What’s Good Enough When It Comes to Security?
Contributed By DigiKey's North American Editors
2020-01-20
Good enough security really depends on what’s being safeguarded, the likelihood of attack, and the resources of the company attempting to protect its assets. Companies have been somewhat slow in understanding security threats. As the Internet of Things continues to gain traction, the usefulness of devices dramatically increases, but so does the possibility that they’ll be an attack target. The threat of someone attacking your car, home, or any of your online devices is quite real.
On some level, technologies can and do insulate us from risk. The question is whether or not they will continue to do so. If one thinks that “good enough” data security is good enough in the era of cloud computing, for example, where public cloud threats increase with the number of cloud service users, that is probably not the case.
What constitutes good enough
In an era where large companies are subject to very public security attacks, even though they spend a substantial amount on protection, smaller companies are also vulnerable. Many businesses still don’t see cybersecurity as mandatory to reduce potential threats. In nearly all cases of a security breach, “good enough” controls were in place and industry regulatory requirements were adhered to.
Goals and tradeoffs
An important question is, “What do you want to protect?” Ultimately, this defines your security goals. Tradeoffs involve risk management. How much can you spend, and how much do you need to spend to protect what’s important to you? Remember, it means spending on an ongoing basis.
In general, organizations aren’t keeping pace with threats, nor do they understand what constitutes a threat. Start by keeping track of events, compromised data, malware, devices used by employees, and what policies are already in place to mitigate potential vulnerabilities. Take stock of what’s already in place, such as firewalls, mobile device gateways, VPNs, authentication methods, and encryption. How successful have the protection methods been to date, and can that success be quantified? If attacks have occurred, how did they happen? This threat intelligence can help establish priorities and reasonably assess existing vulnerabilities. What is insecure, and how quickly and how well can these things be fixed?
When a breach does occur, resources must be allocated to respond to the threat, stop the attack, and clean up the results of the attack. What is really at risk is intellectual property, personal data, financial data, and trade secrets, all of which can be lost with just “good enough” protection.
Implementing prevention and protection
Many vulnerabilities can be taken care of relatively easily. In some cases, it involves a specific detection method or preventing access by implementing a specific technology. In other cases, vulnerabilities can be alleviated by preventing tampering or by establishing a chain where information can’t be tampered with or changed.
Implementation of prevention methods could include such technologies as facial recognition and fingerprint verification. For example, Omron’s HVC-P2 facial recognition modules are offered with two camera heads, a long distance detection type and a wide angle detection type. The modules use an Omron image recognition algorithm that detects human faces and bodies, and is adept at estimating gender, age, expression, and other facial traits.
Figure 1: Omron camera modules provide facial recognition that extends well beyond specific facial features. (Image source: Omron)
A piece of equipment embedded with the HVC-P2 detects a user in its vicinity, without the user knowing a camera is present. In addition, developers can quickly add facial recognition to an embedded system with an off-the-shelf microcontroller and camera combination.
Another solution, the DFRobot SEN0188, is a self-contained, Arduino-compatible fingerprint module. Featuring a high-speed DSP, it works with MSP430, AVR®, PIC®, STM32, Arm®, and FPGA devices. Able to store 1000 fingerprints, it supports fingerprint entry, intelligent image processing, and fingerprint comparison and search mode.
Figure 2: The DFRobot SEN0188 fingerprint module delivers comparison, image processing and fingerprint search modes. (Image source: DFRobot)
In the security protection realm, Infineon’s Blockchain Security 2 GO starter kit provides a fast and easy way to build best-in-class security into a blockchain system design. Delivering an evaluation environment for a variety of blockchain technologies, it includes five ready-to-use NFC cards, supporting basic blockchain functionalities such as secure key generation, PIN protection, and signing methods.
Simply put, a blockchain is a decentralized digital ledger based on a chain of blocks, with each block cryptographically linked to the previous block. Each transaction is protected by a digital signature. The Blockchain Security 2 GO starter kit features hardware-based protection mechanisms to securely generate and store private keys.
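The hash linking and per-transaction signing described above, as an added example (not code from Infineon or from the original article). It assumes Ed25519 signatures and SHA-256 hashes, which the article does not specify, uses constructed transactions, and keeps the private key in software where the starter kit would hold it in hardware; Block, Append and Verify are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Block is one ledger entry. Ed25519 and SHA-256 are assumptions of this example.
type Block struct {
	PrevHash [32]byte // SHA-256 of the previous block (all zero for the first)
	Tx       []byte   // transaction payload
	Sig      []byte   // signature over PrevHash || Tx; also covered by Hash
}

func (b Block) signedBytes() []byte { return append(b.PrevHash[:], b.Tx...) }
func (b Block) Hash() [32]byte      { return sha256.Sum256(append(b.signedBytes(), b.Sig...)) }

// Append signs tx with priv and links the new block to the current chain tip.
func Append(chain []Block, priv ed25519.PrivateKey, tx string) []Block {
	b := Block{Tx: []byte(tx)}
	if n := len(chain); n > 0 {
		b.PrevHash = chain[n-1].Hash()
	}
	b.Sig = ed25519.Sign(priv, b.signedBytes())
	return append(chain, b)
}

// Verify returns the index of the first block failing a check, or -1 if all pass.
func Verify(chain []Block, pub ed25519.PublicKey) int {
	var prev [32]byte
	for i, b := range chain {
		if b.PrevHash != prev || !ed25519.Verify(pub, b.signedBytes(), b.Sig) {
			return i
		}
		prev = b.Hash()
	}
	return -1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	var chain []Block
	for _, tx := range []string{"A pays B 5", "B pays C 2", "C pays D 1"} { // constructed
		chain = Append(chain, priv, tx)
	}
	fmt.Println("intact:", Verify(chain, pub))
	chain[1].Tx = []byte("B pays C 200") // alter a recorded transaction
	fmt.Println("edited:", Verify(chain, pub))
}
```

Editing a payload fails the signature check on that block; if the edited block is re-signed with the original key, the change still surfaces one block later, where the stored previous-block hash no longer matches.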
Maxim’s DS28C40 Anti-Tamper and Security Interface Evaluation Board provides the hardware and software required to evaluate the DS28C40 secure authenticator. The device provides a core set of cryptographic tools derived from integrated asymmetric and symmetric security functions. In addition to the security services provided by the hardware crypto engines, it integrates a FIPS/NIST true random number generator, one-time programmable memory for user data, keys and certificates, one configurable GPIO, and a unique 64-bit ROM identification number.
Figure 3: The Maxim DS28C40 secure authenticator evaluation board delivers a core set of cryptographic tools for developers. (Image source: Maxim Integrated)
The DS28C40’s DeepCover embedded security cloaks sensitive data under multiple layers of advanced security, providing strong secure key storage. To protect against device-level security attacks, invasive and noninvasive countermeasures are implemented, including an active die shield, encrypted storage of keys, and algorithmic methods. Applications include automotive secure authentication and identification and calibration of automotive parts, IoT node crypto-protection, secure authentication of accessories and peripherals, secure boot or download of firmware, and secure storage of cryptographic keys for a host controller.
Counting on “good enough”
“Good enough” security will always be a moving target. In most circumstances, good enough will never be quite good enough; the market is moving too fast. As the sophistication of systems and of hackers increases, good enough really just comes down to the cost/reward numbers and how much a company is willing or able to spend to protect its assets.
What can be put in place successfully is internal training of personnel, policies that protect the corporate network, authentication, and encryption methods combined with sufficient technology to offer at least reasonable protection. Fortunately, since criminals attempt to find the easiest accounts to compromise, good enough may mean implementing security methods that are good enough to turn someone away from you, towards someone else.
Disclaimer: The opinions, beliefs, and viewpoints expressed by the various authors and/or forum participants on this website do not necessarily reflect the opinions, beliefs, and viewpoints of DigiKey or official policies of DigiKey.