Reg Preview: CAPR 120-1 INFORMATION TECHNOLOGY SECURITY

[Holding Pattern]

https://www.capmembers.com/media/cms/CAPR_1201_Information_Technology_Se_3007CE7E168DE.pdf

Currently reading through it now. Thoughts will follow shortly.

[Holding Pattern]

Well the big things to note immediately are that Full Disk Encryption on new laptops is a requirement, and that there is now an IT SUI component.

[Eclipse]

Meh - whatever.  This is a pamphlet masquerading as a reg.  Most of what is prescribed is either a best-practice, the
default, or will be used as a value-add if someone does something dumb, but doesn't mean much day-to-day.

It's basically 13 pages of "Don't do illegal things and if you do", "OHHHH BOY! Are you gonna never hear about it and / or
there will be zero practical ramifications."

Presumably encryption will be enabled from the factory on new stuff.  Couldn't care less.

The inspection elements that were added are for a CI, of the two SUI elements, only one is new, and
if you don't have the default AV enabled already, you probably don't understand the words, or the machine
is so compromised you can't boot into it.

[etodd]

Well the big things to note immediately are that Full Disk Encryption on new laptops is a requirement, and that there is now an IT SUI component.

We've been asking for a new laptop for AP for two years. The old one is a boat anchor. Good thing I carry a 'backup'. 

[Holding Pattern]

Can someone reread this and tell me if they put in a section regarding encryption key management on laptops?

[Eclipse]

Can someone reread this and tell me if they put in a section regarding encryption key management on laptops?

No, and that's not a practical reality in CAP.

[NIN]

No, and that's not a practical reality in CAP.

This x100. I shudder to think how many times a *year* your average squadron laptop will have to be utterly reloaded because someone didn't "get" the encryption and forgot/misplaced/mistyped a password...



Sent from my SM-G920V using Tapatalk

[Holding Pattern]

Where are we going to be storing bitlocker recovery keys then?

[chuckmilam]

Hey, we're part of the total force now, right?  We can totally lean on the DOD PKI/PKE infrastructure with our CACs and everything. 

*ducks incoming fire* 

[Eclipse]

Where are we going to be storing bitlocker recovery keys then?

[Holding Pattern]

Where are we going to be storing bitlocker recovery keys then?

I'm worried about this, people putting recovery keys under batteries and other bad ideas.

We do need a solution though.

[Eclipse]

Why?  The nearest post-it or under the battery (brilliant idea BTW) is fine.

These machines don't NEED encryption, and they certainly don't need to be "real-world" secure.
They are generally glorified web browsers for eServices and testing.  In fact, why NHQ isn't
looking to move over to Chromebooks (assuming they aren't) is beyond me.

You'd get a least 3-4x bang for your buck, and your issues of local systems, etc., go away overnight.

Don't get me wrong, things need to change IT-wise in CAP, and good password management with 2-factor would
be a big step, but encrypting CAP laptops is a waste of time and is just going to cause a pile of machines
in closets or at the various wing HQs that can't be accessed or reloaded because of TPM or related problems.

IF NHQ or more likely, the vendor, rolls out an image with encryption already in place, then they should have the keys.
(probably OEM123), if the wings do it, they will have them, but if NHQ thinks the average CAP unit is going to
enable Bitlocker >after< receiving a new machine, they are very benevolent about the capabilities of the average CAP RocketMOM.

[NIN]

These machines don't NEED encryption, and they certainly don't need to be "real-world" secure.
They are generally glorified web browsers for eServices and testing.  In fact, why NHQ isn't
looking to move over to Chromebooks (assuming they aren't) is beyond me.

I just donated my son's "only a year and a half old" Chromebook to the squadron. Mom got him a spiffy new laptop so he could game his face off do homework, so I said "Gimme, kid."

Thing works just fine for the purposes for which intended.

[Holding Pattern]

Why?  The nearest post-it or under the battery (brilliant idea BTW) is fine.

These machines don't NEED encryption, and they certainly don't need to be "real-world" secure.
They are generally glorified web browsers for eServices and testing.  In fact, why NHQ isn't
looking to move over to Chromebooks (assuming they aren't) is beyond me.

You'd get a least 3-4x bang for your buck, and your issues of local systems, etc., go away overnight.

1. Cyberpatriot images won't run on Chromebooks.
2. Cyberpatriot inquisitive minds will ask (and have) why we don't implement the best practices taught on our own systems.
3. If we are this lax with security, then we surely will NOT be getting more missions of a sensitive nature (or even of non-sensitive natures if this attitude gets out)

Don't get me wrong, things need to change IT-wise in CAP, and good password management with 2-factor would
be a big step, but encrypting CAP laptops is a waste of time and is just going to cause a pile of machines
in closets or at the various wing HQs that can't be accessed or reloaded because of TPM or related problems.

IF NHQ or more likely, the vendor, rolls out an image with encryption already in place, then they should have the keys.
(probably OEM123), if the wings do it, they will have them, but if NHQ thinks the average CAP unit is going to
enable Bitlocker >after< receiving a new machine, they are very benevolent about the capabilities of the average CAP RocketMOM.

Any squadron with more than one year in the cyberpatriot program can set up bitlocker properly (and with a checklist, can do it consistently and correctly.)
A spot in the Internet Operations or Inventory applications would be able to store said key, and recovery now becomes a manageable process.

[Eclipse]

Why?  The nearest post-it or under the battery (brilliant idea BTW) is fine.

These machines don't NEED encryption, and they certainly don't need to be "real-world" secure.
They are generally glorified web browsers for eServices and testing.  In fact, why NHQ isn't
looking to move over to Chromebooks (assuming they aren't) is beyond me.

You'd get a least 3-4x bang for your buck, and your issues of local systems, etc., go away overnight.

1. Cyberpatriot images won't run on Chromebooks.
2. Cyberpatriot inquisitive minds will ask (and have) why we don't implement the best practices taught on our own systems.
3. If we are this lax with security, then we surely will NOT be getting more missions of a sensitive nature (or even of non-sensitive natures if this attitude gets out)

1. Cyberpatriot can use PCs for those very limited cases where they are involved.  The general membership doesn't need a PC any more, especially
in light of NHQ's recent prohibition on systems which duplicate National systems.  The majority of data manipulation most people do can be
done on a Chromebook, and those systems like SIMS, and Encampment Manager, assuming they live past January, will still have plenty of PCs around to use.
More so if NHQ can supply 3 CBs for 1 PC to the rest of the flock.

2. With the proper answer that encryption is not necessarily a best-practice for all cases.  It is not a panacea, and generally is only
a factor if a machine is lost or stolen, >and< contains data which didn't belong there to start with. Otherwise many apps don't like it or support it at all.
(Though the ones CAP uses generally would), and it can cause performance issues far in excess of the "solution" it provides.

3. "Sensitive missions" in the way you are describing would require a lot more then drive encryption and would / should be addressed as edge cases
in the same was they are in the military, LEA and civilian sectors.

Don't get me wrong, things need to change IT-wise in CAP, and good password management with 2-factor would
be a big step, but encrypting CAP laptops is a waste of time and is just going to cause a pile of machines
in closets or at the various wing HQs that can't be accessed or reloaded because of TPM or related problems.

IF NHQ or more likely, the vendor, rolls out an image with encryption already in place, then they should have the keys.
(probably OEM123), if the wings do it, they will have them, but if NHQ thinks the average CAP unit is going to
enable Bitlocker >after< receiving a new machine, they are very benevolent about the capabilities of the average CAP RocketMOM.

Any squadron with more than one year in the cyberpatriot program can set up bitlocker properly (and with a checklist, can do it consistently and correctly.)
A spot in the Internet Operations or Inventory applications would be able to store said key, and recovery now becomes a manageable process.

Maybe - what do the other 95% of squadrons do?  Cyberpatriot isn't any more of a factor in CAP the NCC is.

[Paul Creed III]

Maybe - what do the other 95% of squadrons do?  Cyberpatriot isn't any more of a factor in CAP the NCC is.

Other than to the 400+ CAP teams that were registered for CyberPatriot last year...