Security/Emergency Information

Hoax threats can be scary, too.

Update
Over the past several days there were bomb threats to Jewish institutions reported in Delaware, Florida, Georgia, Maryland, New Jersey, New York, Pennsylvania, South Carolina, and Tennessee. Most of the institutions immediately called 911 and chose to evacuate their facilities until a bomb sweep was conducted. All of the reported threats were unfounded.

Who’s behind it? No one knows yet, but federal and local authorities are investigating. We do know that White Supremacist Extremists, followers of foreign violent extremists and others share a history of targeting faith-based communities in the U.S.

Should we be worried? At this time the experts conclude that the series of incidents referencing threats against schools, Jewish facilities and businesses likely do not represent a credible terrorist threat for two reasons:

  1. terrorists’ rarely provide operational insight into their planning, and
  2. the fact that nearly all hoaxes in the United States are conducted by criminal actors or those instigating a nuisance prank.

Due to the common occurrence of bomb threats across the country over the last few years, the experts judge malicious terrorism hoaxes such as bogus emails and phoned-in threats, including robo-calls, will almost certainly continue, diverting resources as they create disturbances and send false alarms. However, don’t become blasé. Someone might take advantage of the hoaxes to accomplish a real attack.

What should we be doing? Consider these incidents to be a teaching moment. How would your organization handle such threats.

  1. Know what you should do. Have a bomb threat plan before an incident happens.  For starters, check out DHS’ Bomb Threat Guidance and Introduction to Bomb Threat Management. Add JCRC-NY’s post, Manhattan bomb threat: lessons learned to your reading list. Now is a good time to review, or to think through your own plans. Our own Emergency Planning: Disaster and Crisis Response Systems for Jewish Organizations has a longer chapter discussing the issue.
  2. Train your phone answerers. Everyone answering the phone (including those who might answer) should be taught how to handle a phone threat with this checklist. Have copies of the bomb threat checklist posted nearby.
  3. You have to communicate.
    • First things first. Call 911. Bring in the cavalry…ASAP. Whether you think the incident is real or a hoax, contact the experts and defer to them. Have a system (with primary and backup callers) that ensures that someone calls 911 immediately. Remember, don’t use a cell phone or walkie-talkie in the area of a suspicious package … you might set it off. Get to your landline.
    • Get the word out. Even if your people know what to do (i.e., you’ve conducted bomb scare drills) you have to let them know that they have to do it. Does your building have a public address system? Do you have cell phone numbers for all of your staff so that you can text them with updates? Can you modify your fire alarm system so that it sounds a distinctive signal for a bomb scare?
    • Let your constituencies know what’s happening. Bomb scares create angst and the possibility of physical danger, but there is the potential for risk to your reputation. No one wants a parent to learn about an incident from the media. Have pre-written messages ready for distribution directly to your constituencies (e.g., by text) stressing the steps you’ve taken and that everyone is safe. Have a point of assembly where worried parents can go for additional information from your best staffers. Work with the police to direct people to the appropriate areas. Do not post specifics on social media.  Click here for resources on crisis communication.
  4. Decisions, decisions. Have someone in charge (and a backup). OK, you receive a threat, now what? Certainly, dial 911, but should you evacuate or not (might someone use a bomb threat in order to trigger an evacuation setting up an active shooter or vehicle ramming?)? In reality there is no perfect answer to this question. Someone has to give the order and there will be no time to waste.
  5. Know where to go. If you decide to evacuate out of an abundance of caution you probably don’t want to stand in the street, especially if the weather is bad. Do you have an agreement with a neighboring institution that allows you to bring people into their facility. By doing so you can keep your people warm and dry and out of harms way.
  6. Keep unused parts of your building locked. It’s good practice to have your staff check your facilities daily, looking for something that “Just Doesn’t Look Right”. As they move through the rooms they should lock the doors. Closets and other storage areas should be kept locked. If you develop such procedures and do receive a bomb threat, the bomb sweep of your building can be accomplished faster.
  7. Consult your leadership about security plans. There will always be Monday morning quarterbacks, but a review of your plans at the Board level should empower those making difficult decisions under duress. As they say, “once is not enough.” Revisit security planning and procedures on a regular basis.

How can we know if the threat is real? The intelligence firm, Stratfor, recently published an article: How to distinguish a bomb threat from a bomb warning. The experts suggest some other possible indicators of a hoax:

  • Most genuine bombers wouldn’t specify the exact timing and target of an attack (since providing that information would jeopardize the success of an event);
  • Most genuine bombers wouldn’t use threats with complex scenarios involving chemical weapons or other advanced capabilities, or cite geographically dispersed targets; and
  • Most genuine bombers wouldn’t use threats involving large numbers of operatives.

Remember, there are no guarantees in security. You will have to weigh the options and make the best decisions possible. If you’ve thought about the options and have made decisions ahead of time, the odds of making the right decision increase dramatically.

Awareness 101: When it “Just doesn’t look right”

Regularly check around your facility for anything that "Just doesn't look right"

Regularly check around your facility for anything that “Just doesn’t look right”. Shown is a car parked in a “No Parking” zone with strange wires.

Experts note that terrorist attacks don’t appear out of thin air. In virtually every situation (and that includes active shooter events) an attacker practices “pre-operational surveillance.” More mundanely, they “case the joint” or just show up to observe, orient themselves to the situation and to decide how they will act during their attack. When suspect behavior is reported (1-888-NYC-SAFE) it can be investigated and an attack can be interrupted.

Determining that it “Just doesn’t look right”

The NYPD Intelligence Bureau just released some excellent guidance. Its primary focus is to help detect suspicious signs along special event routes (e.g., parades) or areas designated for large-scale public gatherings (e.g., demonstrations, celebrations, street fairs, etc.), but can apply to houses of worship, schools, community centers and other gathering points. The following examples of activity, though not fully inclusive, may be of possible concern to law enforcement (Click here for a PDF of the NYPD Indicators of Terrorist Activity guidance):

  • The appearance of a suspicious vehicle (including bicycles with a storage basket; motorcycles; utility storage boxes, etc.) parked near the area designated for the event to take place. Items left for a protracted period of time and disregarded.
  • Actions by an individual that suggest the pre-event videotaping or still photography of the route or location (and surrounding area) for no apparent reason (i.e., no aesthetic value). Sketching of the area e.g., cross streets, access streets into and out of the area.
  • Any request to videotape from a roof or a vacant unit/apartment overlooking the event venue.
  • The sudden appearance of a new street vendor in an area adjacent to the event route, the venue’s access doors, or gathering location.
  • Unclaimed or suspicious packages/objects found along the special event route/location.
  • Individuals sitting or standing at a bus stop and not boarding a bus; Individuals sitting at a particular location (e.g., park bench) at the same time each day for numerous days.
  • The very. recent placement of a garbage can, postal mailbox, newspaper kiosk or other stationary object along the special event route/location.
  • Recent attempts by unknown individuals to gain access to your building’s roof overlooking the parade route/special event location/venue.
  • Inquiries about short-term rental of an apartment or space above your store/business – or in your residential complex — that also happens to offer a view of a parade route or special event location. (Terrorist operatives will often cohabitate to facilitate operational planning.Additionally, they may attempt to position themselves in an area that will ease their surveillance of potential targets.)
  • Large plastic drums being stored inside a building (commercial or residential space).
  • Reports of small fires or smoke conditions being reported from a particular store or apartment.
  • Suspicious inquiries by unknown individuals regarding:
    • The security measures anticipated for the event (e.g., extensive questioning as to
      the searching of backpacks, stopping of vehicles, etc.)
    • The seating of public officials, dignitaries, or other VIPs at an event.

Ransomware: Lessons learned

Don’t say that we didn’t warn you (see here, here and especially here). Here’s a tale about a synagogue in the NYC area, but it could happen to anyone.

In mid-November the rabbi’s secretary was going about her business on the shul computer. Whether she was duped to click on an infected popup advertisement or she visited an infected website the damage was done. What we do know is that this ransom note appeared on her screen:

ransomware-warning

Then the panic. The note was accurate, they were locked out of the shul’s only computer. What should the shul do?

  • They couldn’t get to their Quickbooks.
  • They couldn’t get to their member software.
  • They couldn’t get to the file with the Yahrzeits.
  • They couldn’t get to their record of Kol Nidre pledges

Some computer-savvy members tried various tools, but no luck. The problem was eventually brought to the synagogue board and a hearty debate followed. Would they just be paying a ransom and get nothing in return (See the FBI guidance here)?  Finally, the vote was to pay the ransom, 3 bitcoins (almost $2,400).  Fortunately, the thieves were relatively honest. The synagogue’s files were decrypted and they could recover their data. Many other victims pay, but their computers remain locked.

Lessons learned

People, there’s nothing new here. Check out JCRC-NY’s Cybersecurity Resources page and our cybersecurity blog posts. This episode is an expensive reminder that it’s crucial to practice good cyber-hygiene.

  1. Backup, backup, backup. There is no excuse. External thumb drives and hard drives are cheap. Buy one and take the time to configure the backup program so that it automatically, regularly keeps critical data safe. There are many free or low-cost cloud options. Backup to Google Drive, Dropbox or a cloud server provided by your anti-virus/backup program. The data in some shul membership management programs are automatically saved to the cloud which may even be monitored by full-time cybersecurity staff. Finally, more than one backup (e.g., one onsite, one offsite or in the cloud)  is better than one … one is better than none.
  2. Keep your anti-virus software up-to-date. The bad guys are smart and they’re getting smarter. Somehow, the bad guys got the rabbi’s secretary to click on the infected link. Our poor synagogue had anti-virus software, but it was a year out-of-date (duh, it turns itself off).  Most of the better anti-virus programs are updated constantly and will probably stop a ransomware attack before your data is seized. Buy a license that will protect all of your computers. (see bargain software rates for nonprofits at Techsoup).
  3. Have strong passwords and record them. Whoever set up the synagogue’s computer did follow “best practice” and didn’t give the users “Administrator” access (pardon the techy-talk). The trouble was that no one knew that password so the consultant who assisted the synagogue had to get permission from the board to reset the password before she could revive the computer. Click to https://www.lockdownyourlogin.com/ for the latest guidance on passwords.
  4. Beware of residual “bread crumbs”. Some ransomware leaves malware on a computer so that the bad guys can re-infect the computer. After all, you paid once, won’t you pay again? Once you have recovered the encrypted files, use multiple products to scan your computer: first your new, up-to-date anti-virus program, then a some others (the trial or basic versions are available free online) such as Malwarebytes, CCleaner, SUPERAntispyware, to name a few. There is no perfect solution. Each may find something that the others missed.
  5. Cybersecurity is a board responsibility. The incident was an expensive lesson. When no one on staff has computer skills, the board has a fiduciary responsibility to make sure that the staff know the basics of cyber-hygiene: the software is being updated, the backups are made, the anti-virus programs are working.

Finally, kudos to JCRC-NY’s outside computer maven from Dragonfly Technologies, who dropped everything to travel to the shul and spent many hours into the night to get them back in business and up-to-date.

Attacks on Jews in the U.S. 1969-2016

From: Terrorist Incidents and Attacks Against Jews and Israelis in the United States, 1969-2016, Community Security Service

From: Terrorist Incidents and Attacks Against Jews and Israelis in the United States, 1969-2016, Community Security Service.

Take a look at the important new CSS publication, Terrorist Incidents and Attacks Against Jews and Israelis in the United States, 1969-2016by our talented, good friend, Yehudit Barsky, with a forward by another friend, Mitchell D. Silber. The publication supplements the JCRC’s own Selective Threat Scan which was designed to assist Nonprofit Security Grant Program applicants complete the “Threat” and “Consequences” sections of the Investment Justification.

Here’s the Executive Summary of the document which aligns with JCRC’s ongoing advice:

It is vital that the American Jewish community, together with our law enforcement partners, learn the lessons of the past, understand the nature of the challenges arrayed against it, and take the proper precautions to ensure that violent acts against Jews and Jewish institutions can be prevented in the future.

  • Jewish targets often serve as precursors to larger attacks: Perpetrators of well-known larger attacks, such as the 1993 World Trade Center bombing, were first involved in anti-Jewish incidents.
  • Awareness is critical: In many of these incidents, perpetrators conducted pre-operational surveillance. Training and engagement of community members to detect suspicious activity is thus essential.
  • A need to invest in community security infrastructure: The Jewish community can ill afford passivity and apathy against security threats. The community should broaden its understanding of what effective security entails, and invest in initiatives that provide tangible results. Foremost amongst these strategies is ensuring community members have the training and capacity to assist in securing their own communities, and partnering more closely with law enforcement agencies.

Unfortunately, much as we do not care to admit it to ourselves, the threats are real; there have been too many incidents to deny that. Now in the second decade of the twenty-first century, we find ourselves in an era where those who promote anti-Jewish rhetoric and instigation have the technical tools to reach a broader audience in less time than ever before. In fact, as recently as March 2016, the Islamic State in Iraq and Al-Sham (ISIS) publicly encouraged its followers to attack Jews and their allies, “wherever they find them.”

It is vital that the American Jewish community, together with our law enforcement partners, learn the lessons of the past, understand the nature of the challenges arrayed against it, and take the proper precautions to ensure that violent acts against Jews and Jewish institutions can be prevented in the future.

Click here for the full report.

Armed or unarmed security, what’s best?

The answer is, it depends. The question comes up at almost every one of our security training sessions. Honestly, there are both advantages and disadvantages of either option. Guns and Security: the Risks of Arming Security Officers in the December issue of Security Management (a publication of the security industry trade association, ASIS) discusses many of the issues that must be considered.

Each organization must carefully weigh the pluses and minuses themselves, as applied to their building, their constituencies and their culture. Since this decision could possibly affect your brand, your reputation and/or your liability, it is advisable to include your board of directors in the decision. If your organization is leaning towards armed security, we suggest four “best practices”:

  1. Hire any armed security guard on the basis of their experience, training and judgement rather than their weapon. If you hire e.g., an off-duty/retired law enforcement officer, you are hiring much more than their gun.
  2. Deploy armed guards as one element of a multi-layer security plan. If a determined intruder is targeting a specific institution, a solo guard (armed or not) may become the first, unfortunate target without any opportunity to even his/her weapon.
  3. Contract with an outside firm. Given the documented risks associated with armed guards (outlined in the Security Magazine article), consider contracting with an independent vendor and make sure that they are responsible for the supervision of armed guards, all aspects of the armed guard’s ongoing training and compliance with governmental training, licensing and other requirements.
  4. Discuss your decision with your insurer. Whether the armed guard is, or is not, your employee you may have some liability and/or named in any lawsuit. Make sure that your insurer knows about your decision and that your are appropriately and adequately covered. (n.b., Some institutions employ an outside security consultant to manage their employees. A discussion between the security consultant and the insurer may assuage the concerns raised by the insurer).

NYPD does have a Paid Detail Unit which provides officers to perform off-duty, uniformed security work within New York City for approximately $45/hour.  Click here for more information and contact details. Of course, the above recommendations still apply.

Quick tips: What should your guard(s) be doing?
no-potted-plantGuards should not be merely uniformed potted plants adorning your lobby. Rather, they should be an important and active component of your overall security plan.

If you have a single guard, his/her logical priority is access control (see our suggestions on how to develop an access control policy here). At the same time, don’t lose sight of other important functions, including:

  • Vigilance. While they are on duty they can observe what is going on outside your building and monitor CCTV, possibly leading to the early detection of hostile surveillance or imminent hostile acts. See our suggestions for detecting hostile surveillance here.
  • Walk-arounds. Remember the Chelsea bombs? They were hidden in a trash container and a suitcase. If someone planted a device in your garbage can would anyone find it? One best practice is to have your guard tour your facility, inside and out, looking for something that “Just doesn’t look right”.
  • Notifications.Your guard should be given defined protocol and procedures if something “Just doesn’t look right” : who to notify (e.g., senior staff, general alarm), how to act and what else to do.
  • Crisis management. A well trained guard should be able to follow the protocols and procedures defined by you. They should be able to support responses such as bomb threats, evacuations and/or sheltering-in-place.

The security management industry calls instructions for guards, “post orders” which clearly outline the duties, responsibilities, and expectations of security guards. For example, your post orders should clearly set forth your access control policies and define the areas of your property that should be included in a walk-around and their time and frequency (e.g., upon arrival and upon returning from lunch).