Today, the New York Times reported that “This has been the summer of crippling ransomware attacks” to all types of computer systems. Not only have 40 municipalities been struck — their data encrypted and a ransom demanded — but last week there was a report that another synagogue ransomware attack investigated by the FBI.
Cyber-hygiene. If you look closely at the screenshot above, you will see a pop-up from the anti-malware provider Malwarebytes, stating that its database is out of date (Oops!). What should you be doing to ensure a good cyber-hygiene regimen? (see a longer article from Symantec here)? What can you do to protect your data?
- Deploy an antivirus/anti-malware product. An up-to-date, real-time antivirus might stop a cyber-attack.
- Backup. Make sure to back up your important documents and keep a backup set offsite (in case of fire, etc.). There’s no excuse. These days, cloud backups are free or low-cost and you can automatically sync documents to your cloud account.
- Update, update,update. It’s a constant battle. Bad actors learn how to sneak into our systems to do bad things. Software providers constantly provide security patches designed to close the open doors that bad actors use. Update your operating systems (Window or Mac), browsers, remote management software, Adobe products, Microsoft products, firewalls — everything. True, updates sometimes cause problems, but not updating leads to worse problems.
- Use a firewall. Firewalls are the guards designed to protect your network from the internet. Whether you have a hardware or software firewall, it is critical that you keep it up to date.
- Set strong passwords and use two-factor authentication. People still use easy-to-guess passwords like, “Welcome123”, fail to change default passwords, or use the same password for multiple sites. Check out password tips from Google here. Check out a good primer from PC Mag, Two-Factor Authentication: Who Has It and How to Set It Up.
- Before you pay a ransom ask for help! Contact the DHS Cybersecurity and Infrastructure Security Agency (CISA), the FBI, or the Secret Service and work with an experienced advisor to help recover from a cyber attack. Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.
Consider cyber-attack insurance. Cyber-attacks can be costly. Even if you are following all of the steps recommended above and have current backups of everything, you may still be attacked and getting back to business may be costly. A compromised computer or network will have to be restored. If there is a data breach and your members’ confidential data is compromised, other steps will have to be taken. Work with your insurance broker to determine what it would cost to recover from a cyber-attack versus the cost of the policy and do a cost-benefit analysis.
Note: Membership records. The synagogue was lucky, their membership data is stored in the cloud (e.g., Chaverware, ShulCloud). Most of the established synagogue management software stores data online, encrypts it and backs up its database. User agreements should specify that it is the vendor’s responsibility to protect your data and to be prepared to quickly restore it.
For more information visit the CISA Resource Page on Ransomware.
In light of the increasing number of reports of ransomware attacks against government data DHS and its partners issued the following statement. The three steps to resilience are good advice for all of us to implement.
CISA, MS-ISAC, NGA & NASCIO RECOMMEND IMMEDIATE ACTION TO SAFEGUARD AGAINST RANSOMWARE ATTACKS
Take the First Three Steps to Resilience Against Ransomware for State and Local Partners
WASHINGTON – July 29, 2019 – The recent ransomware attacks targeting systems across the country are the latest in a string of attacks affecting State and local government partners. The growing number of such attacks highlights the critical importance of making cyber preparedness a priority and taking the necessary steps to secure our networks against adversaries. Prevention is the most effective defense against ransomware.
The Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) are committed to supporting ransomware victims and encouraging all levels of government to proactively protect their networks against the threat of a ransomware attack. Today, we call on our State, local, territorial and tribal government partners, along with the wider cyber community, to take the following essential actions to enhance their defensive posture against ransomware. Through this collective action, we can better protect ourselves and our communities, and further advance the cyber preparedness and resilience of the Nation.
Three Steps to Resilience Against Ransomware
Back-Up Your Systems – Now (and Daily)
Immediately and regularly back up all critical agency and system configuration information on a separate device and store the back-ups offline, verifying their integrity and restoration process. If recovering after an attack, restore a stronger system than you lost, fully patched and updated to the latest version.
Reinforce Basic Cybersecurity Awareness and Education
Ransomware attacks often require the human element to succeed. Refresh employee training on recognizing cyber threats, phishing and suspicious links – the most common vectors for ransomware attacks. Remind employees of how to report incidents to appropriate IT staff in a timely manner, which should include out-of-band communication paths.
Revisit and Refine Cyber Incident Response Plans
Agencies must have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed. Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA and the MS-ISAC, in the event of an attack.
- MS-ISAC Security Primer on Ransomware
- CISA Tip Sheet on Ransomware
- NGA Disruption Response Planning Memo
- NASCIO Cyber Disruption Planning Guide
After implementing these recommendations, refer to the ransomware best practices published by CISA, MS-ISAC, NGA, and NASCIO for additional steps to protect your organization.
Cybersecurity Best Practices
The following is a list of best practices designed to keep individuals and their data safe when connected to the internet.
Avoid opening emails, downloading attachments, or clicking on suspicious links sent from unknown or untrusted sources.
Verify unexpected attachments or links from known senders by contacting them via another method of communication.
Avoid providing your email address, phone number, or other personal information to unknown sources.
Avoid providing sensitive information to anyone via email. If you must, be sure to encrypt it before sending.
Be skeptical of emails written with a sense of urgency and requesting an immediate response, such as those stating your account will be closed if you do not click on an embedded link or provide the sender with sensitive information.
Beware of emails with poor design, grammar, or spelling.
Ensure an email’s “sender name” corresponds to the correct email address to identify common email spoofing tactics.
Never open spam emails; report them as spam, and/or delete them. Do not respond to spam emails or use included “Unsubscribe” links as this only confirms to the spammer that your email address is active and may exacerbate the problem.
PASSWORDS AND MULTI-FACTOR AUTHENTICATION
Use strong passwords on all of your accounts.
Long, complex passwords make you less susceptible to brute-force attacks.
Use a combination of upper and lowercase letters, numbers, and special characters.
Avoid easy-to-guess elements like pets’ names, children’s names, birthdays, etc.
To reduce the risk of account compromise, account holders should:
Avoid using the same password across multiple accounts or platforms.
Never share their password with anyone, leave passwords out in the open for others to read, or store them in an unsecured, plaintext file on computers or mobile devices.
Consider using long acronyms or passphrases to increase the length of your password.
Enable two-factor authentication (2FA) or multi-factor authentication (MFA) on all accounts that offer it. This will help prevent unauthorized access in the event of credential compromise.
ON THE WEB
Ensure any websites requesting the insertion of account credentials and those used to conduct transactions online are encrypted with a valid digital certificate to ensure your data is secure. These website addresses will have a green padlock displayed in the URL field and will begin with https.
Avoid saving account information, such as passwords or credit card information, in web browsers or browser extensions.
Avoid using public computers and public Wi-Fi connections to log into accounts and access sensitive information.
Consider using ad-blocking, script-blocking, and coin-blocking browser extensions to protect systems against malicious advertising attacks and scripts designed to launch malware or mine cryptocurrency.
Sign out of accounts and shut down computers and mobile devices when not in use. Program systems and devices to automatically lock the active session after a set period of inactivity.
Keep all hardware and software updated with the latest, patched version.
Run reputable antivirus or anti-malware applications on all devices and keep them updated with the latest version.
Create multiple, redundant backups of all critical and sensitive data and keep them stored off the network in the event of a ransomware infection or other destructive malware incident. This will allow you to recover lost files, if needed.
New resource guide. Take a look at DHS’ new resource guide, Security of Soft Targets and Crowded Places. It’s essentially a one-stop table of contents for DHS’s free materials, including links for help on identifying suspicious activity, access control and screening, active assailants (they’re not just shooters anymore) and bomb threats. Follow the supplied links for an introduction to facility security that can serve as a good first step for houses of worship, schools and other soft targets. Resources include fact sheets, guidance, and online training and education courses.
Mail screening poster. Thanks to the world’s leading geopolitical intelligence platform, Stratfor, for its timely reminder about mail and package screening after an attempted bombing.
- While many questions remain in the case of a parcel bomb sent to a Mexican senator, the largest is why the mail of such a high-level official was not screened.
- While politicians and large corporations clearly must take significant measures to screen their mail, even ordinary people (and Jewish organizations) should open their mail cautiously.
- Simple steps can help everyone from the largest entities to the average citizen.
Note that Cesar Sayoc, 57, admitted in court to having mailed 16 explosive devices to a variety of officials and to CNN’s offices in October 2018. He allegedly said he would “eradicate the Jews” if he had the power to, along with lesbians, black people and Hispanic people.
We urge you to download the tips found on the Stratfor graphic and share it with your staff and others.
Rosh Chodesh Elul includes clarion calls indicating that the High Holidays are coming soon. So, now is a good time to check out a recent presentation on synagogue security or to take a deeper dive into the library of documents available on the JCRC-NY Security Resources pages. Here are some relevant selections:
High Holiday Security and Emergency Preparedness Planning Library
- High Holidays: Are you ready to get out if you have to?
- JCRC-NY High Holiday Security Thinkplate
- Access control considerations during High Holiday services (PDF)
- Houses of Worship and the High Holidays
- Planning for the Unexpected – High Holiday Edition 2010 (PDF)
- Are you prepared? 5 steps to make your facility safer and more secure
- Sample Building Access Policies & Procedures (PDF)
- Bomb Threat Guidance resources. See also Hoax threats can be scary, too, To evacuate or not to evacuate? That is the question., DHS’ Introduction to Bomb Threat Management, Manhattan bomb threat: lessons learned, Bomb threat training video.
- Active Shooter Resources Page (DHS, FBI and NYPD)
- Cybersecurity Resources Page
- US Postal Inspection Service Guide to Mail Center Security (PDF)
Vulnerability, Risk and Safety Assessments and Planning
- FEMA: Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings
- FEMA, Emergency Operations Planning
- Potential Indicators, Common Vulnerabilities, and Protective Measures: Religious Facilities (Updated)
- Hometown Security Report Series: Houses of Worship
- K-12 School Security: A Guide for Preventing and Protecting against Gun Violence (2nd ed., 2018) provides preventive and protective measures to address the threat of gun violence in schools. The Guide is delivered in two parts: the first portion is a PDF with general security best practices and considerations in narrative format; while the second portion is a Microsoft Excel-based security survey. Together, these documents outline action-oriented security practices and options for consideration based on the results of the individual school’s responses to the survey. While the primary audience for the Guide is the K-12 community, institutions of higher education or pre-K schools may also benefit from the information presented.
- NYPD: Engineering Security: Protective Design for High Risk Buildings
- OSHA: Evacuation Plans and Procedures eTool. This expert system will help you to create a basic Emergency Action Plan. This basic plan likely will be adequate for needs of many small and medium-sized entities. Most small and medium-sized entities can create basic plans using this system in 10 to 15 minutes. Larger, more complex organizations will require more work.
- Practical Information on Crisis Planning: A Guide for Schools and Communities. U.S. Department of Education, Office of Drug Free and Safe Schools. Taking action now can save lives, prevent injury, and minimize property damage in the moments of a crisis. The importance of reviewing and revising school and district plans cannot be underscored enough, and Practical Information on Crisis Planning: A Guide for Schools and Communities is designed to help you navigate this process. The Guide is intended to give schools, districts, and communities the critical concepts and components of good crisis planning, stimulate thinking about the crisis preparedness process, and provide examples of promising practices.
- Emergency Preparedness Planning Guide for Childcare Centers. From the Illinois Emergency Medical Services for Children (a collaborative program between the Illinois Department of Public Health and Loyola University Chicago). Lots of ideas to keep toddlers safe.
- Readiness and Emergency Management for Schools (REMS) Technical Assistance Center, U.S. Department of Education
- REMS: Conducting a Safety Audit
- California STAS: Protective Measures for Enhanced Facilities Security
- New Jersey Office of Homeland Security and Preparedness Critical Infrastructure Protection Bureau: Facility Self-Assessment Tool (updated) and other tools here.