A generic engineering lifecycle model includes five stages:
• Material Solution Analysis
• Technology Development
• Engineering and Manufacturing Development
• Production and Deployment
• Operations and Support
Most engineering projects, processes, or products go through those five stages, either once or over several cycles. Figure 2.5 shows the DoD acquisition process and its major stages (Acquisition University Press 2001).
Figure 2.5 shows four major stages in the acquisition lifecycle:
• Pre-systems acquisition, concept, and technology development. In some models, this stage is divided into two stages: (1) concept refinement and decision, (2) technology development. The pre-systems acquisition stage is called the “NEED” stage in the DHS model (DHS 2008). Gaps and needs in existing systems are investigated and validated.
K0270: Knowledge of the Acquisition/Procurement Lifecycle Process
• In concept refinement, several alternative concepts are evaluated and compared that can satisfy project objectives or requirements. Risks associated with each concept are also discussed and analyzed. At the end of this stage, a decision must be made to advance concepts to the next stage.
• System development and demonstration.
• Production and deployment: In this stage, the product is deployed and evaluated in its real environment. In some models this stage is divided into two sub-stages: initial operational capability (IOC) and full operational capability (FOC).
• Sustainment and maintenance: This includes all activities after the first deployment cycle. In other models, this same stage is called operations and support. In some DoD or military models, this stage may include the term “Disposal”; in some cases, an explicit process/stage is required to dispose of or retire the product properly.
The US Department of Homeland Security (DHS) defines four stages for the acquisition lifecycle (Hutton 2010):
• Identify the functional capabilities that needed assets must provide and how those capabilities serve the requested objectives.
• Evaluate alternative solutions for those capabilities, with cost and schedule estimates.
• Develop, test, and deploy the selected alternatives.
• Evaluate the asset after solution deployment to judge whether objectives are met and whether to move to full production or not.
The Federal Aviation Administration proposed an acquisition lifecycle model with the stages mission analysis, investment analysis, and solution implementation; a cycle of operation consisting of in-service management and service life extension; and finally a system disposal stage (Fig. 2.6).
Fig. 2.5 DoD acquisition process (Acquisition University Press 2001)
[Fig. 2.6 (image not reproduced): FAA acquisition lifecycle model drawn as states S1–S7 linked by XOR branches; labelled stages: Need, Mission analysis, Investment analysis, Solution implementation, Manage program, In-service management, Service life extension, System disposal, System residual]
Fig. 2.6 FAA acquisition lifecycle model (Grady 2006)
[Fig. 2.7 (image not reproduced): NASA system acquisition management model drawn as states SA–SD, SD1–SD8, SM, SB, SC linked by AND/IOR branches; labelled stages: Need, Advanced studies, Project definition, Design, Detailed design, Acquire material, Manufacture system, Verify system, Development and operations, Provide logistics support, Use system, Modify system, Dispose of system, System residual]
Fig. 2.7 NASA acquisition lifecycle model (Grady 2006)
Similar to the FAA, NASA adopts a semi-evolutionary model in which the development, deployment, and operational stages can go through several increments or cycles (Fig. 2.7).
Defense Acquisition University
Defense Acquisition University (DAU) is a corporate university of the US DoD that provides Acquisition, Technology, and Logistics (AT&L) training to military and federal civilian staff and contractors (https://www.dau.mil/). Much content relevant to this chapter can be found on the University website. Similarly, DoD Directive 5000 is a major reference for government policies on acquiring material systems and infrastructure.
Positions in the acquisition workforce have different acquisition duties that fall into 15 functional areas, and for each area certification is available at three levels: basic, intermediate, and advanced. The areas are: Auditing; Business Cost Estimating and Financial Management; Business Cost Estimating; Business Financial Management; Contracting; Facilities Engineering; Industrial/Contract Property Management; Information Technology; Lifecycle Logistics; Production, Quality and Manufacturing; Program Management; Purchasing; Small Business; Systems Planning, Research, Development and Engineering—Program Systems Engineering; Science and Technology Manager; Engineering; and Test and Evaluation.
K0523: Knowledge of Products and Nomenclature of Major Vendors (e.g., Security Suites—Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and How Differences Affect Exploitation/Vulnerabilities
Security suites or anti-malware systems provide full or integrated security control solutions that protect against a large spectrum of malware or attacks. The earliest versions of such tools were called antiviruses, since viruses were the only or most common malware at the time. The term malware is now used to refer to all categories of malicious software, such as viruses, worms, Trojan horses, spyware, and adware.
Similarly, the term security suite indicates a recent trend in security controls to provide a one-for-all suite that covers all categories of security controls or functions. For customers and IT support, it can be more convenient to deal with and configure one centralized security suite. It also avoids conflicts of actions or decisions between different security controls. For example, a gateway firewall may have the role of blocking certain traffic while the same traffic is allowed, and necessary, from the viewpoint of another security control. Currently, with many security controls, a precedence rule is usually enforced: once a security control denies certain traffic and drops it, there is no way for further security controls to reverse that.
On the other hand, with centralization, the issue of a “single point of attack” or “single point of failure” always arises. For a large enterprise with a large number of assets, databases, etc., can one centralized security control be sufficient? How much confidence do we have that this centralized security control is always making the right permit and deny decisions (e.g., consider false-positive and false-negative cases), and how much confidence do we have that such a centralized security suite is not going to be a target itself (e.g., tampering to change, add, or delete sensitive rules in its rule engine)?
In addition to anti-malware, there are other categories of security controls such as firewalls and Intrusion Detection/Protection Systems (IDS/IPS). Details on those categories can be found in other parts of this book. The main focus in this section is on the major vendors in the area of anti-malware or integrated security controls. Security suites can be classified and compared according to the list of features they provide in relation to cost (Fig. 2.8).
While paid security suites usually tend to perform better than free or open source ones, some no-cost options, such as Avira, Panda, ClamWin, Avast, Microsoft Security Essentials, and AVG, hold up well. The rankings can vary significantly from one year to another and even from one evaluator to another (e.g., based on the features of interest). The main advantage of buying a security suite from a vendor is the ability to get help and support. Given the sensitivity of security problems or breaches and the urgency of solving them quickly, one instance of effective support can justify avoiding the free or open source option.
In terms of acquisition, there are different models for how security suite services are sold or provided. In addition to the free or open source options, early generations of security controls had the option of a one-time payment. However, current commercial security suites offer yearly subscriptions. Additionally, options can vary between cost per user or individual and cost per site or enterprise. Different factors caused the transition to this model:
• Internet and bandwidth availability: Early generations of Internet services were limited and slow. With the increase of available bandwidth for users and businesses, it became possible to provide real-time services. Many security suites offer the option to scan your machine without the need to install any software locally (e.g., software as a service—SaaS).
• The continuous evolution of security threats: Security threats change daily, and new threats, vulnerabilities, or malware are discovered. The need for real-time or frequent updates of security suites is therefore very important. In this scope, the term zero-day attack is used to refer to attackers taking advantage of recently discovered vulnerabilities. They hope that such vulnerabilities are still present on some computers, especially those that have not updated their security suites (assuming that the security provider has already discovered the vulnerability and created a fix/update for it).
• Different platforms and mobility issues: Users want to protect their laptops, desktops, smartphones, tablets, etc. They prefer to have one account and subscription that allows them to obtain the same protection level from the same provider on their different computing environments.
Fig. 2.8 The Best Security Suites of 2018 (pcmag.com)