Almost three-quarters of companies (74%) expect at least 5% or more of their former on-site employees to work from home on a permanent basis, while nearly a quarter of firms are planning to keep at least 20% of their workers out of the office post-pandemic, according to a survey of chief financial officers by market research firm Gartner.

Armis has published a list of MITRE ATT&CK techniques to aid security practitioners in assessing the strength of their cyber defenses and improve their ability to protect industrial control systems (ICS). #ICS #industrialcybersecurity #OT 

Here are links to the 4 parts in the series. Read More

Armis announced the discovery of five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) that can allow remote attackers to completely take over devices without any user interaction. The vulnerabilities, dubbed CDPwn, affect a wide variety of Cisco equipment. Read More

//cdn.iframe.ly/embed.js

[via Synack]

On January 1, 2020, California’s new Internet of Things (IoT) Security Law goes into effect. The law is the first IoT-specific security law in the United States and, simply put, requires all IoT devices sold in California to be equipped with reasonable security measures. The law requires that the connected device be equipped with “reasonable security features” appropriate to the nature and function of the device and the information it may collect or transmit, and designed to protect the device and any information within from unauthorized access, destruction, use, modification or disclosure. IoT equipment suppliers are being asked to implement “security by design”. The FCC states the definition as “A development practice that reduces cyber risk by using a disciplined process of continuous testing, authentication safeguards and adherence to best development practices.” Many are speculating if other states will adopt similar laws, but in the meantime, the California market is too big for suppliers to walk away from and many are trying to understand how these laws will impact their products.

The Cybersecurity and Infrastructure Security Agency within the US Department of Homeland Security also released an advisory in July about the cybersecurity vulnerabilities, known as URGENT/11. “Some medical device manufacturers are already actively assessing which devices that use these operating systems are affected by URGENT/11 and identifying risk and remediation actions. Several manufacturers have also notified their customers consumers with devices determined to be affected so far, which include an imaging system, an infusion pump, and an anesthesia machine,” FDA says. [via CI Security]