Security Basics mailing list archives

RE: Passwords in a disaster


From: "Ackley, Alex" <aackley () epmgpc com>
Date: Thu, 24 Jan 2008 11:26:58 -0500


There should always be a key thing to look at when implementing any DR
situation like this.  Inexpensive and Easy.

You don't want to worry about having IDs with passwords on them...what
if the reader isn't working? Does it require a server to authenticate
with? What if that is down?

A USB key is simple, cheap, and works in any USB port.

The bank is far enough away to be safe from same-attack situations
unless it's city-wide; in that case... we've decided it's an acceptable
risk.

I can't state it strongly enough... EASY.  Every DR plan needs to be as
easy to operate and follow as possible.  It won't always be the best
people following it; it's entirely possible it may be some out-of-town
know-nothing consultant who was hired on the spot.  It may even be your
boss who knew computers 15 years ago but only has operator knowledge
now.

Add onto this the stress environment and how people react in disaster
situations, and everything needs to be as easy as possible, as universal
as possible, and as documented as possible.

I've always been told and tell folks... write your documents and
evaluate your plan based on the idea that the janitor is the one who has
to follow it.


-----Original Message-----
From: Jeptha.Gibbs () jpmorgan com [mailto:Jeptha.Gibbs () jpmorgan com] 
Sent: Thursday, January 24, 2008 11:18 AM
To: Ackley, Alex
Cc: listbounce () securityfocus com; security-basics () securityfocus com;
Stephen Tanner
Subject: RE: Passwords in a disaster


Alex,

      In a true OMG, the building is gone situation, do you think that
would really work?  Is the bank located in the same city as the building?
Would you be able to access it, etc.?

      A USB token held by that team, or utilizing a card reader at the DR
site and each member of the team having the password embedded in their
IDs via a chip might be a cleaner solution.  The token can then be
updated as necessary as members of the team leave/lose IDs, etc.

J


Jeptha M. Gibbs V


JPMorgan Chase | Investment Bank | Information Risk Management


277 Park Ave 24 Fl | GDP 622-1576 | Ext. 212 622-1576 |
jeptha.gibbs () jpmorgan com





-----Original Message-----
From: "Ackley, Alex" <aackley@epmgpc.com>
Sent by: listbounce@securityfocus.com
Sent: 01/24/2008 10:24 AM
To: "Stephen Tanner" <stanner () leeclerk org>
Cc: <security-basics () securityfocus com>
Subject: RE: Passwords in a disaster


Well it all depends on what you mean by a DR situation.  If you're
talking a full blown, OMG the building is gone type situation what we've
done is used a pair of secure USB keys.  They get swapped out on a
weekly basis into a local bank safety deposit box.

Each member of management and the security team has access to this box.
The USB drive is encrypted with a password known to these team members.
Inside we hold a password-protected Access database file that contains
just the needed passwords to recover in this situation, along with docs
needed that lay out what needs to be restored, in what order, and how to
do it.
The password to the Access DB is known only to the members of the
security team.

Of course, all the passwords here are changed according to policy and
meet strict requirements.

It's not the most elegant of solutions, but in a fairly small
organization (under 10 managers and a 2 person security team) it works
well in testing and has an added benefit of being very low cost to
implement, keep going and test.

Alex Ackley, CISSP
Security Administrator
EPMG, PC

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Stephen Tanner
Sent: Thursday, January 24, 2008 9:50 AM
To: security-basics () securityfocus com
Subject: Passwords in a disaster

I'm trying to get a consensus on what people think is the best solution
to sending a shared password or passphrase in a DR situation where
phones are not a viable option.  Any thoughts?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Stephen Tanner
Information Security Administrator
Network Support Services
Lee County Clerk of Courts
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=





