Welcome, Guest. Please login or register.
Did you miss your activation email?
October 19, 2017, 11:29:23 PM
Home Help Login Register
News:

CAP Talk  |  General Discussion  |  The Lobby  |  Topic: Reg Preview: CAPR 120-1 INFORMATION TECHNOLOGY SECURITY
0 Members and 1 Guest are viewing this topic.
Pages: [1] Print
Author Topic: Reg Preview: CAPR 120-1 INFORMATION TECHNOLOGY SECURITY  (Read 954 times)
Mordecai
Salty & Seasoned Contributor

Posts: 1,052
Unit: SI

« on: July 17, 2017, 02:49:23 PM »

https://www.capmembers.com/media/cms/CAPR_1201_Information_Technology_Se_3007CE7E168DE.pdf

Currently reading through it now. Thoughts will follow shortly.
Logged
Mordecai
Salty & Seasoned Contributor

Posts: 1,052
Unit: SI

« Reply #1 on: July 17, 2017, 02:58:45 PM »

Well the big things to note immediately are that Full Disk Encryption on new laptops is a requirement, and that there is now an IT SUI component.
Logged
Eclipse
Too Much Free Time Award
***
Posts: 27,896

« Reply #2 on: July 17, 2017, 03:29:08 PM »

Meh - whatever.  This is a pamphlet masquerading as a reg.  Most of what is prescribed is either a best-practice, the
default, or will be used as a value-add if someone does something dumb, but doesn't mean much day-to-day.

It's basically 13 pages of "Don't do illegal things and if you do", "OHHHH BOY! Are you gonna never hear about it and / or
there will be zero practical ramifications."

Presumably encryption will be enabled from the factory on new stuff.  Couldn't care less.

The inspection elements that were added are for a CI, of the two SUI elements, only one is new, and
if you don't have the default AV enabled already, you probably don't understand the words, or the machine
is so compromised you can't boot into it.
Logged

"Effort" does not equal "results".
The contents of this post are Copyright © 2017 by eclipse. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

etodd
Salty & Seasoned Contributor

Posts: 789

« Reply #3 on: July 17, 2017, 04:21:37 PM »

Well the big things to note immediately are that Full Disk Encryption on new laptops is a requirement, and that there is now an IT SUI component.

We've been asking for a new laptop for AP for two years. The old one is a boat anchor. Good thing I carry a 'backup'.  ;)
Logged
MS - MO - AP - MP
Mordecai
Salty & Seasoned Contributor

Posts: 1,052
Unit: SI

« Reply #4 on: July 17, 2017, 07:03:54 PM »

Can someone reread this and tell me if they put in a section regarding encryption key management on laptops?
Logged
Eclipse
Too Much Free Time Award
***
Posts: 27,896

« Reply #5 on: July 17, 2017, 07:13:01 PM »

Can someone reread this and tell me if they put in a section regarding encryption key management on laptops?

No, and that's not a practical reality in CAP.
Logged

"Effort" does not equal "results".
The contents of this post are Copyright © 2017 by eclipse. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

NIN
VIP

Posts: 4,613
Unit: of issue

« Reply #6 on: July 17, 2017, 09:51:16 PM »



No, and that's not a practical reality in CAP.

This x100. I shudder to think how many times a *year* your average squadron laptop will have to be utterly reloaded because someone didn't "get" the encryption and forgot/misplaced/mistyped a password...



Sent from my SM-G920V using Tapatalk

Logged
Darin Ninness, Lt Col, CAP
Sq Bubba, Wing Dude, National Guy
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2017 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.
Mordecai
Salty & Seasoned Contributor

Posts: 1,052
Unit: SI

« Reply #7 on: July 18, 2017, 05:38:47 AM »

Where are we going to be storing bitlocker recovery keys then?
Logged
chuckmilam
Recruit

Posts: 45
Unit: GLR-KY-216

« Reply #8 on: July 18, 2017, 08:10:40 AM »

Hey, we're part of the total force now, right?  We can totally lean on the DOD PKI/PKE infrastructure with our CACs and everything. 

*ducks incoming fire* 
Logged
Eclipse
Too Much Free Time Award
***
Posts: 27,896

« Reply #9 on: July 18, 2017, 08:53:07 AM »

Where are we going to be storing bitlocker recovery keys then?

Logged

"Effort" does not equal "results".
The contents of this post are Copyright © 2017 by eclipse. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

Mordecai
Salty & Seasoned Contributor

Posts: 1,052
Unit: SI

« Reply #10 on: July 18, 2017, 03:11:01 PM »

Where are we going to be storing bitlocker recovery keys then?



I'm worried about this, people putting recovery keys under batteries and other bad ideas.

We do need a solution though.
Logged
Eclipse
Too Much Free Time Award
***
Posts: 27,896

« Reply #11 on: July 18, 2017, 03:20:09 PM »

Why?  The nearest post-it or under the battery (brilliant idea BTW) is fine.

These machines don't NEED encryption, and they certainly don't need to be "real-world" secure.
They are generally glorified web browsers for eServices and testing.  In fact, why NHQ isn't
looking to move over to Chromebooks (assuming they aren't) is beyond me.

You'd get a least 3-4x bang for your buck, and your issues of local systems, etc., go away overnight.

Don't get me wrong, things need to change IT-wise in CAP, and good password management with 2-factor would
be a big step, but encrypting CAP laptops is a waste of time and is just going to cause a pile of machines
in closets or at the various wing HQs that can't be accessed or reloaded because of TPM or related problems.

IF NHQ or more likely, the vendor, rolls out an image with encryption already in place, then they should have the keys.
(probably OEM123), if the wings do it, they will have them, but if NHQ thinks the average CAP unit is going to
enable Bitlocker >after< receiving a new machine, they are very benevolent about the capabilities of the average CAP RocketMOM.
« Last Edit: July 18, 2017, 03:24:21 PM by Eclipse » Logged

"Effort" does not equal "results".
The contents of this post are Copyright © 2017 by eclipse. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

NIN
VIP

Posts: 4,613
Unit: of issue

« Reply #12 on: July 18, 2017, 03:30:29 PM »

These machines don't NEED encryption, and they certainly don't need to be "real-world" secure.
They are generally glorified web browsers for eServices and testing.  In fact, why NHQ isn't
looking to move over to Chromebooks (assuming they aren't) is beyond me.

I just donated my son's "only a year and a half old" Chromebook to the squadron. Mom got him a spiffy new laptop so he could game his face off do homework, so I said "Gimme, kid."

Thing works just fine for the purposes for which intended.
Logged
Darin Ninness, Lt Col, CAP
Sq Bubba, Wing Dude, National Guy
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2017 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.
Mordecai
Salty & Seasoned Contributor

Posts: 1,052
Unit: SI

« Reply #13 on: July 18, 2017, 03:33:27 PM »

Why?  The nearest post-it or under the battery (brilliant idea BTW) is fine.

These machines don't NEED encryption, and they certainly don't need to be "real-world" secure.
They are generally glorified web browsers for eServices and testing.  In fact, why NHQ isn't
looking to move over to Chromebooks (assuming they aren't) is beyond me.

You'd get a least 3-4x bang for your buck, and your issues of local systems, etc., go away overnight.


1. Cyberpatriot images won't run on Chromebooks.
2. Cyberpatriot inquisitive minds will ask (and have) why we don't implement the best practices taught on our own systems.
3. If we are this lax with security, then we surely will NOT be getting more missions of a sensitive nature (or even of non-sensitive natures if this attitude gets out)


Quote
Don't get me wrong, things need to change IT-wise in CAP, and good password management with 2-factor would
be a big step, but encrypting CAP laptops is a waste of time and is just going to cause a pile of machines
in closets or at the various wing HQs that can't be accessed or reloaded because of TPM or related problems.

IF NHQ or more likely, the vendor, rolls out an image with encryption already in place, then they should have the keys.
(probably OEM123), if the wings do it, they will have them, but if NHQ thinks the average CAP unit is going to
enable Bitlocker >after< receiving a new machine, they are very benevolent about the capabilities of the average CAP RocketMOM.

Any squadron with more than one year in the cyberpatriot program can set up bitlocker properly (and with a checklist, can do it consistently and correctly.)
A spot in the Internet Operations or Inventory applications would be able to store said key, and recovery now becomes a manageable process.
Logged
Eclipse
Too Much Free Time Award
***
Posts: 27,896

« Reply #14 on: July 18, 2017, 03:43:11 PM »

Why?  The nearest post-it or under the battery (brilliant idea BTW) is fine.

These machines don't NEED encryption, and they certainly don't need to be "real-world" secure.
They are generally glorified web browsers for eServices and testing.  In fact, why NHQ isn't
looking to move over to Chromebooks (assuming they aren't) is beyond me.

You'd get a least 3-4x bang for your buck, and your issues of local systems, etc., go away overnight.


1. Cyberpatriot images won't run on Chromebooks.
2. Cyberpatriot inquisitive minds will ask (and have) why we don't implement the best practices taught on our own systems.
3. If we are this lax with security, then we surely will NOT be getting more missions of a sensitive nature (or even of non-sensitive natures if this attitude gets out)
1. Cyberpatriot can use PCs for those very limited cases where they are involved.  The general membership doesn't need a PC any more, especially
in light of NHQ's recent prohibition on systems which duplicate National systems.  The majority of data manipulation most people do can be
done on a Chromebook, and those systems like SIMS, and Encampment Manager, assuming they live past January, will still have plenty of PCs around to use.
More so if NHQ can supply 3 CBs for 1 PC to the rest of the flock.

2. With the proper answer that encryption is not necessarily a best-practice for all cases.  It is not a panacea, and generally is only
a factor if a machine is lost or stolen, >and< contains data which didn't belong there to start with. Otherwise many apps don't like it or support it at all.
(Though the ones CAP uses generally would), and it can cause performance issues far in excess of the "solution" it provides.

3. "Sensitive missions" in the way you are describing would require a lot more then drive encryption and would / should be addressed as edge cases
in the same was they are in the military, LEA and civilian sectors.

Don't get me wrong, things need to change IT-wise in CAP, and good password management with 2-factor would
be a big step, but encrypting CAP laptops is a waste of time and is just going to cause a pile of machines
in closets or at the various wing HQs that can't be accessed or reloaded because of TPM or related problems.

IF NHQ or more likely, the vendor, rolls out an image with encryption already in place, then they should have the keys.
(probably OEM123), if the wings do it, they will have them, but if NHQ thinks the average CAP unit is going to
enable Bitlocker >after< receiving a new machine, they are very benevolent about the capabilities of the average CAP RocketMOM.

Any squadron with more than one year in the cyberpatriot program can set up bitlocker properly (and with a checklist, can do it consistently and correctly.)
A spot in the Internet Operations or Inventory applications would be able to store said key, and recovery now becomes a manageable process.

Maybe - what do the other 95% of squadrons do?  Cyberpatriot isn't any more of a factor in CAP the NCC is.
Logged

"Effort" does not equal "results".
The contents of this post are Copyright © 2017 by eclipse. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

Paul Creed III
Forum Regular

Posts: 187
Unit: GLR-OH-254

« Reply #15 on: July 19, 2017, 08:25:49 AM »


Maybe - what do the other 95% of squadrons do?  Cyberpatriot isn't any more of a factor in CAP the NCC is.

Other than to the 400+ CAP teams that were registered for CyberPatriot last year...
Logged
Lt Col Paul Creed III, CAP
Great Lakes Region Cyber Programs Officer
Ohio Wing Group 3 Commander
Pages: [1] Print 
CAP Talk  |  General Discussion  |  The Lobby  |  Topic: Reg Preview: CAPR 120-1 INFORMATION TECHNOLOGY SECURITY
 


Powered by MySQL Powered by PHP SMF 2.0.13 | SMF © 2016, Simple Machines Valid XHTML 1.0! Valid CSS!
Page created in 0.385 seconds with 20 queries.
click here to email me