Levels 0, 1, and 2
Physical
For these levels not much security is needed. The front door of the business and
the welcome desk of the CDC should be sufficient to ensure that those who enter
the business building are workers of the building who are supposed to be there.
If they are not employees of the business, they will not be permitted access to
either that LAN or the Business LAN.
Network
All attempts at network access will be audited and monitored.
Access to secured data will be controlled by administrators. Basic internet access will
be provided on a separate network from the secured data. The network closet will house
a Cisco UCS 5108 Blade Server Chassis, Cisco's first blade-server chassis offering. It is
six rack units (6RU) high, mounts in an industry-standard 19-inch rack, and uses standard
front-to-back cooling. A chassis can accommodate up to eight half-width or four full-width
Cisco B-series blade server form factors within the same chassis. This is where the fiber
provided by the ISP is terminated, converted, and distributed through the chassis. The
blade server will be connected to a router with ACLs that control the data flowing in and
out of the network. The closet will have two UPSs. The switch will have 24 ports, which
will be configured for VLANs, and all secure shell access will be configured for VPNs. A
Cisco firewall will also be in the network closet and will be configured to monitor certain
traffic coming into and going out of the network. An inline sensor will be inserted into a
network segment so that the traffic it monitors must pass through the sensor. For the
inline sensor to work properly, the NIDS sensor logic is combined with another network
device, in this case the firewall. The NIDS will be placed inside the external firewall.
Wireless
Wireless will be turned on, and an SSID with WPA2 encryption will be set up
for the business. VPN tunnels will also be set up so that employees can access the
network to work from home. The VPN is used to identify and authenticate the employee,
and it encrypts the traffic from a client system to the enterprise network, or from one
site to another, which prevents sniffing attacks. IPSec and SSH are the protocols used
to create the virtual private network and encrypt all traffic flowing in both
directions.
PMMD
In this level, users must have permission before using portable media to
connect to the system. This requires login information, such as a passcode or a
username and password; the system then checks whether the user is legitimate, and if
the login information is correct, the system allows the portable media to be used.
After that, the transferred data will pass through the kiosk for scanning before being
transferred between the levels.
Level 3
Physical
The assets in this level will be physically isolated from the rest of the facility. This
is to ensure that access to this level remains limited to those with the authority to enter.
Because they are separated, we need to implement different security methods to limit access.
This level requires more security than the prior levels. In order to gain access to
the assets located in this level, the workers first need a keycard. The keycard system
that will be used is the Cobra Controls PRX-5R, which uses RFID key cards to allow
access into the room. Every time someone swipes into the room, their name will be
logged along with the timestamp when the card was used. If someone tries to enter the
area without swiping a card, building security will be notified immediately. Building
security will also be notified if a key card that does not have access to that area at all,
or at that time, is used.
On top of the key cards being required for access, the Cobra Controls CC-3800-EM
will be used to add pass code functionality to the key card. This allows for a
cross check between the card being used and the pass code being entered. This way, if
someone who should not have access to this level acquires someone else's card,
security will be notified when the pass code entered does not match the card being
swiped.
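The card-plus-pass-code cross check and the alert conditions described above, as an added example that is not part of the original design document; the card directory, holder names, time windows and pass codes are constructed placeholders, and the hashing of pass codes is an assumption of this example rather than something the document specifies:

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple
import hashlib
import hmac

def pin_hash(pin: str) -> str:
    # Constructed placeholder: keep only a hash of the pass code, never the code itself.
    return hashlib.sha256(pin.encode()).hexdigest()

# Constructed card directory (hypothetical ids and holders): the areas a card may open,
# the daily time window it is valid, and the hash of the pass code paired with the card.
CARDS = {
    "CARD-1001": {"holder": "Admin A", "areas": {"L3", "L4"},
                  "hours": (time(7, 0), time(19, 0)), "pin": pin_hash("4821")},
    "CARD-2002": {"holder": "Clerk B", "areas": {"L2"},
                  "hours": (time(8, 0), time(17, 0)), "pin": pin_hash("1111")},
}

@dataclass
class SwipeEvent:
    card_id: str
    area: str
    when: datetime
    passcode: Optional[str] = None   # None: door opened with no pass code entered

def swipe(card_id: str, area: str, iso_when: str, passcode: Optional[str] = None) -> SwipeEvent:
    """Build an event from a reader record (ISO timestamp as the reader would log it)."""
    return SwipeEvent(card_id, area, datetime.fromisoformat(iso_when), passcode)

def evaluate_swipe(ev: SwipeEvent, cards=CARDS) -> Tuple[str, str]:
    """Return ('allow'|'alert', reason); every 'alert' notifies building security."""
    card = cards.get(ev.card_id)
    if card is None:
        return "alert", "unknown card"
    if ev.area not in card["areas"]:
        return "alert", f"card not authorized for {ev.area}"
    start, end = card["hours"]
    if not start <= ev.when.time() <= end:
        return "alert", "card used outside its permitted hours"
    # Cross-check the card against the pass code; compare_digest avoids timing leaks.
    if ev.passcode is None or not hmac.compare_digest(pin_hash(ev.passcode), card["pin"]):
        return "alert", "pass code does not match card"
    return "allow", "card, area, time window and pass code verified"

def log_entry(ev: SwipeEvent, cards=CARDS) -> str:
    """Audit line recording who swiped, where and when, plus the decision taken."""
    decision, reason = evaluate_swipe(ev, cards)
    holder = cards.get(ev.card_id, {}).get("holder", "UNKNOWN")
    return f"{ev.when.isoformat()} {ev.area} {ev.card_id} ({holder}) {decision}: {reason}"
```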
Thermostats will have to be in the room to maintain a cool temperature for the
servers. We will be using a digital thermostat that has no wireless capabilities and
no USB connections. For added protection, the thermostats will also be locked up to
keep anyone from tampering with them in any way.
Network - This level will consist of multiple devices: servers, admin workstations,
and printers. Once the PMMDs pass through the kiosk, the confidential data will be
plugged into a USB port on the servers. These USB ports will have a lock on them and will
require a password to complete the data transfer. The server will have an admin
password and will lock out the user after 2 failed login attempts. Once logged in, the
admin will look over the confidential data and have another admin with them at all times.
The admin workstations will be connected to the servers by CAT6 Ethernet cables, and
the link will be half duplex from the server to the admin workstations. FTP will be the
protocol used to transfer the data from the server to the admin workstation. The printer
will not have any USB ports and will have wireless turned off as well. PMMDs will be
partitioned when being used, which helps mitigate the threat of an insider attack on the
administrator workstation. The server and admin workstations will use SSDs to mitigate
data recovery, will be locked down to whitelisting, and will use biometrics on the
workstations. The server will hold temporary data until it is transferred to level 4.
Wireless
In this level, wireless will not be allowed; this is enforced by physically removing
the NICs from the assets.
PMMD
The administrative workstation and the antivirus kiosk will be logically separated from
level four, the high secured area, and will run SolarWinds SIEM software. In order to
mitigate the Portable Media Device (PMMD) threat, the only means of transferring data
between the high secured area and the secured area will be company-owned portable
USB devices. These devices will be color-coded by area level: High Secured Area: red,
Secured Area: green, and Business Area: blue. To move information between levels, a
USB device must be signed out, and it must be run through the antivirus kiosk upon entry
to and exit from each level. Data from the business area will never be allowed into the
high secured area (level 4), and vice versa. This kiosk will utilize a 16-core virus scan.
Level 4
Physical
This level will once again be physically isolated from the lower levels. This level
contains the high security assets, so its level of security needs to be higher than
that of the other levels. This will be done in a few different ways.
First, all of the ways we restrict access to the assets in level 3, utilizing
both the keycard and pass code, will remain. Also, thermostats will still be needed inside
the facility, so the same safeguards will be in effect at this level as in level 3.
These are good initial steps to begin screening everyone who enters. In order to expand
on this we need to add biometrics. The plan is to utilize fingerprint scanners. We will be
using a Cobra Controls FPR-700 Biometric Reader to scan fingerprints, because it
supports two-factor authentication that requires both a fingerprint and a PIN to go along
with it. This will take the place of the PIN code required with the key card, since it
does not need to be entered twice.
Next, any time an outside vendor needs to be let in, or someone from a lower level
without the proper clearance needs to be let into the high security asset area, they
need to be chaperoned by someone with the proper clearance at all times. This is to
ensure that when someone enters the area they are not tampering with any of the
data contained on the servers. Also, before anyone is let into the server room they need
to have a background check done. Therefore, advance notice is needed so that
arrangements can be made. Vendors who need to come in to make repairs will have
pre-approval, with a background check already completed and on file, so that any
malfunctions can be fixed as promptly as possible.
Also, the room will be fitted with video surveillance in order to keep track of everyone in
the room. This way, if anything were to go wrong, there is footage that can be reviewed
to see who was where when an issue occurred. These videos will be saved to
their own drive to be reviewed when and if they are needed.
Network - This level will store the confidential data on the servers. There will be two
servers, each with two SSD drives, and the drives will be encrypted. The drives will be one
terabyte each. A UPS will be right beside the servers to keep them running in case of
power loss due to natural disasters or other causes. To log in to the admin workstation
to access the servers, you will need biometrics and another admin alongside. There will be
two USB ports; the ports will have passwords on them that are completely separate
from the logins on the admin workstation. This is where data will be transferred and
extracted when needed. Everything will be hard wired, and the UPS will be locked up for
security reasons. The admin workstation will be hardwired to the servers with CAT6
Ethernet, and the Ethernet link will be half-duplex.
Wireless
As in level 3, wireless will not be allowed, and the NICs will be physically removed from
the assets. This is because if wireless were on, an attacker could easily reach the assets
from outside the building, whether from the parking lot or any other place near the
building, and could then perform sniffing attacks to steal confidential information such
as usernames, passwords, or any other confidential data on the network. Thus, wireless
will be turned off in this level to protect the assets and the data.
PMMD: Antivirus kiosks manufactured by ZIVELO, powered by OPSWAT's
MetaDefender for Media (MD4M) anti-malware software, will be stationed between the HSA
and the SA, and any portable device going to the HSA will be scanned in upon entering and
scanned out upon exiting. If either scan fails, the device will be locked out of the HSA or
locked in the SA until the threat is mitigated. MetaDefender is used to audit the
users that transfer data to and from the organization and creates a secure data flow.
Filters are set to allow or block content based on file size, file type, and 32-core
antivirus scan results (powered by Metascan), and can even convert files into safer file
types. Via a simple web-based management dashboard, you can easily configure
tailored security policies for each individual or for groups of users in your organization,
depending on your security needs (“OPSWAT Metadefender,” 2002).
The Metascan implementation within the SA will be a server application with a local and
network programming interface that enables customers to detect and prevent advanced
threats by incorporating multi-scanning, data sanitization technology, and controlled
data workflows. Metascan packages can be delivered with a variety of fully incorporated
and licensed anti-malware engines to deliver fast, scalable, and reliable content
scanning that protects against viruses, spyware, and other malware. Metascan has
countless use cases, such as scanning files, uploads to file upload servers, computer
forensic analysis, web traffic passing through a proxy server, data moving
across internal security domains, and Independent Software Vendors (ISVs) evaluating
their data analytics for false positives (“Multiple Anti-malware Engine Scanning,” 2002).
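The kiosk decision logic for the color-coded PMMD policy (sign-out, scan on entry and exit, no direct business-to-HSA moves, lock-out after a failed scan) from the level 3 and level 4 PMMD sections above, as an added example that is not part of the original design document; the device serials and the `scan_clean` flag standing in for the MetaDefender verdict are constructed assumptions:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Area levels and the USB colour assigned to each, as laid out in the PMMD policy above.
AREA_COLOR = {"business": "blue", "secured": "green", "hsa": "red"}
# The secured area is the only bridge: business <-> HSA is never a direct move.
ALLOWED_MOVES = {("business", "secured"), ("secured", "business"),
                 ("secured", "hsa"), ("hsa", "secured")}

@dataclass
class UsbDevice:
    serial: str                      # constructed serial of a company-owned stick
    color: str
    signed_out_by: Optional[str] = None
    quarantined: bool = False        # set by a failed kiosk scan; cleared only by an admin

@dataclass
class Transfer:
    device: UsbDevice
    source: str
    dest: str
    scan_clean: bool                 # constructed stand-in for the kiosk's multi-engine verdict

AUDIT: List[str] = []                # every decision is recorded, allowed or not

def check_transfer(t: Transfer) -> Tuple[bool, str]:
    """Kiosk decision for a stick crossing a level boundary, plus an audit line."""
    ok, reason = _decide(t)
    AUDIT.append(f"{t.device.serial} {t.source}->{t.dest} "
                 f"{'ALLOW' if ok else 'DENY'}: {reason}")
    return ok, reason

def _decide(t: Transfer) -> Tuple[bool, str]:
    d = t.device
    if d.quarantined:
        return False, "device quarantined after an earlier failed scan"
    if d.signed_out_by is None:
        return False, "device was not signed out"
    if t.source not in AREA_COLOR or t.dest not in AREA_COLOR:
        return False, "unknown area"
    # A stick belongs to the area of its colour and may only travel to or from that area.
    home = [a for a, c in AREA_COLOR.items() if c == d.color]
    if not home or home[0] not in (t.source, t.dest):
        return False, f"{d.color} stick does not belong at either end of this move"
    if (t.source, t.dest) not in ALLOWED_MOVES:
        return False, f"{t.source}->{t.dest} transfer is prohibited"
    if not t.scan_clean:
        d.quarantined = True         # locked out of the HSA / locked in the SA until cleared
        return False, "kiosk scan failed; device quarantined"
    return True, "scanned clean; move permitted"
```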
Off-Site Backup Servers
The goal of the offsite backup servers is simply to keep a backup of the data stored
within level 4. It is not necessary to have a full backup system. In its place we plan
to use the system that the CDC already has for backing up data. The CDC already has a
secured storage area, so all of the data stored in level 4 will be moved there using
write-once CDs shipped in security envelopes. If the envelopes are tampered with in any
way, they will be safely discarded and a new CD will have to be sent. The CDs will be
loaded onto a server at this secured area so the data can be recovered if it is lost for
any reason.