I see and hear a variety of acronyms being used on a daily basis. I recently heard one tossed around with good humor that makes a point: TMA or Too Many Acronyms. Every once in a while, when I think I’ve embedded the definition and use of an acronym into my long-term memory (anything beyond an extended weekend), it seems as if either a new acronym was spawned, or it has been overloaded with a different meaning. My goal in this blog post is offer both a refresher on some topical acronyms that appear to be quite commonly circulated in security technology circles and media outlets. It is challenging to be a subject matter expert in every aspect of cyber security. Whether you are reading an article, joining a conversation or preparing for a presentation or certification in the realm of cyber security, you may not be completely perplexed by these acronyms when you come across them and become more familiar with them. For situational purposes, I organized the acronyms into categories where I have seen them used frequently and included related links for each of them.

Network Infrastructure

AAAAuthentication, Authorization, and Accounting. This is a set of actions that enable you to control over who is allowed access to the network, what services they are allowed to use once they have access, and track the services and network resources being accessed.

ACL/tACL/iACL/VACL/PACLAccess Control List. ACLs are used to filter traffic based upon a set of rules that you define. For ACLs listed with a prefix (for example, t=transit, i=infrastructure, V=VLAN (Virtual Local Area Network), P=Port)), these ACLs have special purposes to address a particular need within the network.

FW/NGFW/FWSM/ASASM: Firewall/Next Generation Firewall/Firewall Service Module/Adaptive Security Appliance Services Module. These products provide a set of security features designed to govern the communications via the network. Cisco provides firewall features as a dedicated appliance or hardware module that can be added to a network device such as a router.

IPS: Intrusion Prevention System. Typically, this is a network appliance that is used to examine network traffic for the purposes of protecting against targeted attacks, malware, and application and operating system vulnerabilities. In order to ensure the effectiveness of a Cisco IPS device, it  should be maintained using Cisco’s IPS subscription service.

DNSSECDomain Name System (DNS) Security Extensions. That’s right, we have an acronym within an acronym. These are the specifications for security characteristics that make it possible to verify the authenticity of information stored in DNS. This validation makes it possible to provide assurances to resolvers that when they request a particular piece of information from the DNS, that they receive the correct information published by the authoritative source.

SSL VPNSecure Sockets Layer Virtual Private Network. This security capability provides remote-access connectivity using a Web browser via its native SSL encryption. A key benefit is a Cisco IOS SSL VPN does not require VPN client software to be pre-installed on the endpoint host such as a personal computing device.

RTBHRemote Triggered Black Hole. This technique is used to drop or divert undesirable traffic at the edge of a network. This technique is associated with other security and defensive measures such as mitigation against DDoS  (Distributed Denial of Service), worm attacks, quarantine of network traffic, and enforcing blacklist filtering.

Network Architecture

BYODBring Your Own Device. The fundamental message here is the idea of “work your way”. It is viewed as both a solution and a conceptual model focused on the framework and underlying infrastructure needed to support personal computing devices requiring access to applications and data residing within the domain of a private network such as a corporate network. Personal devices such as smartphones, tablets, etc., may be owned by an individual or the company that also owns the connected network.

MDM:  Mobile Device Management. This is a solution driven by policies that allow you to control both network access and the content on a mobile device such as a smartphone or tablet.  Those policies can be as rigorous as needed.  This solution also examines the security posture of the device itself to protect against potential security issues such as data loss, unauthorized access, and anomalous behavior. In these cases, this solution could exercise protective measures (for example, a remote wipe and/or lock of the device based on policy violations). A good primer on Mobile Device Management is detailed in this video.

Vulnerability Management

CVSS:  Common Vulnerability Scoring System. This is an industry standard for conveying the severity of a vulnerability in a product.  The scoring system divides a vulnerability into three components: base, temporal, and environmental. The base metric describes how severe the issue is from a technical perspective. The temporal metric describes how a vulnerability changes over time. The environmental metric specifies the impact on a specific running system. Cisco provides a free web-based CVSS calculator. The example below describes how the CVSS is used in a Cisco vulnerability alert publication.

CVECommon Vulnerabilities and Exposures. This is an industry standard for providing common names or identifiers for publicly known security issues in vendor’s product. The goal is to facilitate the public sharing of data across vulnerability management processes and capabilities. A unique identifier along with a brief description, references and a creation date are created for each issue. Cisco assigns CVE identifiers to security vulnerabilities in its products according to the Cisco public vulnerability policy. The example below describes how a CVE is used in a Cisco vulnerability alert publication.

CWE : Common Weakness Enumeration. This is an industry standard list of weaknesses that is used to identify and classify security weaknesses in software. It provides a common baseline standard to publicly share and communicate security weaknesses, mitigation, and prevention efforts. A key benefit is to provide an organization with the assurances that the software products it acquires and develops are free of known types of security flaws. The example below describes how a CWE is used in a Cisco vulnerability alert publication.


CVRFCommon Vulnerability Reporting Framework. This is a machine, as opposed to human, language that is designed to communicate specific information system vulnerabilities to another machine.  This enables a machine to take care of automating several actions that are overly time consuming or prone to human error. Another key benefit is the use of a common format for vendors, researchers, incident handlers, and end-users to consume information about vulnerabilities directly through their own systems. The Cisco Product Security Incident Response Team (PSIRT) includes a CVRF description for Cisco IOS Software security advisories. The example below describes how the CVRF is used in a Cisco security advisory publication.

OVALOpen Vulnerability and Assessment Language. This is an international community standard to promote open and publicly available security content and to standardize the transfer of this information in security tools and services.  It provides a structured and standard machine-readable format that allows system security administrators to quickly consume security vulnerability information and identify affected devices. It can also be used to verify that the patches or fixes that resolve vulnerabilities were successfully installed. The Cisco Product Security Incident Response Team (PSIRT) includes OVAL definitions in Cisco IOS Software security advisories. The example below describes how OVAL is used in a Cisco security advisory publication.


NVDNational Vulnerability Database. This is the U.S. government repository of standards based vulnerability management data.  It provides access to databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics. It is sponsored by the Department of Homeland Security’s National Cyber Security Division.

CPE: Common Platform Enumeration. This is a standardized method to describe and identify classes of products such as applications, operating systems, and hardware devices. The CPE can be used as an information source to support the automation of areas such as vulnerability and asset management. The National Institute of Standards and Technology (NIST) provides a detailed CPE specification.

MAEC: Malware Attribute Enumeration and Characterization. This is a standardized language to describe and communicate information about malware based upon attributes such as behaviors, artifacts, and attack patterns. The MAEC website provides more detail about the MAEC specification and associated material. MAEC is a trademark of the MITRE corporation.

CWSSCommon Weakness Scoring System. This is a standardized method to score weaknesses discovered in software applications. Some of the benefits of CWSS include a quantitative measure of residual weaknesses in software and potentially factor that quantitative measure into the overall security posture of the systems that interact with it. CWSS is a trademark of the MITRE corporation.

CWRAFCommon Weakness Risk Analysis Framework. CWRAF provides a framework for assessing software application weaknesses relative to the application’s business context and domain function, technology or other area potentially at risk. This framework could be useful in managing risk as it relates to meeting software assurance commitments. CWRAF is a trademark of the MITRE corporation.

CCECommon Configuration Enumeration. CCE is used to provide a common identifier to a particular security-related system configuration issue.  Benefits include improved data correlation and improved interoperability between security solutions focused on vulnerability management.

CAPECCommon Attack Pattern Enumeration and Classification. CAPEC is a list of common attack patterns coupled with a schema and classification taxonomy. A key goal of CAPEC is to offer information that can enhance security throughout the stages of the software development lifecycle. CAPEC is a trademark of the MITRE corporation.

STIX: Structured Threat Information eXpression. STIX is a structured language to communicate cyber threat information. It is used to convey the nature of a cyber threat including its attributes that details how to protect the system from the threat. STIX is a trademark of the MITRE corporation.

TAXIITrusted Automated eXchange of Indicator Information. TAXII is a standard that describes how cyber threat information can be securely shared. It is accomplished by providing a set of services and messages that facilitate the information exchange. Benefits include a modular design that can accommodate a variety of data sharing models and thus enhance and encourage interoperability between different security solutions and vendors. TAXII is a trademark of the MITRE corporation.

SCAPSecurity Content Automation Protocol. SCAP provides a set of specifications that can be implemented to maintain or enhance the security posture of an organization’s systems. Some applications of SCAP include automation of security configuration management, software patch management and monitoring of exposures from security threats. Cisco has published information about how SCAP enables security automation as it relates to the application of one of its components, the Open Vulnerability and Assessment Language (OVAL).

Incident Management

CERT: Computer Emergency Readiness Team.  There are many organizations throughout the world that utilize the CERT designation such as the US-CERT. These teams focus on research, vulnerability management, and security and collaboration in order to improve overall computer security. CERT is a registered trademark of Carnegie Mellon University.  The
Computer Emergency Readiness Team Coordination Center is located at Carnegie Mellon University’s Security Engineering Institute.

CSIRT: Computer Security Incident Response Team. Typically, this is an internally focused team dedicated to protecting the organization/company from computer and network security threats and vulnerabilities. Related activities may include, but not necessarily be limited to, forensic investigations, security architecture assessments, threat assessments and mitigation planning. Cisco has its own Computer Security Incident Response Team.

PSIRTProduct Security Incident Response Team. This a team within Cisco that is dedicated to managing the receipt, investigation, and public reporting of security vulnerability information related to Cisco products and networks.

Common Vulnerabilities and Attacks

APT: Advanced Persistent Threats. This type of attack typically uses a low-profile approach leading to an understanding of how to successfully launch and conduct an attack against its target. Those orchestrating the attack may apply both conventional and unconventional methods for regular, as opposed to one-time, monitoring of their target to learn about its weaknesses, potential attack vectors, and opportunities to launch an attack. Cisco discusses its own approach to protect against Advanced Persistent Threats.

Botnet: Even though this not an acronym, I am including it here in case you thought it was one. It is a combination of two words — roBot and network. This makes sense because a compromised device is the “bot”.  Groups of “bots” can form a “network” of compromised devices that are under the command and control of an individual. Botnet creation begins with the download of malware along with an embedded exploit (or payload) through an infected email attachment or download of infected files.

DDoSDistributed Denial of Service. This type of attack focuses on degrading computing and network resources to the point of unavailability. It receives notoriety as the extent of damage it can cause can be far reaching. There a few basic types of DDoS attacks. Bandwidth attacks are aimed at consuming resources such as network bandwidth or equipment by overwhelming one or the other (or both) with a high volume of packets. Application attacks use the expected behavior of protocols such as TCP (Transport Control Protocol) and HTTP (Hypertext Transfer Protocol) to the attacker’s advantage by tying up computational resources and preventing them from processing transactions or requests.

CSRF/XSRFCross-Site Request Forgery. This type of attack typically targets web applications. This attack can include unauthorized changes of user information or extraction of user sensitive data from a web application.  The attacker attempts to access sensitive information and make unauthorized changes of user data from a web application by convincing a user to execute a crafted web application request.

XSSCross-Site Scripting. This type of attack exploits a flaw within web applications to enables malicious users, vulnerable websites, or owners of malicious websites to send malicious code to the browsers of unsuspecting users. The malicious code in this attack is usually in the form of a script embedded in the address of a hyperlink (Uniform Resource Locator) or the code may be stored on the vulnerable server or malicious website.


HIPAAHealth Insurance Portability and Accountability Act. This U.S. compliance regulation mandates that health care entities take appropriate minimum measures to ensure the protection of the personal information of their patients, customers, and partners. From a compliance perspective, the associated regulations often call for information technology functions in the areas of data confidentiality, integrity, availability, and the ability to be audited.

PCI-DSSPayment Card Industry Data Security Standard. This global standard details requirements for securing payment card data. It includes a framework of specifications, tools, measurements, and support resources to help organizations ensure the safe handling of cardholder information. It also provides an actionable framework for developing a robust payment card data security process, prevention, detection, and appropriate reaction to security incidents.

GLBAGraham-Leach-Bliley Act. This U.S. regulation is also known as the Financial Modernization Act. Its intention is to protect consumers’ personal financial information held by financial institutions. Cisco offers security technologies and solutions such as firewallsintrusion protection systems and email security to help customers comply with the underlying rules governing this regulation.

FISMAFederal Information Security Management Act.  This U.S. regulation defines how federal agencies must implement security controls and policies to protect data and provide for the continuous monitoring and reporting of cyber security risks. Cisco offers an integrated approach to network security that helps federal agencies accelerate compliance with FISMA and other security regulations.

SOXSarbanes-Oxley. This U.S. regulation is designed to improve the accuracy and reliability of corporate disclosures to protect investors. Cisco offers a white paper describing on how its technologies can help achieve regulatory compliance.

If I have subjected you to TMI (Too Much Information), hopefully you have gained new insight or reinforced information you can apply while venturing through the wild world of security technology. One suggestion is to look for ways to apply a few of these acronyms to keep them fresh in your mind. If you have any other security acronyms you would like to share, please comment here and let me know!