What do all these acronyms mean? Here at Cisco Vulnerability Management we encourage you to use the platform as a self-service remediation tool within your teams. We understand that not everyone has a long and extensive cybersecurity career history, many acronyms are difficult to remember and some in particular are specific to the Cisco Vulnerability Management Platform.
To this end, we have created this comprehensive glossary and guide of all the terms you’ll likely encounter whilst working with the platform. They are listed below in alphabetical order with a brief explanation along-side so you can use them as a handy reference to bookmark and come back to. You’ll never need to be the one asking the meaning on that conference call again. Don't miss the opportunity to use a few of the terms at your next Cisco Vulnerability Management related team meeting to see what your colleagues know, just for fun.
0-DAY - (Zero-day)
0-day vulnerabilities are commonly recently discovered vulnerabilities (or bugs), not yet known to vendors or antivirus companies, that hackers can exploit.
2FA - Two-factor authentication (2FA)
2FA refers to the use of two different components to verify a user’s claimed identity. Also known as multi-factor authentication.
API - Application Programming Interface
API’s are provided by many organizations for their customers, or for internal use. When a company offers an API, it just means that they’ve built a set of dedicated URLs that return pure data responses — meaning those responses won’t contain the kind of presentational overhead that you would expect in a graphical user interface like a website. The API is available at api.kennasecurity.com
AppSec – Application Security
This acronym specifically relates to the Kenna AppSec Module.
AWS – Amazon Web Services
AWS is a subsidiary of Amazon providing on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis.
BYOD – Bring your own Device
BYOD refers to the practice of employees using personal devices to connect to their organizational networks and access work-related systems and potentially sensitive or confidential data. Personal devices could include smartphones, personal computers, tablets, or USB drives.
CMDB – Configuration Management Database
CMDB is a repository that acts as a data warehouse – storing information about your IT environment, the components that are used to deliver IT services. The data stored in a CMDB include lists of assets (referred to as configuration items) and the relationships among them. CMDBs and the configuration management processes that surround them are the core of modern IT operations – enabling the company to manage data about a diverse set of IT components in one place (even if the actual devices are widely distributed). The CMDB aids the organization in performing service management processes such as incident management, change management and problem management, and is also an essential resource for decision-makers needing information to improve cost, quality and the performance of IT Services offered by the organization. Cisco Vulnerability Management is able to ingest CMDB data into the platform to enrich the asset information we already hold and to fine tune risk scoring dependent upon an asset’s business criticality score within CMDB.
CSV - Comma Separated Values file
A CSV file, allows data to be saved in a tabular format. CSVs look like a standard spreadsheet but with a .csv extension. CSV files can be used with almost any spreadsheet program, such as Microsoft Excel or Google Spreadsheets. They differ from other spreadsheet file types because you can only have a single sheet in a file. Also, you cannot not save formulas in this format. These files serve a number of different business purposes, but primarily they are used to export a high volume of data to a more concentrated database. For this reason, they are commonly used to ingest data into the Cisco Vulnerability Management platform.
CVE - Common Vulnerabilities and Exposures
The CVE system provides a reference-method for publicly known information-security vulnerabilities and exposures. The National Cybersecurity FFRDC, operated by the Mitre Corporation, maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security. The system was officially launched for the public in September 1999.
CVEs are assigned by a CVE Numbering Authority. There are three primary types of CVE number assignments:
The Mitre Corporation functions as Editor and Primary CNA
Various CNAs assign CVE numbers for their own products (e.g. Microsoft, Oracle, HP, Red Hat, etc.)
A third-party coordinator such as CERT Coordination Center may assign CVE numbers for products not covered by other CNAs.
When investigating a vulnerability or potential vulnerability it helps to acquire a CVE number early on.
CVEs are for software that has been publicly released; this can include betas and other pre-release versions if they are widely used. Commercial software is included in the "publicly released" category; however custom-built software that is not distributed would generally not be given a CVE. Additionally services (e.g. a Web-based email provider) are not assigned CVEs for vulnerabilities found in the service (e.g. an XSS vulnerability) unless the issue exists in an underlying software product that is publicly distributed.
CWE - Common Weakness Enumeration
CWE is a universal online dictionary of weaknesses that have been found in computer software. The dictionary is maintained by the MITRE Corporation and can be accessed free on a worldwide basis. The purpose of CWE is to facilitate the effective use of tools that can identify, find and resolve bugs, vulnerabilities and exposures in computer software before the programs are publicly distributed or sold.
CWE has been assembled in three levels called tiers. The top tier divides known weaknesses into a few large, general classes for discussion among enterprise management people, academics, researchers and vendors. The middle tier consists of several dozen groups of definitions categorized for use by security experts, system administrators and software developers. The lower tier is the full list, intended for people at all levels including personal computer (PC) users. The entries in CWE are numbered for reference.
CWE is compiled and updated by a diverse, international group of experts from business, academic institutions and government agencies, ensuring breadth and depth of content. CWE provides standardized terminology, allows service providers to inform users of specific potential weaknesses and proposed resolutions, allows software buyers to compare similar products offered by multiple vendors and allows legal personnel to formalize contracts, terms and conditions relevant to software use.
CVSS - Common Vulnerability Scoring System
CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. Scores range from 0 to 10, with 10 being the most severe. While many utilize only the CVSS Base score for determining severity, temporal and environmental scores also exist, to factor in availability of mitigations and how widespread vulnerable systems are within an organization respectively.
The current version of CVSS (CVSSv3.1) was released in June 2019.
DAST - Dynamic Application Security Testing
DAST is a black box testing method that examines an application as it’s running to find vulnerabilities that an attacker could exploit.
GCP – Google Cloud Platform
GCP is essentially a public cloud-based machine whose services are delivered to customers on an as-you-go basis, by way of service components.
HRM – Hierarchical Risk Meters
HRM are a relatively new feature within the Cisco Vulnerability Management platform which allow large enterprises to simplify asset management by organizing risk meters more intuitively. For example, you can add a child risk meter, where the child is a subset of its parent with additive filters, enabling a better visual hierarchy and a more intuitive way to assign permissions.
IDS/IDP - Intrusion Detection System/Intrusion Detection and Prevention
IDS/IDP is hardware or software that finds and helps prevent malicious activity on corporate networks.
IOT - Internet of things
IoT describes the ability of everyday objects, such as kettles, fridges and televisions, to connect to the internet.
KDI - Kenna Data Importer
Kenna Data Importer is a connector which ingests a standard JSON format for bringing vulnerability data into the platform. It ingests a collection of assets and their vulns/findings, as well as vulnerability definitions for those vulns/findings.
MTTR – Mean Time to Remediate
MTTR is the average number of days it took to close a group of vulnerabilities, organized by risk level. MTTR is recorded in the Cisco Vulnerability Management platform on the Home page and in Risk Meter reports.
NIST - National Institute of Standards and Technology (US Agency)
NIST is a U.S. federal agency responsible for the ‘Framework for Improving Critical Infrastructure Cybersecurity’ – voluntary guidelines used by organizations to manage their security risks.
NVD – National Vulnerability Database
NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol. This data enables automation of vulnerability management, security measurement, and compliance. In addition to providing a list of CVEs, the NVD scores vulnerabilities using the CVSS which is based on a set of equations using metrics such as access complexity and availability of a remedy.
OWASP - Open Web Application Security Project
OWASP is an international non-profit organization dedicated to web application security. One of OWASP’s core principles is that all of their materials be freely available and easily accessible on their website, making it possible for anyone to improve their own web application security. The materials they offer include documentation, tools, videos, and forums. Perhaps their best-known project is the OWASP Top 10.
The OWASP Top 10 is a regularly-updated report outlining security concerns for web application security, focusing on the 10 most critical risks. The report is put together by a team of security experts from all over the world. OWASP refers to the Top 10 as an ‘awareness document’ and they recommend that all companies incorporate the report into their processes in order to minimize and/or mitigate security risks.
P2P – Prioritization to Prediction
A comprehensive set of reports compiled by Cisco Vulnerability Management and the Cyentia Institute on the topic of vulnerability management.
PCI-DSS - The Payment Card Industry Data Security Standard
PCI-DSS is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
PII - Personally Identifiable Information
PII is data that enables an individual to be identified.
RBAC - Role Based Access Control
RBAC is used as an approach to restricting system access to authorized users. The Cisco Vulnerability Management Platform utilizes RBAC. Within an organization, roles are created for various job functions. The permissions to perform certain operations or access Cisco Vulnerability Management data are assigned to specific roles. Users are then assigned particular roles, and through those role assignments acquire the permissions needed to perform functions relevant only to their particular job function.
RBVM – Risk Based Vulnerability Management
RBVM is a cybersecurity strategy in which organizations prioritize remediation of software vulnerabilities according to the risk they pose to the organization. A risk-based vulnerability management strategy has several components.
They use threat intelligence to identify the vulnerabilities attackers are discussing, experimenting with, or using.
Risk-based vulnerability management programs use this intelligence to generate risk scores based on the likelihood of exploitation.
They take into account the business context of various assets because intrusion into some segments of a network may be more damaging or likely than others.
By combining vulnerability risk assessment and asset criticality, risk-based vulnerability management programs focus patching efforts on the vulnerabilities that are most likely to be exploited and that reside on the most critical systems.
The Cisco Vulnerability Management Platform model is based upon RBVM methodology.
SaaS - Software as a Service
SaaS describes a business model where consumers access centrally-hosted software applications over the Internet. The Cisco Vulnerability Management Platform is a SaaS offering.
SAML - Security Assertion Markup Language
SAML is an open standard that allows identity providers to pass authorization credentials to service providers. In plain English, this means that you can use one set of credentials to log into many different websites.
SAST – Static Application Security Testing
SAST is a white box method of testing. It examines the code to find software flaws and weaknesses as opposed to the running application itself.
SIEM - Security Information and Event Management
SIEM technology supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual sources.
SLA - Service Level Agreement
In the Cisco Vulnerability Management Platform, you can set SLAs using rules that will populate due dates on vulnerabilities. These can be configured to match your internal policy documents regarding SLAs.
SNow – ServiceNow
SNow is a commonly used abbreviation for ServiceNow.
SOC - Security Operations Center
SOC can be described as a central location or team within an organization that is responsible for monitoring, assessment and defending of security issues.
SSL - Secure Sockets Layer
SSL is an encryption method to ensure the safety of the data sent and received from a user to a specific website and back. Encrypting this data transfer ensures that no one can snoop on the transmission and gain access to confidential information, such as card details in the case of online shopping. Legitimate websites use SSL (start with https). Users should avoid inputting their data in websites that don’t use SSL.
SSO - Single Sign On
A system which enables users to securely authenticate themselves with multiple applications and websites by logging in with a single set of credentials.
TLS – Transport Layer Security
Transport Layer Security, similar to SSL, is cryptographic protocol designed to provide communications security. Several versions of the protocol find widespread use in applications such as web browsing, email, instant messaging, and voice over IP.
VI/VI+ - Vulnerability Intel / Vulnerability Intel+
Vulnerability Intel (+) is a product offering from Cisco Vulnerability Management. VI offers a unified, comprehensive and searchable database of all vulnerabilities and rich exploit and threat intelligence for risk analysis by security teams. The (+) edition also includes API access to the same.
VM – Vulnerability Management
Vulnerability management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" software vulnerabilities. Vulnerability management is integral to computer security and network security, and must not be confused with Vulnerability assessment.
VPN - Virtual Private Network
By connecting through a VPN, all the data you send and receive travels through an encrypted "tunnel" so that no one can see what you are transmitting or decipher it if they do get a hold of it. If your vulnerability data is stored on-premise as opposed to in the cloud, the Cisco Vulnerability Management Platform will require a VPN (also known as a Kenna VT or Virtual Tunnel) for secure transfer of this data into the platform itself.
WAF - Web Application Firewall
WAF is a generic security term for appliances that are specifically designed to protect inbound web application traffic (eg, protecting inbound traffic from users trying to get to your web apps, versus regular firewalls which are typically for inbound and outbound filtering of all traffic).
WASC - Web Application Security Consortium
XML - eXtensible Markup Language
XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. The World Wide Web Consortium's XML 1.0 Specification of 1998 and several other related specifications, all of them free open standards, define XML.
The design goals of XML emphasize simplicity, generality, and usability across the Internet. It is a textual data format with strong support via Unicode for different human languages. Although the design of XML focuses on documents, the language is widely used for the representation of arbitrary data structures such as those used in web services. XML can be used to import data into the Cisco Vulnerability Management platform.