Question

Questions for Security Engineering:

• Why is security difficult?
• How does it compare to other objectives like cost, power, performance, reliability?

Answer 1

Security Engineering:
Why security is difficult:
In general, security is difficult, because it is hard to have a system, software, server, computer, mobile device, network, etc secured and at the same time keep them available and convenient to use them. The more the systems have security, the less the convenience of using the systems are and vice versa. It is difficult to maintain this balance. Hence, optimum solutions are being innovated, designed, developed, implemented, and used so, the users have both security and convenience at the same level.

* First off, there is a lot to protect and secure.
* It is about the users versus, and, against the web: Humans need a lot of continuous training, skills development, and skills transfer about the systems and their security.
* Users cannot predict what is happening and what would happen.
* Something of little importance, bit negligence, small issue, glitch, or bug become a big problem, disaster, failure, downtime, and blunder in the future.
* It requires everyone to be trained and this is important.

From a different perspective, any system, device, network, and the like, when secured for legitimate users providing them, security, safety, availability, accessibility, reliability, power, performance, confidentiality, integrity, privacy, anonymity, etc, the same benefits are enjoyed by the bad guys in the society, such as terrorists, hackers, online criminals, thieves, attackers, etc, to carry out their illegal, dangerous, and criminal activities. In case, these benefits are not provided to the users thinking the bad guys would get ruled out from the privileges, the legitimate users will also get deprived of such benefits and would be vulnerable for attacks, and their systems would be under threat and could be compromised.

No system in this world is 100% secure and this figure cannot be achieved. Even the biggest organizations, FBI, CIA, Police, Defence, governments, security organizations themselves, etc, are not secure. If the bad guys have decided and are determined to attack a particular individual, country, company, government, etc, and have targeted the same, they will eventually and ultimately attack or hack their system for sure. They can do it, they will do it, and nothing can stop them. However, what good guys who want to secure their systems can do is defend them, have a backup plan, minimize the risk and loss, and always have a Plan B, in case of failure, natural events, attacks, hack, etc, as unintentional, natural events, and failures are unpredictable, sporadic, and random. On the other hand, the least privileged access should be implemented by everyone, especially by security engineers and administrators as a security best practice.

Another point, why security is hard because of the different platforms, architectures, technologies, configurations, models, versions, brands, etc of the systems, network, servers, software, etc, which are not standard, and as such each one of them has their own security features, configurations, methods, etc. This is hard to work along. Also, security is a daily process. Systems have to be monitored, upgraded, updated, should have security patches, etc. This is difficult to keep a track on. One single miss would let an attacker hack the system who would have been watching and monitoring the system closely looking for an opportunity for the user or an administrator to commit a mistake.

One other factor, is no matter how secure a system is, if the user, employee, company, security engineer or administrator have not implemented, adopted, are not using systems effectively, responsibly adhering to the security policies, the system will be hacked. The weakest point in security is the human factor or simply called social engineering. Hence, security awareness should be provided to everyone. Security engineering requires everyone to be a security engineer, at least for their own systems, software, devices, etc. Security is a shared responsibility of everyone such as security provider and the people, employees, or users on the other side using the system, software, network, and the like.

How security compares to other objectives like cost, power, performance, reliability:
Irrespective of how less expensive, or available for free, how powerful and robust, how optimum performance or high end, and how much ever reliable a system is if there is no security, any system in the world can be hacked and could even be done easily. It is like a house built with all the facilities, reliability, performance of every other thing or devices in the house, with full-blown power anytime and any day, and say, even cost-effective, however, if the house owner has not locked the house or has locked the house but has kept the house key available such that it is accessible to anyone, attackers or thieves will definitely get into the house and steal things.

These days, security is the number one priority in all the systems, servers, software, devices, and networks being designed, developed, implemented, and used by users and companies. Security has become job zero. Other objectives can be achieved or worked upon slowly and can eventually be achieved. However, security has to be implemented right from the beginning till the end and thereafter when the systems are being used and till the system's disposal, termination, deletion, or removal.

The more the security, the more the systems would cost and the vice versa. More security may mean less performance in some systems as there are certain security mechanisms that are carried out as overhead such as encryption or decryption and other techniques and methods which reduce systems' performances. Also, the more the systems are secured, the more they will be reliable.