Security Basics mailing list archives
RE: Passwords in a disaster
From: "Stephen Tanner" <stanner () leeclerk org>
Date: Thu, 24 Jan 2008 10:31:38 -0500
Alex,

We are doing something similar. However, for some of the business units there are some shared passwords that would be utilized in a full blown situation that need to be disseminated in a timely manner, this prevents us from physically taking a key to them to allow each person to retrieve the password.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Stephen Tanner
Information Security Administrator
Network Support Services
Lee County Clerk of Courts
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----Original Message-----
From: Ackley, Alex [mailto:aackley () epmgpc com]
Sent: Thursday, January 24, 2008 10:24 AM
To: Stephen Tanner; security-basics () securityfocus com
Subject: RE: Passwords in a disaster

Well it all depends on what you mean by a DR situation. If you're talking a full blown, OMG the building is gone type situation what we've done is used a pair of secure USB keys. They get swapped out on a weekly basis into a local bank safety deposit box. Each member of management and the security team have access to this box. The USB Drive is encrypted with a known password to these team members.

Inside we hold a password protected access database file that contains just the needed passwords to recover in this situation. Along with docs needed that lay out what needs to be restored, in what order and how to do it. The password to the access DB is known only to the members of the security team. Of course, all the passwords here are changed according to policy and meet strict requirements.

It's not the most elegant of solutions, but in a fairly small organization (under 10 managers and a 2 person security team) it works well in testing and has an added benefit of being very low cost to implement, keep going and test.

Alex Ackley, CISSP
Security Administrator
EPMG, PC

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Stephen Tanner
Sent: Thursday, January 24, 2008 9:50 AM
To: security-basics () securityfocus com
Subject: Passwords in a disaster

I'm trying to get a consensus on what people think is the best solution to sending a shared password or passphrase in a DR situation where phones are not a viable option.

Any thoughts?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Stephen Tanner
Information Security Administrator
Network Support Services
Lee County Clerk of Courts
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Florida has a very broad Public Records Law. Most written communications to or from State and Local Officials regarding State or Local business are public records available to the public and media upon request. Your email communications may therefore be subject to public disclosure.