Cybersecurity for Jewish organizations 101: an update
Two years ago the websites of many Jewish organizations were hacked during Israel’s Operation Pillar of Defense. JCRC-NY and ADL (thanks to the ADL for some of the suggestions below) have noted some new attacks against Jewish community websites allegedly motivated by the ongoing conflict in Israel. Hacker groups claiming affiliation to Anonymous, the hacker collective, have attacked and defaced the websites for U.S. based Jewish institutions as well as Israeli government and business websites.
There may be an increase in the frequency and scope of attacks against Jewish websites. Jewish institutions should review their security procedures, including:
Website. Have your website hosted with a professional web hosting company rather than having it reside on an institutional server or a member’s home computer. Contact your institution’s Internet Service Provider (ISP) and/or website hosting company to discuss what measures are in place to protect your website and its content and what steps should be taken in case of an incident.
When deciding on a web host and ask them:
- whether they install security patches on a regular and timely basis;
- how often they make active backups of hosted websites (you should have a current back-up version of the relevant website and establish a periodic policy of taking snapshot backups — e.g., on a weekly basis, in no case should the period be longer than a month).
- what security measures do the hosting company use to prevent Denial of Service (DoS) attacks and unauthorized Website access.
- if they have a disaster recovery procedure that includes someone available as a 24/7 point of contact for emergencies.
Remove any personal information (e.g., personal email, Facebook pages, Twitter handles, home addresses and phone numbers) from organizational websites wherever possible. Website administrators should review website server logs for unusually high visitor activity or visitors from unusual locations and alert their ISP or hosting company immediately.
Passwords. As with institutional email addresses, an effort should be made to limit and control the number of people Website administrator or Webmaster permissions and policy for strong passwords and a schedule for changing passwords.
- Administrator passwords must be changed periodically (at least every two months). Passwords must be complex, i.e., contain both alpha and numeric characters and have at least one case change. Ideally, they should also contain at least one “special” (non-alpha/numeric) character. Staff names should never be part of any password.
- You can find tips to create strong passwords and a utility to check the strength of a potential password here.
Social networks. Social networking pages are also vulnerable and should be monitored regularly. In addition, wherever possible, institutional staff should remove information about their affiliation with the institution from personal social media pages. See these tips on socializing securely.
ADL is in contact with many of the major Internet and social networking companies. Facebook pages for Hamas and hacker groups have already been removed from the Internet and we will continue our efforts.
Computer systems. Be aware of who has access to their computer, the permissions granted to each account, who has system administrator authorization and who assigns passwords.
- To the extent possible, financial records should be segregated from membership data and other documents. Many programs allow users to encrypt data, further protecting the confidentiality of constituents. Of course, passwords become critical elements of your data protection efforts.
- It is always prudent to have active and up-to-date firewall, anti-virus and threat detection software.
Phishing. Remind institutional staff and key members to be wary of attachments to emails. Computer criminals are adept sending emails from people that you know (often victims of prior phishing attacks) to lure you into a sense of false security. See specific tips and more at Lots of phishing going on: Stop, think, click.
System Intrusion. Computer system intrusion can happen in a variety of ways: access in an unauthorized manner, by an unauthorized user, internally by a member of the institution or externally by the public.
- Advanced software can alert a system administrator if an unauthorized access has been attempted. Older systems may require a regular manually review of computer logs to detect unwanted access.
- Computer logs and advanced software, if properly configured, can indicate which computer files, if any, have been accessed. A policy should be established to inform members if files containing personal or sensitive information have been exposed. It is likely best to err on the side of caution in such situations.
- Unauthorized computer access is potentially a criminal act. System intrusions rarely happen by accident and, as such, it is best to assume the person violating the system is seeking something. As with Website hacking, those perpetrating a system breach, likely know they are breaking the law and may have motivation to justify that risk.
- As soon as a system intrusion is detected the system administrator must be contacted immediately. Subsequent contact to law enforcement and FBI (http://www.ic3.gov/default.aspx) computer crime specialists would not be an unusual next step.
For more information, explanations and suggestions see the FCC’s Small Biz Cyber Planner.