Here's a thought

Started by krnlpanick, May 18, 2012, 03:32:21 AM

krnlpanick

With CAP taking CyberPatriot for the last 2 years (go Colorado Wing!) it seems that maybe there is an opportunity for CAP to expand our missions to include CyberSecurity. There are a great deal of areas we could turn this into an offering - Education? Forensics for Law Enforcement? What else can you think of?
2nd Lt. Christopher A. Schmidt, CAP

Extremepredjudice

We can't provide forensics. No way
I love the moderators here. <3

Hanlon's Razor
Occam's Razor
"Flight make chant; I good leader"

krnlpanick

Why exactly? There are plenty of private firms that provide digital forensics for local, state, and federal agencies - there is absolutely no reason that if we developed training and credentialing to do so that we could not provide forensic services.
2nd Lt. Christopher A. Schmidt, CAP

Extremepredjudice

We don't have the equipment.

Those firms have paid staff. With NDAs. Big difference.

krnlpanick

My point is that we didn't have the equipment to do DHS missions at one point either - There are federal grant programs specifically designed to provide funding for cyber security initiatives that could be leveraged to fill out the budget and even the possibility to provide further support to the AF Mission in their own Cyber Programs if it were approved. I'm just trying to say that I think we are doing ourselves a disservice by not pursuing this as an extension to our own mission.
2nd Lt. Christopher A. Schmidt, CAP

a2capt

Forensics is not quite defensive in nature. CyberPatriot is a defensive exercise.

Just because "CAP" has won it, doesn't reflect on the entire CAP being able to offer that type of mission/support.

What goes on with CyberPatriot is *nothing* like what goes on out there in the real world intensity wise.

Extremepredjudice

Assuming you are talking about computer forensics. We'd need clean rooms, expensive data recovery equipment, "bunny" suits, couriers, phone service, etc.

I wouldn't trust CAP with sensitive legal information. I wouldn't trust CAP to do a CP case.

This is my college major. No way CAP could execute this.

While the Air Force cyber security program is horrid, using CAP members would just hinder it. The 67th NWW doesn't need CAP members. It needs AD computer people.

CAP members wouldn't be able to keep the tools, infrastructure, and response methods secret.

krnlpanick

I am *well aware* of what goes on in the "real-world" as the Chief Architect for an Application Security Firm, Project Leader for the OWASP Enterprise Security API and regular speaker at InfoSec conferences :)

Also, what you are learning about in college barely scratches the surface of what happens in the "real-world" - not trying to be a jerk, just stating a fact.

The thread got a little hi-jacked, so I want to bring it back around - Forensics was just one aspect (and I still posit that it is possible, there are many different types and aspects to  - even without bunny suits, that's what drive images are for)

I specifically think there is a lot of opportunity in the education sector, the fact that CAP requires OPSEC prior to using eServices is a lesson itself that a lot of organizations (public and private) could learn from.

I am also familiar with CyberPatriot, and I am in the process of putting together a team for 2013 :)

Other areas I can think of off-hand are Research, Social Engineering Education and User Security (OPSEC Lite if you will)
2nd Lt. Christopher A. Schmidt, CAP

Spaceman3750

Krnl,

I like the concept, but I'm not sure we have enough IT pros in CAP to pull it off. As it stands many of our members can't figure out how to turn on a computer, and many of the pros are too busy with their own projects.

a2capt

Many of them ... ask you for a "Powerpoint Projector" ;-)

(and what, it won't show anything else?)

krnlpanick

There is truth in that statement SpaceMan - but it also opens up the recruiting pool a bit. Last year in Las Vegas, DefconKids was among the most successful programs and has since generated a ton of interest. CP itself has grown exponentially over the last several years. I think that expanding and updating our missions is paramount in not only retaining membership but also attracting new members who may not be interested in Flying or ES. While our current membership may not be "up to snuff" per-se, there is a whole slew of potential cadets that we could tap in to.
2nd Lt. Christopher A. Schmidt, CAP

AirDX

The man has a point. The Air Force mission now takes place in "Air, Space, and Cyberspace". Should CAP not follow? I'm not saying it's easy, I'm not saying anything, because frankly, I'm not qualified in the cyber world in any capacity. CyberPatriot is an excellent initiative, perhaps we need to look at folding more Cyberspace training into the cadet program in some fashion. It's an attractant for cadets.

Not offering a solution, just a suggestion.  I'm sure them new-fangled nose wheel airplanes and radios that didn't have a coffee grinder crank got pooh-poohed at the beginning, too.
Believe in fate, but lean forward where fate can see you.

spacecommand

Sure, CAP should get hand-me down ICBMs to help build its fledgling model rocketry program to support the USAF in its space missions.

Seriously though.  Cadet Program wise, we use programs such as model rocketry, cyberpatriot etc to give some exposure to cadets in those particular fields (space, rockets, cyber-security etc) and hopefully some might think this is a particular field they might want to get into in the future.  Just because it is an Air Force mission, our mission is not to actually do cyber-security, nor is it to monitor North Korean missile tests either.


bflynn

It would probably be a good start to make sure our own website is secure first...

krnlpanick

Quote: It would probably be a good start to make sure our own website is secure first...

+1 - word of advice however would be to not go poking through any holes you may run across. The legal and ethical approach is to notify CAP that "Hey I noticed on page X that we are not applying contextual output encoding to data Y which comes from the user - this could leave the site open to XSS attacks. Can you please look into this?"

Quote: Just because it is an Air Force mission, our mission is not to actually do cyber-security, nor is it to monitor North Korean missile tests either.

The point was that the mission should be updated to include cybersecurity - not that it somehow fit into the existing mission. I'm pretty sure aerial surveillance missions weren't always a part of the mission either but there was an opportunity to provide a service and CAP adapted to provide said service.
2nd Lt. Christopher A. Schmidt, CAP

flyingscotsman

I don't see how CAP could provide any real value to any organization providing information security or forensics services. No offense, but it seems like another solution in search of a problem.

I do, however, see a real opportunity for CAP to take advantage of the interest in this topic that the CP program has generated to help educate its members on basic InfoSec principles they can use in their CAP work and personal lives. This would tie in nicely with OpSec. A few examples would be:

Risk mitigation strategies for social media
Wireless network security concepts
Email safety (phishing, attachments, spam reduction/prevention)
Overview of proper firewall & anti-virus use
Password security (uniqueness, changing them, secure tools to keep track of them, keeping them private, etc.)

I'm sure others can come up with a host of other interesting and relevant topics for our members.

Flying Pig

For computer forensics, who would our customers be? You mentioned LE. Now you have issues with testifying in court. What kind of services would we provide to LE in the way of forensics? Recovering child porn off of hard drives? Retrieving financial data from some drug dealer's laptop? Researching social media sites, Youtube and everything else to establish flow charts for organized crime connections? The forensics people we have in my agency are all cops. And they spend days, sometimes weeks in court detailing every keystroke they made in recovering data. Not trying to turn this into a legal forum.

Quote: I specifically think there is a lot of opportunity in the education sector, the fact that CAP requires OPSEC prior to using eServices is a lesson itself that a lot of organizations (public and private) could learn from.

I would hardly consider an online OPSEC course where you hit "Agree" anything to brag about. That's pretty darn sad if CAP OPSEC has somehow developed a standard in that area!
As far as "surveillance" missions. I was pretty involved in CD, border missions, training LE in CAP CD. I never did any surveillance. In law enforcement, surveillance has a very specific meaning that is often taken out of context. I do surveillance for a living. We don't do it in CAP.

You're obviously a computer guy. I don't know anything about forensics, although I have seen first hand what is involved on the LE side. If you think there is a niche for CAP, explore it. I don't think there is in the LE world unless your members are prepared to spend hours volunteering for cases that are very time sensitive, meaning "get here now and do this, we have 48hrs before our suspect gets released" and then resulting in possibly spending weeks in trial testifying several years later, being called back 5 years after that for an appeal case.....with no pay. No thanks.

I think someone would be better off approaching an LE agency as a contractor vs getting CAP involved. 

manfredvonrichthofen

Biggest issue here is that while there are private companies that do forensics, we simply cannot. It is against the law for us as CAP to engage in police investigations. A missing person is one thing: we go out, perform our mission, and if we find the subject deceased, then law enforcement comes on scene. If they deem it a murder investigation, we are completely hands off.

Talking about computer forensics is a whole other matter, for computer forensics to be needed in the first place a crime has to have occurred.

Flying Pig

Quote from: krnlpanick on May 18, 2012, 04:46:19 AM
My point is that we didn't have the equipment to do DHS missions at one point either - There are federal grant programs specifically designed to provide funding for cyber security initiatives that could be leveraged to fill out the budget and even the possibility to provide further support to the AF Mission in their own Cyber Programs if it were approved. I'm just trying to say that I think we are doing ourselves a disservice by not pursuing this as an extension to our own mission.

I can't imagine the nightmare of being a SqCC with forensic equipment assigned to it. One beat up old 182 and some hand held radios was bad enough!

krnlpanick

Quote: For computer forensics, who would our customers be? You mentioned LE. Now you have issues with testifying in court. What kind of services would we provide to LE in the way of forensics? Recovering child porn off of hard drives? Retrieving financial data from some drug dealer's laptop? Researching social media sites, Youtube and everything else to establish flow charts for organized crime connections? The forensics people we have in my agency are all cops. And they spend days, sometimes weeks in court detailing every keystroke they made in recovering data. Not trying to turn this into a legal forum.

You make some valid points here, the time-sensitive issue and legal aspects are a completely different ball-game. I suppose we don't generally run into those types of issues during DHS missions - at least the legal side?

Quote: I would hardly consider an online OPSEC course where you hit "Agree" anything to brag about. That's pretty darn sad if CAP OPSEC has somehow developed a standard in that area!

What did you have to do for your bank when you signed up to use their online banking application? I hardly think that it is completely sufficient, but it is parsecs ahead of where the majority of online applications are (including gov applications).

Quote: I do, however, see a real opportunity for CAP to take advantage of the interest in this topic that the CP program has generated to help educate its members on basic InfoSec principles they can use in their CAP work and personal lives. This would tie in nicely with OpSec. A few examples would be:

Risk mitigation strategies for social media
Wireless network security concepts
Email safety (phishing, attachments, spam reduction/prevention)
Overview of proper firewall & anti-virus use
Password security (uniqueness, changing them, secure tools to keep track of them, keeping them private, etc.)

How are those issues *not* valuable to people outside of CAP - what about training members to go out to schools and do basic security awareness training at schools, or how about establishing a research "division" for a wing that specializes in identifying risks in the tools and processes that we have internally, or as a service provided to the air force to audit a defense contractor application or system? I could go on and on, and I think that the topics you highlighted here are all good candidates for a general security awareness training program but I completely disagree with the "solution searching for a problem" analysis - the problem is quite obviously already here, the decision is whether CAP decides to develop solutions to the existing problem.

And here's yet another idea - Cyber-Surveillance, Social Profiling, etc. FWIW, the identification and eventual capture of Lulzsec Sabu was a direct result of a citizen using a clever combination of social profiling, digital-footprint forensics, and a little creative trolling then silently releasing the information discovered on the internet for the FBI to find. He was not required to testify (as a matter of fact I highly doubt that the feds even know his identity) - with some proper training, CAP could have easily provided a similar service in a JO with the FBI or anyone else - or even as a CAP Specific Mission and simply provided the information to the authorities.

Our usefulness is only limited by our own imaginations and reservations.
2nd Lt. Christopher A. Schmidt, CAP