Thread: Hit by a Bus/Keys to the Kingdom

  1. #1 streaker69 (Senior Member; Join Date: Jan 2010; Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA; Posts: 3,535)

    Hit by a Bus/Keys to the Kingdom

    My fellow BOFH's, I recently got audited, a rather minor and lame audit, but it was an audit all the same. One of the things that came up of course is who has all the passwords to the network. My response was, "just me", which is true, I'm the only one that holds all the passwords, effectively the keys to the kingdom.

    The auditors of course didn't like that, because after all, what happens if I get hit by a bus. The company could have a lot of trouble recovering passwords from all the equipment and servers. I had always been meaning to come up with a plan for all that important information, that is needed, but you don't want just anyone to know.

    I'm curious as to what you guys that are in similar positions as I am do. Most small to medium size companies normally have 1 or 2 people in IT, so policies are normally left up to them, and just reviewed by superiors but with no real input from the superiors.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  2. #2 thorin (My life is this forum; Join Date: Jan 2010; Posts: 2,629)

    IMHO. Singular IT Human Resources are a valid Single Point of Failure issue.

    There are a number of ways to handle this including: safe deposit boxes, firesafes, etc. Unfortunately the majority of solutions require a second person to have access to the information (though indirectly).

    My best suggestion would be a dual lock kind of situation where no other single person can get them. I.e.: A firesafe with dual locks, a safe deposit box that requires signatures from two different people, etc.

    The answer to this question really requires a Threat & Risk Assessment all its own.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  3. #3 streaker69 (Senior Member; Join Date: Jan 2010; Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA; Posts: 3,535)

    Quote Originally Posted by thorin:
        IMHO. Singular IT Human Resources are a valid Single Point of Failure issue.

        There are a number of ways to handle this including: safe deposit boxes, firesafes, etc. Unfortunately the majority of solutions require a second person have access to the information (though indirectly).

    I agree with you, which is why I was looking to see what others in my position do. I did implement a plan, but before I say what I did, I was curious as to what others were doing.

  4. #4 theprez98 (Moderator; Join Date: Jan 2010; Location: Maryland; Posts: 2,533)

    You could just escrow all your keys with the government, a la the Clipper Chip.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  5. #5 Barry (My life is this forum; Join Date: Jan 2010; Posts: 3,817)

    I'm telling ya, post-it notes in the hardware.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  6. #6 webtrol (Member; Join Date: Jan 2010; Posts: 113)

    I guess any plan would have to somehow address the following:
    1) ability to retrieve the keys by company without help from you.
    2) log of that retrieval and sufficient safeguards to make it not as easy as 1-2-3
    3) security for the keys.
    4) has to make sure the plan can withstand a lawsuit based on information lost if key ever got out (legal duty etc)

    Solution/Problems:
    1) safety deposit box - only available during bank open hours.
    2) lawyer - employees of the law firm might have access to it.
    3) encrypted file with logging to Permanent storage device - as good as implementation.
    4) second user with the evil root rights. - "You can keep a secret that is known to 3 people ...only if the other 2 people are dead."

    I would go with bank if it is ok to wait for it to open, or lawyer with specified agreement that the keys can be retrieved at any time day or night etc.

    Sincerely,
    Trol

    P.S. Never had this problem in RL... so this is all speculation for me. Can't wait to hear how you did it.
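Thorin's dual-lock idea and webtrol's points 1 and 4 (the company must be able to retrieve the keys, yet no single extra person should hold them) have a software counterpart in threshold secret sharing. The block below is an added example, not code from anyone in this thread: it splits a password record into 3 shares using Shamir's scheme (a technique no poster named), so any 2 envelopes rebuild the record and one envelope alone reveals nothing; the custodian names and the sample record are constructed.

```python
import secrets

# Field: Mersenne prime 2^521 - 1, big enough for one 64-byte chunk.
PRIME = (1 << 521) - 1
CHUNK = 64  # bytes of the record covered by each polynomial

def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial at x, modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret: bytes, threshold: int, holders: int) -> dict:
    """Return {custodian_index: [chunk shares]} for indices 1..holders."""
    if not 1 < threshold <= holders:
        raise ValueError("need 1 < threshold <= holders")
    shares = {i: [] for i in range(1, holders + 1)}
    for pos in range(0, len(secret), CHUNK):
        chunk = int.from_bytes(secret[pos:pos + CHUNK], "big")
        # constant term is the secret chunk, the other coefficients are random
        coeffs = [chunk] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
        for i in shares:
            shares[i].append(_eval_poly(coeffs, i))
    return shares

def recover_secret(shares: dict, length: int) -> bytes:
    """Lagrange-interpolate each chunk polynomial at x = 0 to get the record back."""
    out = b""
    for k in range((length + CHUNK - 1) // CHUNK):
        total = 0
        for i in shares:
            num, den = 1, 1
            for j in shares:
                if j != i:
                    num = num * -j % PRIME
                    den = den * (i - j) % PRIME
            total = (total + shares[i][k] * num * pow(den, -1, PRIME)) % PRIME
        size = min(CHUNK, length - k * CHUNK)
        if total.bit_length() > 8 * size:  # below threshold: just a random field point
            raise ValueError("not enough shares to recover the record")
        out += total.to_bytes(size, "big")
    return out

if __name__ == "__main__":
    record = b"constructed: firewall=pw1; domain admin=pw2; routers=pw3"  # constructed sample
    envelopes = dict(zip(["CEO", "supervisor", "exec director"], split_secret(record, 2, 3).values()))  # assumed custodians
    any_two = {1: envelopes["CEO"], 3: envelopes["exec director"]}
    print(recover_secret(any_two, len(record)) == record)
```

Each custodian's share list is what goes into their sealed envelope; the record is never written down in one place.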

  7. #7 streaker69 (Senior Member; Join Date: Jan 2010; Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA; Posts: 3,535)

    Here's what I did.

    I created an Acrobat PDF template file that lists all appropriate user accounts (domain, root and such) as well as all the infrastructure devices that have logins. Also included is a list of websites that I have 'company' accounts on, sites that I purchase from, sites that hold some of our license and maintenance agreements, generally any site that I use.

    I use the sheet as a checklist when it's time to change passwords. Once completed, I electronically sign the form and print it. I then secure the form with a password so that it cannot be opened; this is only done because to electronically sign it, I have to save it.

    Once it is printed, I place it inside a sealed envelope, which I then sign and date across the seal and place inside our tape safe, which is fire rated and waterproof. Only myself and two other people know the combination to the tape safe, which is also locked inside our file room.

    Each time I update the list, I pull the old one out and run it through the crosscut shredder. The only people who know that this procedure is in place are my direct supervisor and the Executive director, so no one else even knows to look for any such document.

    I'm open to suggestions on improvements.

  8. #8 BlackRS (Junior Member; Join Date: May 2008; Posts: 45)

    I keep all but the three most important passwords in an encrypted folder. The three big ones (firewall, domain admin, routers) I seal in a signed and dated envelope that is stored in a firesafe in the CEO's office. I do not have access to the safe. It forces me to commit the most important passwords to memory. I have only once had to ask the CEO to unlock the safe.
    Information is like water...
