Tag: faith-based

  • A Cyber Christmas Carol

    by Jennifer Walker

    This post was originally informed by a TLP:GREEN FB-ISAO Monthly Threat Brief distributed on 19 December 2019.


    What could we possibly learn about cybersecurity from the Charles Dickens classic: A Christmas Carol, you ask? Well, pardon our parallels and allow us some latitude as we explore this holiday classic with a cyber theme. In A Christmas Carol, Ebenezer Scrooge (the community of faith) is visited by the ghost of his longtime partner and friend, Jacob Marley (FB-ISAO) warning Scrooge that he’s doomed if he doesn’t change his ways. Jacob then foretells Scrooge that he will be visited by three spirits who will show Scrooge visions of his past, present, and a very unpleasant future should the trajectory of his life remain unchanged. Like the Christmas spirits, the cybersecurity community takes a similar approach at the end of each year by reviewing past events and incidents, looking at the present, and applying lessons learned to increase future cyber readiness. With that in mind, FB-ISAO presents some of these cyber events to help inform the community of faith toward a positive future trajectory of cyber resilience.

    • The Ghost of Cyber Past. This spirit takes us on a journey of the most notable cyber events of the past decade. An enlightening summary about some of the most influential events that shape cyber-present and yet-to-come. Not all of the biggest incidents are represented, but each event depicts a new trend or watershed moment in cybersecurity. Like Scrooge, if given the opportunity of hindsight in light of past cyber events, what changes will you make for a more promising future? But at the very least, the events beg the question, “Do you member when?”
      • Stuxnet (2010). An advanced computer worm designed to sabotage Iranian nuclear centrifuges. I know, this incident wasn’t relevant to most, and certainly less for FBOs. But a vivid depiction of Stuxnet proved to the public consciousness that cyberattacks weren’t just the work of hoodie-clad teenagers holed up in their parents’ basement. Stuxnet was serious, and forever changed how businesses approached cybersecurity. Was news of Stuxnet the first time you perceived cyber threats might actually be real, even if you thought, “it won’t happen to me”?
      • Target Breach (2013). The massive point-of-sale (PoS) compromise that enabled the siphoning of credit and debit card, and personal data of over 40 million guests. Target’s transparency began the long, storied future of major retail data breach disclosures and brought the issue closer to home for the general public. In weeks to come, details of the breach would be a poignant example of how malicious actors attack less cyber secure SMBs to gain access to the big target (pun intended). This incident remains a bit of a poster child as far as cybercrime data breaches go. When was the last time you shopped at Target?
      • Anthem, Inc. & Office of Personnel Management Breaches (2015). Two more widespread data breaches. Personal health records (Anthem) and security clearance, personal, and fingerprint data (OPM) were stolen by Chinese state-sponsored cyber espionage threat actors. Over 100 million combined records were pilfered in what is believed to be an attempt by the Chinese government to amass intelligence on U.S. citizens. These thefts validated the value of Personal Health Information (PHI) and removed all question that our sensitive personal data is in the hands of our adversaries. Is there any expectation of privacy or confidentiality anymore?
      • Mirai (2016). Malware designed to infect unsecured connected consumer devices (internet-of-things) and enslave them as part of a massive botnet to wage further cyberattacks. Mirai was the first botnet of its kind and was used to launch some of the largest DDoS attacks to date. Mirai (and its ilk) exploit the convenience and plug-n-play nature of IoT, including industrial control devices running our nation’s critical infrastructure. Do you remember that day the internet died?
      • (Ransomware) WannaCry and NotPetya (2017). Global ransomware epidemics that leveraged previously leaked source code from an exploit (EternalBlue) stolen from the NSA. These weren’t the first ransomware strains we’d seen in the cyber community, but like what Stuxnet did for advanced cyber threats, and Target did for data breaches, WannaCry brought ransomware into the public consciousness. The sad part about these outbreaks – they could’ve been prevented. But as is the case all too often, previously released security patches weren’t applied in a timely fashion. WannaCry (May) was a rude awakening, but NotPetya (June) still caught many with their cyber pants down. Hmmm, I feel like I’ve been here before – DejaBlue (and BlueKeep)…
      • Equifax Breach (2017). Ouch! I don’t think much needs to be said here. First we had Target losing credit, debit, and personal data. Then personal health records and sensitive security clearance details stolen from Anthem and OPM. Now, the entire credit histories of over 145.5 million American, British, and Canadian citizens are siphoned. This is beginning to look a lot like a complete identity picture floating around. How? Failure to apply patches for known vulnerabilities. Is it Patch Tuesday yet?
      • Magecart (2018). E-commerce website online payment skimming malware. As if ATM skimming and PoS malware weren’t enough, Magecart pretty much represents both. Simply staying away from shady online stores may not keep your credit card data safe – Magecart actors infect well-known, high-profile, reputable, SSL protected websites, reminding us there are no safe websites, only less risky ones. Is your online holiday shopping done yet?
      • More Ransomware (2019). “Big game hunting” ransomware campaigns that have been particularly targeting municipalities, schools, and managed service providers (MSPs). Most notably, twenty-two government entities in Texas were infected with ransomware in August after the compromise of a single MSP they all had in common. This onslaught of attacks primarily highlights two things: the importance of encrypted, validated, off-site backups, and the necessity of third-party risk management programs. Have you tested your backups recently?
    • The Ghost of Cyber Present. This spirit gives Scrooge a unique glimpse into his life as others see him and how past choices led him here. Like Scrooge, we can learn a lot from assessing past events and how they inform present circumstances. FB-ISAO reviewed some of the most concerning threats faced in 2019 and how they’ve unfolded in the current threat environment in light of past decisions – many incidents were even a combination of the two, and more often than not were precipitated by the ever-popular phishing-based email account spoofing tactic.
      • Ransomware. The threat responsible for one of the biggest cyber events of the decade (More Ransomware) was undoubtedly one of 2019’s most widespread threats. Like Scrooge, it seems the majority of businesses and enterprises alike have failed to heed spirits’ warnings on the importance of backups as the best mitigation against a crippling ransomware attack. Furthermore, to add insult to injury, ransomware gangs are now outing victim businesses who do not pay up by threatening to publicly release data that has been stolen (not just encrypted).
      • Supply Chain. As if past events were not enough to convince you of the importance of supply chain security and third-party risk management, there were countless incidents in 2019 that highlighted this unabating problem. Yet many organizations still fail to properly vet these relationships and end up paying the price when they are compromised through a vendor. Supply chain risks are a concern for all types and sizes of organizations. With the latest ransomware attacks targeting MSPs, it’s particularly important for organizations to remember that while you may outsource your IT (and/or cybersecurity) services, you can’t outsource your risk.
    • The Ghost of Cyber Yet-to-Come. Short of the ability to time travel, Scrooge gets an opportunity that none of us will ever have – a glimpse of things yet-to-come if he continues down the same path. For the rest of us, if we learn from others’ successes and failures, the past may not come back to haunt us. That said, with prognostications in hand, and a view of the past and present, FB-ISAO offers its top cyber concern for 2020 to help you take a step forward to invest wisely into your cybersecurity posture for the coming year(s). That doesn’t mean treat other threats with less importance, but if you haven’t addressed this threat by now, please do so before it’s too late.
      • Even More Ransomware. In 2018 it looked like ransomware was going to take a backseat in 2019 to other threats, like cryptojacking and cloud-based threats. But it didn’t take long to resurge and catch many organizations unprepared. Will Tiny Tim die, laments Scrooge. If the shadows of ransomware remain unaltered by the future, many more organizations will fall victim and further legitimize the ransomware economy. The cybersecurity community expects more targeted ransomware attacks, and actors will increasingly leverage common techniques of phishing and computer vulnerabilities, such as exploiting the Remote Desktop Protocol (RDP).

    Jennifer Lyn Walker is a cybersecurity professional with over nineteen years’ experience supporting critical infrastructure and SLTT governments. As Director, Cybersecurity Services for FB-ISAO and Gate 15, she advises and consults on cyber threats related to homeland security for critical infrastructure and vital lifeline sectors, including WaterISAC. She is experienced in malware analysis, threat assessments, cyber threat intelligence, compliance, and cybersecurity awareness.


    Join FB-ISAO! We welcome faith-based organizations, charities and critical partners to join FB-ISAO. Access our TLP AMBER and TLP GREEN reports, join our collaborative forums, working groups, participate in leadership opportunities and take the next step in enhancing your organization’s preparedness, security and resilience!

  • Hostile Events Attack Cycle – Intense Surveillance

    by David Pounder and Brett Zupan

    This post was originally informed by a TLP AMBER FB-ISAO Weekly Physical Security Report distributed on 01 August 2019.


    Special note: In light of the on-going hostile events and mass violence attacks, a Pittsburgh, PA parish cancelled a scheduled festival in response to a suspicious note.

    On 13 August, a parish in Pittsburgh, PA painstakingly chose to cancel a scheduled festival that would have taken place 14-17 August. While no direct threat was made, the parish decided to cancel the festival out of an abundance of caution in response to a suspicious handwritten note received by the Diocese of Pittsburgh; the note said, “Cancel August 14-17 Festival Security Problem is Huge.”

    FB-ISAO stresses the importance of considering all suspicious activity and treating threats seriously as leaders and organizations make threat-informed, risk-based decisions for their communities, as exemplified by the parish.


    In our previous post in the Hostile Events Attack Cycle (HEAC) series, we reviewed the target selection phase of the HEAC. We highlighted three recent incidents (recapped below) to illustrate the process attackers go through when determining potential targets to wage attacks. Since that post was written, a recent arrest was made of a Las Vegas suspect with ties to a hate group accused of plotting to bomb synagogues and an LGBTQ bar.

    • On 28 July, three people were killed when a shooter opened fire at the Gilroy Garlic Festival in Gilroy, California – the attacker’s reported target set was religious and political groups.
    • On 3 August, a 21-year old killed 20 people and injured 26 more at a Walmart in El Paso, Texas – the attacker indicated his desire to “kill as many Mexicans as he could.”
    • In the early morning of 4 August, a 24-year old attacker killed nine people and another 26 were injured at the popular Oregon District in Dayton, Ohio – target set is inconclusive, but FBI reports the attacker had a history of violent obsessions and had mused about committing mass murder.
    • On 8 August, a 23-year old suspect was arrested in Las Vegas in connection with plans to surveil a Las Vegas bar he believed catered to LGBTQ clientele. An FBI-led task force found a notebook with “hand-drawn schematics” for a possible attack in the Las Vegas area. The suspect is identified as a registered security guard in Nevada. According to authorities, the suspect allegedly attempted to recruit a homeless person to conduct “pre-attack surveillance” on at least one Las Vegas synagogue and “other targets.”

    As a quick review, target selection usually involves some symbolic value to the attacker, or motivation to gain publicity for a cause. The target selection process can occur consciously or subconsciously and is often influenced by a grievance and a sense of injustice, leading the attacker to feel the need to right the wrong. In this post, we explore how attackers build out their plan against their selected target by engaging in more detailed surveillance (intense surveillance) to maximize the chance of attack success.

    Intense Surveillance

    Once a target is selected, the attacker will resolve outstanding questions about the target environment, expand collection efforts through surveillance, and seek to adequately address remaining unknowns in order to ensure their attack is as successful as possible. While initial surveillance will help identify potential weaknesses within a target, the period of intense surveillance will go into much more detail and will involve a lot more “time on target” – time spent getting to know the target in-depth. Reports regarding the El Paso and Dayton attacks indicate the attackers spent time casing the areas before returning to their cars to arm themselves in preparation for the massacres. This intense surveillance allows the attacker to learn as much as possible and validate the initial attack plan. Likewise, it may even identify additional vulnerabilities that could make the target susceptible to a larger attack, or confirm alternate targets if the initial target is seen as too secure to permit an effective attack.

    While all phases of the attack cycle are important, it could be argued that the intense surveillance phase can have the most impact in determining attack success or failure. This phase of the HEAC can take a long time. Depending on the target, some key questions intense surveillance will address include, but are certainly not limited to:

    • What are the layers of security outside and inside the location; are there roving patrols on foot by security personnel or vehicle patrols; how often and how many people are involved?
    • Does the facility have external surveillance platforms?
    • Does the facility have a receptionist or check in area; what is that like?
    • Are there alternate entrances that are not secure?
    • Does the facility have a loading dock or delivery area; what is that security like?
    • How often are deliveries made and on what schedule?
    • What is the security response to suspicious events or materials?

    In the Gilroy attack, it’s likely the attacker knew about the security processes in place at entrances, or at least knew there would be security to frustrate direct entry, but also understood the venue well enough to know that there would be access through the perimeter fence. Either way, research and surveillance conducted by the attacker allowed him to bypass security and exploit a gap. In the El Paso incident, the attacker was not from the area, but likely knew enough about these types of retail locations to inflict as much damage as possible prior to security response. Likewise, given that he surrendered to police, it is likely that he had anticipated how much time he had before police arrived.

    It’s important to note, surveillance of a target does not always have to be done solely at the target site. Attackers can use similar type locations to identify potential vulnerabilities (and increasingly, attackers may conduct more and more of their targeting virtually). Recognizing similar venues will follow comparable protocols in their security plans, attackers can benefit from performing surveillance at other, like locations.

    Know the Threat

    As stated last time, all facilities, including places of worship, faith-based offices, other non-profits, and charities are potential targets for hostile attacks. The importance of maintaining awareness of the threat environment, potential threats to your organization(s), and an attack’s desired outcome is imperative – KNOW THE THREAT. FB-ISAO and its partners are dedicated to collecting and analyzing threat information to develop usable threat and risk intelligence to be disseminated/reported to the community of faith and to help organizations keep abreast of the current threat environment. Furthermore, through our ongoing work, resources, and Hostile Events Preparedness Series (HEPS) webinars, FB-ISAO aims to keep our members equipped to successfully prepare for and respond to any threat that should come against them.


    David Pounder is Gate 15’s Director of Threat and Risk Analysis. He advises on both physical and cyber security issues.  Dave spent over 20 years in the Army as an Intelligence and Security Officer, specializing in counter-terrorism, force protection, and counterintelligence efforts as well as serving in the private sector for leading financial institutions responsible for information security and mobile applications. Dave twice served in senior command positions responsible for both counterintelligence operations and investigations.  He has briefed Senior Army Leadership on intelligence and security issues and operations to include General David Petraeus and General Martin Dempsey. David was a regular guest instructor at the Department of Defense Joint Counterintelligence Training Academy in Quantico, VA.  Dave graduated from George Mason University and from the US Army’s Command and General Staff College and has served internationally to include tours in Iraq, Cuba and Qatar.

    Brett Zupan is a Risk Analyst at Gate 15 with experience in all-hazards analysis, exercise development, and information sharing. He has supported analysis, preparedness and operations for a number of critical infrastructure communities, including support to Water and Wastewater Systems Sector, the Commercial Facilities Sector, and with Higher Education in support of REN-ISAC, among other projects. Before joining the company in 2016, he worked at the Georgia State Senate. Brett received his Masters of International Relations from American University.



  • FB-ISAO Newsletter, v1, issue 3

    TLP White | FB-ISAO Newsletter was distributed on 09 August, 2019 and may be accessed below.

  • Say No to Ransomware – Have a Plan!

    by David Pounder and Brett Zupan

    This post was originally informed by a TLP: AMBER FB-ISAO Weekly Cybersecurity Report distributed on 10 July 2019.


    Over the past several weeks, ransomware has been a widespread topic. However, on 02 July there was a bit of good news for a change. St John Ambulance, a “not-for-profit provider of specialist patient transport services across England” advised customers they were “subjected to a ransomware attack.” Fortunately, having a plan in place allowed St John Ambulance to resolve the issue within 30 minutes without paying any ransom demands. While the company was “temporarily blocked from accessing the system affected and the data customers gave [them] when booking a training course was locked” there did not appear to be any information shared or exposed. Even though the UK-based company did not have to report the incident, they still performed due diligence by advising the Information Commissioner’s Office (ICO) and the Charity Commission, as well as the police in accordance with their established procedures. These notifications and the speed with which they were delivered are another indicator of strong preparedness processes in place.

    This recent report is another encouragement for non-profit organizations, especially on the heels of news about Father Bill’s and MainSpring, a Massachusetts-based non-profit homeless shelter, successfully blocking a ransomware attempt. These incidents demonstrate how, with advance planning and preparedness, organizations can recover from ransomware without having to pay costly fees to malicious actors or suffer further financial impacts. However, it is still important to note that an incident did occur; the attack was successful in that it locked out an aspect of the organization’s business and delivered the ransom demands. The difference is, as security researcher Graham Cluley noted, St John was “able to put in place emergency recovery plans to restore from unaffected backup systems. That’s in marked contrast to ransomware attacks that have hit American cities in recent weeks – which have resulted in extortionists being paid over a million dollars.” St John Ambulance’s recovery and response plan worked. But a plan on paper needs to be validated through exercises and testing in order to ensure gaps and vulnerabilities in the plan are addressed prior to implementation. In contrast, the city of Baltimore, which is still battling the effects of their ransomware attack, also opted not to pay the demands but ran into recovery challenges with an untested plan, and the financial impact has already exceeded $18 million.

    There is a lot of no-cost government and third-party guidance to help inform faith-based organizations, charities, and other non-profits what to put into a ransomware recovery plan. In general, adhering to good cyber discipline goes a long way to reducing or mitigating threats posed by ransomware. Some other key principles include FBI recommendations:

    • “Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it is working.” This is extremely important to ensure that not only are the backups conducted, but that there are no bumps in the road when you attempt to restore them.
    • “Conduct an annual penetration test and vulnerability assessment.”
    • “Secure your backups. Ensure backups are not connected permanently to the computers and networks they are backing up. Examples are securing backups in the cloud or physically storing backups offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization.” With regards to backing up data – one suggestion would be to use the “3-2-1 backup process” – 3 backups, 2 different mediums, 1 offsite.
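The "verify the integrity of those backups and test the restoration process" recommendation, and the 3-2-1 rule, as an added example in Python (not part of the original post or of FBI guidance). The archive format (tar.gz), the SHA-256 manifest, the function names and the sample files are all assumptions made for illustration.

```python
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (by relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write a tar.gz of source and return the manifest recorded at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and compare the result to the manifest."""
    rejected = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch).resolve()
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar:
                target = (dest / member.name).resolve()
                # Restore only regular files that stay inside the scratch directory.
                if not member.isfile() or dest not in target.parents:
                    if not member.isdir():
                        rejected.append(member.name)
                    continue
                target.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(member) as src, target.open("wb") as out:
                    shutil.copyfileobj(src, out)
        restored = build_manifest(dest)
    report = {
        "missing": sorted(set(manifest) - set(restored)),
        "unexpected": sorted(set(restored) - set(manifest)),
        "corrupted": sorted(k for k in set(manifest) & set(restored)
                            if manifest[k] != restored[k]),
        "rejected": rejected,
    }
    report["ok"] = not any(report.values())
    return report


def check_3_2_1(copies: list) -> list:
    """Return the 3-2-1 gaps in a backup inventory (empty list means compliant)."""
    gaps = []
    if len(copies) < 3:
        gaps.append("fewer than 3 backups")
    if len({c["medium"] for c in copies}) < 2:
        gaps.append("fewer than 2 different mediums")
    if not any(c["offsite"] for c in copies):
        gaps.append("no offsite copy")
    return gaps


def demo() -> dict:
    """Run a restore test on a good backup and on one taken after data was damaged."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "data"
        (source / "finance").mkdir(parents=True)
        # Constructed sample files standing in for an organization's records.
        (source / "members.csv").write_text("id,name\n1,Example Person\n")
        (source / "finance" / "donations.csv").write_text("date,amount\n2019-07-01,25.00\n")
        good = Path(work) / "good.tar.gz"
        manifest = create_backup(source, good)
        # Later backup: one file silently altered, one lost before the job ran.
        (source / "members.csv").write_text("garbage")
        (source / "finance" / "donations.csv").unlink()
        bad = Path(work) / "bad.tar.gz"
        create_backup(source, bad)
        return {"good": restore_and_verify(good, manifest),
                "bad": restore_and_verify(bad, manifest)}


if __name__ == "__main__":
    print(demo())
    print(check_3_2_1([{"medium": "disk", "offsite": False}]))
```

Keep the manifest somewhere the backed-up systems cannot modify, so that a restore test compares against a record ransomware could not have rewritten.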

    If impacted by ransomware, the ultimate question is: do we pay the ransom? In FBI guidance, the U.S. Government “does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup. Ransomware victims may also wish to consider the following factors:

    • “Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.
    • “Some victims who paid the demand were targeted again by cyber actors.
    • “After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.
    • “Paying could inadvertently encourage this criminal business model.”

    Ultimately, in the event of a ransomware attack, all organizations need to have a list of pre-determined responses. This list should be established by leaders before, not during, an attack.

    • Understand the situation. What is the extent of the infection? What data is being ransomed? What decision points determine whether to pay or not to pay?
    • Implement your security incident response and business continuity plan. Ideally, organizations will ensure they have appropriate backups, so their response to an attack will simply be to restore the data from a known clean backup. Having a data backup can eliminate the need to pay a ransom to recover data.
    • Immediately secure backup data or systems by taking them offline. Ensure backups are free of malware.
    • Contact law enforcement immediately. Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.
    • If available, collect and secure partial portions of the ransomed data that might exist.
    • If possible, change all online account passwords and network passwords after removing the system from the network. Furthermore, change all system passwords once the malware is removed from the system.
    • Delete Registry values and files to stop the program from loading.


  • Houses of Worship, Faith-Based Organizations, Charities, and Other Non-Profits: Yes, This CAN Happen to You.

    by Jennifer Lyn Walker and Omar Tisza

    This post was originally informed by a TLP: GREEN FB-ISAO Monthly Threat Overview distributed on 27 June 2019.


    It’s easy to adopt the “this won’t happen to me” mentality when it comes to fighting cyber threats in the faith-based community, charities, and other non-profits. The reality is that cyber threats are everywhere, and manifest themselves in different ways, such as Business Email Compromise (BEC), clergy impersonation scams, phishing, and ransomware.

    Certainly, the aforementioned attack techniques have been particularly prevalent within the faith-based community. However, there is another cyberattack tactic that is relevant to faith-based organizations and should not be overlooked: domain hijacking.

    What is Domain Hijacking?

    Domain hijacking occurs when malicious actors fraudulently change the registration information for a website domain with the domain registrar, such as GoDaddy, Bluehost, Network Solutions, etc. The changes are typically made possible due to a compromise of the domain registrar account credentials through a successful phishing attack, or through a deceptive password reset request.

    Domain hijacking is often the precursor to a website compromise; however, it has also been used to precipitate extortion attempts. Once a domain has been hijacked, miscreants are able to manipulate website content and/or redirect website traffic to another site under the attacker’s control. Content is often changed, or traffic is redirected, to display things that could damage the reputation of a faith-based organization, such as ideological statements contrary to an organization’s beliefs, or unsavory images. Likewise, malicious actors often set up phishing pages that mimic well-known and trusted sites, or install malware for other nefarious intent, such as spamming or credential harvesting. Furthermore, less sophisticated actors who do not have the skills to change content or redirect website traffic resort to the perception they are holding the domain hostage in exchange for ransom.

    Unexpected and Disruptive

    While domain hijacking seems like something only governments and major enterprises need to worry about, a church in Spring Township, PA recently learned otherwise. Church officials at West Lawn United Methodist Church (UMC) in Spring Township, PA said they never expected someone would target their church. But according to Jeff Raffauf, the church’s pastor, “hackers worked their way into the GoDaddy website server in March, changing all security information and transferring domains for the church’s two sites.” Fortunately, the attackers did not have a chance to do any damage, as administrative pastor, Carolanne Schneiderhan swiftly contacted the FBI to launch an investigation and immediately filed a transfer request with GoDaddy to regain control of the website domain. While the malicious actors did not take control or shut down the website, or worse (for an FBO), redirect website visitors to something unsavory, not all was well. Despite the pastor’s diligence, “it took months before they got the domains back, and the sites still aren’t working right,” according to Raffauf. Even though West Lawn UMC is still recovering, the consequences of this attack could have been more severe if the incident had not been quickly identified and reported to the authorities and GoDaddy.

    If your house of worship is anything like West Lawn UMC, you regularly tell congregants to check your website for information, to sign up for events or programs, or make donations. For many organizations, websites are central points for sharing information and providing visibility to their communities. Not only would it be inconvenient and embarrassing if your site was unreachable, redirected to a website of ill repute or nefarious intent, or plastered with propaganda contrary to your FBO’s beliefs, but the hours and money spent to set up a new website, email, and branding would subtract from the daily and vital operations within your organization.

    While West Lawn UMC was able to stifle the attack, Faithful Friends, a nonprofit that fundraises for the church, was not so fortunate. According to the report, cyber attackers took control of Faithful Friends’ domain and asked for a $5000 ransom. These incidents further underscore the need for developing a cybersecurity strategy in houses of worship, faith-based organizations, charities, and other non-profits, and the infrastructures that support them. The benefits of establishing effective and proactive cybersecurity measures far outweigh the consequences of having to remediate the damages of a cyberattack against your organization and the community it serves.

    Avoid Domain Hijacking

    The best way to avoid becoming a victim of domain hijacking is to avail yourself of the domain security resources offered by your domain registrar. Most registrars offer domain monitoring and domain registry locking services. In addition, establish multifactor authentication on your domain administration account and set up notifications for any changes made to your domain.

    Despite the challenges that befell West Lawn UMC, the pastors embody the mission of information sharing and increased resilience and have taken the time to share details about the attack in hopes others will heed their warning to be alert. “Make sure your information is current. Go in and change the password. Set up a two-step verify,” Schneiderhan said, “…very, very important. I learned the hard way.”
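
    One way to act on the monitoring and locking advice above, as an added example that is not from the original post: a Python check that reads a domain's RDAP registration record, confirms the transfer and update locks are set, and compares the registrar and name servers against a saved baseline. The domain, registrar names, records and baseline are constructed placeholders; in practice the record would come from the registry's or registrar's RDAP service.

```python
"""Audit an RDAP domain record for missing locks and unexpected changes."""
from datetime import datetime

# RDAP status values (RFC 8056) that block an unauthorised transfer or update.
REGISTRAR_LOCKS = {"client transfer prohibited", "client update prohibited"}
REGISTRY_LOCKS = {"server transfer prohibited", "server update prohibited"}


def registrar_name(record):
    """Return the 'fn' of the entity holding the registrar role, or None."""
    for entity in record.get("entities", []):
        if "registrar" in entity.get("roles", []):
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None


def nameservers(record):
    """Return the delegated name servers, normalised to lower case."""
    return {ns["ldhName"].lower().rstrip(".") for ns in record.get("nameservers", [])}


def parse_time(value):
    """Parse an RFC 3339 timestamp as used in RDAP events."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(record, baseline):
    """Return a list of (code, detail) findings; an empty list means no drift."""
    findings = []
    status = {s.lower() for s in record.get("status", [])}
    missing = REGISTRAR_LOCKS - status
    if missing:
        findings.append(("NO_REGISTRAR_LOCK", sorted(missing)))
    if not REGISTRY_LOCKS & status:
        findings.append(("NO_REGISTRY_LOCK", sorted(REGISTRY_LOCKS)))
    if registrar_name(record) != baseline["registrar"]:
        findings.append(("REGISTRAR_CHANGED", registrar_name(record)))
    current = nameservers(record)
    if current != {n.lower() for n in baseline["nameservers"]}:
        findings.append(("NAMESERVERS_CHANGED", sorted(current)))
    reviewed = parse_time(baseline["reviewed"])
    for event in record.get("events", []):
        recent = parse_time(event["eventDate"]) > reviewed
        if recent and event["eventAction"] in ("transfer", "last changed"):
            findings.append(("CHANGED_SINCE_REVIEW", event["eventAction"]))
    return findings


def _registrar(name):
    """Build a minimal RDAP registrar entity (constructed sample data)."""
    return {"roles": ["registrar"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", name]]]}


# Constructed baseline: what the organisation recorded at its last review.
BASELINE = {"registrar": "Example Registrar, LLC",
            "nameservers": ["ns1.dns-host.example", "ns2.dns-host.example"],
            "reviewed": "2019-01-15T00:00:00Z"}

# Constructed record: locks in place, nothing changed since the review.
HEALTHY = {
    "ldhName": "church.example",
    "status": ["client transfer prohibited", "client update prohibited",
               "server transfer prohibited"],
    "entities": [_registrar("Example Registrar, LLC")],
    "nameservers": [{"ldhName": "NS1.DNS-HOST.EXAMPLE"},
                    {"ldhName": "ns2.dns-host.example"}],
    "events": [{"eventAction": "registration", "eventDate": "2009-04-02T10:00:00Z"},
               {"eventAction": "last changed", "eventDate": "2018-11-30T08:12:00Z"}],
}

# Constructed record: the same domain after an unauthorised transfer.
SUSPECT = dict(
    HEALTHY,
    status=["active"],
    entities=[_registrar("Other Registrar Ltd")],
    nameservers=[{"ldhName": "ns1.parking.example"}],
    events=[{"eventAction": "registration", "eventDate": "2009-04-02T10:00:00Z"},
            {"eventAction": "transfer", "eventDate": "2019-03-10T03:41:00Z"},
            {"eventAction": "last changed", "eventDate": "2019-03-10T03:41:00Z"}],
)

if __name__ == "__main__":
    for name, rec in (("healthy", HEALTHY), ("suspect", SUSPECT)):
        print(name, audit(rec, BASELINE))
```

    Run on a schedule, any non-empty result is a reason to log in to the registrar account and verify the change.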

    Remember, no matter how large or small your faith-based organization is:

    • You are always a target. In this day and age, cyberattacks are just as certain as death and taxes.
    • Your experiences are always valuable to help the community improve resilience and preparedness. Please share your successes and lessons learned with FB-ISAO for the benefit of the larger Community of Faith.

    Jennifer Lyn Walker is a cybersecurity professional with over nineteen years’ experience supporting critical infrastructure and SLTT governments. As Director, Cybersecurity Services for FB-ISAO and Gate 15, she advises and consults on cyber threats related to homeland security for critical infrastructure and vital lifeline sectors, including WaterISAC. She is experienced in malware analysis, threat assessments, cyber threat intelligence, compliance, and cybersecurity awareness.

    Omar Tisza graduated from American University in 2017 with a bachelor’s in International Relations. After a brief stint in business development on the federal market, he began his role as Jr. Risk Analyst at Gate 15 in 2018 and currently supports the Health Information Sharing and Analysis Center (H-ISAC) and the Healthcare Sector Coordinating Council – Cybersecurity under the leadership of Executive Director Greg Garcia, former Assistant Secretary for Cyber Security and Communications at DHS.


    Join FB-ISAO! We welcome faith-based organizations, charities and critical partners to join FB-ISAO. Access our TLP AMBER and TLP GREEN reports, join our collaborative forums, working groups, participate in leadership opportunities and take the next step in enhancing your organization’s preparedness, security and resilience!

  • June’s FB-ISAO Monthly Threat Overview: Vandalism & Theft

    by Andy Jabbour, Managing Director, FB-ISAO

    This post was originally informed by a TLP GREEN FB-ISAO Monthly Threat Overview, distributed on 27 June 2019.


    Every month, FB-ISAO provides a TLP GREEN report, the FB-ISAO Monthly Threat Overview. The report is developed over a specific reporting period by a team of analysts. The report addresses all-hazards – to include physical, cyber, natural hazards, and health threats. The complete physical security section includes incidents involving hostile events, vandalism, theft, harassment, arrests and other notable events. In our May report, I was struck by the remarkable number of incidents that were included, specifically in the area of hostile events. 

    This month, it was a different portion of the report that notably stood out for me – the significant incidents of vandalism and theft, which are not necessarily unique this period, though some are specific to the month. One of the areas that we observed in June was vandalism aimed at houses of worship recognizing Pride Month (June).

    “All of the faithful they should have some assurance that when they go into churches, that these places are safe” – Monsignor Edward Lohse, Vicar General with the Erie Catholic Diocese, via Erie News Now

    Chicago, Illinois: “LGBTQ Pride flags vandalized in possible hate crime at Wicker Park church.” On 25 June, The Chicago Tribune wrote, “A week before thousands of Chicagoans fill North Side streets to share love, acceptance and pride for the LGBTQ community, a Wicker Park church is moving ahead after being targeted with messages of hate. Early Sunday morning, a pride flag and transgender flag hung outside Wicker Park Lutheran Church in the 1500 block of North Hoyne Avenue were vandalized. A Chicago police spokesperson confirmed police are investigating the incident as a possible hate crime.”

    United Church of Renton, Washington State

    Renton, Washington: “FBI Offers Reward of Up to $5,000 for Information on Renton, Washington Church Display Defacement.” On 28 June, the FBI announced, “On June 19, 2019, at approximately 2:30 a.m., an unknown individual (or individuals) used explosive devices to deface an outdoor display at the United Church of Renton in Renton, Washington. The display featured multi-colored doors, each painted with a different word from the phrase ‘God’s doors are open to all.’ It is believed that the subject(s) also wrote ‘Leviticus 20:13’ on one of the doors. This display was previously vandalized during the evening hours of June 13, 2019, when parts of the display were knocked down. The display was also defaced with explosive devices at approximately 10:00 p.m. on June 16, 2019.”

    Beyond Pride Month acts of vandalism, theft continues to target Houses of Worship. From South Carolina to Virginia, and across other parts of the country, theft continues to challenge our community. 

    Loudoun County, Virginia: “Group tries to rob Virginia Buddhist temple; may have stolen from others.” On 26 June, WTOP reported, “Four people tried to rob a Buddhist temple in Sterling, Virginia, on Tuesday, and that might not have been the only temple they hit… One of the men tried to distract the abbot by asking about Buddhism and about a statue in the temple, while the other man sneaked off and went around to the office building, and the two women stole several keys from the abbot… Loudoun County Sheriff Mike Chapman said his department was working to confirm reports that the same group had robbed Buddhist temples in Maryland and North Carolina.”

    Bethune, South Carolina: “‘We estimate that we have over $38,000 worth of losses.’ Bus among other items stolen from Bethune church.” On 27 June, WLTX19, CBS, wrote, “Sometime Tuesday evening a church in the town of Bethune was broken into and thousands of dollars of valuables were stolen including their church bus. The pastor of the Bethune Baptist church Scott Bernshausen said, ‘I came out and found the bus was stolen… We entered the building and realized that the burglars had broke in and stolen multiple TVs and electronic equipment throughout the church.” Church member Robert Horton had just been at the church around 9 p.m. Tuesday night, ‘the neighbor said maybe this happened between 9 and 10. So you never know when somethings going on or when someone could be watching what you’re doing.’” 

    Last week, this post’s author had the opportunity to visit with a church leadership team to discuss hostile events preparedness. With Board of Trustees members having watched an FB-ISAO presentation on Hostile Events (see this month’s FB-ISAO newsletter for info on the next session), recently attending local law enforcement training, and after talking with police and fire personnel, the church wanted to discuss ways to approach security and to minimize risks. Among the ideas discussed was the importance of basic facility hardening. Not every facility can have robust security measures, but it is important to have something – whether human patrols, security cameras, public address systems, mass notification capabilities, the cloud-based Geoaware®️ platform being offered **at no cost** to FB-ISAO Pro Members by our friends at Vizsafe, or other measures. Hardening and a complete preparedness program don’t happen overnight, but can be approached in manageable steps, respecting time, resources and an assessment of risks (read a great article on preparedness from Homeland Security Today, “Hard Conversations About Soft Targets: DHS Workshop Aims to Save Lives in Mass Shootings” [28 Jun]).

    “I recognize that investments don’t happen overnight… Are we building security, redundancy and resiliency into our budgets, or are we just being reactive to everything? …we will not get any better during a crisis — we will fall back to our training.” Assistant Director Brian Harrell, Assistant Director for Infrastructure Security, DHS Cybersecurity and Infrastructure Security Agency (CISA), in HS Today

    In the case of the South Carolina church noted above, the church stated that, “We do have a security system and currently it’s with the burglars. We had just purchased a security system and we just formed a security team but before we could get the security system in, it actually got stolen by the burglars.” In Virginia, the temple has security cameras installed and operational, and the Sheriff’s Office is reviewing and sharing footage with authorities in the other areas, according to WTOP. Two other recent incidents also demonstrate how cameras, which can help deter some crimes and attacks, at the very least help inform post-incident investigations:

    Erie, Pennsylvania: “Erie Church’s Security Measures Help Police Track Down Attacker.” Erie News Now reported on 01 July, “The victim fought off her attacker, and he left, but not before he was caught on the church’s surveillance cameras. Erie police released a picture of the suspect, along with his physical description on social media. By nightfall, Erie police identified the man as Josue Mendez, 25, and arrested him, ‘The presence of the surveillance cameras at St. Joseph’s was certainly a help in this case,’ said Msgr. Lohse.” And in another Pennsylvania incident, “Police investigating after break-in at Northampton County church” (WFMZ, 01 July).

    And in addition to cameras, the importance of threat reporting and information sharing cannot be overstated. Beyond vandalism and crime, our community must always be ready for the possibility of hostile attackers. From WHTC in Michigan, 01 July: “Police were called at about 10 a.m. with the report of a suspicious incident at a church, which Mulder did not identify. The dispatcher was told by the church’s security official that a man made a comment about having a shotgun in his vehicle, and was headed to another church…”

    Threats exist – right now, today. We need to take reasonable actions – today. Is your organization properly, reasonably, and responsibly addressing the risks you are facing? Are you actively working on preparedness and operations to protect and prepare your people and places? FB-ISAO will be providing our next offering of the Hostile Events Preparedness Series educational presentation on 25 July. It is free, and only costs you an hour and a half of your time. Contact our team for more information on that event. 

    The complete FB-ISAO Monthly Threat Overview goes into additional incidents, other threat vectors and provides resources for members. As a TLP GREEN report, it is available to all Standard and Professional members, as well as our Government and Law Enforcement members (read more on membership here).

    Vandalism and Theft Incidents, for period from 23 May-25 June 2019.

    • In early June in London, Ontario, vandals scrawled an offensive message on the sidewalk outside of a mosque. Pictures of the graffiti were taken immediately, and police were called.
    • In early June in Germany, three mosques suffered assaults over a two day period. At one mosque, a right-wing group desecrated the mosque walls with graffiti that said, “get out.” In Hessen, vandals threw rocks at a mosque. Finally, at a mosque in Bremen, a copy of the Quran was set on fire. Police said they were investigating the attacks and expected to arrest the perpetrators soon.
    • On 8 June, the results of a British survey revealed that criminal gangs are increasingly turning to metal theft, including from church roofs. The survey found there were on average 37 reports of lead theft from churches in Britain each month. Security experts have warned that the thieves will often get violent if confronted.
    • On 6 June in Bergen County, New Jersey, a swastika was found etched into a classroom wall at a high school. It was the second such incident in the span of two weeks. On 28 May, a swastika was discovered on the wall of a bathroom shared between the high school and middle school. Local police are investigating, but they don’t have much evidence to go on, law enforcement said.
    • On 6 June in Tulsa, Oklahoma, a man was arrested after he was caught on video smashing a church’s windows. The church sustained $1,000 worth of damage as a result. Police say the man told them he had no reason for the vandalism, other than that he was drunk.
    • On 6 June in South Derbyshire, England, thieves broke into a church and stole money from charity collection boxes. Police appealed for witnesses to come forward.
    • On 2 June in Cardiff, Wales, two men were arrested after they broke into an Islamic community center. No one was hurt as a result of the break-in.
    • On 30 May in Florence, South Carolina, a pastor pleaded guilty to bank fraud and identity theft, having used his job as a bank manager to get loans and lines of credit for elderly customers and launder the money through his church. He used the money obtained through two customers to pay for rental cars, a home security system, and hotels in Myrtle Beach. He also closed a $50,000 certificate of deposit belonging to one of the elderly victims and made payments on his delinquent mortgage. The pastor tried to hide his financial doings by depositing some of the bank money in the church’s operating account and withdrawing it for his own use. He opened an account in the church’s name at a bank and disguised a $28,500 loan withdrawal as a donation from the elderly victim. The pastor faces up to 30 years in prison and a $1 million fine for bank fraud and a mandatory two-year term for aggravated identity theft.
    • On 29 May in Anaheim, California, a man broke into a church and stole electronics and religious items. Security footage showed a man breaking into the church and stealing two iPads, a laptop, a projector, and a microphone. The suspect also damaged property inside of the church. The police department said they had not seen any evidence that would point to the burglary as a hate crime.
    • On 29 May in Lake Charles, Louisiana, acts of arson and vandalism were perpetrated against a church. Security cameras captured a suspect approaching the building with a five-gallon bucket of possible flammable liquid. The suspect allegedly attempted to get into the church by kicking in the glass doors. Unable to gain entry, police say the suspect then can be seen breaking out a side window on the church and throwing the bucket of liquid into the building. The suspect allegedly made multiple trips to the broken window, throwing lit items into the building.
    • On 28 May in Austin, Texas, it was reported that a sign for “Muslim Space,” an Islamic institution, had been defaced with Islamophobic language and obscenities. The Austin chapter of the Council on American-Islamic Relations (CAIR-Austin), the nation’s largest Muslim civil rights and advocacy organization, asked police to investigate the incident.
    • On 28 May in Bellmead, Texas, a man broke into a church and stole two security cameras. The man entered the church through an unlocked window. At that time, he took a security camera and batteries for the camera. He also took a box containing keys to every door at the church. The following morning, he returned to the church and attempted to enter the front door using the keys that he took the night before. The alarm scared the man off, and he took another camera as he left. He was eventually arrested by police.
    • On 23 May in Staten Island, New York, anti-Semitic graffiti was found written on the external walls of a synagogue. The graffiti said, “synagogue of Satan.” Meanwhile, at a Jewish school across the street, the letters “SOS” had been written. A spokesman for the synagogue said security would be increased. Police said they were aware of the incident and were investigating. 
  • FB-ISAO Newsletter, v1, issue 2

    The second TLP White | FB-ISAO Newsletter was distributed on 02 July, and may be accessed below.

    To access links, download the FB-ISAO Newsletter from the link above.

  • Vizsafe Partners with FB-ISAO to Offer Incident Reporting Capabilities at No Cost!

    In cognizance of our mission to provide members with information, analysis, and capabilities to help reduce risk while enhancing preparedness, security, and resilience, our team at Faith-Based Information Sharing & Analysis Organization (FB-ISAO) is always eager to find like-minded partners.

    The Department of Homeland Security has identified Houses of Worship as a prime category of ST-CP, or Soft Targets-Crowded Places, as noted by Assistant Director Brian Harrell in his letter introducing the updated Security of Soft Targets and Crowded Places–Resource Guide last month. He wrote, “The cornerstone of our democracy is a free and open society where citizens can enjoy a wide range of activities without fear of harm. People across the U.S. should expect that they will be safe and secure as they cheer on a favorite team at a sporting event, shop at a mall, attend a house of worship, go to school, dine out with family and friends, or go to a concert.”

    The threats and risks houses of worship and the broader community of faith-based organizations face have been made all too clear in recent headlines and FB-ISAO reporting. As our team strives to execute our mission, we are always searching for safety services partners who share our commitment to protecting worshipers. One such partner is Vizsafe, which provides an intuitive and easy-to-use mobile incident reporting and management platform.

    Their cloud-based Geoaware®️ platform is currently protecting some of the world’s most valuable facilities where it is used by employees, visitors and first responders.  Vizsafe has generously agreed to provide their base incident reporting and sharing platform to registered Faith Based-ISAO Professional Member organizations at no charge.  We are proud to partner with Vizsafe to provide this service to our members.  Please review the quick reference and visit vizsafe.com to learn more on this mission-enhancing capability.

    Contact FB-ISAO at [email protected] for more and if you’re not already, consider joining FB-ISAO!

    Here is where you can find everything you need to know about joining The Faith Based Information Sharing and Analysis Organization.

  • Truth and Consequences of Digital Extortion

    by Jennifer Lyn Walker and Omar Tisza

    This post was originally informed by a TLP: GREEN FB-ISAO report distributed on 14 February 2019.


    Like every other business type, faith-based organizations (FBOs) are susceptible to digital extortion attacks. History has shown many cyber criminals are not selective in their targets – they exploit vulnerabilities in people, processes, and technology regardless of industry or sector.

    What is Digital Extortion?

    At its core, digital extortion is a psychological tactic designed–through social engineering–to elicit an emotional response primarily through fear, embarrassment, or humiliation, and often aims to profit through ransom payments. According to the FBI, in 2018 extortion by email complaints increased 242%, totaling $83 million in losses.

    Some types of extortion threats are credible, in so far as the threat actor is able to inflict, or has already inflicted disruption or damage to some degree; however, there has also been an uptick in non-credible extortion-based threats during the past year. These empty threats may use personal information, such as passwords or email addresses as intimidation, but are nothing more than hoaxes. While ransomware may be the most well-known type of extortion attempt, there are many variants including the increasingly popular “sextortion” campaign.

    Below is an overview of common types of digital extortion, including ransomware and sextortion, that faith-based organizations are likely to encounter.

    Potentially Destructive, but at the Very Least, Disruptive

    Nary a week goes by without reports of organizations who have fallen victim to ransomware. Ransomware is malicious software (malware) that encrypts files on infected computers, making the files inaccessible until (presumably) unlocked with a decryption key. The malware displays a warning message along with a ransom demand and instructions for payment. The ransom is usually requested to be paid in Bitcoin or other cryptocurrency in exchange for ‘said’ decryption key – which may or may not work, let alone be provided.

    In many cases, organizations have had to rebuild their computers and file systems from scratch, costing valuable time and money – and causing many headaches. Recently there has been a spate of incidents affecting cities, municipalities, and other government entities, as well as charities, non-profit organizations, and FBOs, including a food bank and a Catholic archdiocese.

    Non-Credible Extortion Threats

    In the past year, other extortion-based threats have been known to be non-credible, such as bomb threats and hitman scams. In December 2018, emails containing bomb threats and hitman schemes went viral. These messages gained worldwide attention and awareness for the hoaxes they were, but not before causing major disruptions to countless businesses and individuals.

    The majority of email extortion complaints to the FBI were comprised of sextortion. While not a “credible” threat, perpetrators are adept at crafting sextortion emails that appear believable enough to evoke fear or concern. A recipient receives an email purporting that the scammer has compromised their computer and stolen all their files, including contacts and browser history. The email further threatens the victim with public disclosure of unsavory pictures or videos to family, friends, and colleagues (allegedly captured with malware they placed on an “adult” website they visited) unless a ransom is paid for the scammer to keep quiet. These fraudsters do not have the “dirt” they claim; nonetheless, some include personal details to make the ruse seem more credible to increase the chance victims will pay the ransom. There is even a variation that looks like it comes from your own email address as the fraudsters want you to think they have also compromised your email account. 

    Conclusion

    In addition to ransomware, FB-ISAO believes that FBOs are likely to observe sextortion-based attacks. Given the personal and sensitive nature and appearance of impropriety, malicious actors would victimize the community of faith on what could be perceived as the need to protect image and reputation by succumbing to ransom demands. Yet, contrary to the majority of FBI complaints, for those same reasons, it is plausible that sextortion emails in the faith-based community are likely to go unreported.


    Incident Reporting

    It is also important to report digital extortion incidents to the appropriate authorities and share with the broader faith-based community to improve security and resiliency.

    • Report all incidents to the FBI through the Internet Crime Complaint Center (IC3)
    • If there has been a financial loss, you should (and in some cases, may be required to) contact local law enforcement
    • Report the incident to FB-ISAO for broader awareness among the Community of Faith


  • FB-ISAO Newsletter, v1, issue 1

    The first TLP WHITE | FB-ISAO Newsletter was distributed on 06 Jun, and may be accessed below.

    To access links, download the FB-ISAO Newsletter from the link above.