Tag: preparedness

  • Security Awareness – ’Tis the Season to be Scammy, Fa-la-la-la-la…


    Like the Grinch who stole Christmas, cybercriminals long for this time of year, to steal money and information from those of good cheer

    By Jennifer Lyn Walker

    Instead of getting ahead on our holiday shopping, FB-ISAO wishes to get ahead on our holiday shopping cyber scam reminders – and we aren’t the only ones. The FBI is also among those forewarning of folly this holiday season.

    Even those accustomed to shopping online in 2020 may be looking forward to escaping the drone of the past year by indulging in some lighthearted online holiday shopping for their loved ones, and may forget this year’s National Cybersecurity Awareness Month theme to do their part and #BeCyberSmart. Therefore, as we quickly approach Black Friday and Cyber Monday, it is never too early to remind everyone of the seasonal shopping scams that plague the cyber threat landscape.

    In addition to the usual “too good to be true” spam and scams from suspicious sites, phishing emails, or ads offering items at inconceivable discounts, an increase in holiday bonus gift card impersonation scams should be anticipated. We wouldn’t put it past scammers to use the “after such a challenging year” ploy to cajole COVID-weary employees or volunteers into becoming unwitting accomplices to help the boss secretly procure gift cards to use for things like company bonuses or charitable donations. Whatever the financial or information-stealing theme, employees should be repeatedly reminded to never act on such requests. But since it may be excruciatingly difficult to tell “the boss” no, it is up to bosses and leaders to empower employees and volunteers to not act and to report said activity. Likewise, it is up to bosses and leaders to make any such special, secret, or surprise requests in person, and not through an email or text.

    While faith-based and charitable organizations are prime targets for holiday gift card impersonation scams of good cheer, there are other tactics to be wary of. For more on holiday-related phishing, spear phishing, vishing (voice/phone phishing), and smishing (SMS/text message) scams, visit Threatpost for a quick overview.

    Finally, to make these and other security awareness reminders simple, members are encouraged to review and pass along the following timeless (and updated) easy to read online shopping safety resources from the National Cyber Security Alliance and Cybersecurity and Infrastructure Security Agency:

  • CISA Releases a Website and Tools Dedicated to Faith-Based Organizations


    The U.S. Department of Homeland Security, Cybersecurity & Infrastructure Security Agency, Infrastructure Security Division has published a new website dedicated to the security of Faith-Based Organizations. The website hosts tools and resources of great value for FBOs and the broader community of faith.

    CISA has aptly named the website “Faith Based Organization-Houses of Worship (FBO-HOW)” – the website can be accessed at www.cisa.gov/faith-based-organizations-houses-worship. The self-assessment tool that CISA is making available on the site can be accessed here: https://www.cisa.gov/publication/houses-worship-security-self-assessment. The tables in the document are designed to show a range of security and protection, from the lowest level of security that offers minimal protection (red) to a very high level of security that provides a greatly enhanced level of protection (green).

    The threat of hostile events has been and will remain an enduring threat for FBOs. As we continue through the COVID-19 pandemic and reopening, hostile events have re-emerged, to include attacks of arson, vehicle ramming, shootings and more at and around FBOs. Adding to the hostile physical security environment and health challenges, the complexities of cybersecurity and seasonal natural hazards make this an even more challenging time for FBOs as our community strives to provide a safe and secure environment for people to come to and practice their faith and as they seek to engage with the community. The release of these resources is timely and welcome.

    Assistant Director Harrell has been a great partner to FB-ISAO and the community that we serve by way of our mission, which is to provide members with information, analysis, and capabilities to help reduce risk while enhancing preparedness, security, and resilience.


    Please see the letter below where Assistant Director Harrell re-iterates his commitment from April 2020 to the community of faith by writing “The Cybersecurity and Infrastructure Security Agency (CISA) is committed to supporting efforts to maintain safe and secure houses of worship and related facilities while sustaining an open and welcoming environment”. He also writes “Thank you again for your continued partnership and dedication to maintaining your houses of worship safe and secure. Please always remember that you have a committed partner in CISA; together, we can enhance our collective capabilities and develop innovative solutions to mitigate the dynamic threat environment.”

  • FB-ISAO Newsletter, v2, Issue 6

    TLP:WHITE | FB-ISAO Newsletter was distributed on June 11 and may be accessed below.

  • Security Panel Discussion


    On 14 May, Gate 15 presented a webinar on Hostile Event Preparedness for the community of faith. In light of reopening, the Gate 15 analysts took the first 15 minutes of the webinar to discuss special security considerations for re-opening facilities. Topics addressed were:

    • As we look at reopening and reentry, what are some of the concerns Faith-Based Organizations may want to consider for their security personnel?
    • Are there mental health concerns, stressors or other issues that could develop into violence, against oneself or others?
    • What are some of the external security concerns we may want to think about at this time?

  • FB-ISAO’s Local Information Sharing Communities

    Information Sharing Organizations are driven by the members – the organization itself simply provides the venue for members to collaborate in a way that works best for their respective communities. Since its inception, the Faith-Based Information Sharing & Analysis Organization (FB-ISAO) has added capabilities to enhance member participation and collaboration. Reference these posts for more information:

    Largely due to the health threat we are all grappling with, it is important, now more than ever, to further develop relationships and foster geographic-specific information sharing and collaboration so we can work together to reduce risk while enhancing community preparedness, security, and resilience.

    FB-ISAO recently implemented an incident reporting workflow capability in Slack for members to report and share incidents occurring in their communities. In contrast, the intent of the Information Sharing Communities (ISCs) is to share information that may not rise to the level of an incident, but would be good for situational awareness, such as other local security incidents, law enforcement, or fusion center reports. Likewise, ISCs could be used to share other regional / locally-specific items of interest such as upcoming events, questions of others in the community, requests for assistance, or preparedness, response and recovery needs or ideas, as well as other information local members may want to share with one another.

    FB-ISAO is supported by a great team and has fantastic volunteer leaders contributing to our Advisory Board, the Business Resilience Group, and in other ways. The ISCs are intended to further enhance our community and collaboration in support of the FB-ISAO mission to provide members with information, analysis, and capabilities to help reduce risk while enhancing preparedness, security, and resilience. ISCs will help inform and support a critical aspect to a healthy community and realistic understanding of our environment by fostering a “boots on the ground” level perspective on what is happening in our faith-based communities nationwide.

    ISCs have been established for Central Florida, Northern Virginia, Virginia Beach, Nevada, Minnesota, Northern California, and Wisconsin. Additional ISCs will be added as members request them. Current FB-ISAO Hero and Champion members can request to be added to those channels now.

    Though our current challenges seem daunting and the current threat seems never ending, we can work together locally and nationally to enhance our response, and eventually our recovery.

    Join FB-ISAO! We welcome faith-based organizations, charities and critical partners to join FB-ISAO. Access our TLP AMBER and TLP GREEN reports, join our collaborative forums, working groups, participate in leadership opportunities and take the next step in enhancing your organization’s preparedness, security and resilience!

  • A Message to the Community of Faith, from the DHS Assistant Director of Infrastructure Security


    On These Trying Times for the Nation

    “The ongoing coronavirus (COVID-19) pandemic has temporarily altered our daily activities. People are rightly practicing social distancing to limit community spread, in line with the President’s Coronavirus Guidelines for America. Many houses of worship have also suspended or significantly reduced services to avoid mass gatherings. Although many people undoubtedly continue to practice their faith, including through remote services and prayer, most are inevitably eager to return to normalcy and join their fellow congregants in practicing their faiths. The American people are resilient, and we will achieve this goal soon.”

    The above is an excerpt from a letter written by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Assistant Director of Infrastructure Security, Mr. Brian Harrell.

    In addition to the letter, CISA wanted to make sure FB-ISAO members are familiar with a valuable resource page: CISA’s Hometown Security, which can be found here: https://www.cisa.gov/hometown-security. From the webpage: “These tools and resources are offered free to communities because the Department recognizes that communities are the first line of defense in keeping the public safe and secure.” Brian Harrell continues with “As I mentioned in my February 2019 letter to the Faith-Based Community, the Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security (DHS) is committed to supporting your efforts to maintain safe and secure houses of worship and related facilities while sustaining an open and welcoming environment. In partnership with entities such as the DHS Center for Faith and Opportunity Initiatives and the Faith-Based Information Sharing and Analysis Organization, we provide resources that assist in securing physical and cyber infrastructure.”


    “Thank you again for everything you do to champion the American people’s Constitutional First Amendment rights, as well as your leadership in keeping our houses of worship safe and secure. You have a committed partner in DHS who is steadfast in ensuring you have the resources to enhance your security programs.”  – Assistant Director Harrell

    Through relationships with leaders and organizations, such as Assistant Director Harrell and CISA, with the Federal Bureau of Investigation, state and local fusion centers, and other public sector partners, we will continue to grow our private-public collaboration, and the continued awareness, preparedness, security, and resilience of the American community of faith. Please read the entirety of Assistant Director Harrell’s letter, above, and thank you for your commitment to building a stronger, more prepared nation.

  • The Value of Training – Priceless


    by David Pounder and Brett Zupan

    This post was originally informed by a TLP AMBER FB-ISAO Weekly Physical Security Report distributed on 14 August 2019.


    The aftermath of any suspicious activity, emergency, hostile event, or disaster is a prime opportunity to examine organizational incident response procedures for any potential weakness. When weaknesses are identified, the solution may require a change in procedure, but many times will simply require more intentional training regarding established procedures – whether the procedures changed or not.

    Over the past few months there have been several hostile events which organizations can draw from to assess their own security preparedness. Specifically, there were several incidents where effective training was credited for saving potentially hundreds of lives. Training is one element of the preparedness cycle and of an effective risk management program. Training is also a challenge for many organizations in terms of resources, time, ability, and effectiveness. However, well trained people and prepared organizations are better positioned to respond to events and potentially save lives, as was the case in the Walmart incidents in El Paso, Texas and Springfield, Missouri as demonstrated by store employees and alert bystanders. In a time when threats are evolving daily, training is essential in fostering staff (and to some extent volunteers and visitors) who are alert, aware, and security-conscious. Effective training is also an important investment in people that benefits every organization and person in the long run.


    In August, during the course of one week, there were threats at eight different Walmart locations around the US.


    Walmart embraces the training philosophy. Walmart employees undergo active shooter training during orientation and afterwards on computers four times per year. The company had done annual active shooter training until the Las Vegas attack in 2017, at which time they increased it to quarterly. It is important to reassess risks and preparedness periodically, based on evolving threats and after notable events.

    As exemplified in the above events, employees often represent the first line of defense, and in some physical security situations, they may be the first to make contact with a threat. Effective emergency preparedness means that everyone knows what to do when an event happens. The situation is already stressful, but lack of training will create confusion and add to the chaos. Regardless of organizational size or staff composition, every employee and volunteer has a role in the organizational security and preparedness plan.

    Who to Train: Everyone – full-time, part-time, seasonal, organizational leadership, administrative, facility staff, volunteers and remote workforce. Every employee within an organization should be required to complete organization-wide mandated training. Faith-Based Organizations (FBOs) may also want to consider training members who regularly attend services, and potential higher-risk targets. With the number of attacks against FBOs during service hours, it is important for congregants to be aware of the emergency preparedness plan and what to do in exceptional circumstances. This should account for those with special needs or otherwise requiring assistance.

    What to Train: “What to train” will vary for each organization and should be informed by the organization’s risk assessment, primary areas of concern, and available resources. Training focus could be broken into three phases or stages: mandatory/baseline, reinforcement, and enhanced.

    Baseline/Mandatory Training. General training for all staff. Many people may arrive at your organization with a baseline knowledge, but organizations should ensure general training is completed in accordance with each organization’s unique policies and procedures. Baseline training should be provided during the hiring/onboarding process before new staff are granted access to any physical or computer assets.

    Reinforcement Training. This builds upon Baseline Training and includes workplace training and refreshers at regularly scheduled intervals. This also represents training unique to a specific team or function within your organization and can be focused on a specific job or skill set.

    Enhanced Training. Organizations need to critically assess and identify gaps in current training and provide opportunities for more specialized/advanced topics and training exercises. Through the assessment, you can identify gaps and propose solutions to leadership for consideration.

    When to Train: Timeframes will vary, but the key is making training a routine part of the organization’s culture. It’s important to have a clearly established training calendar. Even if the organization uses online/automated training, it is still important to have training modules planned out to ensure staff completion. Ideally, this calendar will be part of a multi-year preparedness plan.

    In the end, training does not take away from time on the job – safety and security directly impact all jobs and should be required for all organizations. Some considerations for developing a training program:

    • Leadership Buy-In. Creating a culture of security must be demonstrated from the top.
    • Tailorable. Training should be creative and tailorable to your specific organization and employees.
    • Where appropriate, integrate online training. To promote accountability and comprehension, it is encouraged to incorporate short quizzes to reinforce key elements of training.
    • Delegate responsibility. Make training an extra duty/responsibility “as assigned.” This will provide staff goals and additional criteria to evaluate performance.
    • Integrate relevant topics and real-world examples. No one wants to sit through “death by PowerPoint.” Make training engaging by integrating real world examples and inviting guest speakers.
    • Lessons Learned/After Action Reviews. It’s important to identify successes and failures and adjust accordingly.

    David Pounder is Gate 15’s Director of Threat and Risk Analysis. He advises on both physical and cyber security issues.  Dave spent over 20 years in the Army as an Intelligence and Security Officer, specializing in counter-terrorism, force protection, and counterintelligence efforts as well as serving in the private sector for leading financial institutions responsible for information security and mobile applications. Dave twice served in senior command positions responsible for both counterintelligence operations and investigations.  He has briefed Senior Army Leadership on intelligence and security issues and operations to include General David Petraeus and General Martin Dempsey. David was a regular guest instructor at the Department of Defense Joint Counterintelligence Training Academy in Quantico, VA.  Dave graduated from George Mason University and from the US Army’s Command and General Staff College and has served internationally to include tours in Iraq, Cuba and Qatar.

    Brett Zupan is a Risk Analyst at Gate 15 with experience in all-hazards analysis, exercise development, and information sharing. He has supported analysis, preparedness and operations for a number of critical infrastructure communities, including support to Water and Wastewater Systems Sector, the Commercial Facilities Sector, and with Higher Education in support of REN-ISAC, among other projects. Before joining the company in 2016, he worked at the Georgia State Senate. Brett received his Masters of International Relations from American University.



  • Associated Risks: A Perhaps Not-So-Obvious Threat


    by David Pounder and Omar Tisza

    This post was originally informed by a TLP AMBER FB-ISAO Weekly Physical Security Report distributed to members on 11 July 2019.


    There are threats not inherent in day-to-day activities or related to direct threats routinely confronted by an organization. For example, most faith-based organizations (FBOs) may never encounter a hostage situation, an extremist demonstration, or a major sport championship parade. Nonetheless, these types of incidents or events may pose indirect threats to FBOs in proximity to such activity.  

    While many FBOs occupy standalone buildings, many houses of worship and other faith-based and charity facilities are adjacent, co-located, or otherwise in proximity to other organizations that are also widely accessible to the public. These relationships to other facilities and organizations constitute a risk from potential indirect threats that FB-ISAO refers to as “Associated Risk.” Examining these associated risks allows organizations to look beyond just the direct threats, and consider risks that emanate from potential incidents that bring other, perhaps less likely, or asymmetrical, threats with them. Planning for associated risk requires close coordination with local partners, awareness of local events and activities, and making appropriate risk-based decisions to minimize impact or effectively respond to the threat.

    What Are Associated Risks?

    Associated risks are potential unwanted outcomes resulting from an incident, event, or occurrence in nearby proximity, that may not be connected to the specific organization or location. In many instances, the associated risk stems from the impact of threats against people, places or events that are actually the intended target. While the direct threat may be to something specific, the associated risk is to everything and everyone that may be associated with the target.

    • Associated Risks can occur in instances when an entity becomes a “second-hand” target by way of an attacker’s intended target, or when the second-hand target, or incident, is located in close proximity of the intended target.
    • Associated risks are not typically planned for and may not be identified during normal planning and preparedness efforts.

    Keeping abreast of local events and maintaining close coordination with local authorities and neighbors will help organizations recognize and prepare for associated risks.

    Indirect Threats; Associated Risks

    From protest events to celebratory parades, in recent months there have been several instances in which facilities were impacted from an associated risk, as opposed to a direct threat to their business or location. Types of such activities could include:

    • A protest taking place in proximity to an FBO, charity, or other non-profit facility. Such events could escalate to include acts of violence or vandalism, threaten uninvolved personnel, or otherwise indirectly impact a facility. A recent demonstration in Portland saw multiple assaults reported and items that looked like milkshakes, but actually contained quick-dry concrete, thrown at demonstrators and officers.
    • A shooting incident, criminal or a mass shooting event, may occur in proximity to an FBO, charity, or other non-profit facility, or (as was the case in the recent Odessa shooting spree) may implicate a large area and cause massive confusion. Such events may be particularly impactful to organizations during peak service or business hours, and lead to necessary decisions on evacuations, sheltering in place, or otherwise responding to protect people.
    • Sports celebrations, holiday, and other notable parades can be proud times for a city but the festivities around the victory can cause physical damage to local establishments, and parade routes can disrupt normal day-to-day operations. Whether real or not, extremists or ardent supporters on either side of an issue could use such events to promote their agendas or show their disapproval, creating a possible associated risk for FBOs.

    For FBOs, the above incidents may not immediately present a risk or indicate a threat, but that often depends on the location of the organization, its members or other visitors, and a number of other factors that may extend beyond the FBO, charity, or other non-profit facility itself. Maintaining situational awareness of these types of events and the potential spill-over impact will be beneficial to overall organizational preparedness.

    Mitigate Associated Risks

    • Coordinate with local law enforcement and neighborhood partners. These valuable relationships need to be established in advance of any threat or incident and are a vital part of incident response planning. Keep in touch with local law enforcement and fusion centers for potential threat updates and upcoming events that may represent potential targets for attacks.
    • Review local activity and events. Maintaining situational awareness of community activities and incidents allows organizations to consider potential threats and make risk-based decisions.
    • Develop appropriate incident response. While it is difficult to anticipate every possible associated risk, organizations should still develop response plans that will enable more effective response to an evolving threat and make real-time decisions. This could include evacuating the immediate area, shutting down business operations, or alerting employees to remain at home.
    • Convene key personnel when appropriate. Once events are identified that could cause associated risk, it will be important for the organization to coordinate and assess the potential impacts.
    • Communicate, communicate, communicate. Last, but certainly not least, if operational changes are required, these need to be communicated to employees so they can comply or respond accordingly. For example, an organization may choose to work from home when there are big events near the office. This requires a direct communication channel to employees.

    David Pounder is Gate 15’s Director of Threat and Risk Analysis. He advises on both physical and cyber security issues.  Dave spent over 20 years in the Army as an Intelligence and Security Officer, specializing in counter-terrorism, force protection, and counterintelligence efforts as well as serving in the private sector for leading financial institutions responsible for information security and mobile applications. Dave twice served in senior command positions responsible for both counterintelligence operations and investigations.  He has briefed Senior Army Leadership on intelligence and security issues and operations to include General David Petraeus and General Martin Dempsey. David was a regular guest instructor at the Department of Defense Joint Counterintelligence Training Academy in Quantico, VA.  Dave graduated from George Mason University and from the US Army’s Command and General Staff College and has served internationally to include tours in Iraq, Cuba and Qatar.

    Omar Tisza graduated from American University in 2017 with a bachelor’s in International Relations. After a brief stint in business development on the federal market, he began his role as Jr. Risk Analyst at Gate 15 in 2018 and currently supports the Health Information Sharing and Analysis Center (H-ISAC) and the Healthcare Sector Coordinating Council – Cybersecurity under the leadership of Executive Director Greg Garcia, former Assistant Secretary for Cyber Security and Communications at DHS.



  • Hostile Events Attack Cycle – Intense Surveillance


    by David Pounder and Brett Zupan

    This post was originally informed by a TLP AMBER FB-ISAO Weekly Physical Security Report distributed on 01 August 2019.


    Special note: In light of the on-going hostile events and mass violence attacks, a Pittsburgh, PA parish cancelled a scheduled festival in response to a suspicious note.

    On 13 August, a parish in Pittsburgh, PA painstakingly chose to cancel a scheduled festival that would have taken place 14-17 August. While no direct threat was made, the parish decided to cancel the festival out of an abundance of caution in response to a suspicious handwritten note received by the Diocese of Pittsburgh; the note said, “Cancel August 14-17 Festival Security Problem is Huge.”

    FB-ISAO stresses the importance of considering all suspicious activity and treating threats seriously as leaders and organizations make threat-informed, risk-based decisions for their communities, as exemplified by the parish.


    In our previous post in the Hostile Events Attack Cycle (HEAC) series, we reviewed the target selection phase of the HEAC. We highlighted three recent incidents (recapped below) to illustrate the process attackers go through when determining potential targets to wage attacks. Since that post was written, a recent arrest was made of a Las Vegas suspect with ties to a hate group accused of plotting to bomb synagogues and an LGBTQ bar.

    • On 28 July, three people were killed when a shooter opened fire at the Gilroy Garlic Festival in Gilroy, California – the attacker’s reported target set was religious and political groups.
    • On 3 August, a 21-year old killed 20 people and injured 26 more at a Walmart in El Paso, Texas – the attacker indicated his desire to “kill as many Mexicans as he could.”
    • In the early morning of 4 August, a 24-year old attacker killed nine people and another 26 were injured at the popular Oregon District in Dayton, Ohio – target set is inconclusive, but FBI reports the attacker had a history of violent obsessions and had mused about committing mass murder.
    • On 8 August, a 23-year old suspect was arrested in Las Vegas in connection with plans to surveil a Las Vegas bar he believed catered to LGBTQ clientele. An FBI-led task force found a notebook with “hand-drawn schematics” for a possible attack in the Las Vegas area. The suspect is identified as a registered security guard in Nevada. According to authorities, the suspect allegedly attempted to recruit a homeless person to conduct “pre-attack surveillance” on at least one Las Vegas synagogue and “other targets.”

    As a quick review, target selection usually involves some symbolic value to the attacker, or motivation to gain publicity for a cause. The target selection process can occur consciously or subconsciously and is often influenced by a grievance and a sense of injustice, leading the attacker to feel the need to right the wrong. In this post, we explore how attackers build out their plan against their selected target by engaging in more detailed surveillance (intense surveillance) to improve their chances of attack success.

    Intense Surveillance

    Once a target is selected, the attacker will resolve outstanding questions about the target environment, expand collection efforts through surveillance, and seek to adequately address remaining unknowns in order to ensure their attack is as successful as possible. While initial surveillance will help identify potential weaknesses within a target, the period of intense surveillance will go into much more detail and will involve a lot more “time on target” – time spent getting to know the target in-depth. Reports regarding the El Paso and Dayton attacks indicate the attackers spent time casing the areas before returning to their cars to arm themselves in preparation for the massacres. This intense surveillance allows the attacker to learn as much as possible and validate the initial attack plan. Likewise, it may even identify additional vulnerabilities that could make the target susceptible to a larger attack, or confirm alternate targets if the initial target is seen as too secure to permit an effective attack.

    While all phases of the attack cycle are important, it could be argued that the intense surveillance phase can have the most impact in determining attack success or failure. This phase of the HEAC can take a long time. Depending on the target, some key questions intense surveillance will address include, but are certainly not limited to:

    • What are the layers of security outside and inside the location; are there roving patrols on foot by security personnel or vehicle patrols; how often and how many people are involved?
    • Does the facility have external surveillance platforms?
    • Does the facility have a receptionist or check in area; what is that like?
    • Are there alternate entrances that are not secure?
    • Does the facility have a loading dock or delivery area; what is that security like?
    • How often are deliveries made and on what schedule?
    • What is the security response to suspicious events or materials?

    In the Gilroy attack, it’s likely the attacker knew about the security processes in place at entrances, or at least knew there would be security to frustrate direct entry, but also understood the venue well enough to know that there would be access through the perimeter fence. Either way, research and surveillance conducted by the attacker allowed him to bypass security and exploit a gap. In the El Paso incident, the attacker was not from the area, but likely knew enough about these types of retail locations to inflict as much damage as possible prior to security response. Likewise, given that he surrendered to police, it is likely that he had anticipated how much time he had before police arrived.

    It’s important to note, surveillance of a target does not always have to be done solely at the target site. Attackers can use similar type locations to identify potential vulnerabilities (and increasingly, attackers may conduct more and more of their targeting virtually). Recognizing similar venues will follow comparable protocols in their security plans, attackers can benefit from performing surveillance at other, like locations.

    Know the Threat

    As stated last time, all facilities, including places of worship, faith-based offices, other non-profits, and charities are potential targets for hostile attacks. The importance of maintaining awareness of the threat environment, potential threats to your organization(s), and an attack’s desired outcome is imperative – KNOW THE THREAT. FB-ISAO and its partners are dedicated to collecting and analyzing threat information to develop usable threat and risk intelligence to be disseminated/reported to the community of faith and to help organizations keep abreast of the current threat environment. Furthermore, through our ongoing work, resources, and Hostile Events Preparedness Series (HEPS) webinars, FB-ISAO aims to keep our members equipped to successfully prepare for and respond to any threat that should come against them.


    David Pounder is Gate 15’s Director of Threat and Risk Analysis. He advises on both physical and cyber security issues.  Dave spent over 20 years in the Army as an Intelligence and Security Officer, specializing in counter-terrorism, force protection, and counterintelligence efforts as well as serving in the private sector for leading financial institutions responsible for information security and mobile applications. Dave twice served in senior command positions responsible for both counterintelligence operations and investigations.  He has briefed Senior Army Leadership on intelligence and security issues and operations to include General David Petraeus and General Martin Dempsey. David was a regular guest instructor at the Department of Defense Joint Counterintelligence Training Academy in Quantico, VA.  Dave graduated from George Mason University and from the US Army’s Command and General Staff College and has served internationally to include tours in Iraq, Cuba and Qatar.

    Brett Zupan is a Risk Analyst at Gate 15 with experience in all-hazards analysis, exercise development, and information sharing. He has supported analysis, preparedness and operations for a number of critical infrastructure communities, including support to Water and Wastewater Systems Sector, the Commercial Facilities Sector, and with Higher Education in support of REN-ISAC, among other projects. Before joining the company in 2016, he worked at the Georgia State Senate. Brett received his Masters of International Relations from American University.


    Join FB-ISAO! We welcome faith-based organizations, charities and critical partners to join FB-ISAO. Access our TLP AMBER and TLP GREEN reports, join our collaborative forums, working groups, participate in leadership opportunities and take the next step in enhancing your organization’s preparedness, security and resilience!

  • Say No to Ransomware – Have a Plan!

    Say No to Ransomware – Have a Plan!

    by David Pounder and Brett Zupan

    This post was originally informed by a TLP: AMBER FB-ISAO Weekly Cybersecurity Report distributed on 10 July 2019.


    Over the past several weeks, ransomware has been a widespread topic. However, on 02 July there was a bit of good news for a change. St John Ambulance, a “not-for-profit provider of specialist patient transport services across England,” advised customers they were “subjected to a ransomware attack.” Fortunately, having a plan in place allowed St John Ambulance to resolve the issue within 30 minutes without paying any ransom demands. While the company was “temporarily blocked from accessing the system affected and the data customers gave [them] when booking a training course was locked” there did not appear to be any information shared or exposed. Even though the UK-based company did not have to report the incident, they still performed due diligence by advising the Information Commissioner’s Office (ICO) and the Charity Commission, as well as the police in accordance with their established procedures. These notifications, and the speed with which they were delivered, are another indicator of strong preparedness processes in place.

    This recent report is another encouragement for non-profit organizations, especially on the heels of news about Father Bill’s and MainSpring, a Massachusetts-based non-profit homeless shelter, successfully blocking a ransomware attempt. These incidents demonstrate how, with advance planning and preparedness, organizations can recover from ransomware without having to pay costly fees to malicious actors or suffer further financial impacts. However, it is still important to note that an incident did occur; the attack was successful in that it locked out an aspect of the organization’s business and delivered the ransom demands. The difference is, as security researcher Graham Cluley noted, St John was “able to put in place emergency recovery plans to restore from unaffected backup systems. That’s in marked contrast to ransomware attacks that have hit American cities in recent weeks – which have resulted in extortionists being paid over a million dollars.” St John Ambulance’s recovery and response plan worked. But a plan on paper needs to be validated through exercises and testing in order to ensure gaps and vulnerabilities in the plan are addressed prior to implementation. In contrast, the city of Baltimore, which is still battling the effects of their ransomware attack, also opted not to pay the demands but ran into recovery challenges with an untested plan, and the financial impact has already exceeded $18 million.

    There is a lot of no-cost government and third-party guidance to help inform faith-based organizations, charities, and other non-profits what to put into a ransomware recovery plan. In general, adhering to good cyber discipline goes a long way to reducing or mitigating threats posed by ransomware. Some other key principles include FBI recommendations:

    • “Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it is working.” This is extremely important to ensure that not only are the backups conducted, but that there are no bumps in the road when you attempt to restore them.
    • “Conduct an annual penetration test and vulnerability assessment.”
    • “Secure your backups. Ensure backups are not connected permanently to the computers and networks they are backing up. Examples are securing backups in the cloud or physically storing backups offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization.” With regard to backing up data, one suggestion would be to use the “3-2-1 backup process” – 3 backups, 2 different mediums, 1 offsite.
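
    One way to put the backup recommendations above into practice, as an added example that is not part of the original post or the FBI guidance: Python that records file hashes at backup time, checks a test restore against them, and checks a backup inventory against the 3-2-1 rule and the “not connected permanently” recommendation. The inventory fields (`medium`, `offsite`, `always_connected`) and the sample files are assumptions constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large backup archives do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while chunk := fh.read(65536):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Hash every file under root; keep this manifest apart from the backup itself."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root):
    """Compare a test restore against the manifest taken when the backup was made."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "altered": sorted(n for n in manifest if n in restored and restored[n] != manifest[n]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }

def check_3_2_1(copies):
    """copies: dicts with 'medium', 'offsite', 'always_connected' keys (assumed schema)."""
    rules = [
        (len(copies) >= 3, "fewer than 3 backups"),
        (len({c["medium"] for c in copies}) >= 2, "fewer than 2 different mediums"),
        (any(c["offsite"] for c in copies), "no offsite backup"),
        (any(not c["always_connected"] for c in copies), "no backup is kept disconnected"),
    ]
    return [gap for ok, gap in rules if not ok]

def demo():
    """Constructed sample data: back up two files, then simulate a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "src"), Path(tmp, "restored")
        src.mkdir()
        (src / "donors.csv").write_text("name,amount\nA. Example,25\n")
        (src / "rota.txt").write_text("Sunday: volunteers 1-4\n")
        manifest = build_manifest(src)
        shutil.copytree(src, restored)
        (restored / "donors.csv").write_text("corrupted")  # simulated damage
        (restored / "rota.txt").unlink()                   # simulated loss
        return verify_restore(manifest, restored)
```

    Calling `demo()` returns the files the test restore lost or changed; an empty result in all three lists is what a working restoration process looks like.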

    If impacted by ransomware, the ultimate question is: do we pay the ransom? In FBI guidance, the U.S. Government “does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup. Ransomware victims may also wish to consider the following factors:

    • “Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.
    • “Some victims who paid the demand were targeted again by cyber actors.
    • “After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.
    • “Paying could inadvertently encourage this criminal business model.”

    Ultimately, in the event of a ransomware attack, all organizations need to have a list of pre-determined responses. This list should be established by leaders before, not during, an attack.

    • Understand the situation. What is the extent of the infection? What data is being ransomed? What decision points determine whether to pay or not to pay?
    • Implement your security incident response and business continuity plan. Ideally, organizations will ensure they have appropriate backups, so their response to an attack will simply be to restore the data from a known clean backup. Having a data backup can eliminate the need to pay a ransom to recover data.
    • Immediately secure backup data or systems by taking them offline. Ensure backups are free of malware.
    • Contact law enforcement immediately. Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.
    • If available, collect and secure partial portions of the ransomed data that might exist.
    • If possible, change all online account passwords and network passwords after removing the system from the network. Furthermore, change all system passwords once the malware is removed from the system.
    • Delete Registry values and files to stop the program from loading.

    RESOURCES.


