The iPremier DoS Attack
Online websites and businesses face several security threats from hackers who aim to vandalize the website, steal information or, at times, notify the company about weaknesses in its internet security. These threats include malicious code, bots and botnets, phishing and DDoS or Distributed Denial of Service attacks (Laudon K., Traver C., (2010)). iPremier, an online business, faced one of these threats, a DDoS attack. iPremier is a successful online retailer of luxury, rare and vintage goods (Austin, R., (July 26, 2007)). A DDoS attack begins with the hacker distributing bots to several computers and turning those computers into botnets (Laudon K., Traver C., (2010)). A botnet is a computer that is controlled by a hacker to perform activities such as participating in a DDoS attack (Laudon K., Traver C., (2010)). The hacker uses these botnets, or controlled computers, to flood a server with unwanted requests, which slows or shuts down the server's operations (Laudon K., Traver C., (2010)). This can be costly to an online business because customers are unable to access the website, and it can also damage the firm's reputation if the website stays down for long. However, such attacks can also reveal to a company the weak points in its internet security and infrastructure.
The CIO, Bob Turley, was in New York when an employee called to inform him that the website was not working and that they had been receiving numerous emails that said "Ha" (Austin, R., (July 26, 2007)). The CIO called Joanne, the technical operations team leader, to discuss the situation, but she was still on her way to Qdata, where the company servers are located, and did not know what was going on (Austin, R., (July 26, 2007)). She suspected that the actions were caused by a hacker and that the sender of the email was unknown and hard to trace (Austin, R., (July 26, 2007)). Unfortunately, their emergency plan was outdated and they could not remember where the document was kept (Austin, R., (July 26, 2007)). A suggestion was made to call the police or the FBI, but they were concerned about negative publicity (Austin, R., (July 26, 2007)). After a while the CIO called the CTO to get his opinion on the matter (Austin, R., (July 26, 2007)). The CTO rejected the idea of pulling the plug because information about the attack might be lost (Austin, R., (July 26, 2007)). The CEO mentioned that detailed logging was not enabled, so the logs would not provide them with much information (Austin, R., (July 26, 2007)). The legal counsel called as well to provide legal advice on the matter and told the CIO to pull the plug to protect credit card information (Austin, R., (July 26, 2007)). After Joanne arrived at Qdata she was not able to access the NOC for security reasons (Austin, R., (July 26, 2007)). The CEO called a senior person at Qdata and Joanne was allowed access to the NOC (Austin, R., (July 26, 2007)). He discovered that the attack was directed at their firewall and was coming from multiple IP addresses (Austin, R., (July 26, 2007)). She tried to shut off traffic from those IP addresses, but it did not work because whenever one IP address was shut off another one took over, and so on (Austin, R., (July 26, 2007)).
The main concern was whether customer information had been jeopardized or stolen (Austin, R., (July 26, 2007)). At 5:46 AM the attack stopped, and Joanne suggested that they carry out a thorough audit to be sure that customer information had not been stolen and to identify the points of weakness (Austin, R., (July 26, 2007)).
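As an added illustration (not part of the case or of this essay) of why shutting off traffic from individual addresses could not stop the flood, the following Python script runs an aggregate-rate check over constructed firewall log lines; the log format, thresholds and addresses are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed log format (constructed for this example, not Qdata's):
#   "<epoch_second> <ALLOW|DROP> src=<ip> dst=<ip>:<port>"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<action>ALLOW|DROP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.:]+)$")

def parse(log_text):
    """Parse log lines into (second, source_ip) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["ts"]), m["src"]))
    return events

def detect_flood(events, per_ip_limit=20, aggregate_limit=100):
    """One finding per second. A flood spread over many addresses trips the
    aggregate rule while no single source crosses the per-IP limit."""
    per_second = defaultdict(Counter)
    for ts, src in events:
        per_second[ts][src] += 1
    findings = []
    for ts in sorted(per_second):
        by_src = per_second[ts]
        total = sum(by_src.values())
        findings.append({
            "second": ts,
            "total": total,
            "distinct_sources": len(by_src),
            "per_ip_triggered": by_src.most_common(1)[0][1] > per_ip_limit,
            "aggregate_triggered": total > aggregate_limit,
        })
    return findings

def rate_after_blocking(events, second, blocked):
    """Requests in `second` that survive a block list: dropping a few addresses
    barely dents a flood spread over many sources, as Joanne observed."""
    return sum(1 for ts, src in events if ts == second and src not in blocked)

def build_sample_log():
    """Constructed sample: second 1000 is normal traffic from two clients;
    seconds 1001-1002 carry 8 requests from each of 40 sources (320/s)."""
    lines = [f"1000 ALLOW src=198.51.100.{i} dst=192.0.2.10:443" for i in (1, 2, 1, 2, 1)]
    for ts in (1001, 1002):
        for host in range(1, 41):
            lines += [f"{ts} ALLOW src=203.0.113.{host} dst=192.0.2.10:443"] * 8
    return "\n".join(lines)
```

Running detect_flood(parse(build_sample_log())) flags seconds 1001 and 1002 on the aggregate rule only, since each source stays under the per-IP limit. Blocking three of the forty sources still leaves 296 requests in that second, which is the "another one takes over" effect described above.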
During the attack it was obvious that the employees were shocked by the security threat. They did not know what to do, they had never faced a security threat before, and they did not have a usable emergency plan. The employees communicated through phone calls, and no one knew what needed to be done or what was happening. Also, there was no proper emergency communication channel with Qdata, which led to the technical team leader being denied entry to the NOC. The team reacted well to the situation despite having no structured plan for facing the problem. They tried to solve the problem through intuition and experience because there was no plan. They worked hard, and the top managers were woken in the middle of the night to solve the crisis. However, looking at the overall situation, there was no systematic process for solving the problem; instead they relied on intuition and experience.
If I were Bob Turley, the CIO, the first person I would have contacted is the CTO, and I would have cancelled the meeting in New York and gone to the company if possible. If it was not possible to find a flight, I would have instructed Leon to get the emergency plan and work from it. Although it is outdated, I would try to modify it as much as I could to match the current situation, which could be useful. Also, I would stay in close contact with the CTO and Qdata to solve the problem faster. Some service providers do not respond to customers quickly and require the customer to call them over and over until they perform the request. In addition, after the attack was over I would have called an emergency meeting to assess the current situation and the company's technological infrastructure, determine what information has been or could have been jeopardized, and discuss the modifications to the emergency plan.
After the attack the company should be worried about customer information, especially credit card and transaction information. Another concern is that the attack might have gone further and installed a bot on one of the servers. If this has happened, the servers might be used for another attack and iPremier would be held responsible. Also, the infrastructure and security are not effective against threats, so using Qdata as the website host must be changed. Moreover, I have to be sure that there has not been any leak, because if the customers learn that the website was hacked they may never deal with the company again. They may not understand that these things happen and that security threats occur almost all the time; many people are not familiar with the term "Cyber War".
The company should create a backup customer and transaction database that is disconnected from the internet to prevent it from being attacked from the outside. It is an online business, so the customers and their transaction information should be well protected from any attack. I would recommend that not all of the website and its information be outsourced. The server, website design, and website-related information can be outsourced, but the customer and transaction information should be handled internally for more control. They have to find another host, other than Qdata, with more capabilities and more advanced technology to handle their operations and protect them from further attacks. Also, I must have a full understanding of the situation so that if there is any leak to the press I can answer their questions and find a way to assure the customers that their data is safe.
In conclusion, iPremier is an example for every online business. They did not expect that an attack might happen and were very confused when it actually did. What online businesses should learn from iPremier is that an emergency plan is critical for any business. Also, they should know that there is no single perfect security system that can protect them from all kinds of attacks. They should keep in mind that since people created these security systems, people are also able to break through them.
Do we need a new security system?
What kind of hardware do we need for the new security system?
Who knows the most about the company’s technological infrastructure?
Who will handle the operation of the new security system?
Does the new security system require a relocation of our servers?
What hardware components need to be changed to install the new security system?
What parts of our company’s software will be affected?
Do we need any new software for the new security system?
Who will be affected by installing a new security system?
Who needs to be trained in order to adapt to the new system?
Does the geographical location of our company affect the installation of the new system?
Will the new security system have the functionality we need?
Does the new security system require a minimum bandwidth?
Can the current network handle the operations of the new security system?
Who will have access to the security system network?
Will anybody need access from outside the company's physical boundaries?
What are the security threats in the company’s current technological architecture?
Where will the company locate the necessary components of the new security system?
Will the current data formats be compatible with the new security system?
Which formats need to be changed?
Who will have access to the data provided by the system?
Who will be responsible for backups, and to whom is access limited?
Where does the current architecture face problems with regard to data flow?
Does the company need to change its current storage devices for the new security system?
Austin, R. (2007, July 26). The iPremier Company (A): Denial of Service Attack. Harvard Business School.
Laudon, K., & Traver, C. (2010). E-commerce 2010 (6th ed.), chapter 5. Pearson Education.