Qdata personnel
• Contact ISP for additional help
• Document everything, all actions taken with details
• Establish contact with law enforcement agencies
• Check configurations and logs on systems for unusual activities.
• Set up and configure a “temporarily unavailable” page in case the
attack continues for a longer period of time
Now that the attack has ended, what can the
iPremier Company do to prepare for another such
attack?
• Develop and maintain a Business Continuity Plan
• Incident Response Plan (IRP): Address issues like cybercrime, data
loss, and service outages that threaten daily work.
• Disaster Recovery Plan (DRP): Set of procedures to execute an
organization's disaster recovery processes and recover and protect a
business IT infrastructure in the event of a disaster.
• Develop clear reporting lines
• Training and Awareness to get back to Normal
• Need to find a better internet service provider if Qdata fails to update
its infrastructure and technology
In the aftermath of the attack, what would
you be worried about?
• Public Disclosure Issues
• Public Relations Issues
• Brand and Reputation
• Shareholder Confidence
• Direct Revenue Loss
Immediate Recommended Actions and
Conclusions
• Assemble an incident response team
• Conduct forensic analysis of attack
• Document incident details and lessons learned
• Adjust plans and defenses (address inadequate firewall)
• Hire independent auditor to identify vulnerabilities of current systems
and processes
• Communicate with appropriate parties (legal, shareholders,
customers, vendor, general public & media, regulatory agencies)
