Security Basics mailing list archives
RE: Passwords in a disaster
From: "Ackley, Alex" <aackley () epmgpc com>
Date: Thu, 24 Jan 2008 11:26:58 -0500
There should always be a key thing to look at when implementing any DR situation like this: Inexpensive and Easy. You don't want to worry about having IDs with passwords on them... what if the reader isn't working? Does it require a server to authenticate with? What if that is down? A USB key is simple, cheap, works in any USB port. The bank is far enough away to be safe from same attack situations unless it's city wide; in that case... we've decided it's an acceptable risk.

I can't state it strongly enough... EASY. Every DR plan needs to be as easy to operate and follow as possible. It won't always be the best people following it; it's entirely possible it may be some out of town know-nothing consultant who was hired on the spot. It may even be your boss who knew computers 15 years ago but only has operator knowledge now. Add onto this the stress environment and how people react in disaster situations, and everything needs to be as easy as possible. As universal as possible and as documented as possible. I've always been told and tell folks... write your documents and evaluate your plan based on the idea that the janitor is the one who has to follow it.

-----Original Message-----
From: Jeptha.Gibbs () jpmorgan com [mailto:Jeptha.Gibbs () jpmorgan com]
Sent: Thursday, January 24, 2008 11:18 AM
To: Ackley, Alex
Cc: listbounce () securityfocus com; security-basics () securityfocus com; Stephen Tanner
Subject: RE: Passwords in a disaster

Alex,

In a true OMG, the building is gone situation, do you think that would really work? Is the bank located in the same city as the building, would you be able to access it, etc.

A USB token held by that team, or utilizing a Card Reader at the DR site and each member of the Team having the Password embedded in their IDs via a Chip might be a cleaner solution. The token can then be updated as necessary as members of the team leave/lose IDs, etc.

J

________________________________________________________________________
Please consider the environment before printing this e-mail

Jeptha M. Gibbs
JPMorgan Chase | Investment Bank | Information Risk Management
277 Park Ave 24 Fl | GDP 622-1576 | Ext. 212 622-1576 | jeptha.gibbs () jpmorgan com

From: "Ackley, Alex" <aackley@epmgpc.com>
Sent by: listbounce@securityfocus.com
To: "Stephen Tanner" <stanner () leeclerk org>, <security-basics () securityfocus com>
Date: 01/24/2008 10:24 AM
Subject: RE: Passwords in a disaster

Well it all depends on what you mean by a DR situation. If you're talking a full blown, OMG the building is gone type situation, what we've done is use a pair of secure USB keys. They get swapped out on a weekly basis into a local bank safety deposit box. Each member of management and the security team has access to this box. The USB drive is encrypted with a password known to these team members. Inside we hold a password-protected Access database file that contains just the needed passwords to recover in this situation, along with docs needed that lay out what needs to be restored, in what order and how to do it. The password to the Access DB is known only to the members of the security team. Of course, all the passwords here are changed according to policy and meet strict requirements.

It's not the most elegant of solutions, but in a fairly small organization (under 10 managers and a 2 person security team) it works well in testing and has an added benefit of being very low cost to implement, keep going and test.

Alex Ackley, CISSP
Security Administrator
EPMG, PC

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Stephen Tanner
Sent: Thursday, January 24, 2008 9:50 AM
To: security-basics () securityfocus com
Subject: Passwords in a disaster

I'm trying to get a consensus on what people think is the best solution to sending a shared password or passphrase in a DR situation where phones are not a viable option. Any thoughts?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Stephen Tanner
Information Security Administrator
Network Support Services
Lee County Clerk of Courts
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Florida has a very broad Public Records Law. Most written communications to or from State and Local Officials regarding State or Local business are public records available to the public and media upon request. Your email communications may therefore be subject to public disclosure.

Generally, this communication is for informational purposes only and it is not intended as an offer or solicitation for the purchase or sale of any financial instrument or as an official confirmation of any transaction. In the event you are receiving the offering materials attached below related to your interest in hedge funds or private equity, this communication may be intended as an offer or solicitation for the purchase or sale of such fund(s). All market prices, data and other information are not warranted as to completeness or accuracy and are subject to change without notice. Any comments or statements made herein do not necessarily reflect those of JPMorgan Chase & Co., its subsidiaries and affiliates. This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. Please refer to http://www.jpmorgan.com/pages/disclosures for disclosures relating to UK legal entities.
Current thread:
- Passwords in a disaster Stephen Tanner (Jan 24)
- Message not available
- RE: Passwords in a disaster Stephen Tanner (Jan 24)
- RE: Passwords in a disaster Sheldon Malm (Jan 24)
- RE: Passwords in a disaster Stephen Tanner (Jan 24)
- RE: Passwords in a disaster Petter Bruland (Jan 24)
- RE: Passwords in a disaster Enquiries Globalart4u (Jan 28)
- RE: Passwords in a disaster Stephen Tanner (Jan 24)
- Message not available
- RE: Passwords in a disaster Stephen Tanner (Jan 24)
- RE: Passwords in a disaster Jeptha . Gibbs (Jan 24)
- RE: Passwords in a disaster Ackley, Alex (Jan 24)
- Re: Passwords in a disaster jam (Jan 24)