Information Security Blog

1 in 7 Password Protected Mobile Devices Aren’t!

Is this a  HIPAA headache? Over the course of the last few years we have experienced a notable increase in our Healthcare Practice area with three main drivers:

• Increased burden of proof (e.g., United Healthcare won’t do business with you anymore unless you can prove you are secure)
• Third Party Woes (e.g., with 62% of personal health information breaches attributable to third-parties – we need to perform due diligence)
• Mobility issues (e.g., we need to get our arms around PHI on mobile devices)

Mobile security tends to focus on three main points:

• Password protect devices (so we can ensure access to the device is authorized)
• Encrypt devices (so non-authorized users can’t gain access to the underlying data)
• Remote wiping (so data can be destroyed before an intentioned user can work around the other security controls)

I happened upon a great blog that points out that passwords may not provide the protection most of us hope and the importance of enforcing “complexity” on the PIN’s that protect most devices. Based on the evaluation of over 200K iPhone PIN’s – 10 PIN’s (of a possible 10,000) are used 15% of the time. As iPhones often allow 10 failed password attempts before wiping the phone – that (statistically) means that 1 in 7 of your PHI containing devices may be unlocked by a malicious user (unless you were already clever enough to include PIN complexity in your Mobile Device Security Policy).

I thought I was very smart for using the pattern tracing locking on my Android device instead of an easily guessed PIN – until my phone was recently “hacked” by my 12-year-old daughter. She had “guessed” my swipe based on the “swipe print” that my unlocking had left (it was readily visible if the phone was viewed off angle with the screen unlit). On testing – I was able to determine the 4 numbers on my new pin the same way – at that point it’s just a matter of determining the order.

Not sure that I have ever recommended Windex in the findings of a Mobile Data Security Assessment … but there is always a first time!

Free Whitepaper: Five Best Practices for SIEM

The promise of SIEM is the consolidation of all relevant Security Event Logs from disparate sources into a single unified and normalized data store.

• Simplify compliance monitoring/reporting
• Vastly improve Incident Detection & Incident Response
• Contextualize event information with other business relevant information

Free Whitepaper: Stop Wasting Money on Penetration Testing

Penetration Testing is most frequently performed to:

• Substantiate the net effectiveness of a mature control environment
• Prove to a third party that an environment is secure/trustworthy
• Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
• To validate that significant changes did not have unanticipated results

Best Practices for Firing A Network Security Administrator

Want to know how to fire a Network Admin? Need to know what precautions to take? Firing any employee can be a stressful event. Firing one who has significant knowledge of and privileged access to your Information Technology/Security infrastructure is even more stressful, as the risks are so notable.

Free Download: A Best Practices Guide to Database Security

Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.

Free Download: ISO 27001 Implementation Roadmap

Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.

Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.

Is ISO 27001 Right for (Y)our Organization?

Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar

• How to deal with increasing threats
• How to manage multiple regulatory requirements
• How to handle client requests for attestation
• To validate that significant changes did not have unanticipated results