Security: High Holidays 5780

September 03, 2019

Thinking High Holiday Security & Preparedness

After a year that included the horrible events of Pittsburgh and Poway, JCRC-NY recommends that Jewish institutions increase their levels of vigilance. This is especially true during the High Holidays, when people know that Jews congregate. Synagogues should review this document, ADL’s Security Recommendations For the High Holidays or SCN’s High Holy Days Security Planning. For more information click to our contact form here and someone will get back to you.

Your services are usually associated with larger than normal crowds and could be an attractive target for terrorism and other crimes. The single, most important step that congregations should consider: screen all attendees before they enter your premises. Your screeners (who might be equipped with a “panic button” to be used if there’s an emergency) may assess those with valid, High Holiday tickets as “pre-screened” (see “Ticket sales” below) so that any others merit a higher level of scrutiny. Trained guards, staff, or volunteers should conduct screening. Consider bag checks.

Hm-m-m-m-m. Any special planning for severe weather?

Here are some additional suggestions:

  • Create a culture of security. Institutions should not merely subcontract security. Even buildings with well-trained security personnel should expect that staff and constituencies should be part of the security equation. Everyone should have heightened vigilance in times like these. For tips on security awareness, see Indicators of Terrorist Activity from the NYPD and/or the ADL’s Guide to Detecting Surveillance at Jewish Institutions.
  • Connect with your local police. Someone (or more than one) should have ongoing personal relationships with key police personnel. They should know you, your building and your organizational activities.
    • Discuss your security procedures with them and ask them for suggestions for improvement. Inform them of the dates and times of your services, regular events and special events.
    • Special attention is given to a synagogue based on an assessment of the current threat balanced by the availability of resources. In some jurisdictions it is a longstanding practice to assign police personnel to synagogues during services. In others, patrol cars are directed to visit synagogues at regular intervals. Discuss your situation with local police officials as soon as possible so that they have time to make their assessments and to secure the resources that they need to protect you.
    • In some instances, the traffic conditions surrounding services warrant police attention.
  • Private security. Some police departments allow private parties to hire off-duty officers in uniform for events (in NYC, contact the Paid Detail Unit). Others use other off-duty officers (hired privately or through a security firm) or retired officers, or hire private security guards.
    • Security guards must be trained in security awareness, understand your environment, be in harmony with your organization’s culture and be customer-service-oriented. You must clearly detail what is expected of your security guards, including specific duties, inspection of your facilities and your access control policy. (See more at the JCCA Security Readiness Manual, pp. 50 ff.)
    • Check that your security firm is appropriately insured and ask for a Certificate of Insurance naming your synagogue as an additional named insured.
  • Revisit and review your security plans and procedures.
    • Access control. Did you hear the one about a pro-Israel organization visited by a middle-aged, well-dressed woman saying that she wanted to make a contribution? They opened the door for her and a dozen protesters rushed in. Nine of the invaders were arrested. Are you vulnerable to such antics? Take the time to review your access control procedures. For more information and guidance, see JCRC-NY’s Sample Building Access Policies & Procedures (PDF).
    • Active shooters. Have a plan and train your staff and key volunteers on its implementation. See JCRC’s dedicated active shooter webpage here.
    • Bomb threats. Review your bomb threat procedures and make sure that your staffers (especially those who answer the phones) know what is expected of them. For a range of resources from top agencies, including FBI and DHS guidance, click here.
    • Train your staff and key volunteers. It might not be practical to have evacuation/active shooter drills for your entire congregation before the holidays, but do conduct drills for your staff and key volunteers (e.g., ushers, area captains) as soon as possible. Get their feedback on your plans and update the plans as necessary.
    • Suspicious packages. Is your staff aware that they should be on the lookout for suspicious packages? For USPS guidance click here.
  • Assess your cybersecurity. Over the past month the websites of several Jewish-affiliated organizations were hacked. Protect your organization. See Cybersecurity for Jewish organizations 101: an update and how to have inexpensive and effective backup and other plans at Resources to prepare your organization’s technology for a disaster.
  • Questions? Click here to send questions, comments and suggestions.

Click here for an expanded PDF version of the JCRC-NY High Holiday Planning Thinkplate 2019. 

Ransomware strikes close to home

August 22, 2019
Photo credit: WFTV News

Today, the New York Times reported that “This has been the summer of crippling ransomware attacks” to all types of computer systems. Not only have 40 municipalities been struck — their data encrypted and a ransom demanded — but last week there was a report of another synagogue ransomware attack investigated by the FBI.

Cyber-hygiene. If you look closely at the screenshot above, you will see a pop-up from the anti-malware provider Malwarebytes, stating that its database is out of date (Oops!). What should you be doing to ensure a good cyber-hygiene regimen (see a longer article from Symantec here)? What can you do to protect your data?

  • Deploy an antivirus/anti-malware product. An up-to-date, real-time antivirus might stop a cyber-attack.
  • Backup. Make sure to back up your important documents and keep a backup set offsite (in case of fire, etc.). There’s no excuse. These days, cloud backups are free or low-cost and you can automatically sync documents to your cloud account.
  • Update, update, update. It’s a constant battle. Bad actors learn how to sneak into our systems to do bad things. Software providers constantly provide security patches designed to close the open doors that bad actors use. Update your operating systems (Windows or Mac), browsers, remote management software, Adobe products, Microsoft products, firewalls — everything. True, updates sometimes cause problems, but not updating leads to worse problems.
  • Use a firewall. Firewalls are the guards designed to protect your network from the internet. Whether you have a hardware or software firewall, it is critical that you keep it up to date.
  • Set strong passwords and use two-factor authentication. People still use easy-to-guess passwords like, “Welcome123”, fail to change default passwords, or use the same password for multiple sites. Check out password tips from Google here. Check out a good primer from PC Mag, Two-Factor Authentication: Who Has It and How to Set It Up.
  • Before you pay a ransom ask for help! Contact the DHS Cybersecurity and Infrastructure Security Agency (CISA), the FBI, or the Secret Service and work with an experienced advisor to help recover from a cyber attack. Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.

Consider cyber-attack insurance. Cyber-attacks can be costly. Even if you are following all of the steps recommended above and have current backups of everything, you may still be attacked and getting back to business may be costly. A compromised computer or network will have to be restored. If there is a data breach and your members’ confidential data is compromised, other steps will have to be taken. Work with your insurance broker to determine what it would cost to recover from a cyber-attack versus the cost of the policy and do a cost-benefit analysis.

Note: Membership records. The synagogue was lucky: its membership data is stored in the cloud (e.g., Chaverware, ShulCloud). Most of the established synagogue management software stores data online, encrypts it and backs up its database. User agreements should specify that it is the vendor’s responsibility to protect your data and to be prepared to quickly restore it.

For more information visit the CISA Resource Page on Ransomware.

 

Reminder: Safeguard Against Ransomware Attacks

July 31, 2019

In light of the increasing number of reports of ransomware attacks against government data, DHS and its partners issued the following statement. The three steps to resilience are good advice for all of us to implement.


CISA, MS-ISAC, NGA & NASCIO RECOMMEND IMMEDIATE ACTION TO SAFEGUARD AGAINST RANSOMWARE ATTACKS

Take the First Three Steps to Resilience Against Ransomware for State and Local Partners

WASHINGTON – July 29, 2019 – The recent ransomware attacks targeting systems across the country are the latest in a string of attacks affecting State and local government partners. The growing number of such attacks highlights the critical importance of making cyber preparedness a priority and taking the necessary steps to secure our networks against adversaries. Prevention is the most effective defense against ransomware.

The Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) are committed to supporting ransomware victims and encouraging all levels of government to proactively protect their networks against the threat of a ransomware attack. Today, we call on our State, local, territorial and tribal government partners, along with the wider cyber community, to take the following essential actions to enhance their defensive posture against ransomware. Through this collective action, we can better protect ourselves and our communities, and further advance the cyber preparedness and resilience of the Nation.

Three Steps to Resilience Against Ransomware

Back-Up Your Systems – Now (and Daily)

Immediately and regularly back up all critical agency and system configuration information on a separate device and store the back-ups offline, verifying their integrity and restoration process. If recovering after an attack, restore a stronger system than you lost, fully patched and updated to the latest version.

Reinforce Basic Cybersecurity Awareness and Education

Ransomware attacks often require the human element to succeed. Refresh employee training on recognizing cyber threats, phishing and suspicious links – the most common vectors for ransomware attacks. Remind employees of how to report incidents to appropriate IT staff in a timely manner, which should include out-of-band communication paths.

Revisit and Refine Cyber Incident Response Plans

Agencies must have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed. Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA and the MS-ISAC, in the event of an attack.

Additional Resources

After implementing these recommendations, refer to the ransomware best practices published by CISA, MS-ISAC, NGA, and NASCIO for additional steps to protect your organization.

###

Cyber attacks increase, what can you do?

July 24, 2019

Cybersecurity Best Practices

The following is a list of best practices designed to keep individuals and their data safe when connected to the internet.

EMAIL SECURITY

  • Avoid opening emails, downloading attachments, or clicking on suspicious links sent from unknown or untrusted sources.

  • Verify unexpected attachments or links from known senders by contacting them via another method of communication.

  • Avoid providing your email address, phone number, or other personal information to unknown sources.

  • Avoid providing sensitive information to anyone via email. If you must, be sure to encrypt it before sending.

  • Be skeptical of emails written with a sense of urgency and requesting an immediate response, such as those stating your account will be closed if you do not click on an embedded link or provide the sender with sensitive information.

  • Beware of emails with poor design, grammar, or spelling.

  • Ensure an email’s “sender name” corresponds to the correct email address to identify common email spoofing tactics.

  • Never open spam emails; report them as spam, and/or delete them. Do not respond to spam emails or use included “Unsubscribe” links as this only confirms to the spammer that your email address is active and may exacerbate the problem.

PASSWORDS AND MULTI-FACTOR AUTHENTICATION


Use strong passwords on all of your accounts.  

  • Long, complex passwords make you less susceptible to brute-force attacks.

  • Use a combination of upper and lowercase letters, numbers, and special characters.

  • Avoid easy-to-guess elements like pets’ names, children’s names, birthdays, etc.

To reduce the risk of account compromise, account holders should:

  • Avoid using the same password across multiple accounts or platforms.

  • Never share their password with anyone, leave passwords out in the open for others to read, or store them in an unsecured, plaintext file on computers or mobile devices.

  • Consider using long acronyms or passphrases to increase the length of your password.

  • Enable two-factor authentication (2FA) or multi-factor authentication (MFA) on all accounts that offer it. This will help prevent unauthorized access in the event of credential compromise.

ON THE WEB

  • Ensure any websites requesting the insertion of account credentials and those used to conduct transactions online are encrypted with a valid digital certificate to ensure your data is secure. These website addresses will have a green padlock displayed in the URL field and will begin with https.

  • Avoid saving account information, such as passwords or credit card information, in web browsers or browser extensions.

  • Avoid using public computers and public Wi-Fi connections to log into accounts and access sensitive information.

  • Consider using ad-blocking, script-blocking, and coin-blocking browser extensions to protect systems against malicious advertising attacks and scripts designed to launch malware or mine cryptocurrency.

  • Sign out of accounts and shut down computers and mobile devices when not in use. Program systems and devices to automatically lock the active session after a set period of inactivity.

DEVICE SECURITY

  • Keep all hardware and software updated with the latest, patched version.

  • Run reputable antivirus or anti-malware applications on all devices and keep them updated with the latest version.

  • Create multiple, redundant backups of all critical and sensitive data and keep them stored off the network in the event of a ransomware infection or other destructive malware incident. This will allow you to recover lost files, if needed.

New DHS resource guide and mail screening poster

June 04, 2019

New resource guide. Take a look at DHS’ new resource guide, Security of Soft Targets and Crowded Places. It’s essentially a one-stop table of contents for DHS’s free materials, including links for help on identifying suspicious activity, access control and screening, active assailants (they’re not just shooters anymore) and bomb threats. Follow the supplied links for an introduction to facility security that can serve as a good first step for houses of worship, schools and other soft targets. Resources include fact sheets, guidance, and online training and education courses.


Mail screening poster. Thanks to the world’s leading geopolitical intelligence platform, Stratfor, for its timely reminder about mail and package screening after an attempted bombing.

  • While many questions remain in the case of a parcel bomb sent to a Mexican senator, the largest is why the mail of such a high-level official was not screened.
  • While politicians and large corporations clearly must take significant measures to screen their mail, even ordinary people (and Jewish organizations) should open their mail cautiously.
  • Simple steps can help everyone from the largest entities to the average citizen.

Note that Cesar Sayoc, 57, admitted in court to having mailed 16 explosive devices to a variety of officials and to CNN’s offices in October 2018. He allegedly said he would “eradicate the Jews” if he had the power to, along with lesbians, black people and Hispanic people.

We urge you to download the tips found on the Stratfor graphic and share it with your staff and others.

Security at the Celebrate Israel Parade

May 24, 2019

 

Remarks by

Deputy Commissioner for Intelligence & Counterterrorism
John Miller

May 23, 2019

The Celebrate Israel Parade is an important, annual event in New York City.  The NYPD and our law enforcement partners work with the parade’s producer, the Jewish Community Relations Council, to try to ensure that every participant and spectator will be safe. There will be a large detail of NYPD officers protecting the participants and spectators, supported by an array of counterterrorism tools and measures designed to ensure everyone’s safety. 

The NYPD works with the FBI and has over a hundred detectives assigned to the Joint Terrorism Task Force (JTTF). The NYPD closely monitored the progress of the Jonathan Xie investigation, culminating with his arrest Wednesday in New Jersey. I can add that as of this time, there are no known, specific, or credible threats to New York City, the parade, or the Jewish community.

NSGP: Updated JCRC-NY Tutorial

May 01, 2019

From NY DHSES

Click here for the JCRC-NY updated Investment Justification tutorial.

From the NY DHSES FAQ’s

Question: What makes a strong Investment Justification?
Answer:

  • Clearly identified risks, vulnerabilities and consequences;
  • Description of findings from a previously conducted vulnerability assessment;
  • Details of any incident(s) including description, dates, etc.;
  • A brief description of any supporting documentation (such as police reports or photographs) that is submitted as part of the application, if applicable;
  • Explanation of how the investments proposed will mitigate or address the vulnerabilities identified from a vulnerability assessment;
  • Establish a clear linkage with investment(s) and core capabilities (See National Preparedness Goal); see http://www.fema.gov/national-preparedness-goal for information on core capabilities;
  • All activities proposed in the application are allowable costs per the FY 2019 NSGP RFA;
  • Realistic milestones that consider the Environmental Planning and Historic Preservation (EHP) review process, if applicable; and
  • Description of the project manager or managers’ level of experience.

NYC School Security Guards Reimbursement: bridge loans

April 25, 2019

Qualifying New York City nonpublic elementary and secondary schools with an enrollment of more than 300 can be reimbursed for the cost of certain security guard services (see the Final Adopted Rules for the program). They must “prequalify” online using the HHS Accelerator. Eligible schools should have already received a notice from NYC.

Note: The NPS Program 2019-2020 application filing period is open as of March 1, 2019 and will close on May 15, 2019.

New! Worried about cash flow? Interest-free financing is available for NYC-area projects/expenses covered by security grants, including this program. These loans are intended to ensure that cash flow timing issues do not prevent qualified organizations from applying for security grants. For more information, see: https://hfls.org/loan-programs/security-infrastructure-loans/.

Do not delay. After completing the HHS Accelerator you will be contacted about signing a Memorandum of Understanding (MOU). A qualified nonpublic school will not be eligible to apply for reimbursement for any security services until an MOU has been signed by the school and registered with the Comptroller. Only expenses incurred after the signing of the MOU will be reimbursable.

Please reach out to the DCAS Nonpublic School Security Reimbursement Program at 212-386-0040 or ContactDCAS@dcas.nyc.gov if you have any questions.

Contact Information

Mailing Address:

New York City Department of Citywide Administrative Services
Attn: Nonpublic School Security Reimbursement Program
1 Centre Street, 17th Floor North
New York, NY 10007

Telephone:

Schools: 212-386-0040
Security Vendors: 212-386-0428
Fax #: 646-500-7142

Email:

You can email the Nonpublic School Security Reimbursement Program for more information.

NSGP: More on contracted security guards

April 25, 2019

Updated April 25, 2019 | U.S. DHS posted its Fiscal Year 2019 Nonprofit Security Grant Program (NSGP) Notice of Funding Opportunity (NOFO). We are reviewing the materials and have identified two key changes:

  • Grant amount. The maximum award this year will be $100,000.
  • Stacking the deck for new applicants. This year 10 bonus points will be added to the scores of organizations that never received NSGP funding. This effectively gives a serious advantage to newbies.
  • Security guards. Hiring of contracted security personnel is now allowed under this program (see the FEMA update here).
    • Note: Recipients of NSGP funding may use the grant to pay for contracted security personnel over the entire three year period of the grant. However, grantees should not assume that they will be successful applicants (you might not win a grant or this program may not exist in coming years) so you must be able to sustain this capability in future years without NSGP funding.
    • NSGP funds may not be used to purchase equipment for security guards. These costs should be classified as organization costs.
    • Subrecipients (grantees) may not use NSGP funding to hire full or part-time employees that will be placed on a nonprofit’s payroll.
    • Rob Goldberg of JFNA reports, after speaking with FEMA, that the blanket waiver WILL be in place and interested subrecipients may now request up to 100% of their total award towards the cost of contracted security personnel.
    • JCRC comment: Make a case for security guards through an identified vulnerability included in your assessment (e.g., failure to review or monitor CCTV recordings for possible instances of hostile surveillance, inadequate access control measures, and/or the lack of security guards during all hours of operation) and add “Contracted security guards” as an “Item to be purchased” in IV. Target Hardening (Note: there is no AEL number for Contracted security guards).

A case can readily be made for additional contracted security guards, additional hours or an upgrading replacement (e.g., unarmed to armed) of the existing guards.

Finally, we think that it is appropriate to remind you that security guards are no panacea. Security planning should entail a well-considered mix of personnel, plans, procedures, training, drills and exercises and security hardware. The judges tend to look at your assessments to see if you are addressing the most important vulnerabilities.

  • Investment Justification. At first glance we don’t see any changes in the 2019 Investment Justification. Download it here.
  • Timing. We estimate that the submission deadline for NY organizations will be mid-May. We will be producing and posting our tutorial material this week, but will schedule a webinar — with an opportunity for questions — after Pesach.

The New York Division of Homeland Security and Emergency Services (NY DHSES) posted its New York-specific Request for Applications here. Check their site and ours for updates.

The guidelines and the paperwork seem to closely track the FY 2018 guidelines (with the exception of security guards), so if you have been drafting your applications based on our existing help you will be in very good shape.