
Centers for Disease Control and Prevention

CDC Security Program

Giovanni, Patrick, Abdul, Mohamed, Abhinav

4/30/15


Levels 0, 1, and 2

Physical

For these levels not much security is needed. The front door of the business and the welcome desk of the CDC should be sufficient to ensure that those entering the business building are workers who are supposed to be there. If they are not employees of the business, they will not be permitted access to either that LAN or the Business LAN.

Network

All attempts at network access will be audited and monitored. Access to secured data will be controlled by administrators. Basic internet access will be provided on a separate network from the secured data. The network closet will house a Cisco UCS 5108 Blade Server Chassis, Cisco's first blade-server chassis offering; it is six rack units (6RU) high, mounts in an industry-standard 19-inch rack, and uses standard front-to-back cooling. A chassis can accommodate up to eight half-width or four full-width Cisco B-Series blade servers. This is where the fiber provided by the ISP is terminated, converted and distributed through the chassis. The blade server will be connected to a router with ACLs that control the data flowing in and out of the network. The closet will have two UPSs. The switch will have 24 ports configured for VLANs, and secure shell (SSH) will be configured for VPN use. A Cisco firewall will also be in the network closet, configured to monitor specified traffic entering and leaving the network. An inline sensor will be inserted into a network segment so that all the traffic it monitors must pass through the sensor. An inline sensor works by combining NIDS sensor logic with another network device, in this case the firewall. The NIDS will be placed inside the external firewall.


Wireless

The wireless network will be turned on, and an SSID with WPA2 encryption will be set up for the business. VPN tunnels will also be set up so that employees can access the network when working from home. The VPN is used to identify and authenticate the employee, and it encrypts the traffic from a client system to the enterprise network or from one site to another, which prevents sniffing attacks. IPsec and SSH are the protocols used to create the virtual private network and encrypt all traffic flowing in both directions.

PMMD

At this level, users must have permission before using portable media to connect to the system. This requires login information, such as a passcode or a username and password; the system then checks whether the user is legitimate, and if the login information is correct, the system allows the portable media to be used.

After that, the transferred data will pass through the kiosk for scanning and transfer between the levels.

Level 3

Physical

The assets in this level will be physically isolated from the rest of the facility. This ensures that access to this level remains limited to those with the authority to enter. Because they are separated, we need to implement different security methods to limit access.

This level requires more security than the prior levels. To gain access to the assets located in this level, workers first need a keycard. The keycard system that will be used is the Cobra Controls PRX-5R, which uses RFID key cards to allow access into the room. Every time someone swipes into the room, their name will be logged along with the timestamp when the card was used. If someone tries to enter the area without swiping a card, building security will be notified immediately. Building security will also be notified if a key card is used that does not have access to that area at all, or not at that time.

On top of the key cards being required for access, the Cobra Controls CC-3800-EM will be used to add passcode functionality to the key card. This allows a cross-check between the card being used and the passcode being entered. This way, if someone who should not have access to this level acquires someone else's card, security will be notified when the passcode entered does not match the card being swiped.
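The door rules described above (log every swipe, alert on entry without a swipe, on a card with no rights to the area or to the time of day, and on a passcode that does not match the card), written out as an added decision function. This is example code, not part of the original plan or of any Cobra Controls product; the card register, holder names and PINs are constructed sample values.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed card register for this example: card id -> holder, areas the card
# may open, permitted hours, and the passcode paired with the card.
CARDS = {
    "C-1001": {"holder": "analyst-a", "areas": {"L3"}, "hours": (time(7, 0), time(19, 0)), "pin": "4821"},
    "C-1002": {"holder": "analyst-b", "areas": {"L3", "L4"}, "hours": (time(0, 0), time(23, 59)), "pin": "9035"},
    "C-1003": {"holder": "visitor", "areas": set(), "hours": (time(9, 0), time(17, 0)), "pin": "0000"},
}

@dataclass
class Decision:
    granted: bool
    log_entry: str                                # name and timestamp, recorded for every swipe
    alerts: list = field(default_factory=list)    # messages sent to building security

def evaluate_door_event(area, card_id, pin, at, entry_without_swipe=False):
    """Apply the level-3 door rules: log every swipe; alert security on entry
    without a swipe, on a card with no rights to this area (at all, or at this
    time of day), and on a passcode that does not match the card."""
    stamp = at.isoformat(timespec="seconds")
    if entry_without_swipe:
        return Decision(False, f"{stamp} {area} ENTRY-WITHOUT-SWIPE", [f"forced entry at {area}"])
    card = CARDS.get(card_id)
    if card is None:
        return Decision(False, f"{stamp} {area} unknown card {card_id}", [f"unknown card at {area}"])
    log = f"{stamp} {area} card={card_id} holder={card['holder']}"
    alerts = []
    if area not in card["areas"]:
        alerts.append(f"{card['holder']} has no access to {area}")
    start, end = card["hours"]
    if not start <= at.time() <= end:
        alerts.append(f"{card['holder']} outside permitted hours for {area}")
    # Constant-time comparison so the check leaks nothing about the stored passcode.
    if not hmac.compare_digest(pin, card["pin"]):
        alerts.append(f"PIN mismatch for card {card_id}")
    return Decision(not alerts, log, alerts)
```

Every swipe produces a log entry whether or not the door opens; only the alert list decides whether building security is paged.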

Thermostats will have to be in the room to maintain a cool temperature for the servers. We will be using a digital thermostat that has no wireless capabilities and no USB connections. For added protection, the thermostats will also be locked up to keep anyone from tampering with them in any way.

Network - This level will consist of multiple devices: servers, admin workstations, and printers. Once the PMMDs pass through the kiosk, the confidential data will be plugged into a USB port on the servers. These USB ports will have a lock on them and will require a password to complete the data transfer. The server will have an admin password and will lock out the user after 2 failed login attempts. Once logged in, the admin will review the confidential data and will have another admin with them at all times. The admin workstations will be connected to the servers by CAT6 Ethernet cables, and the link will be half duplex from the server to the admin workstations. FTP will be the protocol used to transfer the data from the server to the admin workstation. The printer will not have any USB ports and will also have wireless turned off. PMMDs will be partitioned while being used, which helps mitigate the threat of an inside attack on the administrator workstation. The server and admin workstations will use SSDs to mitigate data recovery, will be locked down to application whitelisting, and will use biometrics on the workstations. The server will hold temporary data until it is transferred to level 4.

Wireless

In this level, wireless will not be allowed; the wireless NICs will be physically removed from the assets.

PMMD

The administrative workstation and the antivirus kiosk will be logically separated from level four, the high secured area, and will contain SolarWinds SIEM software. To mitigate the portable media device (PMMD) threat, the only means of transferring data between the high secured area and the secured area will be company-owned portable USB devices. These devices will be color-coded based on area level: High Secured Area: red, Secured Area: green, Business Area: blue. To move information between levels, you must sign out a USB device, and it must be run through the antivirus kiosk upon entry to and exit from each level. Data from the business area will never be allowed into the high secured area (level 4), or vice versa. This kiosk will use a 16-core virus scan.

Level 4

Physical

This level will once again be physically isolated from the lower levels. This level contains the high security assets, so the level of security needs to be higher than that of the other levels. This will be done in a few different ways.

First, all of the ways we are restricting access to the assets in level 3, utilizing both the keycard and passcode, will remain. Thermostats will still be needed inside the facility, so the same safeguards will be in effect at this level as in level 3. These are good initial steps to begin screening everyone who enters. To expand on this, we need to add biometrics. The plan is to use fingerprint scanners. We will be using a Cobra Controls FPR-700 Biometric Reader to scan fingerprints, because it provides two-factor authentication that requires both a fingerprint and a PIN. This will take the place of the PIN code being required with the key card, since the PIN does not need to be entered twice.

Next, any time an outside vendor needs to be let in, or someone without the proper clearance from a lower level needs to be let into the high security asset area, they need to be chaperoned at all times by someone with the proper clearance. This ensures that when someone enters the area they are not tampering with any of the data contained on the servers. Also, before anyone is let into the server room they need to have a background check completed, so notice is needed so that arrangements can be made. Vendors who need to come in to make repairs will be pre-approved, with a background check already completed and on file, so that any malfunctions can be fixed as promptly as possible.

Also, the room will be fitted with video surveillance to keep track of everyone in the room. This way, if anything were to go wrong, there is a record that can be reviewed to see who was where when an issue occurred. These videos will be saved to their own drive to be reviewed when and if they are needed.

Network - This level will store the confidential data on the servers. There will be two servers with two encrypted SSD drives; the drives will be one terabyte each. A UPS will be right beside the servers to keep them running in case of power loss due to natural disasters or other causes. To log in to the admin workstation to access the servers, you will need biometrics and another admin alongside. There will be two USB ports; the ports will have passwords on them that are completely separate from the logins on the admin workstation, and this is where data will be transferred and extracted when needed. Everything will be hard-wired, and the UPS will be locked up for security reasons. The admin workstation will be hard-wired to the servers with CAT6 Ethernet, and the Ethernet link will be half-duplex.

Wireless

As in level 3, wireless will not be allowed; the wireless NICs will be physically removed from the assets. If wireless were on, an attacker could easily reach the assets from outside the building, from the parking lot or anywhere near the building, and could then perform sniffing attacks to steal confidential information such as usernames, passwords, or any other confidential information on the network. Thus, wireless will be turned off in this level to protect the assets and the data.

PMMD: Antivirus kiosks manufactured by ZIVELO, powered by OPSWAT's MetaDefender for Media (MD4M) anti-malware software, will be stationed between the HSA and the SA. Any portable device going to the HSA will be scanned in upon entering and scanned out upon exiting. If either scan fails, the device will be locked out of the HSA or locked in the SA until the threat is mitigated. MetaDefender is used to audit the users that transfer data to and from the organization and creates a secure data flow. Filters are set to allow or block content based on file size, file type and the 32-core antivirus scan results (powered by Metascan), and can even convert files into safer file types. Via a simple web-based management dashboard, you can configure tailored security policies for each individual or for groups of users in your organization, depending on your security needs ("OPSWAT Metadefender," 2002).
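The portable-media rules from the level 3 PMMD section (company-owned, color-coded, signed-out USB devices scanned at every level crossing; business-area data never moves directly to or from the HSA) and the kiosk rules above (scanned in and scanned out; a failed scan holds the device until the threat is mitigated), combined into one added policy check. This is example code written for this page, not part of the plan or of any OPSWAT or ZIVELO product; the device serials and the rule that a device only travels between its home area and a neighbouring one are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Area levels from the plan: business area (levels 0-2), secured area (3), high secured area (4).
LEVEL = {"BUSINESS": 2, "SA": 3, "HSA": 4}
COLOR = {"HSA": "red", "SA": "green", "BUSINESS": "blue"}   # colour of a device by its home area

@dataclass
class Device:
    serial: str
    home_area: str                        # the area whose colour the device carries
    signed_out_by: Optional[str] = None   # None means the device has not been signed out
    location: str = "SA"                  # which side of the kiosk it currently sits on
    quarantined: bool = False             # a failed scan holds the device until mitigated

@dataclass
class Kiosk:
    log: list = field(default_factory=list)

    def transfer(self, dev, to_area, scan_clean):
        """One pass through the kiosk: may dev cross from its current area into to_area?
        Every crossing is scanned, so a round trip is scanned in and scanned out."""
        if dev.quarantined:
            return self._deny(dev, "device quarantined until threat mitigated")
        if dev.signed_out_by is None:
            return self._deny(dev, "device not signed out")
        if abs(LEVEL[dev.location] - LEVEL[to_area]) > 1:
            # Business <-> HSA is never allowed, in either direction.
            return self._deny(dev, f"direct transfer {dev.location}->{to_area} forbidden")
        if dev.home_area not in (dev.location, to_area):
            # Assumption: a device only travels between its home area and a neighbouring one.
            return self._deny(dev, f"{COLOR[dev.home_area]} device not for {dev.location}->{to_area}")
        if not scan_clean:
            dev.quarantined = True        # held on the side it is on: locked out of, or locked in
            return self._deny(dev, f"scan failed; device held in {dev.location}")
        self.log.append(f"{dev.serial} {dev.location}->{to_area} clean, signed out by {dev.signed_out_by}")
        dev.location = to_area
        return True, "ok"

    def _deny(self, dev, reason):
        self.log.append(f"{dev.serial} DENIED: {reason}")
        return False, reason

    def clear_quarantine(self, dev, mitigated_by):
        """Release a held device once the threat has been mitigated."""
        dev.quarantined = False
        self.log.append(f"{dev.serial} quarantine cleared by {mitigated_by}")
```

The kiosk log is the audit trail the SIEM on the administrative workstation would ingest; every denial is recorded with its reason, not just the successful transfers.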

The Metascan implementation within the SA will be a server application with a local and network programming interface that enables customers to detect and prevent advanced threats by incorporating multi-scanning, data sanitization technology, and controlled data workflows. Metascan packages can be delivered with a variety of fully incorporated and licensed anti-malware engines to deliver fast, scalable, and reliable content scanning to protect against viruses, spyware, and other malware. Metascan has many use cases, such as scanning files, scanning uploads to file upload servers, computer forensic analysis, scanning web traffic through a proxy server, checking data moving across internal security domains, and Independent Software Vendors (ISVs) evaluating their data analytics for false positives ("Multiple Anti-malware Engine Scanning," 2002).

Off-Site Backup Servers

The goal of the off-site backup servers is simply to keep a backup of the data stored within level 4. A full backup system is not necessary. Instead, we plan to use the system the CDC already has in place for backing up data. The CDC already has a secured storage area, so all of the data stored in level 4 will be moved there using write-once CDs shipped in security envelopes. If the envelopes are tampered with in any way, they will be safely discarded and a new CD will have to be sent. The CDs will be loaded onto a server at this secured area so the data can be recovered if it is lost for any reason.


Physical Layout Diagram