1 of 23

Digital Systems Security

Center for Disease Control - Genetics Research Project

Brandan Boggs, Daniel Moyal, Martha Carr, Gowri Alekhya Chintalapudi, Srujan Reddy, Siddhartha Kalyanapu

2 of 23

CDC - Genetics Research Project

Data Collected:

  • SSN
  • Personal Addresses
  • Contact Information
  • Medical Information
  • Disability Information

Mandatory Compliance with:

  • Federal privacy rules
  • Sarbanes-Oxley
  • HIPAA
  • Information Security Advisory Board (ISAB)

3 of 23

CDC - Genetics Research Project

Business Area (BA):

  • Business and Lab LAN
  • Levels: 0, 1, 2
  • Color: green

Secured Area (SA):

  • Data Collection Network
  • Levels: 3
  • Color: yellow

High Security Area (HSA):

  • Servers
  • Levels: 4
  • Color: red

4 of 23

PHYSICAL DIAGRAM (figure not reproduced; labels recovered from the slide): High Security Area (HSA), Security Area (SA), Data Center, Business Area (BA), Data Collection Site, Offsite Security Office, Security Cameras, Security Door, Anti-virus Kiosk.

5 of 23

LOGICAL DIAGRAM (figure not reproduced; labels recovered from the slide): Servers, Data Collection Workstations, Admin Workstations, WWW / General Internet, Encrypted WiFi, Printers, Honeypots, NIDS/HIDS Sensors, Firewalls.

6 of 23

Level 0, 1, 2 - Physical Security

  • Background checks and info checks
  • Guard station
    • ID Cards for employees and passes issued to contractors and guests with exception tracking
  • Metal detectors
  • Anti-Virus Kiosk

Level 3 - Physical Security

  • Privacy windows
  • Scannable ID card with PIN
    • Each user's PIN must be changed every month
  • Locked doors
  • Anti-Virus Kiosk

7 of 23

Level 4 - Physical Security

  • Guarded door
  • Retina scanner for employees plus scannable ID and PIN

8 of 23

Direct

Level 0, 1 and 2 (Green):

All customers and employees can access the general-purpose computers using their username and password or customer ID.

  1. Passwords expire every 2 months.
  2. Three consecutive failed login attempts alert IT security.

Users may connect to the systems with their own USB devices or Cat (Ethernet) cables.

9 of 23

Level 3 (Yellow):

Password Policy

  1. Proactive password checking.
  2. Password must be at least 8 characters and at most 15 characters which includes uppercase and lowercase letters, numbers and special characters.

Only a limited set of employees may use Cat cables or USB devices.

Level 4 (Red):

  • A NIDS is used for intrusion detection, to detect malware.
  • The firewall allows one-way traffic only; nothing is allowed out.

10 of 23

11 of 23

Virtual

  • Levels 0, 1 and 2 (Green):
    • No remote access:
      • Check IP addresses.
      • Detect spoofing.

12 of 23

  • Level 3 (Yellow):
    • Use of a secure password:
      • Authenticate using stronger passwords.
      • Password of at least 10 and at most 15 characters.
      • Password must contain an uppercase letter, a lowercase letter, a number and a special character.
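A proactive password checker for the Level 3 policy stated here and on the earlier "Direct" slide, written as an added example (not code from the original deck). Length bounds are parameters because the deck gives 8-15 characters on one slide and 10-15 on the other; the weak-word list and leet-substitution table are constructed assumptions.

```python
import string

# Constructed example (not code from the original deck): a proactive password checker for
# the Level 3 policy above. Length bounds are parameters because the deck states 8-15
# characters on one slide and 10-15 on another; the weak-word list is a constructed sample.
WEAK_WORDS = {"password", "welcome", "letmein", "qwerty", "genetics"}
LEET = str.maketrans("013@$", "oleas")  # common substitutions to undo before the dictionary check

def check_password(pw, username, min_len=10, max_len=15, weak_words=WEAK_WORDS):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if not min_len <= len(pw) <= max_len:
        problems.append(f"length must be {min_len}-{max_len} characters")
    checks = [
        (str.isupper, "missing uppercase letter"),
        (str.islower, "missing lowercase letter"),
        (str.isdigit, "missing digit"),
        (lambda c: c in string.punctuation, "missing special character"),
    ]
    for test, message in checks:
        if not any(test(c) for c in pw):
            problems.append(message)
    # Proactive checking: undo leet-style substitutions, drop non-letters, and reject
    # anything built around a dictionary word, a project term, or the user's own name.
    letters = "".join(c for c in pw.lower().translate(LEET) if c.isalpha())
    if any(word in letters for word in weak_words):
        problems.append("built from a dictionary or weak word")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems
```

Note that "P@ssw0rd!1" satisfies every complexity rule yet is rejected, which is the point of checking proactively rather than by character classes alone.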

    • Fingerprint recognition:
      • Uses the ridges and valleys found on the surface of a human fingertip.
      • No two individuals have the same pattern of ridges and valleys on their fingertips.

13 of 23

  • Level 4 (Red):
    • Eyes - Iris Recognition:
      • Uses the features found in the iris to identify an individual.
      • The most advanced option, which raises the security level.
    • Hand Geometry Recognition:
      • Uses the geometric features of the hand, such as the lengths of the fingers and the width of the hand, to identify an individual.

14 of 23

Securing the CDC by level

  1. Level 0, 1, 2
  2. Level 3
  3. Level 4

15 of 23

Level 0, 1, 2:

  • Arbitrary devices cannot join the wireless network, because the wireless is encrypted before traffic reaches the firewall. Devices connected at these levels have no authority to move to other levels.
  • Users are also authenticated by a unique identity and password, with a maximum of three login attempts.
  • Install anti-virus on all systems in the organization.
  • Printers are sourced only from the admission office.
  • Use a hard-to-guess SSID (Service Set Identifier) and change it each time.

16 of 23

Level 3:

  • Encryption is done by WPA2 (Wi-Fi Protected Access 2).
  • There are no physical wireless ports.
  • Use DHCP (Dynamic Host Configuration Protocol) with a limited pool, so only a fixed number of IP addresses are handed out.

Level 4:

  • Wireless is disabled at Level 4.

17 of 23

Wireless diagram (figure not reproduced; labels recovered from the slide): user 1 and user 2, strong encryption, firewall, wireless signal passing through firewall.

18 of 23

PMMD

  • Level Green (0,1,2):
    • Portable Media
      • no outside portable media allowed in without being scanned at Olea kiosk
        • checks against 30 antivirus scans and prints a receipt
      • disable autorun
    • Mobile Devices
      • must use encrypted wifi
  • Level Yellow (3):
    • Portable Media
      • designated, uniquely marked thumb drives that are not allowed out of the area
      • signed out from the tool crib with a two-signature chain of custody
    • Mobile Devices
      • provided laptops not permitted to leave the facility, signed out from the tool crib with a two-signature chain of custody
      • encrypted wifi access only

19 of 23

PMMD

  • Level Red (4):
    • Portable Media
      • none allowed beyond checkpoint except for patches
      • patch procedure
        • loaded to designated green-level USB, scanned at kiosk immediately before and after
        • transferred to yellow-level USB, scanned in kiosk immediately before and after
        • transferred to designated USB kept in safe, scanned before and after, scrubbed after use
    • Mobile Devices
      • none allowed beyond checkpoint
      • lockboxes for storage
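An audit check for the Level 4 patch procedure above, written as an added example (not code from the original deck): given the kiosk scan records for one patch transfer, it reports any hop that skipped a before/after scan, any non-clean scan, a wrong level order, or a missing scrub of the safe-kept USB. The log format, field names and sample records are constructed assumptions.

```python
# Constructed example (not code from the original deck): audit kiosk scan records for one
# patch transfer against the Level 4 patch procedure above. The log format, field names
# and sample records are assumptions made for this example.
REQUIRED_STAGES = ["green", "yellow", "red"]  # order the patch must travel through

def parse_record(line):
    """Parse '<timestamp> key=value ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def audit_patch_transfer(lines):
    """Return a list of procedure violations; an empty list means the transfer was compliant."""
    recs = [parse_record(l) for l in lines if l.strip()]
    problems = []
    # Every before/after scan must come back clean.
    for r in recs:
        if r["event"].startswith("scan_") and r["result"] != "clean":
            problems.append(f"{r['usb_level']} usb {r['usb_id']}: {r['event']} result {r['result']}")
    # Each level needs a before-scan followed by an after-scan.
    for level in REQUIRED_STAGES:
        events = [r["event"] for r in recs if r["usb_level"] == level]
        if "scan_before" not in events or "scan_after" not in events:
            problems.append(f"{level}: missing before/after scan")
        elif events.index("scan_before") > events.index("scan_after"):
            problems.append(f"{level}: after-scan logged before before-scan")
    # The patch must move green -> yellow -> red, never skipping or reversing a level.
    order = list(dict.fromkeys(r["usb_level"] for r in recs))
    if order != REQUIRED_STAGES:
        problems.append(f"level order was {order}, expected {REQUIRED_STAGES}")
    # The red USB kept in the safe must be scrubbed after use.
    if not any(r["usb_level"] == "red" and r["event"] == "scrub" for r in recs):
        problems.append("red: usb not scrubbed after use")
    return problems

# Constructed sample records for a compliant transfer.
GOOD_TRANSFER = [
    "2024-05-01T09:00:00 usb_level=green usb_id=G-07 event=scan_before result=clean",
    "2024-05-01T09:05:00 usb_level=green usb_id=G-07 event=scan_after result=clean",
    "2024-05-01T09:20:00 usb_level=yellow usb_id=Y-02 event=scan_before result=clean",
    "2024-05-01T09:25:00 usb_level=yellow usb_id=Y-02 event=scan_after result=clean",
    "2024-05-01T09:40:00 usb_level=red usb_id=R-01 event=scan_before result=clean",
    "2024-05-01T09:45:00 usb_level=red usb_id=R-01 event=scan_after result=clean",
    "2024-05-01T10:10:00 usb_level=red usb_id=R-01 event=scrub result=done",
]
```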

20 of 23

SIEM - AlienVault USM

SIEM Functions

  • Log Management
  • Event Correlation
  • Incident Response
  • Reporting and Alarms

Source: https://www.alienvault.com/products

21 of 23

Staff Education

  • Business Area - green
    • new hire education - signature
    • yearly renewal
  • Secured Area - yellow
    • new hire education - test
    • renewal every 6 months
  • High Security Area - red
    • new hire education - test
    • renewal every 6 months

22 of 23

Staff Education

  • Security Committee
    • team at each security level
    • led by a member of management
    • counselled by an IT security representative
    • monthly in-service meetings
    • responsible for promoting culture of awareness

23 of 23

The End