The iPremier Compant (A): Denial of Service Attack
Summary of the case: iPremier, a Seattle based company, was founded in 1996 by two students from Swathmore College. iPremier had become one of a few success web-based commerce, selling luxury, rare, and vintage goods over the Internet. Most of iPremier’s goods sell between fifty and a few hundred dollars, and the customer buys the products online with his or her credit card. iPremier’s competitive advantage is their flexible return policies which allows the customer to thoroughly check out the product and make a decision to keep the product or return it. The majority of iPremier customers are high end, and credit limits are not a problem. iPremier had contracted with Qdata, an
…show more content…
1. How well did this company perform during the attack?
The company did not perform as well as they should have been able to. There were multiple areas where problems arose, such as the technical architecture of the IT system, relying only on the 3rd party, Qdata, to monitor their IT infrastructure, keeping out of date manuals, and not maintaining their emergency procedures.
However, some people trying to fix the attack did an adequate job considering the problems the company had. Joanne and Leon Ledbetter did everything in their power to restore the website and protect the customer data, which even included running red lights. Leon was so new that he didn’t know exactly what to do. Training for an emergency would have proven useful. The CIO, Bob Turley, knew of the emergency protocol and out of date manuals, but never did anything to alleviate these problems. This put the company in a significant disadvantage, and created a bigger problem than what was necessary. Faced with this problem, Turley was able to facilitate direction for the company as best as he could, which ended with the security breach stopping.
Even after the attack, when the company did not know whether the customer information, which included credit card information, the company had no intention to announce the security breach to the public. This can be detrimental to the company if customers became
A week after the last security breach, Sony announced to its PlayStation Network users that certain information may have been compromised. Many users were very upset because their personal and financial information had been compromised for over a week and they were unaware. There was a significant delay between when the card information was compromised and when Sony notified its users. Many users who did not give credit card information to Sony were still upset because they use the same login and password for multiple sites, and now their information on other sites may have been accessed without their knowledge. After the breaches, Sony did not just patch the holes in its network security, it had to rebuild from the ground up, further upsetting users by causing the network to be
The Target Corporation has undergone many changes due to the 2013 security breach where hackers stole personal information from credit and debit cards of at least 70 million customers. Target sales and reputation has dropped from this instance, thus eliciting changes in their security systems, changes in management, and a few policy changes in handling customer information. With the public eye on the corporation’s handling of the situation, Target has been communicating these changes through various means. The changes they needed to communicate were informing customers of the security breach, addressing the bad press coverage to shareholders, downsizing of employees, and
The correct measure or solution was to use malware defenses. In this case, vendors should use commercial virus software to check and protect the system as well as employ firewalls and other security measures on the systems used to interact with the vendor (Bejtlich, 2004). By doing that Target would have prevented any unwanted attacks and thus prevent the damages caused by the data breach.
The Target data breach remains one of the most notable breaches in history, it was the first time a CEO of a major corporation was fired due to a security event. The breach received an enormous amount of attention, it caused corporations and individuals to change the way they think about information security and data protection. Between Thanksgiving and Christmas 2013 hackers gained access to 40 million customer credit cards and personal data of 70 million Target customers. The intruders slipped in by using stolen credentials and from there gained access to vulnerable servers on Targets network to launch their attack and steal sensitive customer data from the POS cash registers. All this occurred without a response from Targets security operations center, even though security systems notified them of suspicious activity. The data was then sold on the black market for an estimated $53 million dollars. However, the cost to Target, creditors, and banks exceeded half of a billion dollars. This report will review how the infiltration occurred, what allowed the breach to occur including Targets response, and finally who was impacted by the security event.
In December 2013, Target was attacked by a cyber-attack due to a data breach. Target is a widely known retailer that has millions of consumers flocking every day to the retailer to partake in the stores wonders. The Target Data Breach is now known as the largest data breach/attack surpassing the TJX data breach in 2007. “The second-biggest attack struck TJX Companies, the parent company of TJMaxx and Marshall’s, which said in 2007 that about 45 million credit cards and debit cards had been compromised.” (Timberg, Yang, & Tsukayama, 2013) The data breach occurred to Target was a strong swift kick to the guts to not only the retailer/corporation, but to employees and consumers. The December 2013 data breach, exposed Target in a way that many
This company in the first place began an initiative without gaining proper knowledge on the benefits and cost of this new venture. They had not done the proper research for just how well this venture would work for them. In doing so, they are expected to be ready for anything that comes their way. Any entrepreneur understands that business is just a matter of taking chances. Anything can happen at any time. When this disappointment happens, the leadership should have sat down to evaluate and discuss the options available to them. They should have counted their opportunity cost. If they would have done this efficiently, then it would have been planned to see that several other options were available to them. Instead of pulling out, they should have looked for other implementation methods available. They should have also invested in security software that would ensure customer information safety.
The IT folks couldn’t communicate properly with the business about their ideas and strategy that confused the business and made them reject the ideas that were actually worth trying.
The CEO and the board are responsible for “good business judgment” in guarding against the threat. So Paul’s first mistake was to dismiss the original e-mail message. All IT threats should be taken seriously, and he would have let Jacob Dale know about no IT system is “bulletproof.” Sunnylake should have had a workable, fully tested backup system to ensure uninterrupted patient service and protect everyone affected. Doctors and nurses are trained to diagnose, problem solve, and dynamically treat their patients. IT systems facilitate, but are not substitutes for, patient treatment. The fact that the hospital did not have up-to-date security software installed, or a reliable security outsourcer and an emergency plan in place, is inexcusable.
All the consumers affected were also made vulnerable to subsequent identity theft given malicious attackers stole their personal data. Equifax was directly affected since its stock began to plunge immediately the news was made public. Additionally, the corporate governance of the company was tarnished given three Equifax executives sold shares worth around $2 million days after the breach discovery, and the “retiring” of the chief security information officers is questionable (Surane & Melin, 2017). Also, the company was exposed to litigations with some lobbyists and interest groups pushing regulators to hold Equifax accountable for the negligence and poor treatment of affected consumers. The proposed new data security laws will present a greater burden to other corporations. Two such laws are the Promoting Responsible Oversight of Transactions and Examinations of Credit Technology (PROTECT), and Freedom From Equifax Exploitation (FREE) will attract more government scrutiny and limit the type of personal data that companies can collect from customers (Alperan, Carter, & Sofio, 2017).
There were a number of factors that contributed to the breach, which had they been addressed or had corresponding mitigation responses in place, would have reduced the likelihood that the breach would have taken place, or at a minimum reduce the impact of the attack. These items range from policy related issues, technology implementations, and security management and maintenance. Although I believe a number of these areas were in the process of being addressed, based on the information gathered regarding the details of the incident, it appears that it was still in many areas insufficient and would not have prevented an incident even if there had been more time available to perform the implementations.
Normally, a company would follow emergency procedures while dealing with crises, but in iPremier’s case, there was no emergency procedure available. Under these circumstances, and with no prior experience with security breaches, I believe the company performed well. Bob Turley communicated well with the other members of the company, but if I were in his shoes, I would have been more conservative and acted faster.
Straight after the incident taking place, Ebay didn’t notify their customers of what had happened. Instead the news had leaked out that the company had been under attack from hacktivists. The actions that the company took to patch up the compromise was by investing more money into securing their own servers. This should have been done formally before the incident, however Ebay’s excuse was their IT infrastructure was too big. Ebay carried out additional and through testing after the breach to check if there has been any unauthorised access, but results had shown that there had not been any evidence of unauthorised access (LLP, 2014). Ebay is also looking at different forensic tools and methods to protect their customers
The project did not achieve desirable standards as far as customer requirements, scope, environment and execution were concerned. It was important that the project integrators to ensure customers do not escalate during the implementation of the project, being the first adopters of the software FoxMeyer should have exercised caution by adopting the software in phases rather than implementing the project directly, furthermore, execution was the biggest problem, despite knowing that the project needed skilled personnel FoxMeyer did not train staff during the early stages of the project and had to rely on consultants. Finally the company should have gained control over the project from the start to ensure that all the staff and management were involved but in this case despite knowing that the project would not work as envisaged the management did not take control or stop the implementation of the project.
It’s noticeable how the company’s operations have been deteriorating as they are having a more difficult time translating sales into cash. Their A/R turnover is not where it needs to be, and in line with that, their liabilities are increasing as well. The company has also been inefficient with the use of their assets as their current activity ratios are not up to par with the industry standards.
It is important to note that whether an attack is perpetrated by a hacker group, other corporations or individuals, organizations must always prepare adequately through intrusion detection and prevention systems in place. Data breaches can have very devastating business and social impact to large businesses and their customers – the users. For instance, were Cloudflare attacked by a competing company, their trade secrets could have given the opponents ammunition to take them out of the field. In addition, lost data could influence criminal activity if for instance particular client information, for