Jack of all trades, master of pun

Welcome to the Big Ass List of Security and Security-Adjacent Acronyms or BALSSAA for short.

Jumping into the InfoSec space has at times felt overwhelming. Even with a Computer Science degree and years spent as a software engineer, I found the terminology intimidating. I can only imagine what the learning curve can be like for product managers and designers new to the space.

So we’re setting out to publish a compilation of relevant acronyms and what they mean. You can read this all the way through, or you can bookmark it and use it as a reference tool for when you’re stuck on a term or learning something new.

Here are the 3 parts you can expect to see:

  1. Networking
  2. Security
  3. Compliance

Today, we’re starting with Networking and we’ll be updating this post with Security-specific acronyms and Compliance acronyms later.

To keep you engaged and make learning these incredibly dull terms more fun, we’re also including a BINGO card. Take it to your next conference, webinar, or board meeting and compete with your friends. Or use it as a tool to convince your CEO to cut a few acronyms from your website.

Bring on the BINGO!

Part 1 - Networking technology acronyms

ISP - Internet Service Provider

An organization that provides access to the internet. While doing research for this post I couldn’t find any documentation requiring them to have terrible customer service and yet they all do.

OS - Operating System

The software that defines and runs the core functions for a device like a computer or router. We’ll stop there because I did very poorly in my Operating Systems class in college.

CAPTCHA - Completely Automated Public Turing test to tell Computers and Humans Apart

If you’ve used the internet in the past 10 years you probably already know what a CAPTCHA is, so this one’s just for fun. But come on, aren’t you glad you know what CAPTCHA stands for now? CAPTCHAs are used to filter out bot traffic on form submissions.

API - Application Programming Interface

A set of predefined methods for communicating between two pieces of software. When you use your keyboard and your screen to access your computer, you’re using a visual interface. Likewise, an API is an interface you use to interact with software, although instead of being visual it's text/code based.

To get a feel for what an API actually looks like click around the Stripe documentation.

DNS - Domain Name Server

A domain name server converts text-based domains to IP (defined below) addresses because humans are really terrible at remembering long strings of numbers. The domain for this website is krit.com whereas the IP address is: 159.65.221.58

This also makes it possible to change IP addresses (or devices) while keeping the same domain. And to do wild things like configure subdomains that go to different devices than the core domain. Fun fact: DNS was built in 1983 and has barely changed since.

rDNS - Reverse DNS

A Reverse DNS lookup goes from IP address to domain instead of the other way around. Pretty straightforward.

ASN - Autonomous System Number

An ASN is a unique identifier for a block of IP prefixes with a clearly defined external routing policy (a way for traffic to leave the network). Whereas IP addresses define the location of a specific device, ASNs define the location of a specific network.

URL - Uniform Resource Locator

A URL is a reference to a specific resource’s location on the internet as well as a method of retrieving it. When you think of a URL you likely think of the address you put into your web browser to fetch web pages, but URLs are also used in all of the protocols listed here.

This snippet from Julia Evans’ zine “HTTP: Learn your browser's language” does a great job of illustrating URLs in action. Her zine is an excellent resource for understanding HTTP and networking on a deeper level.

CDN - Content Delivery Network

A CDN is basically a big group of powerful computers that sit in between the people who want to access your server and you. They cache the information on your server and handle most of the requests themselves. That way, your server doesn’t get overwhelmed, and the people who want to access your sweet sweet software can access it faster.

CDNs also provide security functions, like protections against DDoS (we’ll define DDoS in our Security section) attacks and detection of bot traffic.

CORS - Cross-Origin Resource Sharing

Browsers have a policy to protect users from malicious javascript that requests made in the browser must be from the same origin. So if you go to example.com and it tries to load something from api.example.com (which is technically a different domain) the browser will block the request by default to protect you.

There are many cases where an application has a perfectly legitimate reason for requesting resources from another origin. Just like in the example above, it is very common for developers to host the UI of their web application and the backend API at a different subdomain, which the browser would view as a different origin. So the way around this is for the application to enable cross-origin resource sharing using a series of headers (basically metadata) in the requests.

ACL - Access Control List

An ACL is a list of permissions associated with a given resource. This is used to restrict access to a server or network. Basically... the list a bouncer is holding at a fancy club.

WAF - Web Application Firewall

A firewall is a barrier between a computer and the outside network (most often the internet). It used to be a hardware device, but these days it’s often a software application installed on the outer edge of the network. A web application firewall is a type of firewall that filters, monitors, and blocks HTTP traffic to and from a web app.

A whole generation of programmers was created by kids trying to get around the firewalls on their school computers so they could play video games.

VPN - Virtual Private Network

A VPN allows users to share data across a public network as if they were connected privately. It is often used to obfuscate or encrypt a user’s IP address or web traffic. Or to access British Netflix so you can get all of the extra seasons of Great British Bake Off.

Protocols

Many of the networking acronyms we cover here and that come up in security products on a regular basis are the names for network protocols. A protocol is just a set of rules defined with code for transmitting data between devices. Together the protocols covered here (and many more) govern how the internet functions.

Source: Julia Evans / Wizard Zines

The full suite of internet protocols is made up of multiple layers. IP makes up the Network Layer, TCP and UDP are part of the Transport Layer, and protocols like HTTP, FTP, SSH, SSL make up the Application Layer.

Source: Khan Academy

IP - Internet Protocol

IP is the primary protocol for relaying data across networks on the internet. IP delivers packets of information from a source to a destination based on IP addresses in the packet headers. Every device connected to the internet has an IP address.

TCP - Transmission Control Protocol

TCP is the most common protocol used on top of IP for transferring data across the internet. TCP has a number of methods built in to reduce data loss and increase accuracy.

UDP - User Datagram Protocol

UDP is a lightweight data transfer protocol that works on top of IP like TCP. It is less reliable than TCP but is also faster, so it’s used in applications where speed is a high priority.

HTTP - Hypertext Transfer Protocol

HTTP is the protocol that’s used to access web pages from a browser. HTTP is one of the most widely used protocols, and in addition to being used to serve web pages and applications it can also be used for VPNs and web sockets (a sort of data pipeline that two devices use to transfer information back and forth).

FTP - File Transfer Protocol

While used less widely these days than it used to be, FTP is an application layer protocol used for transferring files between devices.

SSH - Secure SHell protocol

SSH is an important cryptographic protocol used for operating secure network services over an unsecured network. This most commonly looks like remote command-line, login, and command execution. In other words, accessing a server remotely in a secure way and telling it to do things (using text commands instead of mouse clicks). The standard TCP port for SSH is 22.

Wondering where the H comes in? The SH at the end of SSH is short for SHell and the P in protocol is ignored all together. I guess SSH sounded cooler to the creators than SSP.

SMTP - Simple Mail Transfer Protocol

Want to take a guess at this one? Yep, SMTP is used for sending email.

TLS / SSL - Transport Layer Security / Secure Sockets Layer

SSL was actually developed by Netscape (bet you haven’t thought about that name in a while) to add security to HTTP requests made using their browser. It is now deprecated in favor of TLS.

TLS is most widely used as the secure part of HTTPS. TLS provides privacy and reliability between two devices that are communicating over a network.

Part 2 - InfoSec

People & Industry terms

IT - Information Technology

IT refers to the technology businesses use to hold meetings, store documents, connect to the internet and generally run their business—and that includes the computer you use to do your work, the software on that computer, the WiFi network you’re connected to, and the people who tell you to turn your computer off and back on again.

IT departments at large companies work with the security team to update and maintain both the devices and the software the company depends on. At smaller companies, IT departments often ARE the security team.

Regardless of a company’s side, IT is a MASSIVE and incredibly important industry which overlaps the security industry.

OT - Operational Technology

Whereas IT refers to the technology required to run the business processes, Operational Technology refers to the technology required to operate the businesses core products or services. In the Colonial Pipeline ransomware attack*** T for the company was compromised. The technology used to operate the pipeline (their OT) was still functional, but business still ground to a halt because the company couldn’t manage invoices, payroll, etc.

***Note: Ransomware attacks are where a hacker gains access to sensitive data and rather than leaking it out, they encrypt it. They then hold the data ransom, requiring the victim to pay a large fee in exchange for the encryption key.

ICS - Industrial Control Systems

A more specific term for the systems (technological or otherwise) used for running industrial processes for a business. This word is sometimes used alongside OT.

CIO/CISO - Chief Information Officer / Chief Information Security Officer

The CISO/CIO is the executive in charge of security for an organization. If their title is CIO, it typically means they’re also in charge of IT (defined below) for the organization. CISOs are notorious for having lots of free time, massive budgets, and very little stress (joking!).

SOC - Security Operations Center

SOC can refer to the group in charge of security operations for an organization or the physical location the security team operates from. Before an organization is large enough to have a dedicated SOC, security is either outsourced or owned by the IT department.

Within a SOC, you may find roles like Security Analyst (or SOC Analyst) or Security Engineer. Historically, security teams have been divided into two specialties.

  1. The Blue Team or Defensive Security Team is responsible for maintaining the security of the organization, as well as detecting and responding to security breaches.
  2. The Red Team or Offensive Security Team is responsible for testing the organization’s defenses and getting into the mind of the adversary.

Defense is usually the first skillset built in house for an organization.

The new hotness in some circles is to have one Purple Team instead: a united team where offensive and defensive experts work together.

If you do a stock image search for cybersecurity you’ll come up with a bunch of images of a room packed with monitors and fancy dashboards: that’s a SOC (or at least a bad stock image photographer’s idea of what a SOC should look like).

Love to see a good, “Team of Young Professionals Doing Code Programming.”

IoT - Internet of Things

While not necessarily a security-specific acronym, the Internet of Things refers to the increasing network of devices that are connected to the internet. That toaster you got for your birthday with the fancy app that controls the exact level of toast to the nth degree? Yeah, that’s part of the internet of things. And it’s probably poorly secured, which means it’s a great gateway into your home network for an attacker.

Now imagine instead of a toaster on your home network, you run a large manufacturing business with more internet-connected sensors and devices than you can count...

Which toast are you?

CTF - Capture the Flag

A Capture the Flag event is a simulated security competition where competitors race to collect pieces of pre-designated information (the flags) using security techniques. Almost as much fun as what you used to play in the backyard when your neighbor’s cousins were in town for the weekend.

OSINT - Open Source INTelligence

The last time you stalked your old classmate on Instagram to figure out what they’re doing now, who they married, and what kind of dog they adopted, you were doing OSINT!

OSINT refers to the process of gathering as much information on a target as you can before attempting a (hopefully simulated) attack. Publicly available information can be used to help a security Red Team determine vulnerabilities (if you’re running out-of-date software), crack passwords (by plugging personal details into a program that tries lots of combinations really fast), or use Social Engineering to trick your support team into giving them access to a critical account.

Note: Social Engineering means using the people in your organization to get around security measures by… talking to them. It’s basically just playing the role of a con man or woman.

CVE- Common Vulnerabilities and Exposures

CVE is a list maintained by MITRE of publicly known vulnerabilities in commonly used software and technology systems. This list is used to keep technology up to date and safe from attack, as well as to categorize attacks.

MITRE is a non-profit organization funded by the US government to conduct security research and develop new security technologies. MITRE is not actually an acronym, so it doesn’t get an official place on our distinguished list.

Their ATT&CK framework is another widely-used resource for understanding and categorizing different types of cyber security attacks. They just released a new D3FEND framework for defense methodologies as well.

Types of attack

DDoS - Distributed Denial of Service

A DDoS attack aims to take down or crash a network, or network-connected application (like a marketing website), by overwhelming it with a massive amount of web traffic.

While they’re often associated with angry teens on Xbox (really, kids will get pissed and download software they can use to DDoS another player preventing them from accessing the internet), these attacks can also be extremely expensive and painful to deal with.

This awesome thread shows how DDoS attacks can really hurt.

XSS - CrossSite Scripting

Cross-Site Scripting is a form of web vulnerability that allows an attacker to masquerade as a user. It works by hiding malicious javascript in a website, so that the user unwittingly downloads it and then runs the code by mistake. If they have sufficient privileges, the attacker can then gain access to applications they couldn’t otherwise and get around the same origin policy (remember CORS from before?).

CSP - Content Security Policy

Content Security Policy refers to a layer of security technology in HTTP that aims to prevent Cross-Site Scripting (see above) and data injection attacks by limiting who can run scripts in the browser. Web developers can define a Content Security Policy using HTTP headers on the server or browser side of their application.

SSRF - Server-Side Request Forgery

Server-Side Request Forgery is another type of web vulnerability where the attacker manipulates the server instead of the browser. The attacker forces the server to make HTTP requests to an arbitrary URL of their choosing. They could use this to get access to an internal-only service that isn’t supposed to be exposed to the internet, or to leak data to an outside server.

Product/service types

The phrase “only a poor workman blames their tools” doesn’t apply in the Info Sec industry. That’s because this is one of the only industries in the world where you’re working directly against other human beings. If your tools can’t keep up with those of your adversaries, good luck.

This has led to an explosion in security tools, and we’re only seeing the beginning. All of that means... a lot of acronyms being tossed around.

SIEM - Security Information and Event Management

SIEMs are the core tool in a Security Analyst’s toolkit. SIEMs aggregate log, alert, and threat intelligence data to give analysts a dashboard to monitor and diagnose security issues. Don’t let the pretty gradients on their marketing websites fool you, they’re almost all horribly designed.

Splunk, one of the industry-leading SIEM solutions. 

SOAR - Security Orchestration, Automation and Response

SOAR tools aim to reduce the load on human analysts by giving them the ability to create rules and automatic responses to security alerts.

MSSP - Managed Security Service Provider

An agency or consulting group you hire to handle security for you. If you can't afford MSSPs, you can get by on your own with the help of your engineers or IT person; but at some point, when you're too big and security is too important to fall on someone who isn't an expert, you will need to either build a security team and use MSSPs occasionally to augment their capability, or outsource the whole operations to an MSSP.

MDR - Managed Detection and Response

A special type of security provider that identifies and handles breaches. This is who you call when you get hacked. Or ideally before.

ASM - Attack Surface Management

Let’s pretend you’re running a bank in the wild west, pre-cat memes. You might have a vault inside that has a ton of valuable gold. But before they can crack the vault, bandits have to get inside the bank—through your walls, windows, roof, etc., all of which count as your ‘attack surface’.

In today’s world, the attack surface is a lot more complicated. It can be your company’s primary marketing website, but also an application that your employees can log into remotely, or a Wordpress site someone in your marketing department stood up for a side project and then promptly forgot about.

Anything that is connected to the internet and to your internal organization becomes a part of your attack surface (potentially even your internet connected toaster). Keeping track of everything at a big organization is really difficult, so there has been a huge surge recently in attack surface management software that does it for you.

An Attack Surface Management tool called Orbital that we designed and built for a client.

DLP - Data Loss Prevention

Data Loss Prevention is the practice of preventing data from being destroyed or getting leaked, and detecting when this does happen. This can refer to strategies like data backups to protect the organization against ransomware attacks, or systems to detect unauthorized leaks of PII (personally identifiable information) to stay compliant with regulations like HIPAA (Health Insurance Portability And Accountability Act - we’ll dive into this more in Part 3).

IAM - Identity and Access Management

Identity and Access Management is a broad category that includes a lot of subcategories, but it generally refers to tools that help organizations control who has access to what. The big player in the space, and the most common tool still used today, is Microsoft’s Active Directory.

Within IAM you also have:

  • SSO, which refers to Single Sign On, or programs that allow a user to sign into multiple things with one username and password.
  • Identity as a Service, which extended traditional IAM and SSO tools to support web applications.
  • Two-Factor Authentication or MultiFactor Authentication tools, which allow you to require additional methods like a phone number or a hardware device like a Yubikey to prove that a user is who they say they are.

It’s a big, complicated space. Because passwords are hard, and so is keeping track of who should have access to what.

GRC - Governance, Risk management, and Compliance

As we’ll cover in our final section, there are a lot of different regulations to keep track of, especially if you’re an international organization. Staying compliant with all of them is a nightmare, and GRC tools help you track changes in regulation and keep your organization compliant so you don’t run into legal troubles.

IDS - Intrusion Detection System

An intrusion detection system is a software application or hardware device that looks at what is going in and out of your network to identify any potential breaches. It does this by comparing traffic to known attack signatures, which means it can miss cutting edge attacks.

IPS - Intrusion Prevention System

An IPS goes a step further than an IDS by weeding out potentially malicious traffic and alerting a network administrator. IDS and IPS systems are often combined into one.

But wait, isn’t this what a firewall does? Well, kind of. The differences between an IPS and a Firewall are subtle: a Firewall uses predetermined rules to filter out traffic from known bad IP addresses and port numbers, whereas an IPS analyzes traffic for patterns and known types of attacks. They also sit at different parts of the network (an IPS typically sits behind a firewall).

An IPS is a powerful tool, but it can be subject to false positives, which can cause problems for users and headaches for system administrators (or sysadmins).

WAAP - Web Application and API Protection

WAAP solutions are the evolution of WAFs (remember WAFs from Part 1). In addition to blocking traffic, they help to protect your web applications against common problems like bot traffic and DDoS attacks.

UEBA - User and Entity Behavior Analytics

The ultimate big brother tool. UEBA systems analyze human behavior to detect insider threats and financial fraud. They essentially monitor anything that happens on the company’s network and identify potential risks. For instance, they might notice an employee is considering leaving the company because they’re sending out resumes on company computers - which makes them a higher risk to disclose data.

Part 3 - Compliance

If you thought the last two sections were riveting, you’re in for a treat now. In this final section, we’re talking COMPLIANCE.

Like it or not, the security industry is tightly tied to compliance and regulations. For the cynical, many of them are a set of meaningless checkboxes designed to let companies shirk blame without actually making meaningful improvements to security. For the less cynical, they’re an important set of standards designed to protect consumers and provide a set of guidelines for companies without deep security knowledge.

Either way, there’s no getting around them. If you’re going to operate in the InfoSec space for any amount of time, you’re going to run into some compliance acronyms. It helps to understand what they mean, and where they come from.

Acts and regulations

GDPR - General Data Protection Regulation

Hard to believe that GDPR went into effect in May 2018. When it first came out, its regulations had the tech world in a flurry, because they actually had teeth. On the official website, GDPR is described as “the toughest privacy and security law in the world,” with “penalties reaching into the tens of millions of euros.”

GDPR is a comprehensive regulation based on 7 core principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. It also had a huge impact on digital marketing practices like tracking cookies and organising mailing lists.  

GDPR laws technically only apply if you have citizens of the EU as users or website visitors... so they apply to pretty much everyone.

GDPR introduced harsh penalties for the unauthorized use of third-party cookies and tracking pixels

CCPA - California Consumer Privacy Act

Shortly after GDPR was passed, the California government passed the CCPA which is the strictest privacy law within the United States. Like GDPR, it introduced new rights for consumers and stricter penalties for companies. Specifically, from the CCPA website:

  • The right to know about the personal information a business collects about them and how it is used and shared.
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt-out of the sale of their personal information.
  • The right to non-discrimination for exercising their CCPA rights.

HIPAA - Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act is the regulation that governs how companies have to handle any personally identifiable healthcare data in the United States. It can seem scary and daunting, but it boils down to:

  • Use the best security practices possible (like encrypting data wherever possible) when dealing with any personally identifiable information (PII).
  • Document and log everything so that there is an audit trail.
  • Let people access or delete their health data when they ask for it.

The Act also introduces requirements for how you work with business partners anytime they touch health data. The biggest pains come in the legal and documentation costs to prove you’re staying compliant.

GLBA - Gramm–Leach–Bliley Act / Financial Services Modernization Act

The GLBA is a United States law that requires financial institutions to share how they protect their customers’ data and provides requirements for how that data is handled. It’s basically like HIPAA for finance. It includes requirements around:

  • The types of data to protect;
  • Specific security measures to take with financial data;
  • Preventing and lessening the number of opportunities for unauthorized access.

FISMA - Federal Information Security Modernization Act

FISMA was enacted in 2002 and requires government agencies in the US to enact information security plans to protect sensitive data. FISMA compliance is important, because it is required for working with most government agencies.

ATO - Authority to Operate

The ATO process was defined by FISMA and is in place for a federal agency to use to determine whether or not an information system should be allowed to operate for a specific amount of time. The process involves assessing the risk and determining whether the risk levels are appropriate.

Institutions and standards

ISO - International Organization for Standardization

The International Organization for Standardization is, well, uh… an international organization that creates… standards. The group is based in Geneva, Switzerland and includes experts from 165 standards groups all over the world. They create sets of guidelines on topics ranging from security to sustainable tourism to give businesses an idea of how to operate effectively.

SOC2 - System and Organization Controls 2

A SOC2 report proves that a service provider (this can include SaaS companies) has the technology practices in place to keep a customer’s data private and safe. There are actually 3 levels of SOCreports:

  1. SOC1 is for service providers that affect the financial statements of their customers (like payroll processing firms).
  2. SOC2 is a more general set of standards for any company that stores customer data.
  3. SOC3 is an abbreviated version of a SOC2 report that can be released publicly.

These reports or audits are typically done by an outside party.


Outside party

PCI - Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (say that five times fast) or PCI compliance is relevant for any company that processes and stores debit or credit card information. The standard is mandated by the credit card brands but administered by the PCI Security Standards Council.

These days a lot of tech companies avoid having to deal with PCI compliance by using a 3rd party processor like Stripe, but plenty of businesses still store credit card information and so have to be compliant.

OWASP - Open Web Application Security Project

OWASP is a non-profit foundation that works to improve the security of software. They maintain a list of the 10 most critical web application security risks called the OWASP Top 10. Their Application Security Verification Standard (ASVS) is one of the most widely accepted security standards in the world and is used as a measuring tool to determine how secure software is. They also have a pretty solid logo.


Pretty solid logo


NIST - National Institute of Standards and Technology

The NIST is a lab and an agency of the US Department of Commerce, but they do not create regulation: their mission is to promote American innovation and competitiveness.

The NIST created the Cyber Security Framework (CSF), a voluntary framework outlining guidelines and best practices for securing critical infrastructure. The Framework is organized by five key Functions – Identify, Protect, Detect, Respond, Recover.

FIPS - Federal Information Processing Standards

The Federal Information Processing Standards were developed by the NIST and establish requirements for computer systems used by government agencies and contractors (but exclude the military).

Conclusion

I just got back from the Black Hat and DEFCON conferences and let me tell you, the acronyms are still in full force in the security industry. There were plenty of new terms that I’ll eventually have to add to this list. And we didn’t even cover non-acronym buzzwords like ZERO TRUST!

Also none of the definitions, content, or jokes in this guide are legal or security advice. If you’re looking for legal advice from a design agency maybe ask yourself why?? But if you’re looking for design advice from designers who know what at least half of these acronyms mean, then schedule a call. I’d love to compare bingo cards and chat about how we can create a product experience for your customers that doesn’t require weeks of training.

Further reading:

Also some bonus acronyms for you to look up on your own if you want to dive even deeper!

  • NAC - Network Access Control
  • SDN - Software Defined Networking
  • SASE - Secure Access Service Edge

This post originally appeared on the Krit blog. Header photo by Sherise VD on Unsplash.

You’ve successfully subscribed to Andrew Askins
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.