Focus on resources: DHS Protective Security Advisors

August 03, 2015

PSA imageRecently, we received an inquiry from an out-of-state colleague. Some of his questions could be answered over the phone, but it was clear that an on-site consultation was in order.

I asked my colleague, “Do you know your Protective Security Advisor (PSA)?” He replied, “What?”

DHS employs PSA’s in all 50 states and many states have multiple regions. Our experience here in NY is that our PSA’s are a wonderful resource. They are hard-working, knowledgeable and professional.

  • Security surveys. Subject to time constraints you can ask your PSA to conduct security surveys and assessments of your facilities. We’ve joined our PSA’s during some of these sessions and their suggestions are both sound and pragmatic.
  • Training. PSA’s have access to a wide variety of training options, e.g. active shooters, suspicious packages, severe weather. Even if you don’t know your exact need, talk to them. They can open up a variety of resources for you.
  • Special events planning. Let them know if you are planning a high profile event. They can advise you on security and logistical issues.
  • Outreach. Get on their radar. They will invite you to various trainings and events.

Click here for more information on Protective Security Advisors. To contact your local PSA, please contact PSCDOperations@hq.dhs.gov. To contact NY PSA’s or if you have questions or need other assistance please complete the form below.

Cybersecurity: WordPress Vulnerabilities

April 01, 2015

FBI (April 7) ISIL Defacements Exploiting WordPress Vulnerabilities. Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites. Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems. Click here for the full alert.

Best practice. The FBI recommends the following actions be taken:

  • Review and follow WordPress guidelines: http://codex.wordpress.org/Hardening_WordPress
  • Identify WordPress vulnerabilities using free available tools such as
    http://www.securityfocus.com/bid,
    http://cve.mitre.org/index.html,
    https://www.us-cert.gov/
  • Update WordPress by patching vulnerable plugins:
    https://wordpress.org/plugins/tags/patch
  • Run all software as a non-privileged user, without administrative privileges, to diminish the effects of a successful attack
  • Confirm that the operating system and all applications are running the most updated versions.

Hacktivist
Click on the graphic to open a PDF version of this notification.

The FBI is warning U.S. companies that cyber terrorists from the Middle East and North Africa are planning to conduct cyber-attacks against Israeli and Jewish interests next week.  The Bureau stated in a security notice to U.S. industry on Sunday that, as of early March, “several extremist hacking groups indicated they would participate in a forthcoming operation, #OpIsrael, which will target Israeli and Jewish Web sites.”

“Given the perceived connections between the government of Israel and Israeli financial institutions, and those of the United States, #OpIsrael participants may also shift their operations to target vulnerable U.S.-based financial targets or Jewish-oriented organizations within the United States,” the FBI warning said.

The FBI predicts that the threat to U.S.-based infrastructure from the coming cyber attack is low for well-maintained and updated networks. So, make sure that your techies and hosts maintain and update your systems.

The FBI said members of at least two extremist hacking groups it did not identify are currently working to recruit hackers for the attacks next week. The hacker group Anonymous this week also threatened an “electronic Holocaust” in a video statement.

The FBI estimated that the threat to U.S.-based infrastructure from the coming cyber attack is low for well-maintained and updated networks. However, as part of its program to notify private industry of major cyber threats, the FBI is notifying several possible targets.

 

Ongoing cyberthreats, website defacements

October 15, 2014
A screenshot of the defaced synagogue website.

Recent posts on the ADL Blog and Geektime describes the efforts of an anti-Israel hacktavist group that calls itself “Team System Dz”. While most of the website defacements occurred in July and August, incidents in Florida and New York were reported recently.

The Geektime post explains, “… the team is a group of Arab youth that is looking to teach protection and penetration of sites and services and strive for peace. Their hacks however don’t appear to be looking for peace. The group seems to align itself with Anonymous”. Their inclusion of an “i love you isis” message probably indicates their definition of how to look for peace. The Team’s Facebook page listing their accomplishments was taken down.

Often, visitors to your organization’s website get their first impression of your organization and your members rely on it for good information. To a great extent, your website can be the most important element of your reputation. Treat it accordingly. 

Best practices. It is likely that this group, and others, will continue to try to hack Jewish websites, so all Jewish organizations should work to ensure that they are following “best practices” in order to protect their websites and their reputations:

Website

  • An Institutional should always make the effort to have their Website hosted with a professional Web hosting company and avoid having the Website reside on an Institution or member’s home computer
  • Institutions should meet or conference with their Web hosting service and ask about such things as active back-up of Website, what security measures do the hosting company use to prevent Denial of Service (DoS) attacks and unauthorized Website access. Also ask if they have a disaster recovery procedure that includes someone available as a 24/7 point of contact for emergencies.
  • As with institutional email addresses, an effort should be made to limit and control the number of people Website administrator or Webmaster permissions and policy for password assignment and a schedule for changing passwords.

Computer Systems

  • It is in the best interest of any computer owner to be aware of who has access to their computer, the permissions granted to each account, who has system administrator authorization and who assigns passwords.
  • It is now considered a good practice to segregate general office and bookeeping/member information to the greatest degree possible.
  • If a computer system is connected to the Internet, an institution should consider using a primary carrier (Comcast, TimeWarner, Verizon etc) for Internet service.
  • Companies who re-sell other company’s services should be avoided where possible.
  • It is always prudent to have active and up-to-date firewall, anti-virus and threat detection software.
  • Although not all Websites or personal use of an Institutions computers pose a problem, a basic “no personal use” policy is reasonable.
  • As a general rule users should be discouraged from connecting personal devices, such as phones, iPods, tablet computers and flash drives to institutional computer systems.
  • Downloading of any material form the Internet should be closely supervised to avoid viruses and potential copyright infringement.

System Intrusion

  • Computer system intrusion can happen in a variety of ways: access in an unauthorized manner, by an unauthorized user, internally by a member of the institution or externally by the public.
  • Advanced software can alert a system administrator if an unauthorized access has been attempted. Older systems may require a regular manually review of computer logs to detect unwanted access.
  • Computer logs and advanced software, if properly configured, can indicate which computer files, if any, have been accessed. A policy should be established to inform members if files containing personal or sensitive information have been exposed. It is likely best to err on the side of caution in such situations.
  • Unauthorized computer access is potentially a criminal act. System intrusions rarely happen by accident and, as such, it is best to assume the person violating the system is seeking something. As with Website hacking, those perpetrating a system breach, likely know they are breaking the law and may have motivation to justify that risk.
  • As soon as a system intrusion is detected the system administrator must be contacted immediately. Subsequent contact to law enforcement and FBI (http://www.ic3.gov/default.aspx) computer crime specialists would not be an unusual next step.

Mobile Devices (smartphones, tablets, gaming and media players)

  • Due to the recent emergence and proliferation of smart mobile communication devices and mobile computing, there is at this time very little anti-virus or anti­-malware protection for mobile computing devices. Mobile devices should only be granted access to institutional systems under the supervision of an experienced service provider, who clearly understands the security needs of a Jewish institution.

Event Response

Website Hacking

  • Website hacking can take a number of different forms and can happen for a variety of reasons. For this document we are defining a hacking as; Activity in the secure section of a Website that is not the result of action by an authorized individual. How the hacking occurs is secondary, here we are discussing what to do afterward.
  • We suggest contacting the hosting company for the Website as soon as the incident is discovered. The hosting company will need to preserve a copy of the hacked page(s) and copies of all relevant server logs. The hacked page(s) need to be removed as soon as possible in case malware is involved and also to limit the hacker’s usual main objective – to gloat.
  • Report the event to the police and FBI (http://www.ic3.gov/default.aspx) promptly. Provide them with a copy of the material left by the hacker especially if it involves threats or hateful language.
  • Restore the Website from back-up copy of the Website, but only after the hosting company or ISP acknowledges the issues relating to the hack have been addressed.

Distributed Denial of Service Attack (aka DoS attack)

  • DoS attacks are the simplest and most common form of cyber-attack. A DoS attack is a coordinated effort by a group of computers to request access to a Website. This and creates a situation where no one can access the Website or that the contents are delivered very slowly. , In many cases a Website hosting company will shut down a Website temporarily rather than create a problem for their other customers. If a Website is the potential target of attacks, the Website hosting company should be made aware of the situation and can offer solutions.

Additional resources

Gaza fighting continues, should you up your security game?

August 01, 2014

The ongoing military conflict between Israel and Hamas has lead to disturbing attacks on Jewish institutions abroad. While there are no specific threats to U.S. Jewish institutions or individuals, JCRC-NY recommends that Jewish institutions increase their levels of vigilance out of an abundance of caution.

  • Create a culture of security. Institutions shouldn’t merely subcontract security. Even buildings with well-trained security personnel shouldexpect that staff and constituencies should be part of the security equation. Everyone should have heightened vigilance in times like these. For tips on security awareness, click here and the ADL’s Guide to Detecting Surveillance of Jewish Institutions and 18 Best Practices for Jewish Institutional Security.
  • Be in contact with your local police.  Someone (or more than one) should have ongoing personal relationships with key police personnel. They should know you, your building and your organizational activities.
    • Discuss your security procedures with them and ask them for suggestions for improvement.
    • Inform them of the dates and times your regular events and of special events.
  • Revisit and review your security plans and procedures. 
    • Access control. Did you hear the one about a pro-Israel organization visited by a middle-aged, well-dressed woman saying that she wanted to make a contribution? They opened the door for her and a dozen protesters rushed in. Nine of the invaders were arrested. Are you vulnerable to such antics? Take the time to review your access control procedures. For more information and guidance see JCRC-NY’s Sample Building Access Policies & Procedures (PDF).
    • Bomb threats. Review your bomb threat procedures and make sure that your staff (especially those who answer the phones) know what is expected of them. For a range of resources from top agencies, including the FBI and the DHS guidance click here.
    • Suspicious packages. Is your staff aware that they should be on the lookout for suspicious packages? For USPS guidance click here.
    • Active shooters. See both quick pocket-card and in-depth resources from DHS, FBI and other agencies here.
  • Assess your cybersecurity. Over the past month the websites of several Jewish-affiliated organizations were hacked. Protect your organization. See Cybersecurity for Jewish organizations 101: an update and how to have inexpensive and effective backup and other plans at Resources to prepare your organization’s technology for a disaster.

Click here to contact JCRC-NY for further guidance and advice.

Resources to prepare your organization’s technology for a disaster

July 23, 2014

Tech Soup is a respected and valuable technology resource for nonprofits (If you don’t know about their deeply-discounted software, you should). They recently published an excellent disaster planning guide:  The Resilient Organization. Find their links to the new guide and related webinars below.


Disaster preparedness isn’t just about being ready for a fire or earthquake; it’s a nimble, flexible approach to your organization’s day-to-day programs and operations. A natural disaster may never hit your office, but by adopting certain technologies and strategies, you can deepen your nonprofit’s impact and make your work faster and more efficient. The resources in this toolkit will not only prepare you for a crisis, but also deepen the impact of your nonprofit or charity in times of health.

The Resilient Organization is a holistic guide to disaster planning and recovery. This book is intended both for organizations striving to be better prepared for an emergency and for organizations striving to rebuild and maintain operations after a disaster. Download The Resilient Organization and browse other disaster planning and recovery resources below. The book comes in four formats:

Cybersecurity for Jewish organizations 101: an update

July 22, 2014

Two years ago the websites of many Jewish organizations were hacked during Israel’s Operation Pillar of Defense. JCRC-NY and ADL (thanks to the ADL for some of the suggestions below) have noted some new attacks against Jewish community websites allegedly motivated by the ongoing conflict in Israel. Hacker groups claiming affiliation to Anonymous, the hacker collective, have attacked and defaced the websites for U.S. based Jewish institutions as well as Israeli government and business websites.

There may be an increase in the frequency and scope of attacks against Jewish websites. Jewish institutions should review their security procedures, including:

Website. Have your website hosted with a professional web hosting company rather than having it reside on an institutional server or  a member’s home computer. Contact your institution’s Internet Service Provider (ISP) and/or website hosting company to discuss what measures are in place to protect your website and its content and what steps should be taken in case of an incident.

When deciding on a web host and ask them:

  • whether they install security patches on a regular and timely basis;
  • how often they make active backups of hosted websites (you should have a current back-up version of the relevant website and establish a periodic policy of taking snapshot backups — e.g., on a weekly basis, in no case should the period be longer than a month).
  • what security measures do the hosting company use to prevent Denial of Service (DoS) attacks and unauthorized Website access. 
  • if they have a disaster recovery procedure that includes someone available as a 24/7 point of contact for emergencies.

Remove any personal information (e.g., personal email, Facebook pages, Twitter handles, home addresses and phone numbers) from organizational websites wherever possible. Website administrators should review website server logs for unusually high visitor activity or visitors from unusual locations and alert their ISP or hosting company immediately.

Passwords. As with institutional email addresses, an effort should be made to limit and control the number of people Website administrator or Webmaster permissions and policy for strong passwords and a schedule for changing passwords.

  • Administrator passwords must be changed periodically (at least every two months). Passwords must be complex, i.e., contain both alpha and numeric characters and have at least one case change. Ideally, they should also contain at least one “special” (non-alpha/numeric) character. Staff names should never be part of any password.
  • You can find tips to create strong passwords and  a utility to check the strength of a potential password here.

Social networks.  Social networking pages are also vulnerable and should be monitored regularly. In addition, wherever possible, institutional staff should remove information about their affiliation with the institution from personal social media pages. See these tips on socializing securely.

ADL is in contact with many of the major Internet and social networking companies. Facebook pages for Hamas and hacker groups have already been removed from the Internet and we will continue our efforts.

Computer systems. Be aware of who has access to their computer, the permissions granted to each account, who has system administrator authorization and who assigns passwords.

  • To the extent possible, financial records should be segregated from membership data and other documents. Many programs allow users to encrypt data, further protecting the confidentiality of constituents. Of course, passwords become critical elements of your data protection efforts.
  • It is always prudent to have active and up-to-date firewall, anti-virus and threat detection software.

Phishing. Remind institutional staff and key members to be wary of attachments to emails.  Computer criminals are adept sending emails from people that you know (often victims of prior phishing attacks) to lure you into a sense of false security. See specific tips and more at Lots of phishing going on: Stop, think, click.

System Intrusion. Computer system intrusion can happen in a variety of ways: access in an unauthorized manner, by an unauthorized user, internally by a member of the institution or externally by the public.

  • Advanced software can alert a system administrator if an unauthorized access has been attempted. Older systems may require a regular manually review of computer logs to detect unwanted access.
  • Computer logs and advanced software, if properly configured, can indicate which computer files, if any, have been accessed. A policy should be established to inform members if files containing personal or sensitive information have been exposed. It is likely best to err on the side of caution in such situations.
  • Unauthorized computer access is potentially a criminal act. System intrusions rarely happen by accident and, as such, it is best to assume the person violating the system is seeking something. As with Website hacking, those perpetrating a system breach, likely know they are breaking the law and may have motivation to justify that risk.
  • As soon as a system intrusion is detected the system administrator must be contacted immediately. Subsequent contact to law enforcement and FBI (http://www.ic3.gov/default.aspx) computer crime specialists would not be an unusual next step.

For more information, explanations and suggestions see the FCC’s Small Biz Cyber Planner.

Lots of phishing going on: Stop, think, click

February 18, 2014
How do you stop phishers? Look for these clues. Click to enlarge.
How do you stop phishers? Look for these clues. Click to enlarge.

OK, you’ve heard it over and over…don’t click on unknown links. Well, people, even smart people, don’t listen. You get an email from someone that you know, click on what is said to be a “secure” link and your adventure begins.

googledocs - Secure Login
Here’s the bait. It looks official. People click and type in their password, giving their email account and contacts to hackers.

Now the phisher has you lured in. You’re asked to sign in. A nasty bot takes control of your computer, steals your contact list and sends everyone on your list an invitation to become infected.

Recommendations:

    • Look at the illustration at the top of this email. Be aware.
    • Do not follow unsolicited web links in email messages or submit any email account or password information to unknown webpages in links.
    • Use caution when opening email attachments. Refer to Using Caution with Email Attachments for more information on safely handling email attachments.
    • Maintain up-to-date anti-virus software.
    • Perform regular backups of all systems to limit the impact of data and/or system loss.
    • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity.
    • Secure open-share drives by only allowing connections from authorized users.
    • Keep your operating system and software up-to-date with the latest patches.
    • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
    • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Here are some free resources to see if your computer is infected (from STOP. THINK. CONNECT.™  the global cybersecurity awareness campaign to help all digital citizens stay safer and more secure online. – See more at: http://www.stopthinkconnect.org/)

For more tips about cybersecurity, check out the following non-technical publications:

New cyberthreats (including CryptoLocker Ransomware)

November 17, 2013
Stop. Think. Connect.
Click on the icon to download a set of posters to help you create a culture of cybersecurity.

The FBI and the National Cybersecurity and Communications have identified new computer malware threats and recommend that, “organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.” Destructive malware is a direct threat to your daily operations. Because of the increasing sophistication of malware, anyone (employee, client, volunteer, student) who  is on your network could trigger an infection affecting everyone. Organizations should work to develop a culture of safe computing.

  1. The publication, Planning and Recommended Guidance: Destructive Malware is technical, but it is a good guide for techies. Please pass it on to your IT departments and/0r consultants to assist them to protect you, your data, your credit and your reputation.
  2. The National Cyber Awareness System reports outbreak of “ransomware” that restricts access to infected computers and demands a payment to to decrypt and recover your files (see CryptoLocker Ransomware Infections for more information and how to undo the damage). The latest means of infection appears to be phishing emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. Some victims saw the malware appear following after a previous infection from existing botnets lurking on infected computers.

Recommendations:

    • Do not follow unsolicited web links in email messages or submit any information to webpages in links.
    • Use caution when opening email attachments. Refer to Using Caution with Email Attachments for more information on safely handling email attachments.
    • Maintain up-to-date anti-virus software.
    • Perform regular backups of all systems to limit the impact of data and/or system loss.
    • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity.
    • Secure open-share drives by only allowing connections from authorized users.
    • Keep your operating system and software up-to-date with the latest patches.
    • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
    • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Related information:

For more tips about cybersecurity, check out the following non-technical publications:

Syria: potential repercussions

September 01, 2013

The escalating drumbeat for military action naturally leads to questions about possible terrorism here in New York. Note: as of today there are no specific, credible threats against New York or the Jewish community. Nevertheless, all Jewish organizations should review their security and emergency preparedness plans to ensure that they are up-to-date and that they can be readily implemented. Some specifics:

High Holidays

If you are an organizations hosting High Holiday services and/or programs you should:

  1. Notify your local police about all planned services and programs. Discuss the number of people expected at each service and ask them for any suggestions that could improve your security and emergency preparedness plans.
  2. Review your security and emergency preparedness measures, especially access control, evacuation and lockdowns. Meet with your staff and volunteers and make sure that everyone is on the same page and knows what to do. Check the “High Holidays” category for more suggestions..

Potential for Cyberattacks

Last week the Syrian Electronic Army compromised the New York Times website and others. Western financial institutions are also targetted by others. We all should review our own cybersecurity because, in the past, anti-Israel hackers have attacked Jewish-related sites. See JCRC’s Cybersecurity Resources.

This week the FBI distributed the following:

  • The Syrian Electronic Army (SEA), a pro-regime hacker group that emerged during Syrian antigovernment protests in 2011, has been compromising high-profile media outlets in an effort to spread proregime propaganda. The SEA’s primary capabilities include spearphishing, Web defacements, and hijacking social media accounts to spread propaganda. Over the past several months, the SEA has been highly effective in compromising multiple high-profile media outlets.
  • The SEA has recently compromised high profile media Web sites through a new tactic of hacking third party networks – including a Domain Name System (DNS) registrar and a content recommendation website.
  • In April 2013, the SEA compromised the Twitter feed of the Associated Press, posting a false story that President Obama was injured, causing in a brief drop in the stock market.
  • In addition to Syrian hackers, groups or individuals sympathetic to the SEA may also be observed participating in CNO efforts against US Web sites and networks.
  • Please maintain heightened awareness of your network traffic and take appropriate steps to maintain your network security. If you detect anomalous or malicious traffic or network behavior, please contact your local FBI Cyber Task Force or the FBI CyWatch (855) 292-3937 immediately.

Defending Against Hacktivism

In general, hacktivism cyber attacks may result in denial of service, Web site defacements, and the compromise of sensitive information which may lead to harassment and identify theft. Although the specific OpUSA claims referenced above speak specifically to DDoS attacks, precautionary measures to mitigate a range of potential hacktivism threats include:

  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks. 
  • Have a DDoS mitigation strategy ready ahead of time and keep logs of any potential attacks.
  • Scrutinize links contained in e-mail attachments.
  • Regularly mirror and maintain an image of critical system files.
  • Encrypt and secure sensitive information.
  • Use strong passwords, implement a schedule for changing passwords frequently and do not reuse passwords for multiple accounts.
  • Enable network monitoring and logging where feasible.
  • Be aware of social engineering tactics aimed at obtaining sensitive information.
  • Securely eliminate sensitive files and data from hard drives when no longer needed or required.
  • Establish a relationship with local law enforcement and participate in IT information sharing groups for early warnings of threats.