What’s Good Enough When It Comes to Security?

By Carolyn Mathas

Contributed By Digi-Key's North American Editors

Good enough security really depends on what’s being safeguarded, the likelihood of attack, and the resources of the company attempting to protect its assets. Companies have been somewhat slow in understanding security threats. As the Internet of Things continues to gain traction, the usefulness of devices dramatically increases, but so does the possibility that they’ll be an attack target. The threat of someone attacking your car, home, or any of your online devices is quite real.

On some level, technologies can and do insulate us from risk. The question is whether or not they will continue to do so. If one thinks that “good enough” data security is good enough in the era of cloud computing, for example, where public cloud threats increase with the number of cloud service users, that is probably not the case.

What constitutes good enough

In an era where large companies are subject to very public security attacks, even though they spend a substantial amount on protection, smaller companies are also vulnerable. Many businesses still don’t see cybersecurity as mandatory to reduce potential threats. In nearly all cases of a security breach, “good enough” controls were in place and industry regulatory requirements were adhered to.

Goals and tradeoffs

An important question is, “What do you want to protect?” Ultimately, this defines your security goals. Tradeoffs involve risk management. How much can you spend, and how much do you need to spend to protect what’s important to you. Remember, it means spending on an ongoing basis.

In general, organizations aren’t keeping pace with threats, nor do they understand what constitutes a threat. Start by keeping track of events, compromised data, malware, devices used by employees and what policies are already in place to mitigate potential vulnerabilities. What’s already in place such as firewalls, mobile device gateways, VPNs, authentication methods, and encryption. How successful have the protection methods been to date, and can they be quantified? If attacks have occurred, how did it happen? This threat intelligence can help establish priorities and reasonably assess existing vulnerabilities. What is insecure and how fast and well can these things be fixed?

When a breach does occur, resources must be allocated to respond to the threat, stop the attack, and clean up the results of the attack. At risk really is the intellectual property, personal data, financial data, and trade secrets, which can be lost with just “good enough” protection.

Implementing prevention and protection

Many vulnerabilities can be taken care of relatively easy. In some cases, it involves a specific detection method or preventing access by implementing a specific technology. In other cases, some vulnerabilities can be alleviated by preventing tampering or by establishing a chain where information can’t be tampered with or changed.

Implementation of prevention methods could include such technologies as facial recognition and fingerprint verification. For example, Omron’s HVC-P2 facial recognition modules are offered in two camera heads, a long distance detection type and a wide angle detection type. The modules use an Omron image recognition algorithm that determines human face and body detection, and is adept at estimating gender, age, expression, and other facial traits.

Image of Omron’s HVC-P2 facial recognition modulesFigure 1: Omron camera modules provide facial recognition that extends well beyond specific facial features. (Image source: Omron)

A piece of equipment embedded with the HVC-P2 detects a user in its vicinity, without the user knowing a camera is present. In addition, developers can quickly add facial recognition to an embedded system with an off-the-shelf microcontroller and camera combination.

Another solution, the DFRobot SEN0188, is a self-contained, Arduino-compatible fingerprint module. Featuring a high-speed DSP, it works with MSP430, AVR®, PIC®, STM32, Arm®, and FPGA devices. Able to store 1000 fingerprints, it supports fingerprint entry, intelligent image processing, and fingerprint comparison and search mode.

Image of DFRobot SEN0188 fingerprint moduleFigure 2: The DFRobot SEN0188 fingerprint module delivers comparison, image processing and fingerprint search modes. (Image source: DFRobot)

In the security protection realm, Infineon’s Blockchain Security 2 GO starter kit provides a fast and easy way to build best-in-class security into a blockchain system design. Delivering an evaluation environment for a variety of blockchain technologies, it includes five ready-to-use NFC cards, supporting basic blockchain functionalities such as secure key generation, pin protection, and signing methods.

Simply, blockchain is a decentralized digital ledger based on a chain of blocks, with each block cryptographically linked to the previous block. Each transaction is protected by a digital signature. The Blockchain Security 2GO starter kit features hardware-based protection mechanisms to securely generate and store private keys.

Maxim’s DS28C40 Anti-Tamper and Security Interface Evaluation Board provides the hardware and software required to evaluate the DS28C40 secure authenticator. The device provides a core set of cryptographic tools derived from integrated asymmetric and symmetric security functions. In addition to the security services provided by the hardware crypto engines, it integrates a FIPS/NIST true random number generator, one-time programmable memory for user data, keys and certificates, one configurable GPIO, and a unique 64-bit ROM identification number.

Image of Maxim DS28C40 secure authenticator evaluation boardFigure 3: The Maxim DS28C40 secure authenticator evaluation board delivers a core set of cryptographic tools for developers. (Image source: Maxim Integrated)

The DS28C40’s DeepCover embedded security cloaks sensitive data under multiple layers of advanced security providing strong secure key storage. To protect against device-level security attacks, invasive and noninvasive countermeasures are implemented including active die shield, encrypted storage of keys, and algorithmic methods. Applications include automotive secure authentication and identification and calibration of automotive parts, IoT node crypto-protection, secure authentication of accessories and peripherals, secure boot or download of firmware, and secure storage of cryptographic keys for a host controller.

Counting on “good enough”

“Good enough” security will always be a moving target. In most circumstances, good enough will never be quite good enough; the market is moving too fast. As the sophistication of systems and of hackers increases, good enough really just comes down to the cost/reward numbers that a company is willing or able to spend to protect its assets.

What can be put in place successfully is internal training of personnel, policies that protect the corporate network, authentication, and encryption methods combined with sufficient technology to offer at least reasonable protection. Fortunately, since criminals attempt to find the easiest accounts to compromise, good enough may mean implementing security methods that are good enough to turn someone away from you, towards someone else.

Disclaimer: The opinions, beliefs, and viewpoints expressed by the various authors and/or forum participants on this website do not necessarily reflect the opinions, beliefs, and viewpoints of Digi-Key Electronics or official policies of Digi-Key Electronics.

About this author

Carolyn Mathas

Carolyn Mathas has worn editor/writer hats at such publications as EDN, EE Times Designlines, Light Reading, Lightwave and Electronic Products for more than 20 years. She also delivers custom content and marketing services to a variety of companies.

About this publisher

Digi-Key's North American Editors