Category Archive: Cybersecurity

Focus on resources: DHS Protective Security Advisors

Posted on August 03, 2015

PSA imageRecently, we received an inquiry from an out-of-state colleague. Some of his questions could be answered over the phone, but it was clear that an on-site consultation was in order.

I asked my colleague, “Do you know your Protective Security Advisor (PSA)?” He replied, “What?”

DHS employs PSA’s in all 50 states and many states have multiple regions. Our experience here in NY is that our PSA’s are a wonderful resource. They are hard-working, knowledgeable and professional.

  • Security surveys. Subject to time constraints you can ask your PSA to conduct security surveys and assessments of your facilities. We’ve joined our PSA’s during some of these sessions and their suggestions are both sound and pragmatic.
  • Training. PSA’s have access to a wide variety of training options, e.g. active shooters, suspicious packages, severe weather. Even if you don’t know your exact need, talk to them. They can open up a variety of resources for you.
  • Special events planning. Let them know if you are planning a high profile event. They can advise you on security and logistical issues.
  • Outreach. Get on their radar. They will invite you to various trainings and events.

Click here for more information on Protective Security Advisors. To contact your local PSA, please contact PSCDOperations@hq.dhs.gov. To contact NY PSA’s or if you have questions or need other assistance please complete the form below.

Cybersecurity: WordPress Vulnerabilities

Posted on April 01, 2015

FBI (April 7) ISIL Defacements Exploiting WordPress Vulnerabilities. Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites. Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems. Click here for the full alert.

Best practice. The FBI recommends the following actions be taken:

  • Review and follow WordPress guidelines: http://codex.wordpress.org/Hardening_WordPress
  • Identify WordPress vulnerabilities using free available tools such as
    http://www.securityfocus.com/bid,
    http://cve.mitre.org/index.html,
    https://www.us-cert.gov/
  • Update WordPress by patching vulnerable plugins:
    https://wordpress.org/plugins/tags/patch
  • Run all software as a non-privileged user, without administrative privileges, to diminish the effects of a successful attack
  • Confirm that the operating system and all applications are running the most updated versions.

Hacktivist

Click on the graphic to open a PDF version of this notification.

The FBI is warning U.S. companies that cyber terrorists from the Middle East and North Africa are planning to conduct cyber-attacks against Israeli and Jewish interests next week.  The Bureau stated in a security notice to U.S. industry on Sunday that, as of early March, “several extremist hacking groups indicated they would participate in a forthcoming operation, #OpIsrael, which will target Israeli and Jewish Web sites.”

“Given the perceived connections between the government of Israel and Israeli financial institutions, and those of the United States, #OpIsrael participants may also shift their operations to target vulnerable U.S.-based financial targets or Jewish-oriented organizations within the United States,” the FBI warning said.

The FBI predicts that the threat to U.S.-based infrastructure from the coming cyber attack is low for well-maintained and updated networks. So, make sure that your techies and hosts maintain and update your systems.

The FBI said members of at least two extremist hacking groups it did not identify are currently working to recruit hackers for the attacks next week. The hacker group Anonymous this week also threatened an “electronic Holocaust” in a video statement.

The FBI estimated that the threat to U.S.-based infrastructure from the coming cyber attack is low for well-maintained and updated networks. However, as part of its program to notify private industry of major cyber threats, the FBI is notifying several possible targets.

 

Cybersecurity for synagogues | Dec. 10 @ 7:30

JCRC CybersecurityJCRC Cybersecurity

Ongoing cyberthreats, website defacements

A screenshot of the defaced synagogue website.

Recent posts on the ADL Blog and Geektime describes the efforts of an anti-Israel hacktavist group that calls itself “Team System Dz”. While most of the website defacements occurred in July and August, incidents in Florida and New York were reported recently.

The Geektime post explains, “… the team is a group of Arab youth that is looking to teach protection and penetration of sites and services and strive for peace. Their hacks however don’t appear to be looking for peace. The group seems to align itself with Anonymous”. Their inclusion of an “i love you isis” message probably indicates their definition of how to look for peace. The Team’s Facebook page listing their accomplishments was taken down.

Often, visitors to your organization’s website get their first impression of your organization and your members rely on it for good information. To a great extent, your website can be the most important element of your reputation. Treat it accordingly. 

Best practices. It is likely that this group, and others, will continue to try to hack Jewish websites, so all Jewish organizations should work to ensure that they are following “best practices” in order to protect their websites and their reputations:

Website

  • An Institutional should always make the effort to have their Website hosted with a professional Web hosting company and avoid having the Website reside on an Institution or member’s home computer
  • Institutions should meet or conference with their Web hosting service and ask about such things as active back-up of Website, what security measures do the hosting company use to prevent Denial of Service (DoS) attacks and unauthorized Website access. Also ask if they have a disaster recovery procedure that includes someone available as a 24/7 point of contact for emergencies.
  • As with institutional email addresses, an effort should be made to limit and control the number of people Website administrator or Webmaster permissions and policy for password assignment and a schedule for changing passwords.

Computer Systems

  • It is in the best interest of any computer owner to be aware of who has access to their computer, the permissions granted to each account, who has system administrator authorization and who assigns passwords.
  • It is now considered a good practice to segregate general office and bookeeping/member information to the greatest degree possible.
  • If a computer system is connected to the Internet, an institution should consider using a primary carrier (Comcast, TimeWarner, Verizon etc) for Internet service.
  • Companies who re-sell other company’s services should be avoided where possible.
  • It is always prudent to have active and up-to-date firewall, anti-virus and threat detection software.
  • Although not all Websites or personal use of an Institutions computers pose a problem, a basic “no personal use” policy is reasonable.
  • As a general rule users should be discouraged from connecting personal devices, such as phones, iPods, tablet computers and flash drives to institutional computer systems.
  • Downloading of any material form the Internet should be closely supervised to avoid viruses and potential copyright infringement.

System Intrusion

  • Computer system intrusion can happen in a variety of ways: access in an unauthorized manner, by an unauthorized user, internally by a member of the institution or externally by the public.
  • Advanced software can alert a system administrator if an unauthorized access has been attempted. Older systems may require a regular manually review of computer logs to detect unwanted access.
  • Computer logs and advanced software, if properly configured, can indicate which computer files, if any, have been accessed. A policy should be established to inform members if files containing personal or sensitive information have been exposed. It is likely best to err on the side of caution in such situations.
  • Unauthorized computer access is potentially a criminal act. System intrusions rarely happen by accident and, as such, it is best to assume the person violating the system is seeking something. As with Website hacking, those perpetrating a system breach, likely know they are breaking the law and may have motivation to justify that risk.
  • As soon as a system intrusion is detected the system administrator must be contacted immediately. Subsequent contact to law enforcement and FBI (http://www.ic3.gov/default.aspx) computer crime specialists would not be an unusual next step.

Mobile Devices (smartphones, tablets, gaming and media players)

  • Due to the recent emergence and proliferation of smart mobile communication devices and mobile computing, there is at this time very little anti-virus or anti­-malware protection for mobile computing devices. Mobile devices should only be granted access to institutional systems under the supervision of an experienced service provider, who clearly understands the security needs of a Jewish institution.

Event Response

Website Hacking

  • Website hacking can take a number of different forms and can happen for a variety of reasons. For this document we are defining a hacking as; Activity in the secure section of a Website that is not the result of action by an authorized individual. How the hacking occurs is secondary, here we are discussing what to do afterward.
  • We suggest contacting the hosting company for the Website as soon as the incident is discovered. The hosting company will need to preserve a copy of the hacked page(s) and copies of all relevant server logs. The hacked page(s) need to be removed as soon as possible in case malware is involved and also to limit the hacker’s usual main objective – to gloat.
  • Report the event to the police and FBI (http://www.ic3.gov/default.aspx) promptly. Provide them with a copy of the material left by the hacker especially if it involves threats or hateful language.
  • Restore the Website from back-up copy of the Website, but only after the hosting company or ISP acknowledges the issues relating to the hack have been addressed.

Distributed Denial of Service Attack (aka DoS attack)

  • DoS attacks are the simplest and most common form of cyber-attack. A DoS attack is a coordinated effort by a group of computers to request access to a Website. This and creates a situation where no one can access the Website or that the contents are delivered very slowly. , In many cases a Website hosting company will shut down a Website temporarily rather than create a problem for their other customers. If a Website is the potential target of attacks, the Website hosting company should be made aware of the situation and can offer solutions.

Additional resources

Posted in Cybersecurity

Gaza fighting continues, should you up your security game?

Posted on August 01, 2014

The ongoing military conflict between Israel and Hamas has lead to disturbing attacks on Jewish institutions abroad. While there are no specific threats to U.S. Jewish institutions or individuals, JCRC-NY recommends that Jewish institutions increase their levels of vigilance out of an abundance of caution.

  • Create a culture of security. Institutions shouldn’t merely subcontract security. Even buildings with well-trained security personnel shouldexpect that staff and constituencies should be part of the security equation. Everyone should have heightened vigilance in times like these. For tips on security awareness, click here and the ADL’s Guide to Detecting Surveillance of Jewish Institutions and 18 Best Practices for Jewish Institutional Security.
  • Be in contact with your local police.  Someone (or more than one) should have ongoing personal relationships with key police personnel. They should know you, your building and your organizational activities.
    • Discuss your security procedures with them and ask them for suggestions for improvement.
    • Inform them of the dates and times your regular events and of special events.
  • Revisit and review your security plans and procedures. 
    • Access control. Did you hear the one about a pro-Israel organization visited by a middle-aged, well-dressed woman saying that she wanted to make a contribution? They opened the door for her and a dozen protesters rushed in. Nine of the invaders were arrested. Are you vulnerable to such antics? Take the time to review your access control procedures. For more information and guidance see JCRC-NY’s Sample Building Access Policies & Procedures (PDF).
    • Bomb threats. Review your bomb threat procedures and make sure that your staff (especially those who answer the phones) know what is expected of them. For a range of resources from top agencies, including the FBI and the DHS guidance click here.
    • Suspicious packages. Is your staff aware that they should be on the lookout for suspicious packages? For USPS guidance click here.
    • Active shooters. See both quick pocket-card and in-depth resources from DHS, FBI and other agencies here.
  • Assess your cybersecurity. Over the past month the websites of several Jewish-affiliated organizations were hacked. Protect your organization. See Cybersecurity for Jewish organizations 101: an update and how to have inexpensive and effective backup and other plans at Resources to prepare your organization’s technology for a disaster.

Click here to contact JCRC-NY for further guidance and advice.