FACTS
Summary of iPremier
• Founded in 1996 by students at Swathmore college
• One of a few web-commerce success stories • Sells luxury, rare, and vintage goods online
INTERNET RELIABILITY IS CRITICAL!!
• Fiscal Year 2006
• Profits were $2.1 million
• Sales of $32 million

QData
• Steady provider of:
• basic floor space
• power
• connectivity
• environmental control
• physical security and
• high-level “management services”
• Hosted most of iPremier’s computer equipment
• “Colo”
• QData’s hosting facility close to office
• Network Operations Center (NOC)
• Secured Monitoring Location
• Qdata had not been quick to invest in advanced technology and had been experienced difficulty in retaining staff
PEOPLE
BOB Turley- CIO
Joanne Ripley – technical operations team lead
Wanda Spangler – VP business developments
Leon Ledbetter – Ops
Jack Samuelson – CEO
Tim Mandel – CTO
Peter Stwart – legal counsel
• 4:31 AM: Leon Ledbetter reports the website is locked up, customer support is receiving calls and support has been getting
“ha” emails.
•  5:27 AM: Joanne Ripley realized shortly after she reached a Qdata console that iPremier was the recipient of a SYN flood from multiple sites that was directed at the router that runs the firewall.
• “Ha” emails received every second iPremier’s Choices
• At the time of the attack, pull the plug?
• Could lose logging data
• Only way to assure credit card data is not being stolen
• After the attack: rebuild the system? • Would shut down business for, at a minimum, 24-36 hours
• “The only way to be sure”
Ending The Attack
 Every time Joanne tried to shut off the attacking IP address it would automatically trigger attack from two other “zombie” sites  The emails stopped at 5:46 AM

Aftermath actions iPremier instituted several security measures after the DoS attack:
• Restarted all production equipment
• File-by-file examination
• Plan to move to more modern hosting facility • Created an incident-response team
Backup and redundancy planning and testing / disaster recovery
• Encrypt critical customer data
Updated Virus signature files and security patches
• Actively monitor for future attacks
Develop a business continuity plan (test it end to end including suppliers and keep it updated)
Hire an independent audit team who report into the board/ security audit
A risk management program should identify, analyze, evaluate, treat, monitor and communicate the impact of risk on IT processes.
The IT risk framework also has three major domains- risk governance, risk evaluation and risk response.
Develop an IT governance framework
• Unclear of who is in charge of decision making
• Bad relationship with colocation facility
• Poor firewall to prevent intrusion
• No formal internal emergency plan
• Limited information as to what transpired

In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users.

CONCERNS FOR THE COMPANY
Busy growing and protecting its profits and delivering new features to benefit customers
The cost of more modern facilities was considerably higher, two to three times as expensive on a per square foot basis
Move might risk service interruption
Felt personal commitment to Qdata

PROBLEM IS POOR PLANNING ON THE COMPANIES BEHALF

BUSINESS CONTINUITY PLAN
Business continuity planning (BCP) "identifies an organization's exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization, while maintaining competitive advantage and value system integrity

Risk management
Creating a business continuity plan
A BCP typically includes five sections:
1. BCP Governance
2. Business Impact Analysis (BIA)
3. Plans, measures, and arrangements for business continuity
4. Readiness