Security Basics mailing list archives

RE: Passwords in a disaster


From: Jeptha.Gibbs () jpmorgan com
Date: Thu, 24 Jan 2008 11:18:04 -0500


Alex,

      In a true OMG, the building is gone situation, do you think that
would really work?  Is the bank located in the same city as the building?
Would you be able to access it, etc.?

      A USB token held by that team, or utilizing a Card Reader at the DR
site and each member of the Team having the Password embedded in their IDs
via a Chip might be a cleaner solution.  The token can then be updated as
necessary as members of the team leave/lose IDs, etc.

J
____________________________________________________________________________

Please consider the environment before printing this e-mail

Jeptha M. Gibbs V
JPMorgan Chase | Investment Bank | Information Risk Management
277 Park Ave 24 Fl | GDP 622-1576 | Ext. 212 622-1576
jeptha.gibbs () jpmorgan com





From: "Ackley, Alex" <aackley@epmgpc.com>
Sent by: listbounce@securityfocus.com
To: "Stephen Tanner" <stanner () leeclerk org>, <security-basics () securityfocus com>
cc:
Date: 01/24/2008 10:24 AM
Subject: RE: Passwords in a disaster


Well, it all depends on what you mean by a DR situation.  If you're
talking a full-blown, OMG-the-building-is-gone type situation, what we've
done is use a pair of secure USB keys.  They get swapped out on a
weekly basis into a local bank safety deposit box.

Each member of management and the security team has access to this box.
The USB drive is encrypted with a password known to these team members.
Inside we hold a password-protected Access database file that contains
just the passwords needed to recover in this situation, along with docs
that lay out what needs to be restored, in what order and how to do it.
The password to the Access DB is known only to the members of the
security team.

Of course, all the passwords here are changed according to policy and
meet strict requirements.

It's not the most elegant of solutions, but in a fairly small
organization (under 10 managers and a 2 person security team) it works
well in testing and has an added benefit of being very low cost to
implement, keep going and test.

Alex Ackley, CISSP
Security Administrator
EPMG, PC

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Stephen Tanner
Sent: Thursday, January 24, 2008 9:50 AM
To: security-basics () securityfocus com
Subject: Passwords in a disaster

I'm trying to get a consensus on what people think is the best solution
to sending a shared password or passphrase in a DR situation where
phones are not a viable option.  Any thoughts?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Stephen Tanner
Information Security Administrator
Network Support Services
Lee County Clerk of Courts
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=







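The two-tier recovery kit Alex describes above, modelled here as an added illustration (not code from anyone in this thread) with the Python standard library: a drive layer that management's passphrase opens, holding the restore runbook and a separately sealed password store that only the security team's passphrase opens. The scrypt key derivation, SHA-256 keystream and HMAC tag stand in for the USB drive's and database's own encryption, and every passphrase and password entry in the usage is constructed.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Added illustration, not code from the thread: the scrypt key, SHA-256
# keystream and HMAC tag stand in for the drive's and database's own encryption.

def _derive(passphrase: bytes, salt: bytes):
    k = hashlib.scrypt(passphrase, salt=salt, n=2**14, r=8, p=1, dklen=64)
    return k[:32], k[32:]                     # separate encryption and MAC keys

def _xor_stream(key: bytes, data: bytes) -> bytes:
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(passphrase: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a passphrase: salt || ciphertext || tag."""
    salt = os.urandom(16)                     # fresh salt => fresh keys per seal
    enc_key, mac_key = _derive(passphrase, salt)
    ct = _xor_stream(enc_key, plaintext)
    return salt + ct + hmac.new(mac_key, salt + ct, hashlib.sha256).digest()

def open_sealed(passphrase: bytes, blob: bytes) -> Optional[bytes]:
    """Return plaintext, or None on a wrong passphrase or a tampered blob."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(enc_key, ct)

def build_kit(mgmt_pw: bytes, sec_pw: bytes, runbook: str, passwords: dict) -> bytes:
    """Drive layer (management passphrase) wrapping the password DB layer
    (security-team passphrase) beside the restore runbook."""
    db = seal(sec_pw, json.dumps(passwords).encode())
    drive = {"runbook": runbook, "password_db": db.hex()}
    return seal(mgmt_pw, json.dumps(drive).encode())

def open_kit(mgmt_pw: bytes, sec_pw: bytes, kit: bytes):
    """(runbook, passwords) with both passphrases; (runbook, None) with the
    management passphrase alone; None if the drive layer will not open."""
    drive = open_sealed(mgmt_pw, kit)
    if drive is None:
        return None
    contents = json.loads(drive)
    db = open_sealed(sec_pw, bytes.fromhex(contents["password_db"]))
    return contents["runbook"], (None if db is None else json.loads(db))
```

With only the management passphrase a holder gets the runbook but not the credentials, which is the separation of knowledge Alex's setup relies on; a wrong passphrase or a modified kit fails the tag check instead of yielding garbage.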
