Well the big things to note immediately are that Full Disk Encryption on new laptops is a requirement, and that there is now an IT SUI component.
Can someone reread this and tell me if they put in a section regarding encryption key management on laptops?
No, and that's not a practical reality in CAP.
Where are we going to be storing BitLocker recovery keys then?
Quote from: Mordecai on July 18, 2017, 09:38:47 AM
Where are we going to be storing BitLocker recovery keys then?
Why? The nearest post-it or under the battery (brilliant idea BTW) is fine.

These machines don't NEED encryption, and they certainly don't need to be "real-world" secure.

They are generally glorified web browsers for eServices and testing. In fact, why NHQ isn't looking to move over to Chromebooks (assuming they aren't) is beyond me.

You'd get at least 3-4x bang for your buck, and your issues of local systems, etc., go away overnight.
Don't get me wrong, things need to change IT-wise in CAP, and good password management with 2-factor would be a big step, but encrypting CAP laptops is a waste of time and is just going to cause a pile of machines in closets or at the various wing HQs that can't be accessed or reloaded because of TPM or related problems.

IF NHQ or, more likely, the vendor rolls out an image with encryption already in place, then they should have the keys (probably OEM123); if the wings do it, they will have them, but if NHQ thinks the average CAP unit is going to enable BitLocker >after< receiving a new machine, they are very benevolent about the capabilities of the average CAP RocketMOM.
Quote from: Eclipse on July 18, 2017, 07:20:09 PM
Why? The nearest post-it or under the battery (brilliant idea BTW) is fine. These machines don't NEED encryption, and they certainly don't need to be "real-world" secure. They are generally glorified web browsers for eServices and testing. In fact, why NHQ isn't looking to move over to Chromebooks (assuming they aren't) is beyond me. You'd get at least 3-4x bang for your buck, and your issues of local systems, etc., go away overnight.

1. CyberPatriot images won't run on Chromebooks.
2. CyberPatriot inquisitive minds will ask (and have) why we don't implement the best practices taught on our own systems.
3. If we are this lax with security, then we surely will NOT be getting more missions of a sensitive nature (or even of non-sensitive natures if this attitude gets out).
Quote from: Eclipse on July 18, 2017, 07:20:09 PM
Don't get me wrong, things need to change IT-wise in CAP, and good password management with 2-factor would be a big step, but encrypting CAP laptops is a waste of time and is just going to cause a pile of machines in closets or at the various wing HQs that can't be accessed or reloaded because of TPM or related problems. IF NHQ or, more likely, the vendor rolls out an image with encryption already in place, then they should have the keys (probably OEM123); if the wings do it, they will have them, but if NHQ thinks the average CAP unit is going to enable BitLocker >after< receiving a new machine, they are very benevolent about the capabilities of the average CAP RocketMOM.

Any squadron with more than one year in the CyberPatriot program can set up BitLocker properly (and with a checklist, can do it consistently and correctly).

A spot in the Internet Operations or Inventory applications would be able to store said key, and recovery now becomes a manageable process.
Maybe - what do the other 95% of squadrons do? CyberPatriot isn't any more of a factor in CAP than NCC is.