49-day Hack shows need for cyber security beef up

It took one NSW Government agency 49 days to shut down a hack by fraudsters, a new report on cyber security in the public service has revealed.

The attempted financial fraud in 2017 involved a government agency and its IT systems provider, and spread to other agencies before it was reported and stopped.

The case study is part of a new report by the state’s auditor-general Margaret Crawford.

She called for urgent improvements in the public sector’s ability to respond to cyber security incidents.

“There is a risk that incidents will go undetected longer than they should, and opportunities to contain and restrict the damage may be lost,” the report said.

“Cyber security incidents can harm government service delivery and may include theft of personal information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent.”


Hacked account sent out 450 bogus emails

The 2017 case study started with a compromised email account and led to a shutdown of the agency’s financial payment system.

Six days later, the hacked account sent deceptive emails, known as phishing, in a bid to get the credentials of finance staff.

Two weeks after the initial hack, the agency’s IT provider detected a fraudulent invoice and raised the incident to major status.

Email account users were told to change their passwords, but by day 20 the hacked email account had sent out 450 bogus emails, and 300 staff had clicked on the link inside.


At that point the agency had found out that about 200 email accounts were under the control of criminals, yet it failed to temporarily lock the accounts.

It was not until day 36 that the IT provider reported the incident to the Government’s chief information security officer.

Six days later, it was found that the account that had been hacked at the start was still compromised.

The agency’s payments gateway, which handled business invoices, staff salaries and superannuation, was finally re-opened on the 49th day.

Read the full article: http://snip.ly/cismk


FDA steps up efforts at bringing about medical device cyber security

It is a disturbing, but true fact that medical devices are hacked. Medical devices have inbuilt software, and hackers try to breach this. Medical device cyber security is thus critical, because lack of it can bring harm to patients who use medical devices that come with software built into them.

An important factor that makes medical devices vulnerable to cyberattacks, and that makes medical device cyber security all the more necessary, is that medical devices are often not standalone devices. They are connected over the Internet to a number of important sources such as hospitals, electronic records and healthcare providers.

This makes it easier for attackers to target medical devices, because they do not need physical access to the device to carry out a breach. All these factors combine to make medical device cyber security a necessity.

The FDA guideline of June 2013:

Keeping in mind the nature of the weaknesses in a medical device, the FDA, with the intention of bringing about medical device cyber security, issued a draft guideline on this topic in mid-2013. Titled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, this guideline sought to address medical device cyber security by tackling the issue at its root.

That is, the guideline puts in place security checks and procedures that medical device manufacturers have to follow from the earliest stages of manufacture all the way up to the time the device is implanted in or used by the patient.


The main intention of this FDA guideline is to offer recommendations that medical device manufacturers need to follow to reduce the risk of an intentional or unintentional attack on a medical device. It seeks to enforce medical device cyber security by clearly defining the term and by ensuring that manufacturers take steps to secure their devices.

Terms clearly defined

The FDA defines medical device cyber security as steps taken to prevent any of these:

  • Unauthorized modification
  • Misuse of the device
  • Denying the use of the device
  • Unauthorized use of the information that is stored in these devices. This relates to the information stored, accessed and modified when the device is transferred from one source to another

Documentation is at the heart of ensuring medical device cyber security

Towards ensuring medical device cyber security as it defines it, this FDA guideline requires manufacturers to monitor and document all aspects of medical device cyber security at all stages. Medical device manufacturers should bring about medical device cyber security by developing a set of controls in three vital areas:

  • Firstly, medical device manufacturers should take steps to permit only authorized personnel to access the software of the medical device
  • Medical device manufacturers should also ensure medical device cyber security by ensuring that only relevant and accurate data are entered into the device
  • They should also ensure that data are available when requested

Controls, controls, controls

A very important aspect of medical device cyber security that the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices brings about is that it requires medical device manufacturers to monitor and document every potential for a medical device cyber security breach from the design stage itself.

Medical device manufacturers also have to bring to the notice of the FDA whenever they make security-related changes at the premarket notification stage. The guideline seeks to fortify medical device cyber security by requiring medical device manufacturers to submit data related to the following:


Cyber security startups fall on harder times

SAN FRANCISCO (Reuters) – A wave of cyber attacks by criminals, spies and hacker activists should make these heady days for U.S. cyber security startups.

Instead, many in the crowded market are struggling to live up to their early promise. In some cases, the security products they developed have been overtaken by advances in cyber hacking, according to industry executives and venture capitalists. In others, larger competitors have come out with similar technology and locked down customers.

“I have never seen such a fast-growing market with so many companies on the losing side,” said David Cowan, a partner at Bessemer Venture Partners, a venture capital firm that has invested in the cyber security sector.


Venture capital continues to pour into the industry, driven by the belief that there is no end in sight to cyber attacks or companies’ need to protect themselves. Yet only a handful of startups have successfully sold themselves or floated in the stock market in recent years. (Graphic: tmsnrt.rs/2mzClbR)

The result is a number of these start-ups have become corporate “zombies” with little prospect of fetching a good price in an initial public offering (IPO) or becoming acquisition targets, experts said. Their early investors have been left without an easy or profitable exit.

Not only is the technology behind cyber attacks rapidly evolving, the nature of how the corporate world uses security firms is changing. To save money and trouble, some companies have consolidated their security work, using just a few large players rather than spreading business around.

Companies are also diverting money to lower-cost “bug bounty” firms that contract out researchers who help identify security weaknesses.

“Suddenly, we are in this situation where there are just too many vendors and too few can be sustained,” said Dave DeWalt, the former CEO of cyber security company FireEye Inc (FEYE.O).

“You’re starting to see companies go, ‘oh my gosh, what do I do? Can I get more capital, do I have to merge?’” DeWalt said.

Momentum Cyber, an advisory firm focused on cyber industry mergers and acquisitions, said it tracks 2,500 security companies today, almost double the number a few years ago. The firm’s co-founder, Eric McAlpine, estimates 300 cyber security startups launch every year.

Few of these are pulling off IPOs. What’s more, big software companies have become less willing to acquire cyber security products they believe they can develop on their own.

“The pipe dream days of selling companies at a rich price equivalent to ten times their revenue are gone,” said Tom Kellermann, chief executive of venture capital firm Strategic Cyber Ventures.

ForeScout Technologies Inc (FSCT.O), a provider of software that helps companies keep the devices of their employees secure, was the only U.S. cyber security company, excluding identity management providers, to go public last year. This compares to three cyber security IPOs in 2016 and four in 2015.

Continue reading: http://snip.ly/91dbi



The AAMI TIR 45 is invaluable in helping adapt Agile methods for medical device software

A report from the Association for the Advancement of Medical Instrumentation, namely, AAMI TIR 45, offers recommendations for how to comply with both international standards and guidance documents from the FDA when it comes to Agile practices for developing medical device software.

The AAMI TIR 45 is an attempt to align and synchronize Agile’s values, goals, principles and practices to medical device software development. It shows the ways of doing this. It seeks to remove the many misconceptions and myths surrounding the suitability and adaptability of Agile to medical device software and explains how to apply Agile methods for meeting the Quality System requirements set out for medical device software.

AAMI TIR 45 has been set out to help manufacturers of medical device software reap the benefits that Agile provides, while staying compliant with the regulatory expectations and requirements.

The AAMI TIR 45 was created because of the value that Agile can bring to medical device software. One of the reasons for which Agile was developed was to address concerns relating to the quality and efficiency present in the methods of software development that existed then. When its core features are adapted to the medical device software field, it brings enormous benefits, some of which include:

– It allows for a continuous focus on risk management, safety and delivering customer value through its prioritized backlog and its planning and customer-feedback practices

– It uses continuous integration and testing to assess quality continuously and consistently

– Through its practices of retrospection and accountability, Agile brings continuous improvement into the process of software development

– By focusing on getting things done one stage at a time, and thus ensuring timely and incremental completion of work and deliverables, Agile satisfies the demands of the medical device company’s stakeholders in the management and quality areas.

A few reservations

Many experts in both the medical device software and Agile fields have expressed reservations about Agile’s suitability for an extremely stringently regulated area such as medical device software. They refer to the Agile Manifesto, which contains value statements that seem to contradict the values at the core of a Quality Management System.

They also draw attention to the fact that, because Agile evolved at a time when no criticality was attached to risk management and human safety, the controls needed for producing safety-critical software have not been embedded into Agile.

Requires proper understanding and implementation

These points notwithstanding, Agile comes with a fundamental adaptability to the context in which it is applied. Implementing Agile principles and practices properly makes it more than adequate in a safety-critical area like medical device software. It is perfectly well suited to accomplishing the lifecycle steps prescribed in IEC 62304 and risk management under ISO 14971. It can also help achieve usability design as required under IEC 62366.

A learning session on the AAMI TIR 45

Compliance4All, a leading provider of professional trainings for all the areas of regulatory compliance, will offer thorough clarity on the suitability of Agile for medical device software. The speaker at this session, Brian Shoemaker, will unravel the elements of AAMI TIR 45 and explain how it can be applied to medical device software smoothly and effectively in a manner that meets regulatory requirements.

Please visit Agile Meets Software Standards to register for this webinar and derive the benefit of understanding how to apply Agile principles to medical device software.

At this webinar, Brian will help attendees understand how the AAMI TIR 45 can be the ideal roadmap for facilitating and improving development, which benefits everyone concerned, be they development teams, companies, patients, caregivers, or regulators.

He will put this in perspective by explaining the following topics:

o  Convergence: Agile principles and regulatory needs

o  Lifecycle: incremental development, design reviews, documentation

o  Key practices: planning, collective effort, product definition

o  Implementation: evolving architecture, emergent design, continuous testing, traceability

o  Managing your software: release, configuration management, third-party software, and CAPA

Brian will cover the following areas at this webinar:

o  TIR 45 comes at a much-needed time

o  TIR 45 stitches together the important high-level concepts

o  TIR 45 outlines key practices that are needed for flexibility and quality

o  Implementation issues are not ignored

o  This TIR is actually just a starting point.

For more updates and articles: AAMI TIR 45

Companies continue to increase transparency of external audit oversight

More companies are providing investors and other stakeholders with information about audit committee oversight of external auditors, according to the latest edition of the Audit Committee Transparency Barometer, an annual report released Wednesday by the Center for Audit Quality (CAQ) and Audit Analytics.

“For the fourth year in a row, audit committees have continued to enhance transparency around their oversight of the external auditor by voluntarily and broadly increasing disclosure,” Cindy Fornelli, executive director of the CAQ, said in a press release. The CAQ is affiliated with the AICPA.

The barometer found that 37% of S&P 500 companies’ proxy statements included enhanced discussions of the factors audit committees considered in recommending the appointment of the external audit firm. That’s up from 31% in 2016 and 13% in 2014.

The analysis, which also looks at mid-cap and small-cap companies in the S&P Composite 1500, found that 24% of S&P MidCap 400 companies and 17% of S&P SmallCap 600 companies provided enhanced discussion of audit committee considerations in choosing an audit firm. Those percentages are up from 10% and 8%, respectively, in 2014.

Continue the article: http://snip.ly/yrkko

Misinterpretation of closed Data when Treated with “Normal” Statistical Methods

Geology is among the many branches of science in which compositional data (CoDa) arise naturally. In branches such as geochemistry, compositional data seem to occur typically, when one normalizes raw data or when one obtains the output from a constrained estimation procedure, such as percentages, ppm, ppb, molar concentrations, etc.

Compositional or constrained data have proved difficult to handle statistically because of the awkward constraint that the components of each vector must sum to unity. The special property of compositional data (the fact that the determinations on each specimen sum to a constant) means that the variables involved in the study occur in constrained space defined by the simplex, a restricted part of real space.

It is important for geochemists and geologists in general to be aware of the fact that the usual multivariate statistical techniques are not applicable to compositional data. They need to have access to appropriate techniques as they emerge and become available.

Pearson was the first to point out the dangers that may befall the analyst who attempts to interpret correlations between ratios whose numerators and denominators contain common parts. More recently, Aitchison, Pawlowsky-Glahn, S. Thio, and other statisticians have developed the concept of Compositional Data Analysis, pointing out the dangers of misinterpreting closed data when they are treated with “normal” statistical methods.
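The two paragraphs above make a concrete, checkable claim: closing a set of determinations so that they sum to a constant changes the correlations between parts, while ratios between parts are untouched. The following Python script is an added example (not from the article or from any of the authors it cites) that demonstrates this with a constructed data set of four specimens and three parts A, B, C. A and B are chosen to be exactly uncorrelated in raw units and C is held constant, so any correlation that appears after closure is an artefact of the constant-sum constraint; the log-ratio log(A/B) is then shown to be identical before and after closure, which is why log-ratio methods are the usual remedy.

```python
"""Closure effect on compositional data, demonstrated with constructed numbers.

Constructed example: four specimens, three parts (A, B, C) in raw units
(say mg). A and B are exactly uncorrelated; C is constant, so the closure
denominator changes only because A and B change.
"""
import math

# Constructed raw determinations: (A, B, C) per specimen.
RAW = [
    (100.0, 100.0, 1000.0),
    (100.0, 300.0, 1000.0),
    (300.0, 100.0, 1000.0),
    (300.0, 300.0, 1000.0),
]


def close(specimen, total=1.0):
    """Closure operation: rescale a composition so its parts sum to `total`
    (1.0 for proportions, 100.0 for percentages, 1e6 for ppm)."""
    s = sum(specimen)
    return tuple(total * x / s for x in specimen)


def pearson(xs, ys):
    """Plain Pearson correlation, the 'normal' statistic the article warns
    about applying directly to closed data."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)


def column(data, i):
    return [row[i] for row in data]


def closure_effect(data=RAW, i=0, j=1):
    """Return (raw_corr, closed_corr) between parts i and j.

    With the constructed data the raw correlation is 0 and the closed
    correlation is about -0.30: a negative correlation induced purely by
    forcing each specimen to sum to a constant."""
    closed = [close(row) for row in data]
    return (pearson(column(data, i), column(data, j)),
            pearson(column(closed, i), column(closed, j)))


def log_ratios(data, i, j):
    """log(part_i / part_j) per specimen. The closure factor cancels in the
    ratio, so this is the same whether computed on raw or closed data."""
    return [math.log(row[i] / row[j]) for row in data]


def log_ratio_is_closure_invariant(data=RAW, i=0, j=1):
    """True if log-ratios agree between raw data and data closed to 100%."""
    closed = [close(row, 100.0) for row in data]
    return all(math.isclose(a, b)
               for a, b in zip(log_ratios(data, i, j), log_ratios(closed, i, j)))


if __name__ == "__main__":
    raw_r, closed_r = closure_effect()
    print(f"corr(A, B) in raw units:     {raw_r:+.3f}")
    print(f"corr(A, B) after closure:    {closed_r:+.3f}")
    print("log(A/B) unchanged by closure:", log_ratio_is_closure_invariant())
```

Swapping in a different constructed table (for example one where C varies strongly) shows the opposite artefact, a spurious positive correlation between A and B, which is why the article stresses that the sign of a correlation on closed data says nothing reliable about the raw determinations.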

Learning about all elements of CoDa

A webinar from Compliance4All, a leading provider of professional trainings for all the areas of regulatory compliance, will throw light on all the important aspects of CoDa. The speaker at this session will be Ricardo Valls, a professional geologist with thirty years in the mining industry who has extensive geological, geochemical and mining experience, managerial skills, and a solid background in research techniques.

To gain insights into CoDa, please enroll for this webinar by visiting real case studies developed

At this session, Ricardo will present several real case studies he has developed, to demonstrate the advantages of applying various aspects of the CoDa analysis in the search for and evaluation of ore bodies by comparing them with regular statistical modelling of geochemical data.

At this webinar, which will be of high value to personnel involved in mining, such as geologists, geochemists, exploration personnel, graduate students and post-graduate students, Ricardo will cover the following areas:

o  History of the Problem

o  The Current Situation

o  The Model

o  Normal Statistical Processing of the Data

o  Compositional Data Analysis

o  Factor and Principal Component Analysis

o  Dealing with zero and b.d.l. Values

o  Conclusions and Recommendations.

For more, click: the advantages of applying different aspects

What You Need To Know For Validated Systems?

Instances of cyberattacks that lead to disruption of service, data theft or compromise, and even ransomware are making the news headlines with alarming frequency. Computer systems used in highly regulated companies are attacked because they house very sensitive and valuable information.

Data relating to valuable electronic submissions, clinical information, medical device design control records, legal information, and other such information are usually placed in these systems, which is what makes them targets of cyberattacks. Cyber attackers have become so sophisticated and emboldened in recent times that they have not even spared the White House.

Computer Systems Validation has a major role

Companies that hold vital information should ask themselves many questions on this topic. Some of these include: Will my company be able to cope with a breach of one of our validated systems? How secure is the information we have stored in the cloud? Are we conducting adequate due diligence on our cloud provider?

Even as dependence on the cloud goes up, with life sciences companies increasingly implementing and deploying systems in a cloud environment, the procedures and controls for effectively managing and protecting their validated systems environments remain somewhat inadequate.

In the current situation of more frequent and stronger attacks on computer systems that lack solid safety and security guarantees, Computer Systems Validation (CSV) has a critical role to play. Validation engineers need to take a serious second look at their testing strategies. They must look for objective evidence that computer systems have the requisite technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.

There is an acute need for validation engineers to be more vigilant in today’s sometimes hostile systems environment, in order to detect and prevent cybersecurity issues before they become real problems. Proper and diligent CSV goes a long way towards ensuring that this happens.

Valuable learning on lean validation

The ways of doing this will be the learning from a valuable webinar by Compliance4All, a leading provider of professional trainings for all the areas of regulatory compliance. The speaker at this webinar will be Valarie King-Bailey, CEO of OnShore Technology Group, an independent Chicago-based consultancy founded in 2004 that specializes in Independent Validation and Verification (IV&V) services and solutions.

Please enroll for this webinar by visiting: concept of Cybersecurity Qualification

Full aspects of cybersecurity

The regulatory, legal, compliance and business risks associated with the threat of cybersecurity constitute the core of this webinar. It will address the unique threat of cyberattacks on validated systems environments and discuss how to mitigate and protect validated systems.

As validation engineers continue to conduct IQ, OQ and PQ, CyQ testing must be added as a defense against cyberattacks when validating computer systems. Valarie will discuss the NIST Cybersecurity Framework and how it can be applied to validated computer systems. She will also discuss a new level of qualification for validated computer systems known as Cybersecurity Qualification (CyQ), a concept she will introduce at this webinar.

Organized for the benefit of enterprise and validation professionals, such as validation engineers, validation project managers, software quality engineers, IT managers, directors, VPs, chief information officers, quality assurance/quality control managers and program/project managers, this webinar will cover the following areas:

o  The Cyber Threat Megatrends: What You Need to Know for Validated Systems

o  Understanding Cybersecurity Regulatory Guidance and Standards

o  Cybersecurity Qualification: The NEXT Frontier

o  Automated Testing in the Cloud

o  Top 20 Critical Security Controls for Validated Systems

o  Cloud Security Technology Maturity

o  Cloud Quality Assurance & Governance

o  The Changing State of Computer Systems Validation in a Cyber World

o  Understanding the NIST Cybersecurity Framework for Validated Systems.

Continue reading: How to mitigate and protect validated systems