Practice Breach Scenario

It’s important to be able to identify where the weak spots are in an organization’s security so it can be improved.  Read through the background and scenario below and follow along as we pick apart some of the problems the company faces.

iPremier Company’s Denial of Service Attack

Background

iPremier concept – Began in 1996 when Blake Carleton and Rajiv Narayandas were students at Swarthmore College.  After graduation, they moved to Seattle, Washington, secured funding and began operations.  The company went public in 1998.  Their stock tripled with the IPO and almost tripled again in 1999; then came the dot-com bubble.

Year 2000 – iPremier’s stock fell dramatically, but the company still had money from 1999.  The stock eventually stabilized and even climbed again, but not to the pre-2000 levels.  Luckily, they remain one of the surviving companies in the business-to-customer segment of the market.

Pricing – Most products are priced between $50 and $100, but a few items cost thousands of dollars.  Most people pay with credit cards; credit limits on customer charge cards aren’t usually an issue because the customer base is high-end consumers.

Company’s values – Discipline, professionalism, and partnership in pursuit of profits; an intense work environment in which unsuccessful managers don’t last long; a do-whatever-it-takes attitude toward getting projects done on time, especially changes that benefit customers.  The company has grown and is thinly profitable.

IT dept – known as “the dungeon”

iPremier Gang – software guys who play World of Warcraft during working hours against other players

Qdata – The hosting partner iPremier relies on, with weak security; it runs the data center and hardware, and its employees are located nearby.

Characters

Jack Samuelson – CEO

Lydia Dawson – IT intern, now in marketing; understands the technical and commercial sides of the business; gives Bob Turley a tour on 10/16/2008

Bob Turley – Chief information officer (page 4 says “latest CIO”, so must be high turnover)

Blake Carleton – Founder

Rajiv Narayandas – Founder

Leon Ledbetter – IT Ops employee; doesn’t think Qdata is very good

Joanne Ripley – head of IT ops; doesn’t think Qdata is very good either; thinks the company should move to a new facility, but it would be expensive and hurt profits; also suspects iPremier is staying with Qdata because Raj (one of the founders) knows the Qdata founders; management keeps lowering the priority of moving

Warren Spangler – VP of Business Development; starts thinking about PR so the stock doesn’t take a huge hit

Tim – Chief Technology Officer; doesn’t want to pull the power plug because it would destroy evidence of what’s happening

Pete Stewart – legal counsel; calls Turley and says to pull the plug because the company can’t risk having credit cards stolen (there is no chain of command or emergency preparation procedure)

The Story

Leon calls Turley at 4:30 in the morning asking where he is.  Turley is in NY for a Wall Street analysts meeting.  The website has “locked up”.  Leon was doing the systems administration night shift and can’t do anything further from HQ.  Nothing is working.  Customers can’t access the website either and the help desk keeps getting calls.  Leon thinks someone has hacked iPremier.  Support keeps getting emails (~1/second) saying “ha.”  Leon asks Turley to call the data center because the company pays for 24/7 monitoring, but Joanne has already called and is on the way.  Turley asks who could have done it and Leon originally says “impossible to tell”, but it could be the people they played against in WoW.  Turley asks if they’ve started emergency procedures, but Leon doesn’t know where the binder with the security procedure is.

Joanne calls Qdata and they say that there’s no connectivity problem.  Their night shift is on and no one knows what’s going on.  Racing to the data center in her car, running red lights, Joanne’s ETA is 5 minutes.  She doesn’t think the emails can be tracked.  Leon asks if the attackers could be stealing credit cards, but Joanne says there’s not enough information to tell.  Leon suggests disconnecting the communication lines, but Joanne doesn’t want to because it could take a long time for the system to come back up.  The business continuity plan (emergency preparation binder) is out of date.  The company doesn’t keep detailed logs because of the cost of additional disk space; the finance guys didn’t think it was worth it.

Joanne makes it to the Qdata Ops center, but Qdata’s staff won’t let her in.  No one at iPremier knows anything about network monitoring, and that’s what Turley needs in order to see the traffic coming into the iPremier site.  The one person who monitors the network is on vacation in Aruba.  Joanne reboots the web server, but that doesn’t help.  She thinks someone directly attacked the firewall, but she can’t see because it’s Qdata’s equipment, which they refuse to give her access to.

Turley tells Jack to call someone senior at Qdata and tell them that iPremier needs their full and immediate support because they’re giving Joanne the runaround.  Jack says okay and tells Turley that his main priority is to get iPremier back up and running.

Joanne gets into the Ops center at Qdata.  It’s a DoS attack from multiple sources directed at the router that runs iPremier’s firewall service.  The traffic is coming from 20 sites.  She shuts down one “zombie” site and it spawns 10 new sites.  The attack stops at 5:46 am.  Turley recommends that they check everything over and see if they can figure out what happened.  Joanne says that they can resume business as usual.  Turley asks Joanne to write an email that summarizes where she thinks iPremier stands and what should be done.  Turley needs to decide what to tell Samuelson.
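The story above turns on something iPremier never had: a view of the traffic hitting its firewall, so nobody could tell whether the flood was one noisy host or many coordinated sources until Joanne was physically inside Qdata.  The following is an added example, not part of the case or of any iPremier or Qdata system, showing the kind of per-window summary a defender would pull from firewall logs to recognise a distributed flood.  The log format, the IP addresses, the timestamps, the window size and the thresholds are all constructed assumptions.

```python
"""
Added example (not from the iPremier case): summarise constructed firewall
log lines into fixed time windows and flag windows whose request rate AND
distinct-source count both look like a distributed flood.  Requiring both
signals separates "20 sites" from a single misbehaving client.
Log format, addresses, timestamps and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log: 60 s of quiet traffic, then 30 s of flood from 20 sources."""
    lines = []
    base = datetime(2008, 1, 12, 4, 20, 0)  # constructed timestamp, not from the case
    legit = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]  # documentation-range IPs
    # quiet period: one request every 10 seconds, rotating through three clients
    for i in range(6):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} src={legit[i % 3]} dst=203.0.113.5 action=allow")
    # flood: 20 constructed sources, each sending 3 requests per second for 30 seconds
    flood_start = base + timedelta(seconds=60)
    for s in range(30):
        t = flood_start + timedelta(seconds=s)
        for k in range(20):
            for _ in range(3):
                lines.append(f"{t:%Y-%m-%d %H:%M:%S} src=192.0.2.{k + 1} dst=203.0.113.5 action=allow")
    return lines


def parse_line(line):
    """Parse the assumed 'YYYY-MM-DD HH:MM:SS key=value ...' format into (timestamp, src)."""
    date, time, *fields = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    kv = dict(field.split("=", 1) for field in fields)
    return ts, kv["src"]


def summarize_windows(lines, window_s=10):
    """Bucket requests into fixed windows measured from the first log entry.

    Returns a sorted list of (window_start, request_count, distinct_sources).
    Using offsets from the first timestamp keeps the bucketing independent of
    the local timezone, which matters when logs come from a third-party host.
    """
    parsed = sorted(parse_line(line) for line in lines)
    if not parsed:
        return []
    t0 = parsed[0][0]
    buckets = defaultdict(list)
    for ts, src in parsed:
        idx = int((ts - t0).total_seconds()) // window_s
        buckets[idx].append(src)
    return [
        (t0 + timedelta(seconds=idx * window_s), len(srcs), len(set(srcs)))
        for idx, srcs in sorted(buckets.items())
    ]


def flag_distributed_flood(lines, window_s=10, rate_per_s=5.0, min_sources=10):
    """Return the windows that exceed both the rate and the distinct-source threshold.

    A single chatty client can trip the rate threshold on its own; only a
    distributed flood also trips the source-count threshold.  The thresholds
    here are assumptions and would be tuned against a site's baseline.
    """
    flagged = []
    for start, count, distinct in summarize_windows(lines, window_s):
        if count / window_s >= rate_per_s and distinct >= min_sources:
            flagged.append((start, count, distinct))
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    for start, count, distinct in summarize_windows(log):
        print(f"{start:%H:%M:%S}  requests={count:4d}  sources={distinct:2d}")
    for start, count, distinct in flag_distributed_flood(log):
        print(f"FLOOD at {start:%H:%M:%S}: {count} requests from {distinct} sources")
```

Run on the constructed log, the six quiet windows each show one request from one source and are left alone, while the three flood windows each show 600 requests from 20 sources and are flagged.  The design point is the second threshold: keeping a count of distinct sources per window is cheap even when, as at iPremier, full packet logs are judged too expensive to retain, and it is the field that distinguishes a distributed attack from an ordinary traffic spike.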

What Are The Problems? | What Happens Next?

Possible attackers:

  1. The people that the iPremier gang were playing against online in WOW
  2. Script kiddies – Vandals playing with software other programmers have created.  The attack seems too sophisticated for that, even though DoS attack software can be downloaded from the internet.

Problems:

  1. Emergency preparation procedure – outdated, and Joanne (head of dept.) is the only person who knows where it is.
  2. Chain of Command – There’s no chain of command.  Employees are randomly calling each other to get an update on what’s going on.  Employees from different departments are calling Turley, telling him what they believe he should do.  It appears that the CEO doesn’t help at all.
  3. Qdata – iPremier has outsourced hardware, security, and the data center (most likely because of cost issues).  Some of these functions should probably be kept in-house.  Qdata is very incompetent and disorganized, and it appears that iPremier is continuing to work with them, against Leon and Joanne’s judgment, because Raj (one of iPremier’s founders) personally knows the Qdata founders; according to Joanne, Qdata is using weak security measures to protect iPremier.

There are more issues here.  What else do you notice?