Information Security
V.T. Raja, Ph.D.,
Oregon State University
Outline
• Example: iPremier Company (HBR article)
– Background about company
– Business Implications
– Some recommendations for future
• Management’s role in information security
• Framework for a balanced approach to security
Example: DDoS attack on iPremier Company
• For background about the company, refer to the MS Word document distributed in class.
• Problems at the colocation facility:
– iPremier employees could not get access to Qdata’s Network Operations Center (NOC)
– Could not telnet in over the T1 line that was supposed to let iPremier employees connect to Qdata
– Qdata night-shift personnel were not very responsive to the situation and not that competent (no one knew anything about the network monitoring software, except for one individual who was on vacation)
iPremier Example (Continued)
• Unable to determine extent of damage (firewall penetrated? How deep is the penetration?)
• Unable to determine if customer data was stolen (CIO’s main immediate concern)
• Unable to track (in a reasonable time frame) where ‘Ha, ha, ha’ e-mails received by “support” folks are originating – Even if e-mail is tracked eventually – leads to another “Zombie
iPremier’s Response to Attack: Very Poor
• Try to shut down traffic from “Zombies” – didn’t work – for every zombie that was shut down, two new zombies joined the “party” automatically
• Shut down Web Server
• Unable to determine if they should call “Seattle Police” or “FBI”?
iPremier’s Response to Attack: Very Poor
• Unable to determine if they should “disconnect the communication lines”
– Initially the CIO and CTO had a discussion: disconnecting may lose logging data that could help them figure out what happened (preserving evidence to find the root cause of the problem, and to decide what to disclose publicly)
– Later concluded that detailed logs had not been enabled
iPremier’s Response to Attack: