Timothy J. Miller wrote:
> Roy Keene (Contractor) wrote:
>> CAC in a Personal (i.e., potentially not managed by someone who meets
>> DISA requirements for a system administrator, and on a network that
>> follows DISA guidelines to mitigate risk) machine mostly defeats the
>> purpose of it.
> That's a hell of a claim. Care to back it up?
> -- Tim
> ------------------------------------------------------------------------
> _______________________________________________
> Muscle mailing list
> [email protected]
> http://lists.drizzle.com/mailman/listinfo/muscle
Once you give the process your PIN, it can modify the data however it wishes
before passing it to the CAC to be signed/encrypted.
Thus if your workstation is in a significantly increased position of risk (i.e.,
you do not apply security patches, and are not on a network that blocks
known-bad attackers, and there is no IDS/IPS), then any e-mail you send is at a
significantly increased risk of being tampered with, and any encrypted
transmissions are at a significantly increased risk of being intercepted.
The purpose of CAC is to provide relatively secure transmission and verification
of data. To achieve this, DISA has guidelines to mitigate risk and decrease the
risk of a workstation being compromised without detection.
Certainly, it still happens on a network that follows DISA guidelines, but it
happens very infrequently and is almost always detected.
--
Roy Keene (Contractor)
Office of Network Management (Code 7030.8)
Naval Research Laboratory
Stennis Space Center, MS 39529
DSN 828-4827
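The trust boundary Roy describes (the card signs whatever digest the host process hands it after the PIN has been entered, so a valid signature says nothing about whether the host was honest) is easy to see in a toy model. The following is an added illustration, not code from the list thread and not the CAC/PIV command set or any real middleware API: `ToyCard`, `honest_host`, `tampering_host`, the PIN, the key and the messages are all constructed for the example, and HMAC stands in for the card's RSA key so that it runs with the standard library alone.

```python
"""Toy model of the signing trust boundary: the card signs only the digest
that the host process hands it, so everything rests on the host being honest.
Names, keys and messages are constructed for illustration and do not reflect
CAC/PIV commands or any real middleware API."""
import hashlib
import hmac
import secrets


class ToyCard:
    """Stand-in for the card. The signing secret never leaves the object and
    signing is refused until the PIN has been presented in this session."""

    def __init__(self, pin: str) -> None:
        self._pin = pin
        self._key = secrets.token_bytes(32)  # stays inside the "card"
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        self._unlocked = hmac.compare_digest(pin.encode(), self._pin.encode())
        return self._unlocked

    def sign_digest(self, digest: bytes) -> bytes:
        # The card sees 32 opaque bytes; it cannot know which message produced
        # them, or whether the user ever saw that message.
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        if len(digest) != 32:
            raise ValueError("expected a SHA-256 digest")
        return hmac.new(self._key, digest, hashlib.sha256).digest()

    def verify(self, message: bytes, signature: bytes) -> bool:
        # Relying-party check. A real deployment uses the certificate's public
        # key; the toy reuses the card secret, which does not change the point.
        expected = hmac.new(self._key, hashlib.sha256(message).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def honest_host(card: ToyCard, pin: str, message: bytes):
    """Well-behaved workstation software: signs exactly what the user wrote."""
    if not card.verify_pin(pin):
        raise PermissionError("wrong PIN")
    return message, card.sign_digest(hashlib.sha256(message).digest())


def tampering_host(card: ToyCard, pin: str, message: bytes):
    """Model of a compromised workstation (constructed): it holds the PIN the
    user typed, alters the message before hashing it, and signs a second
    message the user never saw. From the card's view both requests are normal."""
    if not card.verify_pin(pin):
        raise PermissionError("wrong PIN")
    altered = message.replace(b"approve", b"reject")  # constructed alteration
    sig_altered = card.sign_digest(hashlib.sha256(altered).digest())
    extra = b"Subject: wire transfer authorized"      # constructed extra message
    sig_extra = card.sign_digest(hashlib.sha256(extra).digest())
    return altered, sig_altered, extra, sig_extra


def demonstrate() -> dict:
    """Run both hosts against a fresh toy card and report what a relying party
    can and cannot tell from the signatures alone."""
    card = ToyCard(pin="123456")                        # constructed PIN
    original = b"Subject: approve purchase order 17"    # constructed message

    signed_msg, sig = honest_host(card, "123456", original)
    altered, sig_altered, extra, sig_extra = tampering_host(card, "123456", original)

    # A card that never saw the PIN refuses to sign at all: the PIN gate works,
    # it just cannot protect against the process that legitimately holds the PIN.
    locked = ToyCard(pin="123456")
    try:
        locked.sign_digest(hashlib.sha256(original).digest())
        signs_without_pin = True
    except PermissionError:
        signs_without_pin = False

    return {
        "original": original,
        "altered": altered,
        "honest_verifies": card.verify(signed_msg, sig),
        "altered_verifies": card.verify(altered, sig_altered),
        "extra_verifies": card.verify(extra, sig_extra),
        "original_matches_altered_sig": card.verify(original, sig_altered),
        "signs_without_pin": signs_without_pin,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

The relying party sees three valid signatures and has no cryptographic way to tell the honest one from the two produced by the tampering host, which is why the card alone cannot carry the assurance: the patching, network filtering and IDS/IPS controls Roy mentions are what keep the process holding the PIN trustworthy.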