Ipremier and Denial of Service Attack – Case Study
In a recent Information Management lecture we went through the case of iPremier (read the full case) which is a popular case study from Harvard Business School. It was a made up case but the recent high profile hacking stories (such as Gawker) show that companies are not taking security seriously.
The background is that iPremier suffered a DOS attack in the middle of the night which caused chaos in the company. After an hour the attack stopped and the company went back to business as normal. Two weeks later another DOS attack was spawned from the company’s server directed at a competitor which proved that their server had been compromised. The FBI became involved, the competitor threatened to sue and the city analysts were thinking of downgrading the stock.
Our role was to come up with recommendations as to how the processes and plans could be improved for the future. Keeping in mind that the security is about more than just technology we needed to brainstorm around people and processes as well.
1. People and processes
Develop a business continuity plan (test it end to end including suppliers and keep it updated) Develop an IT governance framework that includes security in its remit Develop clear reporting lines Better training for emergencies Trust your technical leaders and make sure they have the resources to lead in a crisis Make security part of strategy Hire an independent audit team who report into the board Hire a security and risk expert Develop a better relationship with your hosting provider
2. Technology
Avoid single points of failure. Separate the server stack so that database, web and file servers are not on the same network Use a reputable hosting provider with a world class infrastructure and support Make sure all your software is up to date Use a combination of hardware and or software firewalls Backup and redundancy planning and testing Active monitoring
The background is that iPremier suffered a DOS attack in the middle of the night which caused chaos in the company. After an hour the attack stopped and the company went back to business as normal. Two weeks later another DOS attack was spawned from the company’s server directed at a competitor which proved that their server had been compromised. The FBI became involved, the competitor threatened to sue and the city analysts were thinking of downgrading the stock.
Our role was to come up with recommendations as to how the processes and plans could be improved for the future. Keeping in mind that the security is about more than just technology we needed to brainstorm around people and processes as well.
1. People and processes
Develop a business continuity plan (test it end to end including suppliers and keep it updated) Develop an IT governance framework that includes security in its remit Develop clear reporting lines Better training for emergencies Trust your technical leaders and make sure they have the resources to lead in a crisis Make security part of strategy Hire an independent audit team who report into the board Hire a security and risk expert Develop a better relationship with your hosting provider
2. Technology
Avoid single points of failure. Separate the server stack so that database, web and file servers are not on the same network Use a reputable hosting provider with a world class infrastructure and support Make sure all your software is up to date Use a combination of hardware and or software firewalls Backup and redundancy planning and testing Active monitoring