RE: Passwords in a disaster

["Enquiries Globalart4u" <enquiries () globalart4u com>]

i would not put into a bank because you are assuming that the bank wherever
it is will still be functioning in a dr situation and what happens if the
responsible person is unable to retreive, and if it happens in the weekend
is the bank open to be able to retrieve as most online businesses do no not
just work monday to friday but weekends too?  

would the court be functioning normally during a dr by opening up somewhere
else? then have a dr site elsewhere with a reputable company and have key
people who will have the passwords, which can be generated weekly and given
to them weekly.

Tallat

http://www.promomat.biz/golfmap.htm = scottish golf course maps

 http://www.yuckyslugsandsnails.co.uk/ = innundated with slugs and snails -
try some of our solutions or just have a meal out of them

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Stephen Tanner
Sent: Thursday, January 24, 2008 9:11 AM
To: security-basics () securityfocus com
Subject: RE: Passwords in a disaster

Because of the nature of the account, we disallow access to the account
in normal business.  The account is generic, leaving no accountability.
However, in a DR situation, where we are in a depreciated state, we are
using this account for access to a read-only web based interface.  We
don't disable the account through traditional means to avoid issues with
the information not getting propagated to DR correctly.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Stephen Tanner
Information Security Administrator
Network Support Services
Lee County Clerk of Courts
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----Original Message-----
From: Sheldon Malm [mailto:smalm () ncircle com]
Sent: Thursday, January 24, 2008 11:41 AM
To: Stephen Tanner; mike.barber () wachovia com
Cc: security-basics () securityfocus com
Subject: RE: Passwords in a disaster

For what it's worth, this is really no different than any kind of
Incident Response and/or DRP/BCP scenario.  A Firecall ID process should
be well established and practiced in advance so there are standing
instructions on release of the Firecall ID in the case of a disaster.
This ensures that the release of the privileged account is facilitated
as part of the Disaster Response rather than waiting for an individual
to take action.  Basic "single point of failure" avoidance, which is
what DRP/BCP and incident response are all about.


Sheldon Malm
Director
Security Research & Development
nCircle Network Security

Check out the VERT daily post
http://blog.ncircle.com/vert



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Stephen Tanner
Sent: Thursday, January 24, 2008 10:25 AM
To: security-basics () securityfocus com
Subject: RE: Passwords in a disaster

Well, not really.  I am more speaking of a court room only setting where
there IS no phone.  Phones aren't non-existent, just not an option.  I
would like to go the route in the previous suggestion, but pushing
encryption I do not believe would fly.  The point here is really a
mitigation of risk.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Stephen Tanner
Information Security Administrator
Network Support Services
Lee County Clerk of Courts
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----Original Message-----
From: mike.barber () wachovia com [mailto:mike.barber () wachovia com]
Sent: Thursday, January 24, 2008 10:22 AM
To: Stephen Tanner
Subject: Re: Passwords in a disaster


If phones are not an option, what are your options?....Chances are good
that if phones are completely out your network will be as well. 


Thanks,
Mike Barber
CIS - Unix Security Engineering
Wachovia Corp.
(704) 427-0512




"Stephen Tanner" <stanner () leeclerk org> Sent by:
listbounce () securityfocus com 

01/24/2008 09:49 AM
To
<security-basics () securityfocus com>
cc
Subject
Passwords in a disaster

        




I'm trying to get a consensus on what people think is the best solution
to sending a shared password or passphrase in a DR situation where
phones are not a viable option.  Any thoughts?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Stephen Tanner
Information Security Administrator
Network Support Services
Lee County Clerk of Courts
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=




Florida has a very broad Public Records Law.  Most written
communications to or from State and Local Officials regarding State or
Local business are public records available to the public and media upon
request. Your email communications may therefore be subject to public
disclosure.

ForwardSourceID:NT00015E6E     




 Florida has a very broad Public Records Law.  Most written
communications to or from State and Local Officials regarding State or
Local business are public records available to the public and media upon
request. Your email communications may therefore be subject to public
disclosure.



 Florida has a very broad Public Records Law.  Most written
communications to or from State and Local Officials regarding State or
Local business are public records available to the public and media upon
request. Your email communications may therefore be subject to public
disclosure.
No virus found in this incoming message.
Checked by AVG Free Edition. 
Version: 7.5.516 / Virus Database: 269.19.10/1240 - Release Date: 23/01/2008
17:47

No virus found in this outgoing message.
Checked by AVG Free Edition. 
Version: 7.5.516 / Virus Database: 269.19.11/1243 - Release Date: 25/01/2008
11:24