I see and hear a variety of acronyms being used on a daily basis. I recently heard one tossed around with good humor that makes a point: TMA or Too Many Acronyms. Every once in a while, when I think I’ve embedded the definition and use of an acronym into my long-term memory (anything beyond an extended weekend), it seems as if either a new acronym was spawned, or it has been overloaded with a different meaning. My goal in this blog post is offer both a refresher on some topical acronyms that appear to be quite commonly circulated in security technology circles and media outlets. It is challenging to be a subject matter expert in every aspect of cyber security. Whether you are reading an article, joining a conversation or preparing for a presentation or certification in the realm of cyber security, you may not be completely perplexed by these acronyms when you come across them and become more familiar with them. For situational purposes, I organized the acronyms into categories where I have seen them used frequently and included related links for each of them.
AAA: Authentication, Authorization, and Accounting. This is a set of actions that enable you to control over who is allowed access to the network, what services they are allowed to use once they have access, and track the services and network resources being accessed.
ACL/tACL/iACL/VACL/PACL: Access Control List. ACLs are used to filter traffic based upon a set of rules that you define. For ACLs listed with a prefix (for example, t=transit, i=infrastructure, V=VLAN (Virtual Local Area Network), P=Port)), these ACLs have special purposes to address a particular need within the network.
FW/NGFW/FWSM/ASASM: Firewall/Next Generation Firewall/Firewall Service Module/Adaptive Security Appliance Services Module. These products provide a set of security features designed to govern the communications via the network. Cisco provides firewall features as a dedicated appliance or hardware module that can be added to a network device such as a router.
IPS: Intrusion Prevention System. Typically, this is a network appliance that is used to examine network traffic for the purposes of protecting against targeted attacks, malware, and application and operating system vulnerabilities. In order to ensure the effectiveness of a Cisco IPS device, it should be maintained using Cisco’s IPS subscription service.
DNSSEC: Domain Name System (DNS) Security Extensions. That’s right, we have an acronym within an acronym. These are the specifications for security characteristics that make it possible to verify the authenticity of information stored in DNS. This validation makes it possible to provide assurances to resolvers that when they request a particular piece of information from the DNS, that they receive the correct information published by the authoritative source. Read More »
Tags: byod security, Cisco Security, cybersecurity, HIPAA Compliance, incident response, MDM, PCI Compliance, pci-dss, security, vulnerability
Organizations continue to face threats to their brands, reputations, and profits from attacks on their information systems. The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect credit card information. During my five-year tenure at Cisco, I’ve been focused on PCI. The challenge that we have faced when deploying a solution to help customers become compliant and maintain a secure enterprise is the complexity. At the various trade shows that I have attended to discuss PCI, I have encountered a lot of head-shaking and looks of disgust as I bring up the topic of PCI. To help simplify PCI compliance, Cisco has released the latest Cisco Compliance Solution for PCI DSS 2.0 to make it easier for organizations to maintain a secure, compliant network.
Read More »
Tags: compliance, Compliance Solution for PCI DSS 2.0, PCI Council Board of Advisors, pci-dss, security
Anyone who has been involved with compliance knows that simplifying complexity is the key to maintaining a secure and compliant organization. It’s become quite apparent that sustaining compliance is a marathon, and the journey must be travelled with vigilance. This is not something that is an endpoint or a task, that once accomplished, can be shelved and forgotten; therefore, it is very helpful for merchants, who wish to become compliant or maintain compliance, to purchase solutions that are “certified.”
The fact that you are purchasing a product that’s already been validated as secure and “capable” of being compliant reduces the complexity and uncertainty associated with big-ticket items. Adding new credit card readers or a payment application in your stores is expensive, and knowing that these products are validated by the Payment Card Industry (PCI) Council gives merchants confidence that they’re making a wise and secure decision. Read More »
Tags: Cisco Security, cybertrust, pa-dss, PCI Compliance, pci-dss, qsa, qualified security assessor, security
I have a keen interest in the Latin American region because several of my closest friends and my respected colleagues are from this region. Also, internal market forces and global demand are accelerating the rate of data center projects, further heightening my interest. Last year, I visited the region where I got to see data center build outs and realized the extent of the “greenfield” opportunity. I very recently got acquainted with Daniel Garcia, a 12-year Cisco veteran and Security Specialist sales engineer covering the Latin American region. I found his insights most valuable and different to what I usually hear.
For Daniel the greatest difference between the Latin American Region and other regions is the number of Greenfield data center projects. But Daniel finds that many customers are looking for “cookie cutter” solutions that they implement into their environments without much customizing. This was something I hadn’t heard before but which makes excellent sense. The reason for this approach is that many customers lack in-house IT expertise and require proven solutions. The benefits of this approach mean less risk, less cost and with any validated solutions, far less time in production and testing. The downside is that each organization has distinct needs according to their business line and size, and their risk tolerance will vary. Daniel works with his customers to tweak data center reference architectures to provide customers with a tailored and secure data center environment. Read More »
Tags: it security, latin america, Payment Card Industry Data Security, pci-dss, secure data center
Having attended the annual North American PCI Community Meeting for many years and being involved with PCI compliance since 2008, I’ve heard firsthand the challenges merchants face in their quest for PCI compliance (see Blog: Compliance Headaches Continue). However, thinking back to the PCI Community Meeting last week in Orlando, I was intrigued by how this year’s keynote speaker fit into the program. How could an extreme adventurer, such as Jamie Clarke, rather than a hacker or data breach expert provide the necessary perspective on compliance? As I attended sessions and networked with over a thousand of my peers from 17 countries, it dawned on me: The collective PCI state of mind is reflective of the maturity of the journey and a fresh optimism emerges as we near the top of the mountain after a very long and arduous journey.
Here are some of the highlights from this year’s meeting.
- PCI SSC General Manager Bob Russo presented the annual PCI State of the Industry. The PCI standards continue to mature and merchants are increasing the focus to protect cardholder data. The overall tone was more about ‘tweak’ than change.
- The opportunity for training from the PCI Council continues to increase with several new programs including a Qualified Integrators and Resellers (QIR) program and a Payment Card Industry Professional (PCIP) certification.
- The Special Interest Groups (SIGs) are going strong, which again speaks to the maturity of the standard. We are seeing ongoing clarity, rather than new initiatives. The SIGs leverage valuable business and technical experiences from PCI Participating Organizations (POs). Over 460 POs were in attendance. Our key candidates for the 2013 SIGs are Cardholder Data Discovery and Guidance on Logging. However, there are 7 candidates up for voting.
- Spider Labs presented an overview of mobile device security and reviewed several mobile attack scenarios. The PCI Council has released new guidance on secure mobile payment acceptance.
- Updates to the Council’s Point-to-Point Encryption (P2PE) program are available.
- Feedback on the PCI standards was discussed in preparation for the next releases in 2013.
Read More »
Tags: mobile payments, pci, PCI Compliance, pci-dss, point-to-point encryption