Tag: coronavirus

  • August 2020: FB-ISAO Physical Threat Level Remains SEVERE; Cyber Threat Level Remains GUARDED

    This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

    The COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:

    The TIG has determined to maintain the Physical Threat Level at “SEVERE.” SEVERE means an event is highly likely. The TIG will continue to assess the Physical Threat Level and provide updates accordingly. This determination is valid through sunset on 31 Aug 2020, and will be periodically re-evaluated, especially with respect to ongoing threats and developing federal, state, local, tribal, and territorial (FSLTT / SLTT) guidance and directives.

    The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exists. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice.

    Reopening America. Across the country, many FBOs have reopened or are preparing to reopen, while others have elected to continue to suspend in-person activities (some determining to do that through at least the rest of 2020). As we continue in the process of reopening, with the possibility of having to move back to more stringent restrictions or delays in continued reopening based on events in our local communities, FB-ISAO continues to strongly encourage members to “hold the line.” By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives.

    Several states and local communities are continuing to experience new highs in identified infections and deaths, though some of the “hotspots” seem to be leveling off, and CDC expects the death rate to steadily continue to climb, stating (as of 20 Jul) that “there will likely be between 160,000 and 175,000 total reported COVID-19 deaths by August 15th.” While personally and organizationally, many are understandably feeling pandemic fatigue, the coronavirus remains an active health threat with the potential to lead to local outbreaks or broader flare-ups, particularly if established best practices such as social distancing and mask wearing are not followed. As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO strongly discourages defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.

    Regarding the Physical Threat Level, coronavirus remains a serious threat in the United States, with various states and local communities experiencing increasing infection numbers and with several recent local outbreaks related to gatherings at FBOs, such as:

    A health threat poses a challenge in assessing a threat level. In accordance with FB-ISAO’s threat levels, in many respects we are still in a “CRITICAL” phase, given that the pandemic remains very active and that further outbreaks are expected as reopening continues. A broad second wave of COVID-19 remains very possible, particularly if individuals, organizations and communities fail to follow identified best practices to mitigate risks.

    Beyond the explicit health threat, we have other security concerns, including:

    • As noted above, SEVERE means we believe an event is highly likely. With respect to our current environment and this assessment, we assess an event to be one of two types:
      • Local Outbreak. A local COVID-19 outbreak remains very possible. FBOs in particular may experience rapid spread and infection if infected individuals are exposed to larger groups.
      • Hostile Events. In addition to routine threats, additional stressors may increase challenges for FBOs. That concern is raised in Assistant Director Harrell’s 08 Apr letter to the faith-based community. There are also other challenges that could lead to hostile events or provide opportunities for individuals or small groups to conduct acts of violence.
        • Protests & Targeting of African-American People and Facilities. On 01 June we assessed that “protests relating to the death of George Floyd and racial issues take on a political dimension, it is also possible extremists could choose to target predominantly African American places of worship.” Sadly, that has come to fruition. Threats and hostile events have occurred at FBOs, to include predominantly African-American churches such as in Virginia and Kentucky. As Black Lives Matter and associated protests continue, this remains a concern.
        • Protests & Targeting Other People of Faith. As domestic protests demand law enforcement resources, some extremists have suggested using that as an opportunity for attacks against people of faith – and synagogues specifically. We have seen this occur internationally and remain concerned about the possibility of domestic incidents.
        • Disgruntled Individuals. Individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others.  
        • Political Events. Presidential elections, particularly during times of adversity, such as with the pandemic and associated economic impacts, or relating to other emotional topics, such as the removal of statues and monuments, can lead to a highly-charged atmosphere and pose associated risks to FBOs in the area which may not be directly targeted but indirectly implicated. As election-related activities increase in the months ahead, it is possible rallies may see protests and counter-protests – aimed at politicians, groups, or places of worship where events may be held. Such concerns are not limited to any party or individual but are a possibility for any political event occurring at or near an FBO.
    • There continue to be varied incidents, attacks, and threats against retail establishments and personnel relating to enforcement of safety protocols such as required wearing of masks and maintaining adequate social distancing, or the wearing of masks that incite responses from others (such as KKK or Nazi masks). This has continued in recent weeks, though FB-ISAO is unaware of any known incidents that have occurred at FBOs. As FBOs reopen and welcome back individuals, it is possible that some may have heightened sensitivities regarding these issues and may not respond well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors.
    • As we continue to reopen and reenter FBOs, recognize the potential for violence based on the stressors of COVID-19, the threats from violent extremists, and the longstanding issues that have resulted in previous acts of violence at houses of worship.
    • There continues to be extremist interest in conducting various attacks and hostile actions against people and places of faith (to include specific anti-Semitic rhetoric relating to exploiting COVID-19 and other extremist discussion and interest in places of worship and people of faith [see previous FB-ISAO and government partner reporting]).
    • Beyond the immediate challenges, while we have yet to emerge from the “first wave,” there is a very real possibility of second and third waves until a vaccine is developed and applied nationwide. Further, many countries around the world continue on an upward trajectory and it is expected that the number of cases in many areas will continue to increase in the coming weeks.

    Regarding the Cyber Threat Level, FB-ISAO assesses the current volume of coronavirus-related cyber attack campaigns continues to recede and is consistent with a general “GUARDED” posture. While there is still no shortage of coronavirus-themed cyber attack campaigns, non-coronavirus lures also continue to populate the cyber threat landscape. While we assess remaining at “GUARDED” is still reasonable at this time, increased vigilance is recommended due to the ongoing pandemic, continued widespread teleworking, abundance of information and updates from legitimate and less-established sources (including social media and unofficial expert blogs), and commensurate distractions in businesses and homes across the U.S., among other considerations.

    Update on #BlueLeaks: The FBI office in Houston continues to investigate. There was a report earlier this month that German authorities seized the server containing the leaked data. Likewise, Netsential has provided stakeholders with a notification of measures it has implemented and plans to implement to better secure its systems. Otherwise, as previously reported, the #BlueLeaks data breach incident directly affects FB-ISAO due to the compromise of Netsential’s systems that maintain our membership and content delivery portal. That fact, plus our own partnerships with the other impacted entities, and many members’ close relationships with the same impacted entities, including fusion centers and law enforcement, still represent a very real and present threat from actors who may try to leverage those trusted relationships to phish (email or phone) for more information. Additionally, as impacted entities report on their analysis of the stolen data, a commonly captured non-public data point used for verification/validation includes registrants’ supervisor’s name and contact information. Therefore, it is likely threat actors could leverage supervisor information to lend greater credibility to the guise or to use as an additional target set. We cannot stress enough the need to exercise extreme vigilance when receiving communications purporting to come from any impacted organization, particularly ones in your region.

    Additional considerations for continued increased vigilance:

    • Ransomware running rampant. From municipalities and education institutions to healthcare and mega-corporations, no organization is safe from ransomware. In addition to becoming a direct victim, faith-based organizations that outsource IT services to a managed service provider (MSP) can also become an indirect victim with direct impacts when the MSP is infected. Compromising MSPs to systemically infect multiple organizations has been an increasing trend over the past year. Members are encouraged to review ransomware and data breach playbooks/policies/procedures with staff and MSPs, or at least discuss necessary actions should ransomware impact your organization. This Forrester report provides some salient points about dealing with ransomware.
    • Cyber activity spurred by ongoing #BlackLivesMatter protests. While most cyber activity surrounding protests has been targeting law enforcement and local government websites, FB-ISAO emphasizes the need for continued vigilance. Website defacements and denial-of-service (DoS) attacks have been the primary attack types thus far, but cyber threat actors are also known to aggrandize headlines to proliferate malware. Likewise, as #BlueLeaks represents, hacktivists are actively seeking to compromise organizations that are likely to contain troves of law enforcement sensitive documents for the purpose of public disclosure/dissemination.
    • Contact tracing scams. Scammers are pretending to be contact tracers and sending fake text messages. Keep in mind that legitimate contact tracing messages are intended to be factual and will not ask for personal information or include a link to click. Multiple federal agencies have partnered to alert the public on avoiding contact tracing scams, including the FTC and the Justice Department.
    • Mis/disinformation is still a concern. Dis/misinformation continues to spread regarding coronavirus-related matters and protest activity. Disinformation is spread by various entities for disruption, deceit, and even to discredit legitimate government efforts. It is imperative to think critically and continue verifying everything. FB-ISAO continues to encourage members to treat every coronavirus-themed communication or protest-related subject with suspicion.

    We are all targets of opportunity. Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), disinformation/misinformation, and counterfeit websites leveraging coronavirus themes will continue for the foreseeable future.

    • Continue enabling/encouraging remote staff to work securely. As organizations consider a prolonged, perpetual, or even permanent work from home model, it is important to deliberate on the best strategy to promote a secure remote work environment. Many organizations and people were thrust into remote working. Those who continue working remotely may require procurement and configuration of new devices, network infrastructure, and services to securely support extended offsite working. StaySafeOnline maintains its COVID-19 Security Resource Library with an up-to-date compilation of resources to enable safe telecommuting.
    • Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination.

    As we periodically update these assessments, FB-ISAO’s Preparedness Group (PG) continues to support the efforts of our broader Pandemic Recovery Group with FB-ISAO staff, PG members, and other government and industry partners, and is also liaising with the venue community in collaboration with the International Association of Venue Managers. This group has developed and released the FB-ISAO Pandemic Reopening Reentry Checklist and continues in close collaboration as we assess appropriate needs for revisions and updates. Interested in helping? Contact our team to find out how!

    Please contact our team with any questions, needs for information, assistance or any other concerns.

    • We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
    • Join the #covid-19, #protest_awareness, #cybersecurity and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.

    This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.

  • FB-ISAO Physical Threat Level Remains SEVERE; Cyber Threat Level Remains GUARDED

    This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

    The COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:

    The TIG has determined to maintain the Physical Threat Level at “SEVERE.” SEVERE means an event is highly likely. The TIG will continue to assess the Physical Threat Level and provide updates accordingly. This determination is valid through sunset on 31 July 2020, and will be periodically re-evaluated, especially with respect to ongoing threats and developing federal, state, local, tribal, and territorial (FSLTT / SLTT) guidance and directives.

    The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exists. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice.

    Reopening America. Across the country, many FBOs are reopening or preparing to reopen, while many have elected to continue to suspend in-person activities. As we continue in the process of reopening, with the possibility of having to move back to more stringent restrictions or delays in continued reopening based on events in our local communities, FB-ISAO continues to strongly encourage members to “hold the line.” By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives.

    Many states are seeing their highest daily rates of infection and CDC expects the death rate to steadily continue to climb, with “between 130,000 and 150,000 total reported COVID-19 deaths by July 18th.” While personally and organizationally, many are understandably feeling pandemic fatigue, the coronavirus remains an active health threat with the potential to lead to local outbreaks or broader flare-ups. As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO strongly discourages defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.

    Regarding the Physical Threat Level, as SLTT governments continue to “reopen” their communities and as FBOs are reopening and beginning to welcome back the public, coronavirus remains a serious threat in the United States, with many states experiencing increasing infection numbers and with several outbreaks related to gatherings at FBOs. A health threat poses a challenge in assessing a threat level. In accordance with FB-ISAO’s threat levels, in many respects we are still in a “CRITICAL” phase, given that the pandemic remains very active and that further outbreaks are expected as reopening continues. A broad second wave of COVID-19 remains very possible, particularly if individuals, organizations and communities fail to follow identified best practices to mitigate risks.

    Beyond the explicit health threat, we have other security concerns, including:

    • As noted above, SEVERE means we believe an event is highly likely. With respect to our current environment and this assessment, we assess an event to be one of two types:
      • Local Outbreak. A local outbreak remains very possible. FBOs in particular may experience rapid spread and infection if infected individuals are exposed to larger groups. FBOs have been associated with several local outbreaks in recent weeks.
      • Hostile Events. In addition to routine threats, additional stressors may increase challenges for FBOs. That concern is raised in Assistant Director Harrell’s 08 Apr letter to the faith-based community. There are also other challenges that could lead to hostile events or provide opportunities for individuals or small groups to conduct acts of violence.
        • Protests & Targeting of African-American People and Facilities. On 01 June we assessed that “protests relating to the death of George Floyd and racial issues take on a political dimension, it is also possible extremists could choose to target predominantly African American places of worship.” Sadly, that has come to fruition. Threats and hostile events have occurred at FBOs, to include predominantly African-American churches such as in Virginia and Kentucky.
        • Protests & Targeting Other People of Faith. As domestic protests demand law enforcement resources, some extremists have suggested using that as an opportunity for attacks against people of faith – and synagogues specifically. Overseas, this has been observed, for example, in Turkey, where Christians and Christian facilities have been targeted.
        • Disgruntled Individuals. Individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others.
        • Political Events. Presidential elections, particularly during times of adversity, such as with the pandemic and associated economic impacts, can lead to a highly-charged atmosphere. As election-related activities increase in the months ahead, it is possible rallies may see protests and counter-protests – aimed at politicians, groups, or places of worship where events may be held. Some of those challenges were observed at a June rally for President Trump in Arizona. Such concerns are not limited to any party or individual but are a possibility for any political event occurring at or near an FBO.
    • During reopening, there have been varied attacks and threats against retail establishments and personnel relating to enforcement of safety protocols such as required wearing of masks and maintaining adequate social distancing. This has continued in recent weeks, albeit with fewer observed instances and known incidents at FBOs. As FBOs reopen and welcome back individuals, it is possible that some may have heightened sensitivities regarding these issues and may not respond well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors.
    • As we reopen and reenter FBOs, recognize the potential for violence based on the stressors of COVID-19, the threats from violent extremists, and the longstanding issues that have resulted in previous acts of violence at houses of worship.
    • There continues to be extremist interest in conducting various attacks and hostile actions against people and places of faith (to include specific anti-Semitic rhetoric relating to exploiting COVID-19 and other extremist discussion and interest in places of worship and people of faith [see previous FB-ISAO and government partner reporting]).
    • Beyond the immediate challenges, there is a very real possibility of second and third waves until a vaccine is developed and applied nationwide. Further, many countries around the world – including very significant ongoing outbreaks in Brazil and other parts of Latin America – are on an upward trajectory and it is expected that the number of cases in many areas will continue to increase in the coming weeks.
    • The 4th of July holiday, while likely with smaller and fewer events this year, always has security concerns due to mass gatherings and high visibility. While events may be fewer and smaller, combined with some of the additional challenges and complexities of our current environment, FBOs hosting events or in proximity to planned events should consider threats and security to their people and places.

    Regarding the Cyber Threat Level, FB-ISAO assesses the current volume of coronavirus-related cyber attack campaigns continues to recede and is consistent with a general “GUARDED” posture. While there is still no shortage of coronavirus-themed cyber attack campaigns, non-coronavirus lures continue to populate the cyber threat landscape. While we assess remaining at “GUARDED” is still reasonable at this time, increased vigilance is recommended due to the ongoing pandemic, continued widespread teleworking, abundance of information and updates from legitimate and less-established sources (including social media and unofficial expert blogs), and commensurate distractions in businesses and homes across the U.S., among other considerations. In addition, as previously reported, the recent #BlueLeaks data breach incident directly affects FB-ISAO due to the compromise of the technology service provider (Netsential) that manages our membership and content delivery portal. That fact, plus our own partnerships with the other impacted entities, and many members’ close relationships with the same impacted entities, including fusion centers and law enforcement, present a very real and present threat from actors who may try to leverage those trusted relationships to phish (email or phone) for more information. We cannot stress enough the need to exercise extreme vigilance when receiving communications purporting to come from any impacted organization, particularly ones in your region.

    Additional considerations for continued increased vigilance:

    • Cyber activity spurred by ongoing protests over the death of George Floyd. While most cyber activity surrounding protests has been targeting law enforcement and local government websites, FB-ISAO emphasizes the need for vigilance. Website defacements and denial-of-service (DoS) attacks have been the primary attack types thus far, but cyber threat actors are also known to aggrandize headlines to proliferate malware. Likewise, as #BlueLeaks represents, hacktivists are actively seeking to compromise organizations that are likely to contain troves of law enforcement sensitive documents for the purpose of public disclosure/dissemination.
    • Contact tracing scams. Scammers are pretending to be contact tracers and sending fake text messages. Keep in mind that legitimate contact tracing messages are intended to be factual and will not ask for personal information or include a link to click. The FTC has updated guidance on avoiding fake contact tracers.
    • Mis/disinformation is still a concern. Dis/misinformation continues to spread regarding coronavirus-related matters and protest activity. Disinformation is spread by various entities for disruption, deceit, and even to discredit legitimate government efforts. Social media organizations such as Twitter are striving to flag potentially harmful and misleading posts. Likewise, several states are working to fight the scourge. It is imperative to think critically and continue verifying everything. FB-ISAO continues to encourage members to treat every coronavirus-themed communication or protest-related subject with suspicion.

    We are all targets of opportunity. Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), disinformation/misinformation, and counterfeit websites leveraging coronavirus themes will continue for the foreseeable future.

    • Continue enabling/encouraging remote staff to work securely. As organizations consider a prolonged, perpetual, or even permanent work from home model, it is important to deliberate on the best strategy to promote a secure remote work environment. Many organizations and people were thrust into remote working. Those who continue working remotely may require procurement and configuration of new devices, network infrastructure, and services to securely support extended offsite working. StaySafeOnline maintains its COVID-19 Security Resource Library with an up-to-date compilation of resources to enable safe telecommuting.
    • Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination.

    As we periodically update these assessments, FB-ISAO’s Preparedness Group (PG) continues to support the efforts of our broader Pandemic Recovery Group with FB-ISAO staff, PG members, and other government and industry partners, and is also liaising with the venue community in collaboration with the International Association of Venue Managers. This group has developed and released the FB-ISAO Pandemic Reopening Reentry Checklist and continues in close collaboration as we assess appropriate needs for revisions and updates. Interested in helping? Contact our team to find out how!

    Please contact our team with any questions, needs for information, assistance or any other concerns.

    • We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
    • Join the #covid-19, #protest_awareness, #cybersecurity and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.

    This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.

  • FB-ISAO Physical Threat Level Returns to SEVERE; Cyber Threat Level Remains GUARDED

    This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

    The COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:

    The TIG has determined to lower the Physical Threat Level to “SEVERE.” SEVERE means an event is highly likely. The TIG will continue to assess the Physical Threat Level and provide updates accordingly. This determination is valid through sunset on 26 June 2020, and will be periodically re-evaluated, especially with respect to ongoing threats and developing federal, state, local, tribal, and territorial (FSLTT / SLTT) guidance and directives.

    The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exists. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice.

    Reopening America. After many weeks of closures, many FBOs are reopening or preparing to reopen. This is an exciting transition but one that requires a deliberate, thoughtful and disciplined approach. As we continue in the process of reopening, with the possibility of having to move back to more stringent restrictions or delays in continued reopening based on events in our local communities, FB-ISAO continues to strongly encourage members to “hold the line.” By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives. FB-ISAO strongly discourages defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.

    Regarding the Physical Threat Level, as SLTT governments continue to “reopen” their communities and as FBOs are reopening and beginning to welcome back the public, coronavirus remains a serious threat in the United States, with many areas experiencing increasing infection numbers as they begin phase one reentry/reopening. A health threat poses a challenge in assessing a threat level. In accordance with FB-ISAO’s threat levels, in many respects we are still in a “CRITICAL” phase, given that the pandemic is underway and that further outbreaks are expected as reopening continues. We have been reluctant to decrease the physical threat level but, assessing the broad, national threat, we felt it was appropriate to move to SEVERE at this time. A broad second wave of COVID-19 remains very possible, particularly if individuals, organizations and communities fail to follow identified best practices to mitigate risks.

    A local outbreak remains very possible. FBOs in particular may experience rapid spread and infection if infected individuals are exposed to larger groups.

    Beyond the explicit health threat, we have other security concerns, including:

    • As noted above, SEVERE means we believe an event is highly likely. With respect to our current environment and this assessment, we assess an event to be one of two types:
      • Hostile Events. In addition to routine threats, additional stressors may increase challenges for FBOs. That concern is raised in Assistant Director Harrell’s 08 Apr letter to the faith-based community. Further, individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others. That was evidenced in a recent arson attack that destroyed the First Pentecostal Church in Holly Springs, Mississippi. FB-ISAO warned about such possibilities in our 14 May threat levels update; the arson attack occurred the following week.
        • As domestic protests demand law enforcement resources, some extremists have suggested using that as an opportunity for attacks against people of faith – and synagogues specifically.
        • As protests relating to the death of George Floyd and racial issues take on a political dimension, it is also possible extremists could choose to target predominantly African American places of worship. We have no specific knowledge of threats suggesting that is being discussed but feel the possibility exists and should be considered.


    • During reopening, there have been varied attacks and threats against retail establishments and personnel relating to enforcement of safety protocols such as required wearing of masks and maintaining adequate social distancing. As FBOs reopen and welcome back individuals, it is possible that some may have heightened sensitivities regarding these issues and may not respond well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors.


    • As we reopen and reenter FBOs, recognize the potential for violence based on the stressors of COVID-19, the threats from violent extremists, and the longstanding issues that have resulted in previous acts of violence at houses of worship.
    • There continues to be extremist interest in conducting various attacks and hostile actions against people and places of faith (to include specific anti-Semitic rhetoric relating to exploiting COVID-19 and other extremist discussion and interest in places of worship and people of faith [see previous FB-ISAO and government partner reporting]).
    • Beyond the immediate challenges, there is a very real possibility of second and third waves until a vaccine is developed and applied nationwide. Further, many countries around the world – including very significant ongoing outbreaks in Brazil and other parts of Latin America – are on an upward trajectory and it is expected that the number of cases in many areas will continue to increase in the coming weeks.

    Regarding the Cyber Threat Level, FB-ISAO assesses that the current volume of coronavirus-related cyber attack campaigns has remained stable and is consistent with a general “GUARDED” posture. While there is still no shortage of coronavirus-themed cyber attack campaigns, non-coronavirus lures continue to populate the cyber threat landscape. While we assess remaining at “GUARDED” is still reasonable at this time, increased vigilance is recommended due to the ongoing pandemic, continued widespread teleworking, the abundance of information and updates from legitimate and less-established sources (including social media and unofficial expert blogs), and commensurate distractions in businesses and homes across the U.S., among other considerations.

    Additional considerations for continued increased vigilance:

    • Cyber activity spurred by protests over the death of George Floyd. While most cyber activity surrounding protests is targeting law enforcement and local government websites, FB-ISAO emphasizes the need for vigilance. Website defacements and denial-of-service (DoS) attacks have been the primary attack types thus far, but cyber threat actors are also known to aggrandize headlines to proliferate malware.
    • Contact tracing scams. As if COVID-19 contact tracing doesn’t have enough challenges, the proliferation of fraudulent text messages from scammers pretending to be contact tracers adds to the issue. As the FTC has reiterated, there’s no question contact tracing plays a vital role in helping stop the spread of COVID-19. But scammers are pretending to be contact tracers and taking advantage of how the process works by sending fake text messages. Also, given that legitimate health department messages may vary from region to region, it may be difficult to tell a real message from a fake one. However, keep in mind that legitimate contact tracing messages are intended to be factual and will not ask for personal information or include a link to click. Visit the FTC for more tips on recognizing, avoiding, and reporting scam text messages.
    • Mis/disinformation is still a concern. In addition to coronavirus-related matters, recent protest activity surrounding the death of George Floyd has also sparked similar attempts at spreading disinformation, including social media posts stating various extremist groups were present at protests, in neighborhoods, etc. Disinformation is spread by various entities for disruption, deceit, and even to discredit legitimate government efforts. Social media organizations such as Twitter are striving to flag potentially harmful and misleading posts. Likewise, several states are working to fight the scourge. It is imperative to think critically and continue verifying everything. FB-ISAO continues to encourage members to treat every coronavirus-themed communication or protest-related subject with suspicion.


    We are all targets of opportunity, especially during this time. Cyber tactics such as phishing, smishing (SMS phishing), disinformation/misinformation, and counterfeit websites leveraging coronavirus themes will continue for the foreseeable future.

    • Continue enabling/encouraging remote staff to work securely. As organizations begin to consider a prolonged, perpetual, or even permanent work from home model, it is important to deliberate on the best strategy to promote a secure home working environment. Many organizations and people were thrust into remote working. However, those who continue to work remotely may require procurement and configuration of new devices, network infrastructure, and services to securely support extended offsite working. StaySafeOnline maintains its COVID-19 Security Resource Library with an up-to-date compilation of numerous trusted and verified resources to enable safe telecommuting.
    • Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help members develop education and cybersecurity awareness materials for dissemination.

    As we periodically update these assessments, FB-ISAO’s Preparedness Group (PG) continues to support the efforts of our broader Pandemic Recovery Group with FB-ISAO staff, PG members, and other government and industry partners, and is also liaising with the venue community in collaboration with the International Association of Venue Managers. This group has developed and released the FB-ISAO Pandemic Reopening Reentry Checklist and continues in close collaboration as we assess appropriate needs for revisions and updates. Interested in helping? Contact our team to find out how!

    Please contact our team with any questions, needs for information, assistance or any other concerns.

    • We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
    • Join the #covid-19 channel and #cybersecurity channel in FB-ISAO Slack to see more updates, reports, and conversation on this threat, and to share your questions, ideas, and actions for others.

    This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.

  • FB-ISAO Physical & Cyber Threat Level Updates


    The COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:

    The TIG has determined to maintain the Physical Threat Level at “CRITICAL,” – our highest level of threat – as it has been since 31 March 2020. The TIG will continue to assess the Physical Threat Level and provide updates accordingly. This determination is valid through sunset on 14 May 2020, and will be periodically re-evaluated, especially with respect to ongoing threats and developing federal, state, local, tribal, and territorial (FSLTT / SLTT) guidance and directives.

    The TIG has determined to maintain the Cyber Threat Level at “ELEVATED,” as it has been since 20 March 2020. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. This determination is valid through sunset on 14 May 2020, and will be periodically re-evaluated, especially with respect to ongoing cyber threats.

    FB-ISAO continues to strongly encourage members to “hold the line.” By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives.

    Regarding the Cyber Threat Level, we do not assess a significant change from the 21 Mar assessment. However, we do consider a sustained higher level of cyber risk as threat actors pivot attack campaigns to leverage themes associated with “Opening Up America Again.” As organizations begin transitioning from strictly online activities back to gathering in person, cyber attackers will closely follow the messaging tone and cadence throughout each gating phase and adjust their lures accordingly.

    • The ploys are the same, but the deluge is unprecedented – Cyber tactics leveraging coronavirus themes will continue at a significant volume for the foreseeable future. Cyber attacks such as phishing, smishing (SMS phishing), disinformation/misinformation, and counterfeit websites purporting to have important or urgent updates will continue to dominate the threat landscape.
    • Think critically – Cyber attackers will continue their attacks to seek financial gain or sow seeds of rumors and disinformation to create chaos and confusion for their amusement.
    • Trust but verify – FB-ISAO members are encouraged to treat every coronavirus-themed communication or situational report, including those themed on “Opening Up America Again,” with suspicion.

    Regarding the Physical Threat Level, as SLTT governments begin to “reopen” their communities, coronavirus remains a serious threat in the United States; beyond the immediate challenges, there is a very real possibility of second and third waves until a vaccine is developed and applied nationwide. Further, many countries around the world – including nations in the Western Hemisphere – are on an upward trajectory and it is expected that the number of cases in many countries will increase in the coming weeks. Based on the health threat alone, we continue to strongly urge members to follow FSLTT guidance and direction and, as directed, to limit the size of gatherings or to forgo physical assemblies, in accordance with that guidance. FB-ISAO strongly discourages defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.

    Beyond the pandemic threat:

    • Ramadan continues and, since the first night of the annual Muslim holiday, there have been threats and incidents aimed at mosques and Muslim people (to include in the U.S. and Canada), as captured in recent FB-ISAO reports.
    • 27 April marked the one-year anniversary of the Poway synagogue attack. Such occasions can motivate and inspire like attacks.
    • Continued extremist interest in conducting various attacks and hostile actions against people and places of faith (to include specific anti-Semitic rhetoric relating to exploiting COVID-19 and other extremist discussion and interest in places of worship and people of faith [see previous FB-ISAO and government partner reporting]);
    • May Day / International Workers’ Day (01 May 2020). FB-ISAO is not aware of any credible threat or large scale, worldwide demonstrations during May Day; however, personnel with physical security interests should maintain awareness of locally planned events and take appropriate preparedness actions.

    As with April, we assess the month of May to continue to be a CRITICAL threat period.

    Recent and upcoming reports and public posts speak to ideas elaborating on these various threats and on mitigation, including the public posts listed above, and recent weekly reports on maintaining preparedness for non-health threats during this pandemic and on upcoming threats. Please contact our team with any questions, needs for information, assistance or any other concerns.

    • We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
    • Join the #covid-19 channel in FB-ISAO Slack to see more updates, details and conversation on this threat, and share your questions, ideas and actions for others.

    As we periodically update these assessments, FB-ISAO’s Preparedness Group (PG) has launched a Pandemic Recovery Group with FB-ISAO staff, PG members, and other government and industry partners, and is also liaising with the venue community in collaboration with the International Association of Venue Managers. This group is developing information which may help inform FBOs’ reopening and reentry operations. Interested in helping? Contact our team to find out how!

    This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.

  • A Message to the Community of Faith, from the DHS Assistant Director of Infrastructure Security


    On These Trying Times for the Nation

    “The ongoing coronavirus (COVID-19) pandemic has temporarily altered our daily activities. People are rightly practicing social distancing to limit community spread, in line with the President’s Coronavirus Guidelines for America. Many houses of worship have also suspended or significantly reduced services to avoid mass gatherings. Although many people undoubtedly continue to practice their faith, including through remote services and prayer, most are inevitably eager to return to normalcy and join their fellow congregants in practicing their faiths. The American people are resilient, and we will achieve this goal soon.”

    The above is an excerpt from a letter written by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Assistant Director of Infrastructure Security, Mr. Brian Harrell.

    In addition to the letter, CISA wanted to make sure FB-ISAO members are familiar with a valuable resource page, CISA’s Hometown Security, which can be found here: https://www.cisa.gov/hometown-security. From the webpage: “These tools and resources are offered free to communities because the Department recognizes that communities are the first line of defense in keeping the public safe and secure.” Brian Harrell continues: “As I mentioned in my February 2019 letter to the Faith-Based Community, the Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security (DHS) is committed to supporting your efforts to maintain safe and secure houses of worship and related facilities while sustaining an open and welcoming environment. In partnership with entities such as the DHS Center for Faith and Opportunity Initiatives and the Faith-Based Information Sharing and Analysis Organization, we provide resources that assist in securing physical and cyber infrastructure.”


    “Thank you again for everything you do to champion the American people’s Constitutional First Amendment rights, as well as your leadership in keeping our houses of worship safe and secure. You have a committed partner in DHS who is steadfast in ensuring you have the resources to enhance your security programs.”  – Assistant Director Harrell

    Through relationships with leaders and organizations, such as Assistant Director Harrell and CISA, with the Federal Bureau of Investigation, state and local fusion centers, and other public sector partners, we will continue to grow our private-public collaboration, and the continued awareness, preparedness, security, and resilience of the American community of faith. Please read the entirety of Assistant Director Harrell’s letter, above, and thank you for your commitment to building a stronger, more prepared nation.

  • FB-ISAO Raises Physical Threat Level to “CRITICAL,” Maintains Cyber Threat Level at “ELEVATED”


    The COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways. FB-ISAO’s Threat and Incident Response Group (TIG) has continued to assess the ongoing threats and risks to our community and has made the following updates:

    The TIG has determined to increase the Physical Threat Level from “SEVERE,” to “CRITICAL,” – our highest level of threat – as of 31 March 2020. The TIG will continue to assess the Physical Threat Level and provide updates accordingly. At present, this increase is valid through sunset on 30 April 2020, but that will be periodically re-evaluated.

    The TIG has determined to maintain the Cyber Threat Level at “ELEVATED,” as it has been since 20 March 2020. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. At present, this increase is valid through sunset on 30 April 2020, but that will be periodically re-evaluated.

    Regarding the cyber threat level, we do not assess a significant change from the 21 Mar assessment. We do consider a higher level of risk as organizations move to online processes – from routine assemblies to special events, and for online giving.

    • The ploys are the same, but the deluge is unprecedented – With work, learning, and worship from home being the status quo for a while, tactics leveraging coronavirus themes will likely continue to increase at an exponential rate before they plateau, as individuals who are not used to a near-exclusive level of online interactions are bombarded with cyber attacks such as phishing, smishing (SMS phishing), disinformation, and counterfeit websites.
    • Think critically – Cyber attackers will continue their attacks to seek financial gain or sow seeds of rumors and disinformation to create chaos and confusion for their amusement.
    • Trust but verify – FB-ISAO members are encouraged to treat every coronavirus-themed communication or situational report with suspicion.

    Regarding the physical threat level, the escalating threat of coronavirus in the United States and many countries around the world is on an upward trajectory and it is expected that the number of cases will increase in the coming weeks. Based on the health threat alone, we urge members to follow national guidance and state and local direction and, as directed, to limit the size of gatherings or to forgo physical assemblies, in accordance with that guidance. FB-ISAO strongly discourages defying state and local guidance and directives.

    Beyond the pandemic threat on its own:

    • With the upcoming major holidays of Passover and Easter;
    • Continued extremist interest in conducting various attacks and hostile actions against people and places of faith (to include specific anti-Semitic rhetoric relating to exploiting COVID-19; see previous FB-ISAO reporting);
    • As well as the anniversary of complex coordinated terrorist attacks in Sri Lanka last Easter, and other incidents that may serve to inspire extremists;

    We assess the month of April to be a CRITICAL threat period.

    Recent and upcoming reports and public posts speak to ideas elaborating on these various threats and on mitigation, including the public posts listed above, and recent weekly reports on maintaining preparedness for non-health threats during this pandemic and on upcoming threats. Please contact our team with any questions, needs for information, assistance or any other concerns.

    • We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
    • Join the #covid-19 channel in FB-ISAO Slack to see more updates, details and conversation on this threat, and share your questions, ideas and actions for others.

    This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.

  • FB-ISAO Raises Cyber Threat Level to “ELEVATED”


    FB-ISAO’s Cyber Threat Intelligence Group (CTIG) is closely monitoring COVID-19 and accompanying coronavirus-themed cyber threats and scams. Based on the current situation, the CTIG has decided to increase the Cyber Threat Level from “GUARDED,” to “ELEVATED,” as of 20 March 2020. The CTIG will continue to assess the Cyber Threat Level and provide updates accordingly. At present, this increase is valid through sunset on 31 March 2020, but will be re-evaluated periodically. Please refer to this post for an explainer on the FB-ISAO Threat Levels.


    Cyber Threat Level. It is out of an abundance of caution that FB-ISAO has assessed the general Cyber Threat Level for U.S. Faith-Based Organizations as “ELEVATED.” As per FB-ISAO’s definitions of the Threat Levels, “ELEVATED” means FB-ISAO is not aware of any specific or targeted cyber threats, but there is a concern that the general risk of cyber threat activity is higher than normal.

    We are all targets of opportunity, and malicious cyber actors are expectedly using this opportunity to prey on our curiosity, concern, anxiety, and fear during this tumultuous time. The increase of threats from coronavirus-based cyber attacks and scams was expected and is akin to spikes in seasonal scams, such as those waged during holiday and tax filing seasons, etc. But seasonal scams have a predictable and somewhat finite (albeit annually repeated) lifecycle. With many organizations, employees, and citizens in a state of flux and uncertainty, cyber threat actors have significantly stepped up their campaigns in hopes of capitalizing on the numerous distractions and our eagerness for greater situational awareness during this time. With nearly everyone working and learning from home for the foreseeable future, cyber attackers are leveraging these added distractions in their social engineering tactics. In other words, while the physical responses and manifestations are of the utmost importance during this pandemic, we live in a digital world, and that is how most people seek and obtain their information. Malicious cyber actors are no respecters of crises and do not hesitate to use whatever means necessary to attack us; they follow the online news cycle and understand the online messaging organizations are disseminating. They continue to use likenesses we trust with subjects we expect to entice us to open their phishing emails, click on their fake websites, or spread their disinformation campaigns – all pretending to be trusted and authoritative sources.

    Under normal circumstances, the use of coronavirus-themed cyber attack campaigns is actually more aligned with our lowest level of threat, which is “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exists. However, while this is the case, given the ongoing pandemic, widespread teleworking, abundance of news and updates from endless sources, and commensurate abounding distractions in businesses and homes across the United States, we assess that “ELEVATED” is a reasonable level at this time.

    “What does this mean to me?” Given the very diverse nature of the populations at faith-based organizations – from places of worship to charities, schools, and others, we are encouraging FBOs to assess the evolving cyber threats to their places and people and consider appropriate actions to mitigate risk. Among those considerations and possible actions:

    • Constantly assess the threat, operations, and mitigation activities.
      • We encourage members to review the FB-ISAO Daily Journal for general and cyber threat awareness, updates and ideas on what other organizations are doing.
      • Join the #covid-19 channel and #cybersecurity channel in FB-ISAO Slack to see more updates, details and conversation on this threat, and share your questions, ideas, and actions for others.
      • As employees are telecommuting (hopefully from home), enable them to do so securely. StaySafeOnline has a COVID-19 Security Resource Library with a compilation of numerous trusted and verified resources to enable safe telecommuting.
      • Provide threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider finding appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help members develop education and cybersecurity awareness materials to disseminate to staff.

    • Stop the spread (of malware).
      • Implement enhanced cyber hygiene procedures and increase cybersecurity awareness.
      • While it is understandable that we are all watching the physical trends and doing our part to stop the spread of the virus, it is important to remind staff they also play a vital role in stopping the spread of the coronavirus-themed malware that may evade your organization’s blocking technologies.
      • With countless organizations providing daily COVID-19 status updates and situational reports, it is crucial that we trust but verify before opening any emails or visiting websites that appear to be from legitimate or authoritative sources.
      • Rule of thumb: If you did not subscribe to it, delete it. Authoritative sources such as WHO and CDC will NEVER randomly send emails to anyone who did not actively subscribe to receive their updates.

    This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.