During Pesach, heightened vigilance is required

April 10, 2017

EVENT ASSESSMENT

While there are no reports indicating a specific threat to New York City or Jewish institutions during the Passover holiday, religious institutions and religious figures remain attractive targets for multiple terrorist groups—to include al-Qa’ida and the Islamic State of Iraq and ash Sham (ISIS)—and their adherents. Al-Qa’ida and ISIS have consistently called for attacks against Israel and Jewish interests, and recent propaganda from both groups has urged sympathizers to carry out attacks using a range of tactics, including vehicle ramming, edged weapons, improvised explosive devices, and Molotov cocktails.

Terrorist groups and their sympathizers have targeted synagogues and other Jewish locations in the past, both abroad and here in the United States. In December 2016, Austrian authorities disrupted an alleged plot to target a synagogue on the first night of Hanukkah. Two individuals, one of whom was known to authorities, were questioned by police and found to be carrying knives intended for use against the rabbi and his congregants. In May of 2014, ISIL-linked French operative Mehdi Nemmouche opened fire with an assault rifle on a Jewish museum in Brussels, Belgium, resulting in the deaths of four people. In 2016, there were several foiled attack attempts at Jewish institutions in the United States. On April 29, James Gonzalo Medina, a convert to Islam, was arrested by the FBI for attempting to bomb the Aventura Turnberry Jewish Center in Florida during services on the seventh day of Passover. The FBI also foiled the plot of Mahin Khan, a self-described “American jihadist,” after he sought to build pipe and pressure cooker bombs.

Khan considered several targets, including the JCC in Tucson, Arizona. He was arrested in July 2016 after he contacted an individual he believed to be an ISIS fighter.

In addition to the threat from foreign terrorist organizations, domestic terrorism increasingly threatens minority groups and institutions in the United States. In February 2017, a South Carolina white supremacist was arrested after an undercover investigation indicated that he was planning to attack minorities in the local area, and had by that point purchased a weapon to do so. The suspect, Benjamin McDowell, allegedly wanted to replicate Dylann Roof’s mass casualty attack and made a number of online threats against a local synagogue. He further made public statements in support of violent white supremacist ideology, according to press reports.

Hate crimes continue to rise around the United States, a number of which have been anti-Semitic in nature. In addition to the desecration of grave sites at cemeteries in Philadelphia and St. Louis, the Anti-Defamation League stated that there have been at least 166 bomb threats made to Jewish institutions across 38 states in the U.S. and three Canadian provinces since January 2017, none of which resulted in the discovery of explosives. On March 23, 2017, 18-year-old Michael Ron David Kadar, a dual US-Israeli citizen, was arrested by Israel on suspicion of making more than 100 bomb threats against JCCs in the United States, Canada, Australia and New Zealand over the past six months. Kadar’s motive remains unknown. In St. Louis, Juan Thompson was arrested for making at least eight threats to Jewish institutions around the country, including the Jewish History Museum in Manhattan, and Jewish schools and a local JCC.

Despite the arrests of two individuals associated with the multiple, unfounded bomb threats, it is probable that other like-minded individuals may seek to carry out similar threats against Jewish locations given the extensive high-profile media coverage these threats received.

The series of anonymous, unfounded bomb threats against multiple targets was likely intended to spread fear, create considerable disruptions to business and people’s lives, and generate financial costs. Bomb threats can also create soft targets; evacuations of large groups of people into the open offer possible attackers a large, predictable target in a desired location vulnerable to a variety of attacks, to include active shooters, improvised explosive devices, edged weapons, and vehicle-ramming assaults.

If You See Something, Say Something – 1-888-NYC-SAFE (1-888-692-7233)

New York State Security Funding

April 10, 2017

This year’s New York State budget includes the following allocation. Obviously, the details are still pending.

“Capital Projects Funds – Other Capital Project Fund Program Improvement/Change Purpose For competitive grants to provide safety and security projects at nonpublic schools, community centers and day care facilities at risk of hate crimes or attacks because of their ideology, beliefs or mission.

Provided that an assessment of facilities at risk may include, but not be limited to, considerations of the vulnerabilities of the organization based on its location and membership, and the potential consequences of a hate crime or attack at the facility. The amount appropriated herein may be transferred or suballocated to the division of homeland security and emergency services to accomplish the intent of this appropriation.”

Note: the language “considerations of the vulnerabilities of the organization based on its location and membership” differs from the classic definition of vulnerability, “any weakness that can be exploited by an aggressor, or in a non-terrorist environment, make an asset susceptible to hazard damage” (FEMA, Building Design for Homeland Security), i.e., gaps in physical security. Location and membership are usually considered in a threat analysis in the classic security equation: risk = threat + vulnerability + consequences.

The language gives DHSES responsibility for the grants. Stay tuned for more information.

Israeli-American Teen Arrested for Bomb Threats

March 23, 2017

See the links below for information about today’s arrest of a suspect believed to be responsible for the majority of the bomb threats over the past months. Remember, another individual was already arrested and law enforcement authorities believe that there are other copycats.

It is important that we stay vigilant and continue to hone our response plans. We greatly appreciate the work of the FBI, NYPD and the Israeli National Police.

Nonprofit Grant? Get started now, webinar next week

March 17, 2017

NSGP 2017

The timing of the 2017 applications is still up in the air. We won’t be able to determine the due date for the applications until the US Department of Homeland Security posts its guidance. They will only do so once there is a federal budget.

We don’t anticipate any significant changes in the application process and most of the requirements of the application process can be met before the deadline. Our advice is to get started now! Here’s what you can do.

  • Webinar: Our annual webinar will be Tuesday, March 21, 2017, 12:30-1:30 PM. No RSVP required; click here to join when webinar begins.
  • Prequalification: NY nonprofits should register at https://grantsgateway.ny.gov/ & complete their Document Vault. See JCRC-NY’s additional information at: /document-vault-faqs/. If your nonprofit was previously prequalified, you will still have to update certain documents or your document vault is expired. Check your document vault for more information.
  • E-Grant registration: If you have an existing account (and remember the username/password), you’re fine; to register for the DHSES E-Grant system, email: grants@dhses.ny.gov
  • Risk assessment: Find guidance and contacts at: /security-assessment/ and JCRC-NY’s guide to security consultants here. There are some self-assessment tools available. Check out:
  • Investment Justification: The 2017 forms are not ready. Download the 2016 Investment Justification here to see what the application looks like.
  • For the most up-to-date info: /securitygrants

So when is the NSGP grant coming out?

February 15, 2017

Short answer, we don’t know. The U.S. Department of Homeland Security cannot formally announce any grant program before there is a federal budget and Congress gave itself up to April 28, 2017 to come to an agreement. Both the House and the Senate included the program in their appropriations, but they must still work out the funding level of the program (We want it raised to $25 million.). It could be that the grant deadline is only days, rather than weeks, after the grant announcement, so get started now! 

We don’t expect many changes in the application process this year. Our best advice: complete all of the preliminary steps below and a draft of your application (known as the “Investment Justification” or “IJ”) as soon as possible. If there are any changes, you will be able to concentrate on the changes.

One final piece of advice. If you think that your organization is at high risk because of ideology-based/spiritual/religious reasons, think about how you would document them, especially if you follow mission implementing policies or practices that may elevate your risk. If you are a religious corporation, the answer is clear. If not, there may be an opportunity to document the risk.

NSGP 2017

  • Prequalification: NY nonprofits should register at https://grantsgateway.ny.gov/ & complete their Document Vault. See JCRC-NY’s additional information at: /document-vault-faqs/. If your nonprofit was previously prequalified, you will still have to update certain documents or your document vault is expired. Check your document vault for more information.
  • E-Grant registration: If you have an existing account (and remember the username/password), you’re fine; to register for the DHSES E-Grant system, email: grants@dhses.ny.gov
  • Risk assessment: Find guidance and contacts at: /security-assessment/ and JCRC-NY’s guide to security consultants here. There are some self-assessment tools available. Check out:
  • Investment Justification: The 2017 forms are not ready. Download the 2016 Investment Justification here to see what the application looks like. Just make sure that the
  • For the most up-to-date info: /securitygrants
  • Questions? Click here to send questions about the grant program.

To evacuate or not to evacuate? That is the question.

February 01, 2017

With over 150 hoax bomb threats reported, you should already have a plan. However, the ongoing threats should serve as a reminder to review our ongoing guidance, make use of the resources and implement the recommendations, as appropriate.

Should we be worried? At this time the experts conclude that the series of incidents referencing threats against schools, Jewish facilities and businesses likely do not represent a credible terrorist threat for two reasons:

  1. terrorists rarely provide operational insight into their planning, and
  2. the fact that nearly all hoaxes in the United States are conducted by criminal actors or those instigating a nuisance prank.

From “Bomb Threat Guidance” from US DHS and the FBI.

What are my options? Many security experts question the wisdom of the policy of evacuation. After all, a terrorist could trigger an evacuation of a facility with a simple phone call and then attack the evacuees in multiple ways. On the other hand, someone could place 100 hoax bomb threat calls, but actually plant a bomb on the 101st. (In rebuttal, why make a warning phone call when simply planting the bomb works?)

The bottom line is that there is no perfect solution, so all institutions should think about their options and consult with local law enforcement in the absence of the pressure of an actual emergency.

Think about options

Your response should be tailored to the nature of the threat. Don’t expect people to gather information, to analyze the situation and to identify the best option in the wake of a threat. Understand the risk (use the chart to the left) and define actions that can be taken under various circumstances.

Some other ideas:

  • Set up a meeting with your local police to review and discuss your options.
  • There is no perfect solution. This is an issue that should be raised at a security committee or board meeting. Remember, your reputation is at stake and your decision may create liability issues.
  • Identify possible options leading to a sheltered evacuation, i.e., one that minimizes the dangers of an attack on evacuees:
    • Is your parking lot a relatively safe area? Could you evacuate there and stand an appropriate distance from your facility? Is there a sheltered path to an adjoining building? Can the local police establish a perimeter to protect the evacuees?
  • Develop appropriate protective measures based on your facility’s characteristics. For example, some facility managers have identified areas (e.g., a pool or gym) that are not cluttered and therefore, easy to check for bombs. If the architecture of the building is engineered so that the building would not likely collapse on those inside, one option is to evacuate people to these safe (or more accurately, safer) places (HT to Steve Levy of ISA).
  • Communicate, early and often. If you decide not to evacuate, some stakeholders will question your judgement and try to second-guess you. A well-planned sheltered evacuation option is easy to explain and to show that your highest priority is the safety of your stakeholders. Whatever you choose, have pre-written messages ready to go should you become a target.

No one can give you a perfect answer. Identify your options, consult with the best people possible and keep your people safe.

Hoax threats can be scary, too.

January 09, 2017

Should we be worried? At this time the experts conclude that the series of incidents referencing threats against schools, Jewish facilities and businesses likely do not represent a credible terrorist threat for two reasons:

  1. terrorists rarely provide operational insight into their planning, and
  2. the fact that nearly all hoaxes in the United States are conducted by criminal actors or those instigating a nuisance prank.

Due to the common occurrence of bomb threats across the country over the last few years, the experts judge malicious terrorism hoaxes such as bogus emails and phoned-in threats, including robo-calls, will almost certainly continue, diverting resources as they create disturbances and send false alarms. However, don’t become blasé. Someone might take advantage of the hoaxes to accomplish a real attack.


What should we be doing? Consider these incidents to be a teaching moment. How would your organization handle such threats?

  1. Know what you should do. Have a bomb threat plan before an incident happens.  For starters, check out DHS’ Bomb Threat Guidance and Introduction to Bomb Threat Management. Add JCRC-NY’s post, Manhattan bomb threat: lessons learned to your reading list. Now is a good time to review, or to think through your own plans. Our own Emergency Planning: Disaster and Crisis Response Systems for Jewish Organizations has a longer chapter discussing the issue.
  2. Train your phone answerers. Everyone answering the phone (including those who might answer) should be taught how to handle a phone threat with this checklist. Have copies of the bomb threat checklist posted nearby.
  3. You have to communicate.
    • First things first. Call 911. Bring in the cavalry…ASAP. Whether you think the incident is real or a hoax, contact the experts and defer to them. Have a system (with primary and backup callers) that ensures that someone calls 911 immediately. Remember, don’t use a cell phone or walkie-talkie in the area of a suspicious package … you might set it off. Get to your landline.
    • Get the word out. Even if your people know what to do (i.e., you’ve conducted bomb scare drills) you have to let them know that they have to do it. Does your building have a public address system? Do you have cell phone numbers for all of your staff so that you can text them with updates? Can you modify your fire alarm system so that it sounds a distinctive signal for a bomb scare?
    • Let your constituencies know what’s happening. Bomb scares create angst and the possibility of physical danger, but there is the potential for risk to your reputation. No one wants a parent to learn about an incident from the media. Have pre-written messages ready for distribution directly to your constituencies (e.g., by text) stressing the steps you’ve taken and that everyone is safe. Have a point of assembly where worried parents can go for additional information from your best staffers. Work with the police to direct people to the appropriate areas. Do not post specifics on social media.  Click here for resources on crisis communication.
  4. Decisions, decisions. Have someone in charge (and a backup). OK, you receive a threat, now what? Certainly, dial 911, but should you evacuate or not (might someone use a bomb threat in order to trigger an evacuation setting up an active shooter or vehicle ramming?)? In reality there is no perfect answer to this question. Someone has to give the order and there will be no time to waste.
  5. Know where to go. If you decide to evacuate out of an abundance of caution you probably don’t want to stand in the street, especially if the weather is bad. Do you have an agreement with a neighboring institution that allows you to bring people into their facility? By doing so you can keep your people warm and dry and out of harm’s way.
  6. Keep unused parts of your building locked. It’s good practice to have your staff check your facilities daily, looking for something that “Just Doesn’t Look Right”. As they move through the rooms they should lock the doors. Closets and other storage areas should be kept locked. If you develop such procedures and do receive a bomb threat, the bomb sweep of your building can be accomplished faster.
  7. Consult your leadership about security plans. There will always be Monday morning quarterbacks, but a review of your plans at the Board level should empower those making difficult decisions under duress. As they say, “once is not enough.” Revisit security planning and procedures on a regular basis.

How can we know if the threat is real? The intelligence firm, Stratfor, recently published an article: How to distinguish a bomb threat from a bomb warning. The experts suggest some other possible indicators of a hoax:

  • Most genuine bombers wouldn’t specify the exact timing and target of an attack (since providing that information would jeopardize the success of an event);
  • Most genuine bombers wouldn’t use threats with complex scenarios involving chemical weapons or other advanced capabilities, or cite geographically dispersed targets; and
  • Most genuine bombers wouldn’t use threats involving large numbers of operatives.

Remember, there are no guarantees in security. You will have to weigh the options and make the best decisions possible. If you’ve thought about the options and have made decisions ahead of time, the odds of making the right decision increase dramatically.

Awareness 101: When it “Just doesn’t look right”

December 23, 2016
Regularly check around your facility for anything that “Just doesn’t look right”. Shown is a car parked in a “No Parking” zone with strange wires.

Experts note that terrorist attacks don’t appear out of thin air. In virtually every situation (and that includes active shooter events) an attacker practices “pre-operational surveillance.” More mundanely, they “case the joint” or just show up to observe, orient themselves to the situation and to decide how they will act during their attack. When suspect behavior is reported (1-888-NYC-SAFE) it can be investigated and an attack can be interrupted.

Determining that it “Just doesn’t look right”

The NYPD Intelligence Bureau just released some excellent guidance. Its primary focus is to help detect suspicious signs along special event routes (e.g., parades) or areas designated for large-scale public gatherings (e.g., demonstrations, celebrations, street fairs, etc.), but can apply to houses of worship, schools, community centers and other gathering points. The following examples of activity, though not fully inclusive, may be of possible concern to law enforcement (Click here for a PDF of the NYPD Indicators of Terrorist Activity guidance):

  • The appearance of a suspicious vehicle (including bicycles with a storage basket; motorcycles; utility storage boxes, etc.) parked near the area designated for the event to take place. Items left for a protracted period of time and disregarded.
  • Actions by an individual that suggest the pre-event videotaping or still photography of the route or location (and surrounding area) for no apparent reason (i.e., no aesthetic value). Sketching of the area e.g., cross streets, access streets into and out of the area.
  • Any request to videotape from a roof or a vacant unit/apartment overlooking the event venue.
  • The sudden appearance of a new street vendor in an area adjacent to the event route, the venue’s access doors, or gathering location.
  • Unclaimed or suspicious packages/objects found along the special event route/location.
  • Individuals sitting or standing at a bus stop and not boarding a bus; individuals sitting at a particular location (e.g., park bench) at the same time each day for numerous days.
  • The very recent placement of a garbage can, postal mailbox, newspaper kiosk or other stationary object along the special event route/location.
  • Recent attempts by unknown individuals to gain access to your building’s roof overlooking the parade route/special event location/venue.
  • Inquiries about short-term rental of an apartment or space above your store/business, or in your residential complex, that also happens to offer a view of a parade route or special event location. (Terrorist operatives will often cohabitate to facilitate operational planning. Additionally, they may attempt to position themselves in an area that will ease their surveillance of potential targets.)
  • Large plastic drums being stored inside a building (commercial or residential space).
  • Reports of small fires or smoke conditions being reported from a particular store or apartment.
  • Suspicious inquiries by unknown individuals regarding:
    • The security measures anticipated for the event (e.g., extensive questioning as to the searching of backpacks, stopping of vehicles, etc.)
    • The seating of public officials, dignitaries, or other VIPs at an event.

Ransomware: Lessons learned

December 20, 2016

Don’t say that we didn’t warn you (see here, here and especially here). Here’s a tale about a synagogue in the NYC area, but it could happen to anyone.

In mid-November the rabbi’s secretary was going about her business on the shul computer. Whether she was duped into clicking on an infected popup advertisement or she visited an infected website, the damage was done. What we do know is that this ransom note appeared on her screen:

[Image: ransomware warning]

Then the panic. The note was accurate: they were locked out of the shul’s only computer. What should the shul do?

  • They couldn’t get to their Quickbooks.
  • They couldn’t get to their member software.
  • They couldn’t get to the file with the Yahrzeits.
  • They couldn’t get to their record of Kol Nidre pledges.

Some computer-savvy members tried various tools, but no luck. The problem was eventually brought to the synagogue board and a hearty debate followed. Would they just be paying a ransom and get nothing in return (See the FBI guidance here)?  Finally, the vote was to pay the ransom, 3 bitcoins (almost $2,400).  Fortunately, the thieves were relatively honest. The synagogue’s files were decrypted and they could recover their data. Many other victims pay, but their computers remain locked.

Lessons learned

People, there’s nothing new here. Check out JCRC-NY’s Cybersecurity Resources page and our cybersecurity blog posts. This episode is an expensive reminder that it’s crucial to practice good cyber-hygiene.

  1. Backup, backup, backup. There is no excuse. External thumb drives and hard drives are cheap. Buy one and take the time to configure the backup program so that it automatically, regularly keeps critical data safe. There are many free or low-cost cloud options. Backup to Google Drive, Dropbox or a cloud server provided by your anti-virus/backup program. The data in some shul membership management programs are automatically saved to the cloud which may even be monitored by full-time cybersecurity staff. Finally, more than one backup (e.g., one onsite, one offsite or in the cloud)  is better than one … one is better than none.
  2. Keep your anti-virus software up-to-date. The bad guys are smart and they’re getting smarter. Somehow, the bad guys got the rabbi’s secretary to click on the infected link. Our poor synagogue had anti-virus software, but it was a year out-of-date (duh, it turns itself off).  Most of the better anti-virus programs are updated constantly and will probably stop a ransomware attack before your data is seized. Buy a license that will protect all of your computers. (see bargain software rates for nonprofits at Techsoup).
  3. Have strong passwords and record them. Whoever set up the synagogue’s computer did follow “best practice” and didn’t give the users “Administrator” access (pardon the techy-talk). The trouble was that no one knew that password so the consultant who assisted the synagogue had to get permission from the board to reset the password before she could revive the computer. Click to https://www.lockdownyourlogin.com/ for the latest guidance on passwords.
  4. Beware of residual “bread crumbs”. Some ransomware leaves malware on a computer so that the bad guys can re-infect the computer. After all, you paid once, won’t you pay again? Once you have recovered the encrypted files, use multiple products to scan your computer: first your new, up-to-date anti-virus program, then some others (the trial or basic versions are available free online) such as Malwarebytes, CCleaner, SUPERAntispyware, to name a few. There is no perfect solution. Each may find something that the others missed.
  5. Cybersecurity is a board responsibility. The incident was an expensive lesson. When no one on staff has computer skills, the board has a fiduciary responsibility to make sure that the staff know the basics of cyber-hygiene: the software is being updated, the backups are made, the anti-virus programs are working.

Finally, kudos to JCRC-NY’s outside computer maven from Dragonfly Technologies, who dropped everything to travel to the shul and spent many hours into the night to get them back in business and up-to-date.