Start with Security: A Cybersecurity Guide for Business (even nonprofits)

October 13, 2016

Lessons from Federal Trade Commission cases

Go to the FTC Start with Security website here or click here to download a PDF copy of their full recommendations.

When managing your network, developing an app, or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant. As the Federal Trade Commission outlined in Protecting Personal Information: A Guide for Business, you should know what personal information you have in your files and on your computers, and keep only what you need for your business. You should protect the information that you keep, and properly dispose of what you no longer need. And, of course, you should create a plan to respond to security incidents.

There’s another source of information about keeping sensitive data secure: the lessons learned from the more than 50 law enforcement actions the FTC has announced so far. These are settlements – no findings have been made by a court – and the specifics of the orders apply just to those companies, of course. But learning about alleged lapses that led to law enforcement can help your company improve its practices. And most of these alleged practices involve basic, fundamental security missteps. Distilling the facts of those cases down to their essence, here are ten lessons to learn that touch on vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose.

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

It’s National Cyber Security Awareness Month

October 05, 2016

Cyber Security is Everyone’s Responsibility

Data breaches resulting in the compromise of personally identifiable information of thousands of Americans. Intrusions into financial, corporate, and government networks. Complex financial schemes committed by sophisticated cyber criminals against businesses and the public in general.

These are just a few examples of crimes perpetrated online over the past year or so, and part of the reason why Director James Comey, testifying before Congress last week, said that “the pervasiveness of the cyber threat is such that the FBI and other intelligence, military, homeland security, and law enforcement agencies across the government view cyber security and cyber attacks as a top priority.” The FBI, according to Comey, targets the most dangerous malicious cyber activity—high-level intrusions by state-sponsored hackers and global cyber syndicates, and the most prolific botnets. And in doing so, we work collaboratively with our domestic and international partners and the private sector.

But it’s important for individuals, businesses, and others to be involved in their own cyber security. And National Cyber Security Awareness Month—a Department of Homeland Security-administered campaign held every October—is perhaps the most appropriate time to reflect on the universe of cyber threats and on doing your part to secure your own devices, networks, and data.

What are some of the more prolific cyber threats we’re currently facing?

Ransomware is type of malware that infects computers and restricts users’ access to their files or threatens the permanent destruction of their information unless a ransom is paid. In addition to individual users, ransomware has infected entities such as schools, hospitals, and police departments. The actors behind these sophisticated schemes advise the users that if they pay the ransom, they will receive the private key needed to decrypt the files. Most recently, these cyber criminals—demonstrating some business savvy—give victims the option of decrypting one file for free to prove that they have the ability to restore the locked files.

Business e-mail compromise, or BEC, scams continue to impact many businesses across the U.S. and abroad. BEC is a type of payment fraud that involves the compromise of legitimate business e-mail accounts—often belonging to either the chief executive officer or the chief financial officer—for the purpose of conducting unauthorized wire transfers. After compromising a company’s e-mail account—usually through social engineering or malware—the criminals are then able to send wire transfer instructions using the victim’s e-mail or a spoofed e-mail account. BEC scams have been reported in all 50 states and in 100 countries and have caused estimated losses of more than $3 billion worldwide. More on BEC scams.

Intellectual property theft involves robbing individuals or companies of their ideas, inventions, and creative expressions—often stolen when computers and networks are accessed by unscrupulous competitors, hackers, and other criminals. Intellectual property can include everything from trade secrets and proprietary products and parts to movies, music, and software. And the enforcement of laws protecting intellectual property rights (IPR)—which are critical to protecting the U.S. economy, our national security, and the health and safety of the American public—is an FBI criminal priority. The Bureau’s IPR focus is the theft of trade secrets and infringements on products that can impact consumers’ health and safety, including counterfeit aircraft, automotive, and electronic parts.

“The FBI is doing everything we possibly can, at every level, to make it harder for cyber criminals to operate,” says Associate Executive Assistant Director David Johnson, “and I believe many of them are now starting to think twice before they put fingers to keyboard. But we also ask that the public do its part by taking precautions and implementing safeguards to protect their own data.”

Check back on our website during the month of October for information on protecting your data and devices and on FBI efforts to combat the most egregious cyber criminals.

High Holidays: Are you ready to get out if you have to?

September 26, 2016

It’s happened more than once…a fire in a synagogue during High Holiday services. Bomb threats and suspicious packages … you have a plan, but fires?

Most people  tend to exit through the door they entered. In an emergency, if people don’t use all of the doors there will be bottlenecks leading to injuries or worse. With a little bit of planning and rehearsal this problem can be readily mitigated.

  • We all have seen the “cards in the seat pockets in front of you” on a plane. Simply figure out how to divide your sanctuary spaces so that all of the exits will be used and create a chart like the one below (add some instructions), reproduce it and stick it in the pockets in front of the pews.
  • No one expects you to conduct a fire drill on Yom Kippur, but you can ask your ushers and key staff to attend a rehearsal meeting in advance of services. Discuss your plans and their roles with them ahead of time.
  • Pre-write directions that should be kept on the bimah. In the event of an emergency you shouldn’t count on people to call an “audible” (i.e., improvise).
(Click to link to a PDF of the sample)

Ransomware victims urged to report infections

September 15, 2016

FBI

 

 

 

September 15, 2016/Alert Number I-091516-PSA

RANSOMWARE VICTIMS URGED TO REPORT INFECTIONS TO FEDERAL LAW ENFORCEMENT

High Holiday security: stay vigilant

September 13, 2016
Bernard Picart [Public domain], The Sounding of the Shofar on Rosh Hashanah, illustration circa 1733–1739 by Bernard Picart from
Bernard Picart [Public domain], The Sounding of the Shofar on Rosh Hashanah, illustration circa 1733–1739 by Bernard Picart from “The Ceremonies and Religious Customs of the Various Nations of the Known World”
Security and emergency planning should be an integral component of every synagogue’s High Holiday preparations. Here are some tools to guide you:

High Holiday Security and Emergency Preparedness Planning Library

Synagogue-specific Security & Emergency Planning

Consider the following elements of heightened vigilance:

  • Increase visible security measures. Someone planning an attack may look at your facility, conclude that it is defended and decide to go elsewhere. Several recent incidents also underscore that the presence of armed security and law enforcement personnel and the placement of security checkpoints do not guarantee that an attack will be averted or interupted. Nevertheless, their presence can enable the timely discovery and quick resolution of potential threats and reduce the lethality of terrorist attacks.
  • Review your policies and procedures. How else can you send a signal to outsiders that your facility is a tough target? For example, does your staff do regular inspections of your facility looking for something that, “Just doesn’t look right?” If not, start now. If they do, should you increase the frequency. Review JCRC’s Sample Access Policies and Procedures to identify additional steps.
  • Test your systems. OK, you’ve identified systems to screen your mail, respond to bomb threats and suspicious objects and you have an active shooters plan. The key question is: “Will they work in reality?” Do your panic buttons function? Test them (after you first alert the alarm company). Have you had tabletop exercises and drills covering multiple hazards? How can you make sure that your entire staff and constituencies are on their collective toes?
  • Check in with your local police. For most Jewish organizations, September is the start of a new program year. Reach out to your local police. Offer them the opportunity to get to know your programs, your rhythms, your people and your building. Ask them for suggestions as to how to make your people safer.
  • If you see something, say something. Think how to build a culture of security, because security is everbody’s business. If any of your staff, students, volunteers, congregants or clients sees or hears something suspicious they should feel comfortable to report it to the appropriate person in your facility and the information should be passed on to the police. In NYC the number is 1-888-NYC-SAFE. Elsewhere in New York State the number is 1-866-SAFE-NYS. Every tip is investigated.

Increased vigilance as 9/11 anniversary nears

September 06, 2016

VigilanceA recent federal bulletin urged state and local law enforcement to be on high alert ahead of 9/11 anniversary. It explained that that terrorists – specifically those aligned with
ISIS – “may be inspired or directed to conduct attacks against events associated with 9/11 memorial commemorations or other mass gathering targets timed to this date.” The report notes the symbolism associated with the somber anniversary as a motivating factor for a potential terrorist attack.

While the FBI reports that it is “unaware of any specific, credible information” of a plot against the U.S. homeland (or against Jewish communal targets), Daesh (aka “ISIS”) and Al Qaeda propaganda have repeatedly tried to inspire attacks by individuals  — such as the ones in Paris, Nice, Istanbul and Orlando — using firearms, edged weapons, improvised explosive devices (IEDs), and commercial vehicles. Federal analysts note that there is an  “ongoing heightened threat environment.”

Heightened security measures should be in place through 9/11 and through the Jewish holiday season (Remember: the potential attacker in Aventura, FL was aware of the Jewish calender and planned to strike on a Jewish holiday in order to maximize the impact of his attack). Many of the terrorists responsible for recent incidents engaged in “pre-operational surveillance”, i.e., they checked out the site while planning their attack. Consider the following elements of heightened vigilance:

  • Increase visible security measures. Someone planning an attack may look at your facility, conclude that it is defended and decide to go elsewhere. Several recent incidents also underscore that the presence of armed security and law enforcement personnel and the placement of security checkpoints do not guarantee that an attack will be averted or interupted. Nevertheless, their presence can enable the timely discovery and quick resolution of potential threats and reduce the lethality of terrorist attacks.
  • Review your policies and procedures. How else can you send a signal to outsiders that your facility is a tough target? For example, does your staff do regular inspections of your facility looking for something that, “Just doesn’t look right?” If not, start now. If they do, should you increase the frequency. Review JCRC’s Sample Access Policies and Procedures to identify additional steps.
  • Test your systems. OK, you’ve identified systems to screen your mail, respond to bomb threats and suspicious objects and you have an active shooters plan. The key question is: “Will they work in reality?” Do your panic buttons function? Test them (after you first alert the alarm company). Have you had tabletop exercises and drills covering multiple hazards? How can you make sure that your entire staff and constituencies are on their collective toes?
  • Check in with your local police. For most Jewish organizations, September is the start of a new program year. Reach out to your local police. Offer them the opportunity to get to know your programs, your rhythms, your people and your building. Ask them for suggestions as to how to make your people safer.
  • If you see something, say something. Think how to build a culture of security, because security is everbody’s business. If any of your staff, students, volunteers, congregants or clients sees or hears something suspicious they should feel comfortable to report it to the appropriate person in your facility and the information should be passed on to the police. In NYC the number is 1-888-NYC-SAFE. Elsewhere in New York State the number is 1-866-SAFE-NYS. Every tip is investigated.

School security guards: New FAQ’s.

August 04, 2016

The New York City Department of Citywide Administrative Services (DCAS) held its first meeting with schools yesterday. Applications for the School Security Guard Program are currently being accepted until November 1st for 2016-2017 school year. For questions related to the nonpublic school application process, it is really worth your while to check out the FAQ‘s. If you still have questions, contact Latesha Parks – lmparks@dcas.nyc.gov. We feel that DCAS has been making this process user-friendly.

Eligible schools. To be eligible to participate in the program, a school must meet the following:

  • Must be New York City nonpublic school;
  • Must be nonprofit;
  • Have 300 or more students in any combination of grades Pre-K through twelfth grades only;
  • Have been assigned a Basic Educational Date System (BEDS) code by the New York State Education Department (NYSED).

Eligible security guard companies. DCAS is working to establish a list of qualified security vendors. In order to receive reimbursements, schools will only be able to utilize firms that are on the qualified vendor list.  Once a list is available, DCAS will notify schools of its availability via email or letter.  The list will also be available on the DCAS website. Information about how security guard companies can apply to become qualified vendors can be found in the FAQ’s.

Contracts. One piece of advice. As a school you will contract directly with a qualified security vendor. You should make sure to stipulate in the contract that should the designated City funds become unavailable, that the school has the option to decide whether to continue or terminate the contract.(n.b., the law caps the expenditure at approximately $20 million, so there is a slight possibility that the funding might run out).

There will be up-dates – so check frequently with JCRC-NY and at the DCAS website.

School security guards: How to register

July 20, 2016

Security Guard Reimbursement for Nonpublic Schools

Local Law 2 of 2016 authorizes the City of New York to reimburse qualifying nonpublic elementary and secondary schools for the cost of certain security guard services. New York City released its Final Adopted Rules for the program. Each nonpublic school with an enrollment of more than 300 will receive a letter directing them to “prequalify” online using the HHS Accelerator. If you need assistance using HHS Accelerator, you can register for training or contact the HHS Accelerator Helpdesk once you have logged into the system.

Do not delay. After completing the HHS Accelerator you will be contacted about signing a Memorandum of Understanding (MOU). A qualified nonpublic school will not be eligible to apply for reimbursement for any security services until an MOU has been signed by the school and registered with the Comptroller. Only expenses incurred after the signing of the MOU will be reimburseable.

If you are currently using a security guard provider they will have to register with the city in order to be an approved company. Click to the Frequently Asked Questions for more information.

 Training: AcceleratorAssist

To sign up for training, select a date below based on the status of your organization’s account with HHS Accelerator. Registration is required to attend trainings.

If you can’t make a training, you can watch a video or read a guide. Or if you would like individualized assistance, contact us.

Upcoming Trainings

Getting Prequalified in HHS Accelerator (webinar)
This session is designed for organizations that are getting started in HHS Accelerator.

The session covers an overview of the system, how to upload and share documents, guidance on completing the HHS Accelerator Application to become prequalified.

Friday, August 12, 2016 2:00 PM – 3:00 PM

Friday, August 26, 2016 2:00 PM – 3:00 PM

Getting Prequalified in HHS Accelerator with On Site Support
AcceleratorAssist creates a space for providers to receive individual attention on the HHS Accelerator System and the process to get prequalified.

The session begins with an overview of the Prequalification Application and then providers are allotted a generous amount of time to work in the system with guidance from Accelerator staff. Registration is required.

Wednesday, July 27, 2016 9:30 AM – 12:00 PM
Wednesday, August 3, 206 9:30 AM – 12:00 PM
Wednesday, August 17, 2016 9:30 AM – 12:00 PM
Wednesday, August 24, 2016 9:30 AM – 12:00 PM

Competing for Funding Using HHS Accelerator System (webinar)

This session is primarily designed for pre-qualified organizations. Users whose organizations have applications which are nearly complete and are interested in specific upcoming procurements may also participate.

The session covers how to find Request for Proposals and submit proposals.

Tuesday, August 2, 2016 2:00 PM – 3:00 PM

Managing Financials, Budgets, Invoices and Payments in HHS Accelerator (on site)
This training is only for organizations that use HHS Accelerator Financials.

The HHS Accelerator Financials module allows you to electronically submit budgets and invoices for review, start budget modifications, request advances and assignments, and track payments. This comprehensive session will provide you with an overview of each of the system’s capabilities. Please note this training is only for Providers who have been selected by their Agency to use HHS Accelerator Financials. Registration is required.

Thursday, July 28, 2016 2:00 PM – 4:00 PM

Submitting Budgets in HHS Accelerator (webinar)
This training is only for organizations that use HHS Accelerator Financials.

This shorter session is designed for organizations who will be submitting budgets in HHS Accelerator for fiscal year 2017. This session covers how to submit budgets, advances and budget modifications in HHS Accelerator.

Tuesday, August 23, 2016 2:00 PM – 3:00 PM

Submitting Invoices in HHS Accelerator (webinar)
This training is only for organizations that use HHS Accelerator Financials.

This shorter session is designed for organizations with Approved budgets in HHS Accelerator that are ready to use HHS Accelerator Financials to invoice. This session covers how to submit invoices in HHS Accelerator and track payments.

Tuesday, July 26, 2016 10:00 AM – 11:00 AM

  • Prevailing wage. People have inquired how to determine the “prevailing wage” in the HHS Accelerator. Prevailing wages are set by the New York City Comptroller and can be found on p. 19 in this document. For those who want the 2016-2017 answer instantly:

SECURITY GUARD (UNARMED)

For the period: 7/1/2016 – 12/31/2016: $14.30 (hourly wages) + $5.04 (supplemental benefit rate per hour)
For the period: 1/1/2017 – 6/30/2017:   $14.40 (hourly wages) + $5.22 (supplemental benefit rate per hour)

  • Guidelines for hiring a security contractor. This ADL publication raises a number of important issues. Remember, security guard companies on the NYC approved list are required to submit information on their financial resources, technical qualifications,experience, record of performance and record of business integrity. They also must comply with NYS requirements such as licensing and background checks.

 

Nonprofit Security Grant Program 2016 results | NY secures over $5.1M | Special thank you’s to Schumer, Gillibrand, Lowey, Donovan and King

June 29, 2016

Thank you to our champions. They fought for this grant and 70 NY organizations will benefit this year. They are already fighting for the 2017 allocation. Please let Senators Schumer and Gillibrand and Reps. Lowey, Donovan and King and the rest of our delegation know that you appreciate their hard work.

SCHUMER, GILLIBRAND SECURE OVER $5.1 MILLION TO IMPROVE EMERGENCY PREPAREDNESS FOR RELIGIOUS INSTITUTIONS & ORGANIZATIONS IN-AND-AROUND NYC; GRANTS AWARDED TO 66 AT-RISK JEWISH SCHOOLS AND CONGREGATIONS

Schumer and Gillibrand Secured over 25% Of Total Funding For Organizations Based in New York – Out of the Total $20 Million Granted to Awardees Across the Country
The Awardees Include 66 Jewish Educational Institutions and Congregations; The Money Will Help These At-Risk Nonprofits For Security Preparedness
Schumer, Gillibrand: These Schools and Congregations are Vital Parts of our Community and Like Institutions Have Been Targeted Before; We Must Do All we can to Protect all At-Risk Institutions

U.S. Senators Charles Schumer and Kirsten Gillibrand announced today that 66 New York Jewish organizations, includingDHS Nonprofit Security Grant Program Results schools and congregations, and more have received a combined total of $5,172,143 for the 2016 fiscal year as Urban Areas Security Initiative (UASI) Nonprofit Security Grant Program (NSGP) Awardees. The program, run by the Federal Emergency Management Agency (FEMA), awards federal funds to nonprofit organizations that are at a high risk of a national terrorist attack to encourage preparedness efforts.

“Would-be evildoers have previously targeted schools and congregations for attacks and that’s why FEMA’s Nonprofit Security Grant Program is critical in making sure that high-risk organizations like Jewish schools and congregations are safe and protected from terrorist attacks,” said Senator Schumer. “It is especially important for organizations in and around New York City to receive this federal funding, which will go a long way to ensure that they are fully prepared for whatever may happen in the future.”

“New York is the number one terror target in the world, so we must continue to be vigilant, and I’ll continue to fight for every available federal resource to help keep us safe,” said Senator Gillibrand. “New York’s religious institutions and non-profit organizations, including Jewish schools and congregations, are the backbone of our communities. These federal funds through Homeland Security will provide the necessary resources to help keep our places of worship safe and secure.”

The Nonprofit Security Grant Program (NSGP) is run under the Federal Emergency Management Agency’s (FEMA) Urban Areas Security Initiative (UASI). For the 2016 fiscal year, the UASI NSGP was budgeted $20 million. Only eligible nonprofit organizations, as described by the 501(c)(3) tax code of 1986, may apply for this grant. To be eligible, the nonprofit must be at high risk for an international terrorist attack and must be located in one of the designated urban areas throughout the country.

The 66 Jewish organizations that received funding from the New York City-metro area are:

A Ahi Ezer Congregation, Associated Beth Rivkah School for Girls, Inc.
B Babylonian Jewish Center, Bais Ruchel High School, Bais Uvi Grieding, Bay Terrace Garden Jewish Center, Be’er HaGolah Institutes, Beth Gavriel Bukharian Congregation, Beth Jacob Parochial School of Manhattan, Beth Rachel School for Girls, Boro Park Hatzolah
C Cathedral Church of Saint John the Divine, Chabad Lubavitch Community Center of Northeastern Queens, Chabad Lubavitch of Briarcliff Manor-Ossining, Inc., Congregation Aish Kodesh, Congregation Beth Torah, Congregation B’nai Israel, Congregation Bnos Chaya, Congregation Emanu-El of the City of New York, Congregation Khal Adath Jeshurun, Congregation Kneseth Israel, Congregation Machna Shalva, Congregation Mercaz Hatorah of Belle Harbor, Congregation Mount Sinai Anshe Emeth, Congregation Ohel Chabad Lubavitch, Congregation Or Zarua, Congregation Shaari Tefiloh of Kings Highway, Conservative Synagogue Adath Israel of Riverdale
F Foundation for Sephardic Studies dba Bnei Yitzhak
G Good Shepard Roman Catholic Church
H Hebrew Academy of Long Beach, Hebrew Academy of Nassau County, Hebrew Academy of the Five Towns and Rockaway, Hebrew Educational Society of Brooklyn, Hebrew Institute of University Heights dba Hebrew Institute of Riverdale, Hebrew Union College-Jewish Institute of Religion
L Lincoln Square Synagogue
M Magen David Yeshivah, Manhattan Beach Jewish Center, Manhattan High School for Girls, Manhattan Jewish Student Center, Masores Bais Yaakov, Mesivta Ateres Yaakov of Greater Long Island, Mesivta Yeshiva Rabbi Chaim Berlin, Mirrer Yeshiva Central Institute
N North Shore Sephardic Synagogue
R Rabbinical Academy Mesivta Rabbi Chaim Berlin
S Satya Narayan Mandir, Shaare Zion Congregation, Inc., Shulamith School for Girls, Sonia & Max Silverstein Hebrew Academy, St. James’ Episcopal Church, Staten Island Volunteers of Hatzalah, Inc. dba Hatzalah of Staten Island
T Talmud Torah Ohel Yochanan, Talmud Torah Tashbar, Temple Beth Sholom Roslyn Heights, Temple Beth-El of Great Neck, The Jewish Center, The Merrick Jewish Centre, Torah Center of Hillcrest
Y Yeshiva and Mesivta Toras Chaim of Greater NY at South Shore, Yeshiva Ketana of Long Island, Yeshiva Ketana of Manhattan, Yeshiva of Central Queens, Yeshivah of Flatbush, Yeshivat Darche Eres, Young Israel of Kew Gardens Hills, Young Israel of Lawrence Cedarhurst, Young Israel of Oceanside, Young Israel of Scarsdale, Inc.

Latest National Terrorism Advisory System Bulletin

June 16, 2016

16_0615_NTAS_bulletin header

SUMMARY

16_0615_NTAS_bulletin
Click to view a PDF copy of the bulletin.

In December, we described a new phase in the global threat environment, which has implications on the homeland. This basic assessment has not changed. In this environment, we are particularly concerned about homegrown violent extremists who could strike with little or no notice. The tragic events of Orlando several days ago reinforce this. Accordingly, increased public vigilance and awareness continue to be of utmost importance. This bulletin has a five-month duration and will expire just before the holiday season. We will reassess the threats of terrorism at that time.

ADDITIONAL DETAILS

Since issuing the first Bulletin in December, our concerns that violent extremists could be inspired to conduct attacks inside the U.S. have not diminished.

  • Though we know of no intelligence that is both specific and credible at this time of a plot by terrorist organizations to attack the homeland, the reality is terrorist-inspired individuals have conducted, or attempted to conduct, attacks in the United States.
  • DHS is especially concerned that terrorist-inspired individuals and homegrown violent extremists may be encouraged or inspired to target public events or places.
  • As we saw in the attacks in San Bernardino, Paris, Brussels, and, most recently, Orlando, terrorists will consider a diverse and wide selection of targets for attacks.
  • Terrorist use of the Internet to inspire individuals to violence or join their ranks remains a major source of concern.
  • In the current environment, DHS is also concerned about threats and violence directed at particular communities and individuals across the country, based on perceived religion, ethnicity, nationality or sexual orientation.
  • Learn how to recognize signs of pre-operational planning associated with terrorism or other criminal activity.
  • Be prepared for increased security and plan ahead to anticipate delays and restricted/prohibited items.
  • In populated places, be responsible for your personal safety. Make a mental note of emergency exits and locations of the nearest security personnel. Keep cell phones in your pockets instead of bags or on tables so you don’t lose them during an incident. Carry emergency contact details and any special needs information with you at all times. For more visit Ready.

Click here to read and download a PDF copy of the full bulletin.