Chuck Norris doesn’t need cyber security. His IT enterprise sits behind his own custom-built firewall. Or as you probably call it, the sun.

Norris, the consummate tough guy who did for roundhouse kicks to the chops what Microsoft did for operating systems, celebrates his 74th birthday today (or, more accurately, as one Twitter wag posits, 74 celebrates its association with Chuck Norris). The happy occasion lit up social media as well as our cyber security staff meeting with proposed new Chuck Norris facts.

The Chuck Norris facts (e.g., "Chuck Norris has already been to Mars. That's why there are no signs of life."), make the actor something of a modern day Paul Bunyan of butt-whooping, and reflect Norris’ seminal place as America’s tough-guy-in-chief and unconquerable defender of.... well, everything. 

A major problem is that the goals of cyber security and the goals of connectivity often clash, leaving stated cyber defense capabilities as empty bold promises. In the modern digital enterprise, the proliferation of applications creates a mesh of software and and operating systems tethered to servers and mobile devices. These are joined at various interconnected points, creating a fishing-net effect for your IT enterprise, effective for networking but hardly defensible, exposing your IT enterprise to an increasing array of cyber attacks such as port scans, malicious software or keystroke loggers. This list of attack vectors expands virtually every week as the list of needs expands in front of it. Cyber security struggles to maintain an effective posture without getting left behind.For us, the contrast between the mythical Norris of Facts fame and the actual septuagenarian is a reminder that no matter how great your cyber security is, and how glowingly you may describe it, unless you have a digital Norris, nothing is impenetrable, including your IT enterprise.

(Norris, meanwhile, doesn’t have these cyber problems. For example, Nigerian lawyers e-mail Norris money. Patches get a Norris Tuesday. Malware has Norris Response Teams.)

Further, cyber security has grown as indispensable as it is specialized. Unlike a decade ago, when IT may have supported your organization, now your IT enterprise is your organization. Defending it must be your top priority, but the complex technologies that underlie different areas of cyber security, form networks to applications to end-user best practices, is all but impossible for most companies to keep apace.

Unfortunately, spending in preventative cyber lags behind, resulting in expensive data breaches (an average of $5.4 million per companies studied in the 2013 Ponemon Cost of Data Breach report.)

The best solution, short of hiring Norris as your CISO (Chief Information Security Officer), CIO (Chief Information Officer and CTO (Chief Threat-Actor-Tooth-Shattering Officer) is a simple one: Start with regular cyber security assessments.

Cyber Security assessments serve as the entry point to good cyber hygiene, an act of routine maintenance to avoid catastrophe, the same way in which we change the oil in our cars to promote engine life or visit the doctor to mitigate against sickness. (Except of course, Norris. Chuck Norris doesn't catch colds, but colds can't catch Chuck Norris, either, because nothing can catch Chuck Norris)

Consider the following questions. If you can't answer one of them, contact us for a cyber security assessment.

Do you know all the devices that are connected to your network?

Many end devices may be intermittent consumers of network services. Automated software tools to scan for known vulnerabilities will only work if they can be targeted against the full inventory of your end devices. Unknown devices cannot be scanned. Software exists to perform these software and network scans – but how can an organization be sure it has captured all end devices using network assets?  Using a system integrator such as NJVC that has explicit experience in this role can be the difference between understanding the full landscape of your IT enterprise, or only securing a fraction of it.

Do you utilize a third party to identify threats?

Multiple security companies specialize in aggregating data collected in the wild from end platforms or communication partners who perform real time network monitoring.  Alert services are intended to quickly warn subscribers of existing and evolving real world threats. 

In addition, the DHS (Department of Homeland Security) operates the United States Computer Emergency Readiness Team (US CERT) whose 24x7 mission is to identify risks and share cyber threat information. They operate a mailing list and RSS (Really Simple Syndication) feed that provides ongoing updates as they are uncovered and verified.

Do you know your most likely vulnerabilities?

Malicious software is increasingly being targeted in an industry-specific approach.  Variants of the code used for the recent Target retail Point Of Sale (POS) compromise showed up in other retailer application servers. Common tools are used across companies. Compare yourself against your peer organizations and join trade groups that share confidential breach information.

US CERT  also issues alerts that are intended to notify companies when a peer has been exploited, so they can be address similar vulnerabilities.

Do you prioritize existing threats?

Given an environment that is robust enough to identify and quantify multiple existing threats, such as malware uncovered on application servers, how are those threats mitigated?  Using some type of severity rating scale focuses mitigation efforts and allows the most serious cyber risks to be corrected first.  This reduces the likelihood of actual harm to an enterprise IT infrastructure.

Using something such as the CVSS (Common Vulnerability Scoring System) – which is an open and standardized method from National Institute of Standards and Technology NIST allows an organization to focus limited resources, optimize impact and reduce their overall risk profile.

Do you have a white list of all approved software?

A large amount of malware can be stopped if all software executables are compared against an approved list before being given permission to run. Periodic scans against an approved list can identify risk situations where a forensic analyst should concentrate expensive labor investigation efforts. This can occur when malicious code is identified and the originating source is being investigated to prevent re-infection.

Careful administrator control must be implemented to avoid targeted insider threats.  Properly implemented, this can be a very powerful method superior to simply trusting virus based signatures.

Not knowing where to start an approach to cyber security is a common predicament for any organization. After all, companies are in business to deliver a service or product that can generate revenue, not in the business of constant cyber security innovation against constantly evolving threats. The solution is to let an experienced third party security specialist such as NJVC conduct a technical cyber security assessment.

Nothing guarantees absolute security, of course, no more than the oil changes in you car guarantee you won’t be in accident. But regular cyber hygiene in the form of assessments, maintenance in the form of managed services, and instruction in best practices, like constant driving lessons, will greatly reduce the risk to your enterprise more than any other solution available.

Except of course, Chuck Norris.

After all, Norris doesn’t have to secure his sensitive data. He simply routes all traffic through port Chuck Norris. No one dares cross Chuck Norris.

 

NJVC is in not affiliated with Chuck Norris, ChuckNorrisFacts.com nor implying endorsement by, or association with, either.