ISACARuSec – Telegram
Channel of the information security track of the Moscow chapter of ISACA

The channel covers ISACA news, news on information security governance in Russia and worldwide, and the exchange of best practices.

https://engage.isaca.org/moscow/home

Contact the administrators
@popepiusXIII
Next Thursday, October 15, I will be hosting a webinar on reducing the number of false positives when deploying threat detection solutions. Registration is open and free - https://t.co/MbWABlYHlF pic.twitter.com/dUYlbfIu4B
— Alexey Lukatsky (@alukatsky) October 9, 2020
https://twitter.com/SVSoldatov/status/1314540183900090369

Bulletproof hosting (BPH) services have long been crucial parts of the cybercriminal infrastructure. How do they protect malicious activities, and how do cybercriminals use them to stay in business?
I decided to make a review of several Vulnerability Management market news that I recently read.

#Tenable made a press release about the upcoming Lumen features ("Remediation Maturity", "Mitigations", "Predictive Scoring"). This all sounds pretty cool. The only thing is, as usual, what kind of data they analyze, how good the data is, and how good the methods of analysis are. Most likely, it will remain a black box. Unfortunately.

Tenable also made a press release that they became partners with the Center for Internet Security. Maybe Tenable will become the only VM vendor associated with #CIS Controls IG1 “Cyber Hygiene”, but who knows. I really don't understand what the Center for Internet Security is nowadays. For a long time these guys were combining best practices for software and operating systems into security standards, and controlling the implementation of those standards among Compliance Management vendors. At the same time, they were a Compliance Management vendor themselves (CIS CAT). A bit weird, but ok. But after they became a kind of regulator, with the acquisition of SANS 20 and the MITRE OVAL repository, the role of the Center for Internet Security is completely unclear to me.

#Rapid7 released a blog post "Why Every Organization Needs a Vulnerability Management Policy". In short, it can be useful as a guide describing how to sell the idea of a Vulnerability Management process to your C-level management. In this article, I saw three groups of reasons:
1. Real security. "technical infrastructures stay more secure, which helps them [organizations] reduce risk in an environment filled with cybercriminals".
2. Compliance. "...any corporation with little focus on vulnerability management runs the risk of fines due to falling out of compliance"; "many regulators first look for the existence of a policy as part of any auditing process"; "a clearly defined vulnerability management policy holds the different technology teams at a company responsible for internal compliance"
3. Corporate culture and IT/Dev benefits. "One result of this proactive approach [to VM] is higher system uptime"; "Regular, proactive feature improvements in software applications play a key role in the success of those companies that thrive on an innovative culture. Seamlessly integrating software patches and enhancements is a must for these businesses, and a strong vulnerability management policy helps this integration happen in a secure fashion"; "providing innovative applications and services to their customer base without burning development cycles dealing with security issues"

#Qualys released a tool to "report the deployment status of Cloud Agent across all vCenter-managed virtual machines". It's great that they did it. The only thing I want to mention is that this is a good illustration of a task (“controlling agent installation”) which is not really a part of the Vulnerability Management process, but without this task the Vulnerability Management process simply won't work. So such automation should be done by someone on the vendor's or customer's side.
Forwarded from SecAtor
An excellent article on ZeroDay by Chris Matyszczyk, a technical expert and head of the consulting firm Howard Raucous.

If we leave all of Matyszczyk's musings aside, two main theses remain, which are at the same time the key problems the article is devoted to:

- corporate users remain people with all the human failings inherent in them, so they try to hook up to the corporate network any new Internet-connected gizmo, whether it is a smart speaker from Amazon or a remotely controlled coffee maker;

- IT and information security specialists remain people with all the human failings inherent in them, so despite acknowledging that connecting unprotected IoT devices to the corporate network is one of the main threats of its compromise, they do not even consider the possibility of organizing a process for updating them in a timely manner.

The unity and struggle of opposites. Infosec edition.