Security Basics mailing list archives

RE: Passwords in a disaster


From: "Stephen Tanner" <stanner () leeclerk org>
Date: Thu, 24 Jan 2008 10:31:38 -0500

Alex,
        We are doing something similar.  However, for some of the
business units there are some shared passwords that would be utilized in
a full-blown situation that need to be disseminated in a timely manner;
this prevents us from physically taking a key to them to allow each
person to retrieve the password.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Stephen Tanner
Information Security Administrator
Network Support Services
Lee County Clerk of Courts
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----Original Message-----
From: Ackley, Alex [mailto:aackley () epmgpc com] 
Sent: Thursday, January 24, 2008 10:24 AM
To: Stephen Tanner; security-basics () securityfocus com
Subject: RE: Passwords in a disaster

Well, it all depends on what you mean by a DR situation.  If you're
talking a full-blown, OMG-the-building-is-gone type situation, what we've
done is use a pair of secure USB keys.  They get swapped out on a
weekly basis into a local bank safety deposit box.

Each member of management and the security team has access to this box.
The USB drive is encrypted with a password known to these team members.
Inside we hold a password-protected Access database file that contains
just the needed passwords to recover in this situation, along with docs
needed that lay out what needs to be restored, in what order and how to
do it.
The password to the Access DB is known only to the members of the
security team.

Of course, all the passwords here are changed according to policy and
meet strict requirements.

It's not the most elegant of solutions, but in a fairly small
organization (under 10 managers and a 2-person security team) it works
well in testing and has the added benefit of being very low cost to
implement, keep going and test.

Alex Ackley, CISSP
Security Administrator
EPMG, PC

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Stephen Tanner
Sent: Thursday, January 24, 2008 9:50 AM
To: security-basics () securityfocus com
Subject: Passwords in a disaster

I'm trying to get a consensus on what people think is the best solution
to sending a shared password or passphrase in a DR situation where
phones are not a viable option.  Any thoughts?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Stephen Tanner
Information Security Administrator
Network Support Services
Lee County Clerk of Courts
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=




 Florida has a very broad Public Records Law.  Most written
communications to or from State and Local Officials regarding State or
Local business are public records available to the public and media upon
request. Your email communications may therefore be subject to public
disclosure.


