Management’s Role in
Information Security
V.T. Raja, Ph.D.,
Oregon State University
Outline
• Example: iPremier Company (HBR article)
– Background about company
– Business Implications
– Some recommendations for future
• Management’s role in information security
• Framework for a balanced approach to security Example: DDoS attack on iPremier Company
• For a background about the company - refer to
MS Word Document distributed in class.
• Problems at Colocation facility:
• iPremier employees could not get access to
Qdata’s Network Operations Center (NOC)
• Cannot telnet using T1 line which was supposed to permit iPremier employees to connect to Qdata
• Qdata night shift personnel not very responsive to situation and not that competent (no one who knew anything about network monitoring software – except for one individual who was on vacation)
iPremier Example (Continued)
• Unable to determine extent of damage (firewall penetrated? How deep is the penetration?)
• Unable to determine if customer data was stolen
(CIO’s main immediate concern)
• Unable to track (in a reasonable time frame) where
‘Ha, ha, ha’ e-mails received by “support” folks are originating – Even if e-mail is tracked eventually – leads to another “Zombie
iPremier’s Response to Attack: Very Poor
• Try to shut down traffic from “Zombies” – didn’t work – for every zombie that was shut down – two new zombies joined the
“party” automatically
• Shut down Web Server
• Unable to determine if they should call
“Seattle Police” or “FBI”?
iPremier’s Response to Attack: Very Poor
• Unable to determine if they should
“disconnect the communication lines”
• initially CIO and CTO had discussion - may lose logging data that could help them figure out what happened
(preserving evidence to find root cause of problem; and what to disclose publicly);
• later concluded that detailed logs have not been enabled
• Unable to determine if they should call
“Seattle Police” or “FBI”?
iPremier’s Response to Attack: Very Poor
• How to handle PR (before info about security breach leaks out)?
• Unable to decide if all systems need to be rebuilt • What if competitor files a law suit after FBI determined that iPremier computers were performing DoS attack?
• Would system rebuild imply wiping out any remaining proof of iPremier’s innocence?
Some Business Implications for IPremier
• Web server unavailable to legitimate customers
• Unable to determine “Cost of downtime”
• Bad reputation for the business
• Lost customers
• Loss of customer goodwill
• Legal issues if customer data was compromised
• Impact on stock price
• Unknown damages to the network/business?
• Attack stopped after about 75 minutes – without any intervention from iPremier or from Qdata
• What if there was another attack?
Some recommendations for iPremier
• Revisit choice of ‘colocation’ partner
• Although an early entrant in the industry, Qdata lost any prospect of market leadership
• Had not been quick to invest in advance technology • Had experienced difficulty in retaining qualified staff • Create an incident response team
• Enable secure remote access of network management software for security team
Some recommendations for iPremier
• Discuss/implement procedures for:
•
•
•
•
Performing Risk Assessment
Measuring cost of downtime
Filing a complaint with appropriate authorities
Handling PR and legal issues
Some recommendations for iPremier
• Other examples of appropriate
Security/Privacy measures
• More sophisticated firewall
• Cryptography for sensitive data
• Message Integrity algorithms to determine if files have been modified/corrupted
• Enable logging and determine level of logging
• Purchase disk space to enable higher levels of logging
• Updated Virus signature files and security patches
Some recommendations for iPremier
•
•
•
•
•
Design and document recovery plan
Practice a simulated attack
Educate users about security and threats
Hire a good Chief Security Officer
Institute periodic third-party
