However, there is no order that users have to change their Wi-Fi passwords regularly, the only requirement being to set up a password on the initial stage of wireless access installation and configuration.

I’ve conducted a mini-research here in Russia. There are 5 wireless networks in range that my computer finds when at home. Although all of the networks have rather bizarre names, they are all WPA- or WPA2-protected. My guess is that people do not install wireless access at home by themselves or browse the Internet for instructions and find some on protection and passwords. At the same time, I often come across unprotected networks in Moscow and I do use them to check my Twitter account. It is obvious that to make any conclusions, one has to dive into this topic much more deeply.

What I learnt working for ElcomSoft – the company that recovers passwords and does it very well – is the following: sometimes a password is not enough. You need a good password to make sure your data is protected. WPA requires using passwords that are at least 8 characters long. Such length guarantees quite good protection. The problem as usual is the human factor. We still use admin123 and the like to protect our networks.

Fortunately, there are tools that can help you check how strong your WPA/WPA2-password is. One of such tools is Wireless Security Auditor. It makes use of various hardware for password recovery acceleration and a set of customizable dictionary attacks. The idea is simple: if this monster does not find your WPA/WPA2-password, then it is secure 

Nice weekend to all.

So, how does the law see encryption and decryption issues through glasses of security standard? First of all, it says there simply should be encryption/decryption tools available.

ENCRYTION AND DECRYPTION (A) – § 164.312(a)(2)(iv)
Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:
“Implement a mechanism to encrypt and decrypt electronic protected health information.”

Understood only qualified people can have access to inner sensitive data. However, again no specific hard- or software mentioned. Another critical component is auditing.

Audit Controls – Standard § 164.312(b)
This standard has no implementation specifications. It is important to point out that the Security Rule does not identify data that must be gathered by the audit controls or how often the audit reports should be reviewed. A covered entity must consider its risk analysis and organizational factors, such as current technical infrastructure, hardware and software security capabilities, to determine reasonable and appropriate audit controls for information systems…

Again and again, we read reasonable and appropriate security, encryption, audit…Each company decides for itself what is reasonable or not and having professional people responsible for IT security questions is a good idea. For an amateur, today’s world of emerging encryption opportunities can become a nightmare.

Computer security management is not only about introducing anti-viruses and password managers, it’s a multi-layer piece of cake and regular security audit is one of the top layers. You decide what means to use to safeguard privacy and data security, but you cannot omit security audit, and still it’s up to you to decide such things as audit frequency and means of audit. Kind of freedom of choice.

*HIPAA

*NWW
*Information Security Law: The Emerging Standard for Corporate Compliance by Thomas J. Smedinghoff.

Let’s see what major security standards say about recommended security measures.

Data Protection Directive in Europe

…implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing

http://www.enisa.europa.eu/rmra/lr_privacy.html

HIPAA Security Standards: Technical Safeguards

It is important, and therefore required by the Security Rule, for a covered entity to comply with the Technical Safeguard standards and certain implementation specifications; a covered entity may use any security measures that allow it to reasonably and appropriately do so.

A covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization.

Determining which security measure to implement is a decision that covered entities must make based on what is reasonable and appropriate for their specific organization, given their own unique characteristics, as specified in § 164.306(b) the Security Standards: General Rules,Flexibility of Approach.

Read more: "Security Standards: Technical Safeguards"

The LGB Security Regulations

Effective security management requires your company to deter, detect, and defend against security breaches. That means taking reasonable steps to prevent attacks, quickly diagnosing a security incident, and having a plan in place for responding effectively.

http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus54.shtm

Does it seem to you pretty ambiguous at first reading? No, it is not law inconsistence that there are no more precise prescriptions/measures to be followed. On the contrary, they show security as a relative and flexible concept. The set of security measures and technologies (like approved passwords, password managers, or encryption …) is not universal for all cases, organizations, or industries – they can differ and each company has to understand its own industry-, company-, situation-, or else-specific dangers and accordingly protect sensitive information and maintain its protection.

Pretty wisely, security laws do not impose security measures, but require organizations to be involved in an ongoing and repetitive process*, which consequently presupposes both understanding of computer security development and taking timely measures. Otherwise, in the light of technologies constantly taking great strides forward, data security would bump into red tape and necessity to establish, introduce, and follow precise security measures.

*Information Security Law: The Emerging Standard for Corporate Compliance by Thomas J. Smedinghoff.

On Friday, German Federal Constitutional Court dismissed a complaint of an entrepreneur that production and distribution of tools for capturing traffic data is against the law. The judges said that the constitutional rights are not violated by the use of “hacking tools” (§202a-202b). According to the court decision, legal penalty applies only in the case when the software was developed with illegal intent in mind. “Double-purpose” tools that are designed to be used by law enforcement and IT security officers are not regarded illegal.

Special thanks for Florian Hohenauer for sending us the link.