My Two Check Point Decades

February 1999 was the last time I willingly changed employers. That’s…20 years, which, in this day and age, is an eternity to stick with the same employer.

That’s not entirely true. I did change employers in April of 2009 when Check Point Software Technologies completed the acquisition of the Nokia Security Appliance business that I worked in. Because of this, when you look at my official start date at Check Point, it reflects the day I started at Nokia, which was in February of 1999.

More than Two Decades, Actually

But really, my Check Point experience goes back farther than that. It even predates the Check Point Experience conferences currently going on right now, starting in 1996. I began working for a company that resold, among other things, Check Point FireWall-1.

Back then, Check Point didn’t have a support site and there wasn’t much information out there on the Check Point product. I ended up building and maintaining a public FAQ, which got a lot of attention.

That FAQ did lead to my job at Nokia in 1999, where I was hired under a telecommuting arrangement, which at that time was unusual. Most of my co-workers were in the San Francisco Bay Area. I had just recently moved to Washington State, and telecommuted with the occasional trip to the office.

Quite a lot has happened in the decade that followed. Nokia acquired many companies, changed strategies a few times, reorganized, but our business unit that produced appliances that ran primarily Check Point’s software remained. The appliances were quite popular, as was our Technical Support, where I worked in various roles. Our business unit had many names over the years, including: IP Routing Group, Nokia Internet Communications, and Nokia Enterprise Solutions. Our revenues were effectively rounding error when compared to Nokia’s Mobile Phone business at the time, was profitable.

The Winds of Change and a Recession

By the end of 2007, the winds of change were definitely blowing. The iPhone was announced at the beginning of 2007 and took the world by storm. This had a massive effect on the mobile phone market as a whole, and Nokia in particular. More specific to our business unit, I saw an organizational chart that showed our business unit isolated from the rest of Nokia. Which, in some ways, made sense since we operated pretty independently of the larger Nokia. However, it foretold what was to come.

Near the end of September of 2008, a Nokia executive had inadvertently made public they were in the advanced stages of selling the Nokia Security Appliance business to a private investment firm. This began a rather tumultuous 7 month period in my professional career.

While trying to do our jobs keeping customers happy and secure, we were developing plans to become a company independent of Nokia. This involved quite a lot of details that, working for an established company like Nokia, you just don’t think about.

All this planning activity suddenly stopped, or at least management stopped asking about it. Things got oddly quiet. Turns out, the recession that kicked in during October 2008 “cooled off” the potential buyers.

Coming Home to Check Point

Just before Christmas 2008, it was announced that Check Point was buying the Nokia Security Appliances business. After three months of uncertainty, we were starting all over again with a whole different set of concerns. Who would be acquired? Who would end up staying at Nokia? Who would end up having to look for work? And was any of this a good thing?

I’ll spare you the details of the three months that followed, but it involved interviews with people at Check Point, a CFIUS review (we were a US asset that was being purchased by a foreign-owned company), and a lot of unknowns. All, meanwhile, while we were continuing to serve our customers.

In April of 2009, the acquisition of Nokia’s Security Appliance business by Check Point closed. Some ended up staying with Nokia, some came over to Check Point, others were given severance packages. And a whole new adventure began as this was not only a change in employer for me, I changed jobs. Which, as it turns out, was a great thing.

At first, my job wasn’t all that different. I was a sort of backline support for the sales organization, interfacing between sales, R&D, and Product Management. It wasn’t too different from what I was doing at Nokia, actually, just with a different focus (pre-sales).

Eventually, my role evolved into a Security Architect, where I went on customer sites, reviewing their security architecture, providing recommendations for addressing the identified issues along with what Check Point products would best address their needs. This got be a bit closer to the actual sales process.

Back to the Future

CheckMates

Then, at the end of 2016, I was offered an interesting proposal that leads me where I’m at now at Check Point: as the front man for Check Point’s user community: CheckMates. The funny thing is, I’m doing a lot of what I was doing running the FireWall-1 FAQ back in the 1990s, except Check Point is now paying me to do it.

A lot has changed in the last 20 years. The old days were fun, but I’m having the time of my life right now! I’m not just doing some online thing from my basement, I’m getting out there, meeting customers, spreading the good word. Given the significant increase in the velocity and impact of cyber threats, the work that Check Point is doing to prevent them is more important than ever!

And while I’m not talented enough to develop solutions to cyber threats, I can certainly communicate, educate, build trust, and collaborate. I can occasionally develop solutions to some problems as the hundreds of posts on CheckMates and the hundreds of FAQs I published years ago will confirm.

It’s what I’ve always done in my career, and yet, I’m just getting started.

An Updated Word About Competition in the Information Security Industry

A year ago, I had written a post about competition in the information security space, of which I work as a part of for a vendor that has been in it for nearly a quarter century: Check Point Software Technologies. A few things have changed since I wrote the post and I decided, rather than merely repost my previous post, create a new version of it and update with some relevant information. I’ve removed the old post because it largely says the same thing.

Why I’m In This Industry

The devices, networks, and social institutions we use today are only useful because, on the whole, most people largely trust them. If this trust erodes, people will not make use of them.

It took me many years of working at Nokia to realize that regardless of what I do in life, I am always going to be looking for where the flaws are in the systems and do what I can to improve these systems so they will remain trusted.

As a company, Check Point firmly believes customers deserve the best security for their digital information. That, plus my long-time history with Check Point was why I ultimately decided to go work for Check Point when they acquired Nokia’s Security Appliance Business back in 2009. The talented, smart people I work with day-in and day-out working toward the same goal is why I’m still here, even though some have left for what they see as greener pastures, or at the very least, a different pasture.

What About The Competition

One of the things I’ve always tried to do online is to bring facts, understanding, and details to light. This is what I did with the FireWall-1 FAQ back and the day and what I’m trying to do as part of my effort with Check Point’s user community: CheckMates.

You may have noticed that I occasionally delve into the subject of Check Point’s competition in my online discourse. The main reason I do this is because some of them are saying stuff that flat out isn’t true, a gross misrepesentation, or they advocate a poor approach.

To be clear, I think healthy competition is a good thing. It raises all boats, regardless of who you ultimately use. Despite our differences in approach, there is a common enemy: the malicious actors who attempt to penetrate and disrupt our customers networks. We would do better as an industry to remember that and work better together toward defeating that common enemy.

Despite that common goal, everyone who works for a security vendor, particularly in a sales or marketing capacity, wants to succeed over the competition. As part of that, each vendor puts outs information that puts their offering in the best light. Certainly Check Point has done this with some past marketing campaigns such as:

This is all part of normal, healthy competition that happens in any industry.

Palo Alto Networks is clearly a different competitor and seems to play by different rules, particularly with respect to Check Point.

It’s Personal for Palo Alto Networks

Nir Zuk, the co-founder of Palo Alto Networks, drives a car with the license plate CHKPKLR. This was widely known since at least 2005 and a picture of said license plate was featured prominently at their 2016 Sales Kick Off:

CHKPKLR

The guy up on stage? Their CEO Mark McLaughlin, propagating the “Check Point Killer” message to the assembled masses.

Over the years, I’ve heard countless stories of how Nir Zuk would come in to talk to a (potential) customer and spend a significant amount of time talking about Check Point, to the point where he was thrown out of at least one customer meeting! Given how some customers feel about Check Point, I’m sure that tactic did help to drive some sales.

In the following picture, you can see Palo Alto Networks Chief Marketing Officer Rene Bonvanie with a slide behind him of Check Point CEO Gil Shwed:

Gil Shwed is not my friend

To take it one step further, it was recently discovered that Palo Alto Networks has a so-called “Check Point Kill Squad.” This was disclosed by way of a screenshot of what appeared to be an internal portal from Palo Alto Networks. There was no real information in this screenshot, just partial bullet points of a few competitive talking points against Check Point SandBlast and the fact they also have a Competitive team–nothing that wasn’t already widely known or easily to deduce.

Rather than simply ignore it, Palo Alto Networks saw fit to issue a DMCA takedown notice, causing Moti Sagey’s LinkedIn account to be temporarily suspended. Given their propensity to use EULAs as a way to prevent the truth from being disclosed about their products, using a DMCA takedown to needle someone at a competitor doesn’t seem too far fetched.

Conclusion

It’s clear the hatred of Check Point is institutionalized at Palo Alto Networks and that it comes straight from the top. Given they still haven’t fixed potential bypasses in their product two years after they were reported, it makes me question what business they are truly in.

Disclaimer: My blog, my personal opinions. I’m sure you knew that.

Taking CheckMates On The Road

After a couple months of mostly being at home (nice change of pace), I’m now taking the Check Point CheckMates community on the road!

Aside from building the community site, where we’ve definitely seen an uptick in activity in recent weeks, part of my charter is to faciliate in-person Check Point meetups. We are starting these in a number of locations! Four in particular I’d like to draw your attention to are ones I will be at!

Sadly, I didn’t get the bright idea to do this before last week, where I was in Cincinnati. However, it’s not too late to see me in the following places over the next few weeks:

Also, while I have your attention, I’d be remiss if I didn’t point out the Ask Me Anything we’re doing with Dr. Dorit Dor and her management team on the 18th of September. Get your questions in now!

Ye Olde PhoneBoy FireWall-1 FAQ is Back…In A Manner of Speaking

Many of you probably remember the Check Point FireWall-1 FAQ I ran for many years. Many have told me it was their “go-to” source of information on all things Check Point, well before Check Point had SecureKnowledge.

Well, I’m here to say: it’s back…in a manner of speaking.

More specifically, I am back doing the activity I was doing twenty years ago, namely trying to help the Check Point community make the best use of the stuff they bought and make the resulting information available to everyone.

The one difference? I’m doing it for Check Point now, as opposed to doing it as an independent effort. The name of the site? CheckMates–and no, it’s not a dating site.

This site was previously called Exchange Point and was launched around the time R80 was released a little over a year ago. Previously the site was just focused on management, but it has been expanded to cover all of the products that make up Check Point Infinity.

Even in the past, I personally didn’t have all the answers. The one thing I did do was make what I did know and what others contributed available to all. I had plenty of help from people in the community back then, including from people at Check Point.

In that regard, nothing’s changed. CheckMates will be a collaborative effort. Unlike in the past, Check Point’s role will be more prominent, especially since they are hosting the site and paying my salary.

At the end of the day, I want CheckMates to be like phoneboy.com was back in the day: to be the go-to resource for all things Check Point. It’s a tall order, and I know what’s there is not much now, but phoneboy.com wasn’t much back when I started, either.

To give you a small sample of the discussions on CheckMates, I’ve put together a small sample of some of the threads that happened last week.

How Long is Long Enough for a Password?

As much as we might want to see different authentication methods available, passwords aren’t going anyway anytime soon. This means a significant part of our security online comes down to choosing good passwords.

There are three basic rules for choosing good passwords:

  1. The more complex the better
  2. The longer the better
  3. Don’t use the same password on multiple sites

Some services like Office 365 are being criticized for only allowing 16 character passwords. Some services offer even less than this.

If you actually do a little math, and choose the characters in your password carefully enough, perhaps using a tool like LastPass to generate and manage the passwords, even a 16 character password is more than strong enough to withstand a brute force attack!

To demonstrate that, I’m going to use the GRC Haystacks tool just to show the search space required in order to find a given password. Yes, I know there are some in the security community that poo-poo some of the contributions to information security that Steve Gibson has made. The tool is merely expressing the results of math and is being used for illustrative purposes.

A password can theoretically have four different types of characters:

  • Uppercase characters (26 possible options)
  • Lowercase characters (26 possible options)
  • Numbers (10 possible options)
  • Special characters (33 characters)

This gives us a total of 95 possible values for a given character of a password. Note that this may vary from site to site as some sites might restrict the special character space. Some sites might even allow for emoji, which I am excluding since outside of smartphone platforms, these are not universally available.

Let’s assume we pick a 16 character password that leverages all four character types and is relatively random. The time required to exhaustively search this space with a tool like hashcat or John The Ripper? A much longer time than I can even conceive of!

16 Character Complex Password

What about if I choose a 16 character password that is all lowercase, but random? Even if a lot of computing power is thrown at the password hash, we’re still looking at several years of computing time:

16 Character Lowercase Password

However, by adding a little bit of complexity, say, uppercase characters, the search space suddenly increases by orders of magnitude!

16 Character Upper and Lowercase Password

Even a 12 character complex password has a pretty large search space to search through:

12 Character Complex Password

All of this assumes you are choosing truly random characters for your password. If you’re using a well-known password manager, it’s probably random enough. Obviously, if you choose dictionary words for your password, or simple variations thereof, the odds of someone guessing your 16 character password are much higher.

Then again, how might someone perform a brute force attack on your password? Certainly if someone leaks the hashed passwords it’s possible. It’s likely not the result of an online brute force attack as that is likely to be detected and/or blocked and will most certainly take much longer.

And yes, the amount of time it takes to validate a password is a factor here. To illustrate this, let’s talk passcodes on phones. At least on Apple devices, if you enable the wipe feature, Apple will wipe the device after 10 failed passcode attempts. The phone only allows passcode entry via the screen and each attempt takes 80 milliseconds to process, as I discussed previously. After a few failed attempts, the phone will lock out additional attempts for a period of time. Which means, it’s not like someone can pick up your phone and a few seconds later, your phone is wiped.

With those constraints in place, how long and complex of a passcode do you really need to keep yours phone from being unlocked by someone other than you? Probably nowhere near as many as you think, so long as you avoid obvious and common ones. For the sake of argument, let’s look at an 8 digit passcode:

8 Digit PIN

To exhaustively search this space, assuming 80ms per guess and no other limiting factors, it would take about 103 days to try all possible combinations. Since there are other limiting factors as noted above, including the fact that the ability to automate passcode guessing is limited, it would take a bit longer. Of course, if the iPhone owner enabled the “erase after 10 failed attempts” option, all bets are off.

The bottom is line is, when you actually look at the math, you don’t need quite as long of a password as you think you do. Assuming the limit is at least 12 characters and all special characters are supported, you can make a complex enough password to sufficiently mitigate most brute force attacks. Even a 16 character password with just mixed case letters has a pretty large search space, assuming your passwords have sufficient entropy.

Having said all that, I’m all for sites supporting longer passwords. Length does allow people to make more complex passwords that are far easier to type, which can be good for people just learning good password hygiene. Also, if it helps people feel more secure to have a longer password and adding support for longer passwords is trivial, why not support it?

Obviously, if there is a massive increase in available computing power anytime soon, some of these assumptions will have to be reexamined. That said, I suspect we’ll have bigger issues to deal with than just the security of our passwords.

Disclaimer: My employer, Check Point Software Technologies, didn’t offer an opinion on this issue. The above thoughts are my own.