When you are just starting off in electronics, there are many design pitfalls that can lead to hours of frustrating troubleshooting. I highlighted the importance of troubleshooting in this earlier blog post regarding my work on the automated energy harvester. Many times these faults are fixed with a very simple tweak to the circuit design or component selection. One of the most basic of these faults is the infamous "floating pin" or "floating input" that can affect the I/O pins of digital integrated circuits. To best explain what a floating input is and how it can negatively affect your project, consider the circuit in Figure 1:
When the momentary button is pressed it connects the I/O pin to Vcc and the microcontroller registers the input as a high. Now, what happens when the button is released? If you were like me you would assume the microcontroller, now that it is no longer connected to Vcc, would register a logic low. But this is not the case, because the gate is not connected to ground; rather, it is floating. The microcontroller may register a low, but it might just as well register a high. By not being connected to either source, Vcc or GND, the I/O pin is susceptible to electrical noise that makes the input randomly fluctuate between low and high. Such noise sources include thermal noise and electromagnetic interference (EMI), since the leads of the chip act like tiny antennas when they are floating.
You might be tempted to solve the problem with the solution seen in Figure 2. The problem with simply connecting the input to Vcc occurs when you press the button and create a short circuit between Vcc and GND. The short circuit could generate enough heat to damage your circuit, or at the very least cause the power supply voltage to drop to ground potential, resulting in a non-functioning device. In short, bad things will happen.
So our solution, as shown in Figure 3, is to insert a pull-up resistor between Vcc and the I/O pin or a pull-down resistor between ground and the I/O. Using a pull-up resistor the I/O pin will normally see a logic high and when the button is pressed it will see a low. This is sometimes referred to as “active low” logic. Alternatively with a pull-down resistor, the I/O pin will normally see a logic low and when the button is pressed it will see a logic high. This is referred to as “active high” logic.
In our button example, use of a pull-up versus a pull-down resistor is rather subjective. Both will work, you just need to remember how to handle the button press in the firmware. There are other applications such as analog comparators or communication protocols such as I2C that are “open drain” based and thus require a pull-up resistor to raise the voltage on the communications lines. We will discuss I2C and open drain circuits further in a future blog post.
Another issue with reading button presses is called “bounce”. That is when a microcontroller registers multiple button presses even if the user only pushes the button once due to the mechanical oscillation of the button. We will also discuss button debouncing techniques to combat this problem in a future blog post as well.
Do you have troubleshooting horror stories you want to share? Let us know if floating pins have ever caused you design problems in the comments down below.
*** All circuits were done in the new MultiSim BLUE from Mouser and NI. Check it out at www.mouser.com/MultiSimBlue.
Most small and home networks connect to the internet through an internet service provider (ISP), which provides a broadband modem or router over a digital subscriber line (DSL), cable, or fiber-optic connection. This device's primary function is to connect your home network to the internet through two components: a modem and a router. The modem's functions operate at the physical and data link layers, and you typically can't configure them. The routing component provides the networking and security functionality. Although these routers usually don't stack up to the features that dedicated security appliances and modern firewalls offer, you can typically upgrade or replace them with more capable options. With the proliferation of Internet of Things (IoT) devices, more connected homes, and increasingly savvy attacks, it's more important than ever to protect your home network adequately. A quick review of the device that connects you to the internet is a good place to start.
Protecting your home network begins with your ISP broadband modem or router. Your telecommunications provider typically supplies this device, which is the demarcation point between the ISP’s service and the devices on your home network. Over the years, as telecommunications providers have improved their performance and capacity, they have required that subscribers upgrade their equipment. The latest broadband modems and routers have more security functionality than before so that in many cases, simply enabling these features is good enough to protect your home network. However, if you’re running on older equipment, you might want to consider upgrading and looking at alternatives to add modern security protections to your network.
In most cases, your ISP issues you an IP address, a subnet mask, and a default gateway to configure your broadband router to connect to the internet. The router typically has two types of ports: a wide area network (WAN) port configured with your ISP-issued public IP address and local area network ports configured to provide your home devices with dynamic private IP addresses. The router provides Dynamic Host Configuration Protocol (DHCP) and network address translation (NAT) services to make this happen. All this results in a mostly plug-and-play installation process that ISPs try to make as simple as possible so that subscribers (especially less tech-savvy individuals) can connect their devices to the internet in as few steps as possible.
Unfortunately, many of these early broadband routers perform only basic network filtering and port forwarding; they don't protect your devices against more sophisticated attacks. Popular options for increasing this security include adding a dedicated security device, enabling security features that might be available on your broadband router but are not turned on by default, or upgrading your device to a more capable one.
The first option, adding another security device, requires a bit more networking experience but also provides the greatest flexibility. This new device typically takes over the routing functionality that your ISP-provided equipment handles. If you can configure your broadband modem or router into bridge mode (which effectively bypasses any router functionality in your device), this can be a good option. Once your ISP device is in bridge mode, you can install a firewall (which acts as a more sophisticated router) behind your ISP device and configure its external WAN port with the public IP address that your ISP provided. All the networking and security functionality, such as traffic routing and inspection, DHCP, and NAT, will then be handled by this new security appliance. Recently, a wave of new, lower-cost security devices has appeared that combine network firewalling, routing, switching, and services with wireless access point management and threat protection in a single device that you can install behind your broadband modem. Several low-cost open-source firewalls are also available to install to provide commercial-grade protection for your network.
For the second option, enabling security options on an already-installed device, you must have administrative access to your ISP broadband router and an idea of which security capabilities are available. A quick internet search on your broadband router’s make and model typically leads to a device service manual that describes the additional security configurations. In many cases, these features won’t rival those offered by dedicated security equipment, but this option is much easier and less expensive to set up than installing a new inline security device.
Finally, you might replace your entire broadband router or bridge with a different model with the additional security features you want. For example, the website for the popular cable ISP Xfinity lists compatible devices that work with its service from companies such as Arris, Motorola, and NETGEAR. These products have different security features and prices, but they are all easy to install: You simply replace what you already have.
It is important to remember that many successful security attacks bypass network firewalls altogether. For example, simple firewalls won’t detect phishing attacks that trick users into divulging their credentials or clicking a link to a website that leads to malware. Although more sophisticated security devices that use threat intelligence feeds and real-time blacklists can lower the risk, a firewall solution alone is usually not adequate to fully guard against these kinds of attacks.
These broadband devices play important roles in protecting you against some attacks, but it remains critical that you enable other security protection. Protect your endpoints by patching your computers regularly with security updates and enabling the security features that your operating system provides. Don’t forget that the smart devices that you connect to your home network might have fewer security capabilities than your computer: Isolating those devices into a network separate from your sensitive data can be wise. It’s not always possible to patch these IoT devices, and their built-in security capabilities might be rudimentary at best. That said, upgrading and adding additional network security capabilities to your broadband connection might provide just enough security for these devices.
If you’re like many engineering students, you probably find the idea of attending a career fair to be a bit nerve-racking. Most of us would probably prefer just to lurk at the career fair and land an internship based on our resumes and professor recommendations and maybe a bit of osmosis. I’m getting a pit in my stomach just thinking about my own experiences, and that was 20-mumble years ago!
Why do career fairs create so much angst? While we could go on about them being an important resource for landing the internship you want, marking your professional entry into your field of study, and having too much commotion to really engage in meaningful discourse, the real reason is simpler: Not all of us are comfortable talking about ourselves—much less selling ourselves.
So how do you figure out what to talk about? The good news is that listening to what potential employers seek will provide the best clues to help you know what to say. They are seeking information about you, but ideally what you share about your projects and coursework will be in the context of their needs. Beyond that, a little planning and practice go a long way in presenting yourself as articulate and cogent, easing those sweaty palms, and standing out as a candidate. Let’s take a look….
Before the fair, take time to research participating companies, understand what they do, and get an idea of how engineering fits into their business. Basically, learn as much as you can before you go. Why? Part of it is simply showing that you’ve done your research, which gives you an advantage over those who don’t. Perhaps more importantly, this gives you some background information that helps break the ice when chatting with their representatives. Rather than arriving and asking, “What do you do?” you can arrive saying, “I understand your company does XYZ” or “I’d like to know more about the XYZ industry.” (It also provides useful details for your “elevator pitch,” discussed next.)
A good starting place for research is the career fair website, which usually lists the participating companies and sometimes internship details as well. If possible, take time to visit the websites for all the participating companies and identify where your interests and goals align. It’s tempting to explore just ones with name recognition or ones with best internship reputations, but it’s a good idea to do at least cursory research on all participating companies because you might miss opportunities that would be an unexpectedly great fit. Exploring all the companies is also a good way to learn more about what engineers in your area do, the types of applications they work on, and the types of problems they solve.
From that initial research, identify the top five or six companies that best align with your interests and goals, then explore not just what they do, but how they do it, who they hire, and what people say. Visit those companies’ websites, as well as their microsites on GlassDoor and LinkedIn, which can help you gauge corporate culture and reputation. This part does take some time, but it provides useful insights, as well as gives you potential talking points at the fair.
Imagine you’re standing in an elevator and someone asks you about what you do professionally: While the elevator takes you from the coffee cart on the first floor to your office on the 22nd floor, you’d have ~15 seconds or so to answer the question. An “elevator pitch” is a type of communication aimed at providing key details in a short amount of time. In the job fair context, you’ll use an elevator pitch when you introduce yourself to prospective employers or to reply when someone asks, “Tell me about yourself.” You’ll encounter both at a job fair.
I can hear you groaning as you read this. Many people, even seasoned professionals, find introducing themselves and starting conversations especially difficult. That’s why coming up with—and practicing—your elevator pitch is important. For most traditional students, an elevator pitch would be two or three sentences that communicate things like where you are in the program, your interest areas, and your senior project topic, among other possibilities, like this example:
“Hi, I’m Jane Smith. I’m a senior in electrical engineering with a particular interest in aerospace applications. I completed drone certification this summer and am starting on my senior project now—testing jamming and spoofing drones for military applications.”
In this example, the student has relevant experience and a good idea of what she’s interested in. And because she offers some specifics, she’s giving the hiring manager some fodder to ask questions, which then helps discussions flow.
If you’re not yet far along in your coursework, just say so:
“Hi, I’m Jane Smith. I’m a second-semester freshman interested in electrical engineering. I’m here to learn more about what electrical engineers do at various companies.”
In this example, Jane sets the expectation that she’s not yet seeking an internship, yet demonstrates that she’s proactive.
Better yet, use the company research you did before the career fair in your elevator pitch, like this:
“Hi, I’m Jane Smith. I’m a first-semester junior in electrical engineering interested in drone applications. I understand your company develops XYZ…I’d like to know more about that!”
This last example is a good one in that it shows you've done your homework, yet it doesn't potentially limit the exchange if your interests, experience, or senior project topic are outside the scope of what they do. That is, while you might be very interested in drones or aerospace, you might have other interests and be open to internships in other areas. Developing an elevator pitch is a bit of a craft.
Whatever the details you identify, practice saying your elevator pitch aloud. Many job seekers make the mistake of just “practicing in their heads,” which often isn’t enough when nerves strike and all the details swimming around in your head suddenly disappear. Practicing aloud cements your words and helps ensure you don’t get tongue-tied when you’re on the spot:
If all else fails, practice in front of your cat. Or in the closet. Or in the car. Or wherever you feel comfortable. But do practice aloud. You’ll be glad you did and regret if you didn’t.
Participating companies work hard at making the career fair a friendly, positive experience. As such, it’s unlikely that you’d be asked “hardball” questions; in fact, they’re probably pretty skilled at eliciting details to help conversations flow. Even so, you should still come prepared to talk about one (maybe two) projects or courses you’ve completed, even if the experience or course is recent.
Practice talking about those details aloud, just as you should your elevator pitch. The goal isn’t to memorize, but to ensure the details are fresh in your mind for the career fair. It’s amazing how details escape us when nerves strike, even simple ones like the type of project, software used, hardware used, techniques, components, protocols, resources, libraries, reference designs, and so on. Some things to have fresh in your mind:
Again here, don’t just think through these questions, but actually talk through them with your spouse, significant other, roommate, or professor. As with your elevator pitch, talking through these things will help solidify details and help you speak fluently at the job fair.
Other details to freshen up include answers to questions about why you’re interested in engineering and what you like about (or why you chose) the program you’re in. Hobbies are good as well, as they tend to support your interest in engineering or can show well-roundedness.
Yes, you’re going to have to talk about yourself at career fairs; there’s no avoiding it. Listening to what potential employers seek will provide the best clues to help you know what to say. If you’ve researched the companies, practiced your elevator pitch, and have project/course details fresh in your mind, you might be surprised at how easily discussions flow.
Good luck! And let us know how it goes!
One of the first lessons many people learn when starting off in practical, hands-on electronics is the need for pull-up resistors. Whether to prevent floating I/O pins on a microcontroller or to interface two circuits via an open-drain design, pull-up resistors are an often necessary but rarely appreciated component. So why do we use pull-up resistors? Can't we just connect a wire to the Vcc supply of our device? And what size resistor should you use?
So why do we even need to bother with pull-up resistors to begin with? Let’s assume we have a momentary normally open pushbutton and we don’t want the I/O pin to float. Why not just connect a wire to the Vcc between the I/O pin and the lead of the pushbutton? This would work to prevent the microcontroller’s I/O pin from floating—it would need a Vcc or a solid HIGH—while the button is not pressed. However, as soon as the button is pressed, a short circuit would occur between the Vcc and ground (Figure 1). This will create a lot of heat, and if the device is battery-powered, it will drain the battery quickly. In addition to thwarting problems associated with floating microcontroller I/O pins, pull-up resistors are a necessity when using an open-drain topology. We discussed open drains at length in this Bench Talk post.
Figure 1: Just running a wire allows for a short circuit (Left). A pull-up resistor prevents floating inputs while also preventing an unwanted short circuit (Right). (Source: Author)
So how do we select the right sized resistor? As is true with most good engineering questions, the answer depends on your application. Let's start by thinking about the extreme options: 0Ω and, let's say, 1MΩ. The 0Ω option (small-value resistors are referred to as strong pull-ups, as they allow a lot of current to flow) we already discussed. Too small a resistance value and we get too much current flow, which can either be unsafe or at the very least energy inefficient. What if we go with a huge 1MΩ resistor? Won't that be safe? Large resistor values are referred to as weak pull-ups, as they prevent too much current from flowing. The answer is yes, but it comes at a cost. In this case, it's a trade-off between speed and power.
Think of the microcontroller's I/O pin as a capacitor. Recall that the voltage across a capacitor cannot change instantaneously. Rather, it charges up based on what is known as the time constant (T), mathematically expressed as T=RC, where R is the value of the resistor and C is the value of the capacitor. When we add a very large resistor, we are increasing the time it takes the capacitor to charge by limiting the current flow. Practically speaking, that means the microcontroller will not immediately detect the pressed button, as it will take some amount of time for the microcontroller to see the voltage change from what it considers a LOW/OFF state to the HIGH/ON state. This might result in unacceptable circuit performance from a user perspective: the system would appear not to respond in a timely fashion. In open-drain applications such as the I2C serial communication protocol, a large time constant would keep the I2C bus from achieving the desired baud rate on its Serial Data Line (SDA) and Serial Clock Line (SCL) lines.
Mathematically speaking this is how you compute the resistor values:
Rp(min) is the smallest resistor value that is acceptable and is given by the equation:
Rp(min) = (Vcc - VOL(max)) / IOL whereby:
Rp(max) is the largest resistor value that is acceptable and is given by the equation:
Rp(max) = tr / (0.8473 x Cb) whereby:
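As an added worked example (not code from the post or its author), here is a Python calculation of the Rp(min)/Rp(max) range from the two formulas above, using assumed standard-mode I2C figures: Vcc = 3.3 V, VOL(max) = 0.4 V and IOL = 3 mA for the open-drain driver, tr = 1000 ns, and an estimated bus capacitance Cb = 100 pF. The symbol meanings used here are the standard I2C ones (VOL(max): maximum low-level output voltage; IOL: low-level sink current; tr: rise time; Cb: total bus capacitance). It also shows where the 0.8473 constant comes from: it is ln(0.7/0.3), the number of RC time constants an RC charging curve needs to climb from 30% to 70% of Vcc, which is how I2C defines rise time. The very large and very small resistor cases from the text are included so the speed-versus-power trade-off is visible in numbers.

```python
import math

# Constructed standard-mode I2C example values (assumptions, not from the post):
VCC = 3.3          # supply voltage, volts
VOL_MAX = 0.4      # maximum low-level output voltage the open-drain driver guarantees, volts
IOL = 3e-3         # current the driver can sink while holding the line at VOL(max), amps
T_RISE = 1000e-9   # maximum allowed 30%-70% rise time for a 100 kHz (standard-mode) bus, seconds
C_BUS = 100e-12    # estimated total bus capacitance (pins, traces, cable), farads

E6_VALUES = [470, 1000, 2200, 4700, 10000, 22000, 47000, 100000]  # common stock resistor values, ohms


def rp_min(vcc, vol_max, iol):
    """Smallest acceptable pull-up: with the line held low, the driver sinks (Vcc - VOL)/Rp,
    and that current must not exceed the IOL the driver is rated for."""
    return (vcc - vol_max) / iol


def rise_constant(v_low=0.3, v_high=0.7):
    """Time, in units of RC, for an RC charging curve V(t) = Vcc*(1 - exp(-t/RC)) to go from
    v_low*Vcc to v_high*Vcc. For the I2C 30%-to-70% definition this is ln(0.7/0.3) = 0.8473,
    the constant that appears in the Rp(max) formula."""
    return math.log((1 - v_low) / (1 - v_high))


def rp_max(t_rise, c_bus):
    """Largest acceptable pull-up: the charge time Rp*Cb*0.8473 must stay within t_rise."""
    return t_rise / (rise_constant() * c_bus)


def rise_time(r, c):
    """Predicted 30%-70% rise time for a given pull-up R and bus capacitance C, seconds."""
    return r * c * rise_constant()


def low_state_current(vcc, vol, r):
    """Current the driver must sink while the line is low. A 0 ohm 'pull-up' is a dead short."""
    if r <= 0:
        return float("inf")
    return (vcc - vol) / r


def usable_values(candidates, lo, hi):
    """Stock resistor values that fall inside the [Rp(min), Rp(max)] window."""
    return [r for r in candidates if lo <= r <= hi]


if __name__ == "__main__":
    lo, hi = rp_min(VCC, VOL_MAX, IOL), rp_max(T_RISE, C_BUS)
    print(f"Rp(min) = {lo:.0f} ohm, Rp(max) = {hi:.0f} ohm")
    print("usable stock values:", usable_values(E6_VALUES, lo, hi))
    # Strong (1 k), typical (4.7 k) and very weak (1 M) pull-ups: speed versus power trade-off
    for r in (1000, 4700, 1_000_000):
        t_ns = rise_time(r, C_BUS) * 1e9
        i_ma = low_state_current(VCC, VOL_MAX, r) * 1e3
        print(f"{r:>8} ohm: rise {t_ns:8.0f} ns, low-state current {i_ma:.3f} mA")
```

With these figures the window is roughly 967 Ω to 11.8 kΩ, so 1 kΩ, 2.2 kΩ, 4.7 kΩ and 10 kΩ all qualify, while the 1 MΩ "weak" pull-up from the text produces a rise of about 85 µs, far too slow for the bus even though it sinks almost no current.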
Now for a practical rule of thumb, here are the resistor values you should consider testing in your circuit to see if you get the desired performance:
The last thing to consider is that many microcontrollers have internal pull-up resistors that can be turned on via code. Be sure to check the data sheets to see if the internal resistor value is appropriately sized for your application. If not, you will have to use external pull-up resistors.
Threat modeling is a disciplined process designed to identify and correct potential product vulnerabilities in the early stages of design. The threat models you create describe how your product components work together with users and enumerate potential threats and countermeasures that mitigate these threats. Ideally, you’ll want to threat model each of your systems early in the design process when changes can be made at a much lower cost than when the product is complete. Threat modeling is an important component of a security development lifecycle (SDL) program and ensures your components, systems, and code are appropriately secure by design. Threat modeling is a critical exercise for both software developers and information technology systems engineers and architects. Even if you did not build the systems that you operate, regularly conducting threat-modeling exercises forces you to think like an attacker and will spark ideas to improve your product security. And of course, be sure to update your existing threat models whenever significant changes to your systems are made.
At its core, threat modeling is the process of documenting the design elements of your system and, specifically, the threats to those elements as seen from an attacker's point of view. The process involves understanding the components and users of your systems, the boundaries between these components and users, and the attack paths, or threat vectors, likely to be favored by attackers. This perspective helps you take a risk-based approach to designing the right safeguards and countermeasures to mitigate these threats. For example, a threat model will highlight the risks of placing a sensitive data store adjacent to a public web server and guide the selection of appropriate logical security controls to lower that risk to an acceptable level.
Even as the internet began to ramp up in the early ‘90s, researchers and scientists were already thinking about threat modeling. Early models of attack trees and threat trees were developed by enumerating system vulnerabilities and systematically examining all the ways an attacker could compromise a system. As the internet expanded and exploited vulnerabilities became an everyday problem, many companies sought to build better security into the core of their products. For example, Microsoft developed the STRIDE threat model, which became a critical component of their own secure development lifecycle. STRIDE is a systematic process to discover potential threats and recommend mitigations across six potential threat categories:
There are other types of threat model methodologies, and the principles are similar. What is important is the process of asking yourself what could go wrong, and then breaking down these potential threats into categories to help you think about appropriate countermeasures. For example, you might identify the transmission of sensitive data over HTTP to a remote system as a potential information disclosure threat that could be mitigated by encrypting the network traffic.
An essential element of threat modeling is the data flow diagram (DFD), which includes all the important components of your system and their interactions. This diagram shows all key components and systems, whether they are spread across on-premises and cloud infrastructure or reside on one server or within a single application. The approach and level of detail in your DFD depend on what you are designing. For example, if you are deploying a new video camera on your network, you might not be able to threat model the camera software itself, but you should identify all the surrounding systems that the camera needs to communicate with, what protocols it uses, and who will access it. Be sure to include this information in your DFD. Hopefully, the manufacturer of the camera has also threat modeled the development of its video software. Their software threat model might, for example, identify the internal boundaries, objects, and methods the software uses to isolate sensitive data and to communicate with other objects and systems. The DFD should show the objects and their requests to and responses from other objects, and clearly delineate the boundaries between different groups of objects. For example, you might show the logical boundary between your front-end web-app systems and your more sensitive data stores. Add the users of your systems to your DFD, and specifically the actors, or threat agents, that might abuse your system. For example, differentiate a privileged operator from a regularly credentialed employee when modeling the authorization processes of your system. Identify potential bad actors in your DFD and show how they might access your system.
With your DFD that identifies the trust boundaries, communications across these boundaries, and who and what will make up these communications, you can then begin to look at the potential threats to your system.
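To make the process concrete, here is a small Python model, added as an example and not part of the original post or of any tool it mentions, of a DFD with trust zones and the flows between its elements. A handful of rule-of-thumb checks map each boundary-crossing flow onto the six STRIDE categories (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) with a suggested mitigation, the same way the text's example maps sensitive data over HTTP onto information disclosure mitigated by encryption. The elements, zones and flows are constructed sample data, and the rules are deliberately simple assumptions of this example, not a complete methodology; a real model needs the validation step the text describes.

```python
from dataclasses import dataclass

# The six STRIDE categories from Microsoft's model
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external" (actor / threat agent), "process", or "datastore"
    zone: str   # trust boundary the element sits inside


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    protocol: str
    encrypted: bool       # confidentiality and integrity protection on the wire
    authenticated: bool   # the receiver verifies who is talking to it
    sensitive: bool       # carries data that must not be disclosed
    logged: bool          # an audit record ties the action to an actor


def crosses_boundary(flow):
    return flow.src.zone != flow.dst.zone


def threats_for(flow):
    """Rule-of-thumb STRIDE checks (assumptions of this example) for one flow.
    Flows that stay inside a single trust zone are not examined."""
    if not crosses_boundary(flow):
        return []
    found = []
    if flow.sensitive and not flow.encrypted:
        found.append(("I", "encrypt the channel (e.g. TLS) so data in transit is not disclosed"))
    if not flow.encrypted:
        found.append(("T", "integrity-protect the channel so messages cannot be altered in transit"))
    if not flow.authenticated:
        found.append(("S", "authenticate the sender before trusting the request"))
    if flow.dst.kind == "datastore" and not flow.logged:
        found.append(("R", "log who read or wrote the store so actions cannot be denied"))
    if flow.src.kind == "external" and flow.dst.kind == "process":
        found.append(("D", "rate-limit and validate input arriving from untrusted actors"))
    if flow.src.kind == "external" and flow.dst.kind == "datastore":
        found.append(("E", "route actor access through a process that enforces authorization"))
    return found


def analyze(flows):
    """Preliminary threat list for a whole DFD, one entry per (flow, category)."""
    report = []
    for f in flows:
        for code, mitigation in threats_for(f):
            report.append({
                "flow": f"{f.src.name} -> {f.dst.name} ({f.protocol})",
                "code": code,
                "category": STRIDE[code],
                "mitigation": mitigation,
            })
    return report


def summarize(report):
    """Count findings per STRIDE code."""
    counts = {}
    for r in report:
        counts[r["code"]] = counts.get(r["code"], 0) + 1
    return counts


# Constructed sample DFD: an internet user, a web app in a DMZ, an internal database
# and a third-party payment service
customer = Element("Customer", "external", "internet")
web = Element("Web app", "process", "dmz")
orders = Element("Orders DB", "datastore", "internal")
payments = Element("Payment API", "process", "third-party")

SAMPLE_FLOWS = [
    Flow(customer, web, "https", encrypted=True, authenticated=True, sensitive=True, logged=True),
    Flow(web, orders, "tcp/5432", encrypted=False, authenticated=True, sensitive=True, logged=False),
    Flow(web, payments, "http", encrypted=False, authenticated=True, sensitive=True, logged=True),
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_FLOWS):
        print(f"[{r['code']}] {r['flow']}: {r['category']} -> {r['mitigation']}")
```

Running it lists six preliminary findings: the unencrypted database and payment flows each raise information disclosure and tampering, the unlogged database access raises repudiation, and the customer-facing entry point raises denial of service. Each is a starting point to validate or dismiss, not a verdict.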
If you are new to threat modeling, identifying the right threats can be overwhelming. Fortunately, there are several threat modeling tools available to guide you through this process and help identify what kinds of threats to look for. One free and easy-to-use tool is the Microsoft Threat Modeling Tool. While this tool is targeted towards software developers and architects, it can be extended for basic IT operational models as well. The Microsoft Threat Modeling Tool is especially useful when trying to grasp the fundamentals of threat modeling quickly. Download and install the client, and within minutes you will be creating your first threat model. Follow the steps below to create a threat model using the Microsoft Threat Modeling Tool:
When you are finished, you can run a report and the tool will use these objects, attributes, and boundaries to generate and show you a preliminary list of threats and suggested mitigations. You will want to validate its assumptions and adjust the threat model to refine it to your environment and specific use cases.
There are many other robust commercial and community threat modeling tools tailored to specific types of operational models. For example, one tool might integrate especially well with agile software development processes, and another might excel at modeling traditional information technology systems, like calling out specific firewalls and intrusion detection systems and their configurations. Some of these tools perform sophisticated attack simulations and are hosted on a collaborative, permission-based web platform that allows you to share threat-modeling data between team members easily.
Threat modeling is a straightforward process of identifying your system, what could go wrong with it, and how to prevent that. However, there is a lot of nuance to creating a good threat model, and you will want to be sure your own process captures the right data so that you do not miss anything important. Threat modeling tools go a long way toward providing this framework. Remember to take advantage of the many threat modeling resources on the internet to help you design and build a process well suited to your own environment.
Before having kids, I assumed that they would be easy to keep in line at crowded restaurants, parks, or wherever else our family chose to wander. The people who used restraints like leashes were, obviously, very bad parents, resorting to treating the tiny humans in their care like animals. After having kids myself, my viewpoint shifted dramatically, and I now understand wholeheartedly why parents might choose this type of tool. However, our hyper-networked world is now providing a wide range of safety technologies (some which are so miniature that they come in the form of inconspicuous accessories) to help keep track of kids. This tracking technology can be great for everyday use, and it can be especially helpful on summer adventures, whether you’re at a crowded theme park or on a camping trip with no one else around.
The most important technology behind these child tracking or “child LoJack” systems is, of course, GPS, which is a program originally conceived by the US military and now widely available for civilian use. While it was originally less accurate for ordinary citizens, this so-called selective availability ended in 2000, and users can now achieve accurate readings within a few meters. When combined with our global cellular data transmission capabilities, these readings can provide a useful safeguard, if a child somehow makes it out of your watchful view.
One example of note is the Jiobit, a GPS-based tracker so compact that it can easily attach to a child’s belt loop or even shoelaces. This system functions with an iOS/Android smartphone app that updates the location of the child every 10 seconds, and it allows you to set up geofencing around the child’s school, home, or wherever he or she should be. In fact, you can even set up a moving geofence around yourself (using your smartphone’s GPS), so if your child wanders too far away, you can move in the appropriate direction.
For kids old enough to play in the neighborhood with friends or to go to a limited number of locations, the dokiWatch S is another interesting option. It’s designed for kids 6 to 12 years old and is something that would have been science fiction when parents of today were growing up. The watch acts as a cellular communication device, allowing calls to a limited number of people, and allows parents to track their kid’s location. Most impressively though, especially in its wrist-mounted form factor, is that it can do video calling, letting mom and dad see Junior’s smiling face. Kids can also use it to show their parents a discovery or to ask for help with a homework problem. The dokiWatch S also features an SOS button, allowing kids to send out a quick distress signal if they do need immediate help.
As you would expect, there are a wide variety of other trackers available with their own take on this concept. However good these tracking technologies are in theory, parents must also consider how strangers may track and store their child's data and how it could be misused if it fell into the wrong hands. Jiobit, for their part, notes how they protect data and how their protection plan complies with the Children's Online Privacy Protection Rule (COPPA). This certainly shows that they are at least thinking about this issue; nevertheless, parents must be careful to consider whether the services mesh with their personal standards. For that matter, there's always the question of whether a company can keep a child's data secure, a real concern given recent large-scale data breaches.
At some point, there is always the option to give kids a cell phone or simply let them borrow one of yours in certain situations. This, of course, opens a new line of communications, along with a whole new set of worries. You’re giving them the keys to the information kingdom—the Internet—and enabling a level of data tracking that few of us fully understand. The Internet can be an amazing learning resource, but as with all powerful tools, the person using it must be ready—or at least properly supervised! But, that’s an entirely different discussion. For now, just remember that there are a variety of new options you can discover to electronically track your kid’s location at any time and anywhere, which could offer an added peace of mind as your family leaps into that next big summer adventure.
Building and maintaining an accurate inventory of your systems, devices, and applications is critical to ensuring that your technical security controls operate effectively across your entire organization. This is simply because you need to know what you have before you can begin to secure it adequately. Having an accurate inventory when you develop your security program enables you to know which machines to scan for vulnerabilities and subsequently patch. You will also likely query your inventory to decide which specific devices to onboard into your security information and event management (SIEM) platform. Without a solid inventory, you might inadvertently exclude devices from your security controls, and those unmanaged devices could give an attacker a foothold into your network.
The most basic inventory is a list of systems and devices found in your organization or environment. Enhance this list with security-relevant metadata including the make and model of the device and distinguishing characteristics such as:
More sophisticated inventories include additional metadata about a device such as:
Logical assets should include information that makes it easy to find the device or manage it in case of an incident. Examples of when you would use this information include:
The purpose of the inventory metadata is to aid in planning when designing new security controls as well as reduce the response time to discover impacted assets during a security incident.
Make sure your inventory is usable and accessible. For even the smallest inventories, give thought to the data structures that organize and store your inventory so that you can easily filter and query for specific devices based on their metadata. In some cases, a simple web frontend to your inventory database might be a good solution to shield users from more complicated database schemas.
If you are not yet formally collecting an inventory, start with a simple list—a spreadsheet works fine—and evolve to a more sophisticated inventory management program as your needs expand. You will find there are many commercial and open-source inventory and asset management applications for all sizes of businesses and many offer demonstrations to test drive the features that best suit your purposes. Larger applications require maintenance and upkeep. It is important not to let the complexity of these programs overshadow the accessible and immediately usable benefits that even a simple, effective inventory list can provide. For example, a spreadsheet with data filters and pivots can quickly transform and present data into usable and actionable results without a lot of development. Of course, larger organizations that require multiple teams to regularly access and update inventory information might require a more sophisticated approach.
Consider leveraging inventory repositories already set up by other teams to uplift your own efforts. Finance, datacenter, or facility teams may already manage physical inventory for their own capital asset tracking, and this data may be a great starter to seed the data collection for at least a subset of your own data needs. Through cooperation with these other teams, you may be able to add assets that they might not collect—e.g., virtual machines—and augment their records with security-relevant metadata that enriches the larger repository.
Dynamically subscribing to another inventory repository might net you a treasure trove of inventory data already collected and managed by others. Be careful of one-time data extracts that go stale over time. As your organization and your program grow, do not forget to scale your inventory processes as well, lest they become obsolete. Store your inventory in an extensible and exportable format to facilitate sharing with other programs and systems. Even for smaller efforts, this will become important as your program grows from a simple spreadsheet into a custom database or a commercial or open-source inventory application. Where possible, extend and integrate your inventory management processes into your move-add-change and change management processes so that these programs update your inventory data in concert with real changes to the environment.
A complete inventory that supports most security controls will represent both the physical and logical systems and devices in your environment. It is important to include cloud assets, as many of the same challenges to securing on-premises hosts also affect infrastructure as a service (IaaS) guests. Capturing cloud assets will require more steps than those used to collect assets on your own managed network because the cloud assets might reside across multiple cloud subscriptions. However, the major cloud providers supply queries and application programming interfaces (APIs) that you can use to create dynamic reports or data extracts of your cloud assets, given the right subscription authorization.
I often think of the inventory count as the denominator for measuring the overall effectiveness and reach of your security controls. Think about your security scorecard. Your security scorecard might include a metric representing the percentage of systems patched for known vulnerabilities. You might feel pretty good thinking you patched 85% of your systems, but you might not feel so good if you later find out that this metric only represents half of your total systems. Showing the denominator for security metrics is essential and helps tell the whole story. Take for example these made-up metrics. If only 134 out of 200 devices connect to the newest logging system, then that suggests there is more work to do to enroll the remaining 66 devices. The dashboard on your commercial vulnerability scanner might report that it scanned 3,462 assets for vulnerabilities last week. Is that a good thing? It is tough to tell without the denominator. What if you are responsible for securing 4,000 assets, or possibly 10,000 assets, and the scanner only evaluated 3,462 of them for vulnerabilities? Having a complete inventory provides this denominator and completes the story of the overall effectiveness of the security control. Let's take one of the prior examples a bit further. Regardless of how many vulnerabilities are found on the 3,462 scanned assets, it is also essential to understand how many assets were not scanned and why. For example, was an IP range mistakenly left out, or was it a conscious financial decision attributable to license costs? Knowing when a control is operating for only a subset of assets, and knowing why it is not operating for all assets, is important. This ensures you do not have any gaps in your security coverage and helps you design mitigating controls where necessary.
A good inventory will also help you meet your compliance and audit obligations. For example, in the past, the Payment Card Industry Data Security Standard (PCI-DSS) considered systems that held or processed credit card data as in scope for the PCI-DSS controls and audits. Identifying and tagging the systems in your inventory with PCI-DSS relevant metadata ensures you apply the right security controls to every in-scope system. When requirements are updated, such as when PCI-DSS expanded in-scope systems to include all connected systems, you can update your inventory to reflect these changes and always have confidence that your controls are applied to the right assets.
Lastly, consider taking your inventory management to the next level by recording asset dependencies. For example, you might link a web server asset to the database asset that it relies upon in the inventory database. More advanced inventory management systems help manage these dependencies, and these relationships will help inform your security decisions. For example, patching a database server for a critical security vulnerability might require it to restart. Knowing which web servers this restart will affect enables others to prepare in advance.
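The denominator idea from the metrics discussion, the compliance tagging, and the dependency lookup above, as an added Python example that is not code from the original article; the inventory, asset IDs, tags and dependency links are constructed for illustration:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class Asset:
    asset_id: str
    hostname: str
    kind: str                                  # "physical", "vm" or "cloud"
    tags: Set[str] = field(default_factory=set)        # e.g. compliance scope
    depends_on: Set[str] = field(default_factory=set)  # asset_ids this asset relies on

# Constructed sample inventory (invented hostnames and IDs, not a real environment).
INVENTORY: Dict[str, Asset] = {a.asset_id: a for a in [
    Asset("a1", "web-01", "vm", {"pci"}, {"a4"}),
    Asset("a2", "web-02", "vm", {"pci"}, {"a4"}),
    Asset("a3", "intranet-01", "physical", set(), {"a5"}),
    Asset("a4", "db-pci-01", "physical", {"pci"}),
    Asset("a5", "db-hr-01", "cloud", set()),
    Asset("a6", "build-01", "cloud", set()),
]}

def scan_coverage(inventory: Dict[str, Asset], scanned_ids: Set[str]) -> dict:
    """Report a control's reach using the full inventory as the denominator.
    Also surfaces assets the scanner saw that the inventory does not know about."""
    denominator = len(inventory)
    covered = [i for i in inventory if i in scanned_ids]
    missing = sorted(i for i in inventory if i not in scanned_ids)
    unknown = sorted(scanned_ids - inventory.keys())
    pct = round(100.0 * len(covered) / denominator, 1) if denominator else 0.0
    return {"denominator": denominator, "covered": len(covered),
            "percent": pct, "missing": missing, "unknown": unknown}

def dependents_of(inventory: Dict[str, Asset], asset_id: str) -> List[str]:
    """Transitively find assets affected when asset_id is restarted for patching."""
    affected: Set[str] = set()
    frontier = {asset_id}
    while frontier:
        target = frontier.pop()
        for a in inventory.values():
            if target in a.depends_on and a.asset_id not in affected:
                affected.add(a.asset_id)      # visited set also guards against cycles
                frontier.add(a.asset_id)
    return sorted(affected)

def in_scope(inventory: Dict[str, Asset], tag: str) -> List[str]:
    """Assets carrying a compliance tag, e.g. the PCI-DSS scope."""
    return sorted(i for i, a in inventory.items() if tag in a.tags)
```

Feeding the scanner's reported asset list into scan_coverage turns "3,462 assets scanned" into a percentage against a known total, plus the explicit list of what was missed.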
Building and managing a complete inventory of all your physical and logical systems and devices will prove useful to your day-to-day security and operations. With an up-to-date inventory, you will have fewer blind spots and more confidence that your security controls are appropriately scoped and deployed to just the right assets.
Copyright ©2024 Mouser Electronics, Inc.