A Quick Lesson on Some Information Security Acronyms
While attending the RSA conference back in February, I started thinking about all of the TLAs (Three Letter Acronyms) that are used in the security industry – starting with RSA itself. The IT industry in general loves acronyms because it’s generally appealing to geeks, but the information security space might even be slightly more obsessed with acronyms.
Curiosity got the best of me and I wanted to share my findings on the various acronyms in security that you may have been curious about too, but never had the time to delve deeper. Below I have listed some of the key acronyms with some explanation. This is certainly not an exhaustive list, just some basics.
RSA – Let’s start with a company that has certainly become a benchmark in the security industry. Most people automatically use the term RSA without consciously thinking about what it means. The company certainly tries to stay away from explaining the acronym, so they can maintain a high level brand name, similar to IBM, which doesn’t go by International Business Machines because it no longer reflects today’s broad business. The "RSA" in RSA Security is not associated with the most commonly known definition for the acronym Russian Space Agency, but rather it stands for “Rivest Shamir Adleman”. Ron Rivest, Adi Shamir and Leonard Adleman developed the RSA encryption algorithm in 1977 and they founded RSA Data Security in 1982.
EMC – Since we are talking about RSA, we might as well mention its parent company EMC, which also stands for the initials for its founders Richard Egan and Roger Marino and a third individual who has remained nameless.
SSL – One of the most well-known terms is SSL, which stands for Secure Sockets Layer. Many people are familiar with SSL certificates popularized by Verisign, GoDaddy, Microsoft and other vendors. SSL is a standard technology for establishing an encrypted link between a Web server and a browser. This link ensures that all data passed between the Web server and the browser remains private and intact. To create an SSL connection, a Web server requires an SSL certificate, which uses a public and a private cryptographic key. For consumers this process is seamless and is denoted by the lock icon.
PKI – PKI stands for Public Key Infrastructure, an architecture for proving the identities of people, Web sites, computer programs, etc. on the Internet. In a PKI, the Certificate Authority (CA) issues digital certificates to applicants. The CA also verifies the identity of applicants, and publishes certificates in an online repository where people can look up others' certificates.
VPN – Virtual Private Network. A VPN is a secure connection over a public network. A VPN "endpoint" can be either a PC running VPN client software or a VPN server.
DLP – While more popular in the digital world (where it stands for Digital Light Processing), in the security world DLP stands for Data Loss Prevention. DLP solutions try to guard organizations from both intentional and unintentional leaks. They typically cover data in motion (data moving through the network), data at rest (in file systems, databases etc.), and data at the endpoint (USB drives, external drives etc.).
DMZ – In computer security, a DMZ, or Demilitarized Zone, is a physical or logical sub-network that contains and exposes an organization's external services to a larger untrusted network, usually the Internet.
DNS – A Domain Name Server is like directory assistance for the Internet. In the same way that the phone company provides directory assistance so that you can find the number that lets you connect to your friend's telephone, DNS provides your computer with the TCP/IP address of the Web server that you are trying to connect to.
WAF – While WAF is used for various other terms like "Wife Acceptance Factor", "Women Against Fundamentalism", "With All Faults" etc., in information security WAF stands for Web Application Firewall. A WAF is a device or software that sits between a Web client and a Web server, analyzing OSI Layer-7 messages for violations of the programmed security policy. WAFs try to block incoming attacks.
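To make the "programmed security policy" idea concrete, here is a small added example (not from the original post and not any vendor's product) of the kind of Layer-7 check a WAF performs: it applies a constructed policy (an allowed-method list, a URI length cap and a few deny patterns) to HTTP request lines. The request lines, the rules and the function names are all constructed for this illustration.

```python
"""Toy Layer-7 policy check in the spirit of a WAF (added illustration)."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed policy: allowed methods, a cap on URI length, and deny
# patterns that are matched against the *decoded* path and query string.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_URI_LENGTH = 2048
DENY_PATTERNS = [
    ("path traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("script tag", re.compile(r"<\s*script", re.IGNORECASE)),
    ("sql comment/union", re.compile(r"(--|/\*|\bunion\s+select\b)", re.IGNORECASE)),
]

# Constructed sample request lines; one benign, the rest policy violations.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "DELETE /api/users HTTP/1.1",
    "GET /images/..%2f..%2fetc/passwd HTTP/1.1",
    "GET /a/%252e%252e/secret HTTP/1.1",          # double percent-encoded
    "GET /search?q=%3Cscript%3Ealert(1) HTTP/1.1",
]


def inspect_request_line(line: str) -> list[str]:
    """Return the policy violations found in one HTTP request line (empty = allowed)."""
    parts = line.split()
    if len(parts) != 3:
        return ["malformed request line"]
    method, uri, version = parts
    violations: list[str] = []
    if method not in ALLOWED_METHODS:
        violations.append(f"method not allowed: {method}")
    if not version.startswith("HTTP/"):
        violations.append(f"unexpected protocol version: {version}")
    if len(uri) > MAX_URI_LENGTH:
        violations.append("uri too long")
    # Decode twice so a double-encoded payload is inspected in its final form;
    # matching only the raw URI is a classic way for a filter to be bypassed.
    decoded = unquote(unquote(uri))
    for name, pattern in DENY_PATTERNS:
        if pattern.search(decoded):
            violations.append(name)
    return violations


def filter_requests(lines: list[str]) -> tuple[list[str], dict[str, list[str]]]:
    """Split request lines into those allowed and those blocked (with reasons)."""
    allowed: list[str] = []
    blocked: dict[str, list[str]] = {}
    for line in lines:
        reasons = inspect_request_line(line)
        if reasons:
            blocked[line] = reasons
        else:
            allowed.append(line)
    return allowed, blocked


if __name__ == "__main__":
    ok, bad = filter_requests(SAMPLE_REQUESTS)
    for line in ok:
        print("ALLOW ", line)
    for line, reasons in bad.items():
        print("BLOCK ", line, "->", ", ".join(reasons))
```

The double decoding is the part worth noticing: a policy that matches only the raw request line will pass `%252e%252e` straight through, which is why real WAFs normalize the request before applying their rules.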
DAST – Stands for Dynamic Application Security Testing. This term is used for Web application scanners that use a black box testing methodology to test Web applications for security vulnerabilities (or defects) through the user interface rather than by scanning the source code.
SAST – Stands for Static Application Security Testing and, unlike DAST, it analyzes source code for vulnerabilities without running the application.
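The DAST/SAST distinction is easiest to see with a tiny static analyzer. The following added example (my own illustration, not part of the original post and not a real SAST tool) parses a constructed Python source file into an abstract syntax tree and reports two kinds of finding without ever executing the code: calls to `eval`/`exec`, and `execute(...)` calls whose SQL statement is built from a dynamic string. The sample source, rule names and function names are all constructed for this illustration.

```python
"""Minimal AST-based static check in the spirit of SAST (added illustration)."""
from __future__ import annotations

import ast

# Constructed sample program to scan. Lines 5 and 14 are the ones a reviewer
# would expect a static analyzer to flag; line 10 uses a parameterized query.
SAMPLE_SOURCE = '''\
import sqlite3

def lookup(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
    return cur.fetchone()

def safe_lookup(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()

def calc(expr):
    return eval(expr)
'''

DANGEROUS_CALLS = {"eval", "exec"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime (f-string, %, +, .format)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def _call_name(node: ast.Call) -> str | None:
    """Return the bare name of a call target: eval(...) -> 'eval', cur.execute(...) -> 'execute'."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return None


def scan_source(source: str) -> list[tuple[int, str]]:
    """Walk the AST of `source` and return (line number, finding) pairs, sorted by line."""
    findings: list[tuple[int, str]] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, f"call to {name}()"))
        elif name == "execute" and node.args and _is_dynamic_string(node.args[0]):
            findings.append((node.lineno, "SQL statement built from dynamic string"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {message}")
```

Because the check works on syntax alone it never needs a running application, a database or test credentials, which is exactly the trade-off between SAST and DAST: SAST sees every code path but reasons only about structure, while DAST sees only what it can reach through the interface but observes real behaviour.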
CYA – I don’t think I need to define this. All information security professionals should become proficient in this.
Now that you have these definitions, next time you are talking to a vendor who is trying to be BWC (Buzz Word Compliant) you can call them on some of these things.
I guess I should sign off as MSK.