
RE: Passwords in a disaster

Subject: RE: Passwords in a disaster
Date: Thu, 24 Jan 2008 11:26:58 -0500

There should always be a key thing to look at when implementing any DR
situation like this.  Inexpensive and Easy.

You don't want to worry about having IDs with passwords on them...what
if the reader isn't working? Does it require a server to authenticate
with? What if that is down?

A USB key is simple, cheap, and works in any USB port.

The bank is far enough away to be safe from the same attack situations
unless it's city wide; in that case... we've decided it's an acceptable
risk.

I can't state it strongly enough... EASY.  Every DR plan needs to be as
easy to operate and follow as possible.  It won't always be the best
people following it; it's entirely possible it may be some out of town
know-nothing consultant who was hired on the spot.  It may even be your
boss who knew computers 15 years ago but only has operator knowledge
now.  

Add onto this the stress environment and how people react in disaster
situations, and everything needs to be as easy as possible, as universal
as possible and as documented as possible.

I've always been told and tell folks... write your documents and
evaluate your plan based on the idea that the janitor is the one who has
to follow it.


-----Original Message-----
From: Jeptha.Gibbs@jpmorgan.com [mailto:Jeptha.Gibbs@jpmorgan.com] 
Sent: Thursday, January 24, 2008 11:18 AM
To: Ackley, Alex
Cc: listbounce@securityfocus.com; security-basics@securityfocus.com;
Stephen Tanner
Subject: RE: Passwords in a disaster


Alex,

In a true OMG, the building is gone situation, do you think that
would really work?  Is the bank located in the same city as the building,
would you be able to access it, etc.?

A USB token held by that team, or utilizing a Card Reader at the DR
site and each member of the Team having the Password embedded in their
IDs via a Chip might be a cleaner solution.  The token can then be
updated as necessary as members of the team leave/lose IDs, etc.

J
____________________________________________________________________________


Please consider the environment before printing this e-mail


Jeptha M. Gibbs V


JPMorgan Chase | Investment Bank | Information Risk Management


277 Park Ave 24 Fl | GDP 622-1576 | Ext. 212 622-1576 | jeptha.gibbs@jpmorgan.com


From: "Ackley, Alex" <aackley@epmgpc.com>
Sent by: listbounce@securityfocus.com
To: "Stephen Tanner" <stanner@leeclerk.org>, <security-basics@securityfocus.com>
cc:
Date: 01/24/2008 10:24 AM
Subject: RE: Passwords in a disaster


Well it all depends on what you mean by a DR situation.  If you're
talking a full blown, OMG the building is gone type situation what we've
done is used a pair of secure USB keys.  They get swapped out on a
weekly basis into a local bank safety deposit box.

Each member of management and the security team have access to this box.
The USB Drive is encrypted with a password known to these team members.
Inside we hold a password protected access database file that contains
just the needed passwords to recover in this situation.  Along with docs
needed that lay out what needs to be restored, in what order and how to
do it.
The password to the access DB is known only to the members of the
security team.

Of course, all the passwords here are changed according to policy and
meet strict requirements.

It's not the most elegant of solutions, but in a fairly small
organization (under 10 managers and a 2 person security team) it works
well in testing and has an added benefit of being very low cost to
implement, keep going and test.

Alex Ackley, CISSP
Security Administrator
EPMG, PC

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Stephen Tanner
Sent: Thursday, January 24, 2008 9:50 AM
To: security-basics@securityfocus.com
Subject: Passwords in a disaster

I'm trying to get a consensus on what people think is the best solution
to sending a shared password or passphrase in a DR situation where
phones are not a viable option.  Any thoughts?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Stephen Tanner
Information Security Administrator
Network Support Services
Lee County Clerk of Courts
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
