Cyber & IT Supervisory Forum - November 2023

3.) When and how should executive management and the Board receive information on the results of threat monitoring?

As we mentioned before, threat information cannot exist in a vacuum within the IT area. There is, however, a potential to overshare information with senior management and the Board. There is no formal rule on how often such notifications should take place but, ideally, IT staff learning of a potential threat will possess the knowledge and discretion to identify and inform management (at an appropriate cadence) of those threats that are most germane to the organization. This will vary from institution to institution and may vary according to individual appetites for information.

In this exercise, our scenario paints a picture of a threat that:

a. Is reported to be specifically targeting financial sector organizations of all types, and
b. Has already impacted organizations operating within the company's footprint.

As a result, one might expect that this particular threat might warrant a "heads-up" to senior management and the Board, even if the threat has not materialized within the organization. Again, we go back to the concept of "early preparation is the best kind of preparation." If senior management and the Board have that initial awareness, they will be better prepared to step into any roles they may be assigned should the threat materialize within the organization. Chaos often reigns when incidents happen, and initial awareness of what's potentially on the horizon will be a key to implementing a more effective response.

4.) What are some of the key monitoring practices that an organization might utilize for servers, backup systems, workstations, networks, and other endpoints?

These are the monitoring practices that should generally be utilized at all times within the organization (as incidents can and do happen with little or no warning) and are practices that become particularly important when a known threat is identified.

Thinking back to our severe weather analogy, these are the processes that would be equivalent to turning on the TV or radio and listening for warnings, looking out the window to observe cloud and sky conditions, or using a weather radio or a phone app to provide instant warning alerts. These are, of course, not representative of everything an entity should be doing, but they are basic controls that do provide a good foundation for every organization to capture anomalies and suspicious behaviors associated with actual or attempted system compromises.

a.) Automated mechanisms for blocking and alerting of any executable files attempting to connect to the Internet.
b.) Active monitoring of network management tools used on workstations, such as Windows Management Instrumentation (WMI), PsExec, and other PowerShell scripts.
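The two monitoring practices above are easier to reason about when written as concrete detection logic. The following is an added example, not material from the forum document: it runs two checks over a handful of constructed, Sysmon-like endpoint events (process-creation and network-connection records). Practice a.) becomes "any executable not on an approved list that reaches a non-internal address raises an alert"; practice b.) becomes "flag the PsExec service binary, any process spawned by the WMI provider host, and PowerShell launched with an encoded command". The hostnames, file paths, approved-binary list and internal address ranges are all assumptions to be replaced with the organization's own.

```python
"""Detection logic over constructed, Sysmon-like endpoint events.

Added illustration for the two monitoring practices on this page:
  a.) alert on executables connecting to the Internet outside an approved list
  b.) alert on remote-administration tooling (PsExec, WMI, encoded PowerShell)
The event shape, hostnames, paths and the approved-binary list are assumptions.
"""
import ipaddress
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Networks treated as "not the Internet" for practice a.). Assumption: RFC 1918
# ranges plus loopback; adjust to the organisation's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Binaries approved to reach the Internet (assumption; lower-cased full paths).
APPROVED_OUTBOUND = {r"c:\program files\mozilla firefox\firefox.exe"}

# Constructed sample telemetry (id 1 = process creation, id 3 = network
# connection, loosely mirroring Sysmon field names). Not real data.
SAMPLE_EVENTS = [
    {"id": 3, "host": "WS01", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"id": 3, "host": "WS01", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "dest_ip": "198.51.100.7", "dest_port": 443},
    {"id": 3, "host": "WS02", "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "10.0.0.5", "dest_port": 445},
    {"id": 1, "host": "WS02", "image": r"C:\Windows\PSEXESVC.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": "PSEXESVC.exe"},
    {"id": 1, "host": "WS03", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "cmd.exe /c whoami"},
    {"id": 1, "host": "WS03",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile -EncodedCommand <BASE64-PLACEHOLDER>"},
    {"id": 1, "host": "WS04", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def is_internet_destination(ip: str) -> bool:
    """True when the destination lies outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def check_outbound(event: dict) -> Optional[Finding]:
    """Practice a.): any non-approved executable reaching the Internet."""
    if event["id"] != 3 or not is_internet_destination(event["dest_ip"]):
        return None
    if event["image"].lower() in APPROVED_OUTBOUND:
        return None
    return Finding(event["host"], "unapproved-outbound",
                   f'{event["image"]} -> {event["dest_ip"]}:{event["dest_port"]}')


def check_remote_admin_tools(event: dict) -> Optional[Finding]:
    """Practice b.): PsExec, WMI-spawned processes and encoded PowerShell."""
    if event["id"] != 1:
        return None
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    if image in ("psexesvc.exe", "psexec.exe", "psexec64.exe"):
        return Finding(event["host"], "psexec", event["command_line"])
    if parent == "wmiprvse.exe":
        return Finding(event["host"], "wmi-spawned-process",
                       f'{parent} -> {event["command_line"]}')
    if image in ("powershell.exe", "pwsh.exe"):
        tokens = event["command_line"].lower().split()
        # PowerShell accepts unambiguous prefixes of -EncodedCommand; require at
        # least "-enc" here so that -ExecutionPolicy is not matched.
        if any("-encodedcommand".startswith(t) and len(t) >= 4 for t in tokens):
            return Finding(event["host"], "powershell-encoded-command",
                           event["command_line"])
    return None


def analyze(events: List[dict]) -> List[Finding]:
    """Run both checks over an event stream and return findings in event order."""
    findings = []
    for ev in events:
        for check in (check_outbound, check_remote_admin_tools):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

Run as a script it prints four findings: the unsigned-looking update.exe in a user's Temp folder reaching 198.51.100.7, the PsExec service binary on WS02, a cmd.exe child of WmiPrvSE.exe on WS03, and the encoded PowerShell launch on WS03. The browser on the approved list and svchost.exe talking to an internal file server produce nothing, which is the point of the allowlist and the internal-range exclusion: the alert volume stays small enough that the staff discretion discussed under question 3 can actually be exercised.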

