Tim Tebow and Non-Microsoft Mail Systems

Exchange, Office 365 and Outlook dominate the business email market today and we are forecasting that they will gain market share over the next two years. There are three basic reasons for Microsoft’s dominance in the business email market.

  1. First, these offerings are pretty good – they work more or less as advertised and they integrate nicely with a wide variety of other solutions from Microsoft and other vendors.
  2. Second, they’re from Microsoft, the “IBM of the 1960s” choice for decision makers who often want to take the more conservative route by using only established, household names for their IT infrastructure.
  3. Finally, whether this was intentional or accidental, it was genius on Microsoft’s part for “Outlook” to become synonymous with “our corporate email system”. As I’ve written about in a previous blog post, many business decision makers have pushed their IT department toward Exchange because they like Outlook, assuming the latter is the email system and not simply an email client.

Non-sequitur: Tim Tebow is an incredibly polarizing figure in the NFL: virtually anyone who knows about his brief tenure in professional football either loves or hates him, but there are scant few in the middle. Despite leading the Denver Broncos to the playoffs in 2011, he never started another NFL game and today is only a memory in professional football.

Why? It might have to do with his outspoken Christian faith, charges that he doesn’t practice well, or his being a “distraction”. While the reasons for his not being in the NFL vary, it probably wasn’t because of his performance. For example, Tebow’s career Total Passer Rating is better than the rating for some of this year’s NFL starters. In his playoff-clinching 2011 season, he threw for 12 touchdowns, tied with or better than eight of this year’s NFL quarterbacks. In his first year in the NFL, his passing yards-per-attempt stats would place him fifth among this year’s quarterbacks, ahead of Russell Wilson, Andrew Luck, Philip Rivers, Tom Brady and Cam Newton.

In some ways (and, yes, I know this will be a bit of a stretch for some), many mail systems are like Tim Tebow in one important respect: they’re better than some of the mail systems that are more commonly deployed, even though there are good reasons they should be selected. For example, a single administrator can run a Novell GroupWise deployment for 15,000 users, a level of administrator efficiency that more commonly deployed mail systems can’t match. Alt-N MDaemon Messaging Server is dramatically cheaper than Exchange Server 2013 Standard – 94% cheaper. Notes/Domino runs on a much wider variety of server platforms than Exchange. Zimbra has a number of advantages over Exchange in terms of cost-of-ownership and ease of deployment.

Again, this is not to say that Exchange is not a solid offering from an even more solid vendor. But there are reasons to at least consider other email platforms that might not be as conventional, “safe” or popular.

What if North Korea had…

The recent cyberattack on Sony Pictures has been definitively linked to the government of North Korea, presumably in response to Sony’s upcoming release of the comedy The Interview. The US government said that North Korea was “centrally involved” in the attack, which has resulted in the leakage of several pre-release films, lots of embarrassing emails, and a variety of other content that Sony Pictures would rather not have had released – in total, up to 100 terabytes of data. North Korea upped the stakes following this cyberattack, threatening to create what amounted to another 9/11 if theatres showed the film. Clearly, Kim Jong-un does not have a sense of humor (or a good hair stylist).

The most recent result of this cyberattack, other than lots of apologies and hand-wringing from Sony executives, was the announcement by several major US theatre chains that they would not show The Interview, followed shortly thereafter by Sony’s cancellation of the $42 million film.

An attack on any major company is bad enough, even if the primary result is the cancellation of something as innocuous as a film. But what if North Korea had decided its target was the IT infrastructure of a major US utility, including its nuclear facilities? Black & Veatch published a report this year indicating that fewer than one-third of the electric utilities it surveyed have appropriate security systems with the “proper segmentation, monitoring and redundancies” necessary to deal with cybersecurity threats. How about if North Korea had decided to attack a major hospital network? One of the largest US hospital groups, Community Health Systems, was the victim of a Chinese cyberattack earlier this year, resulting in “only” the loss of data on 4.5 million patients. What about a North Korean cyberattack on the military? An investigation by the US Senate revealed that there were 50 successful hacking attempts against the US Transportation Command between May 2012 and May 2013. Serious and debilitating cyberattacks on utilities, healthcare providers and the military could make us long for “the good old days” when the result of a cyberattack was just the cancellation of a film.

What if it was your company? Have you taken precautions to prevent ransomware from infecting your users? 500,000 victims of Cryptolocker weren’t so lucky. Are your users trained to detect phishing attempts and take appropriate action when they encounter them? Is your security infrastructure sufficient to detect and weed out malware, phishing attempts and other threats that could make you a Sony-like victim? Is your vendor’s threat intelligence protecting your organization sufficiently?

We have done a lot of research on security issues and will be launching another major survey just after the first of the year to find out just how prepared organizations really are.

Why Aren’t Cloud Vendors Pushing Encryption More?

Microsoft is currently embroiled in a major legal dispute with the US government. US prosecutors, seeking to gather evidence from a Microsoft cloud customer in a drug-related case, are asking for Microsoft to turn over various customer records even though the data in question is held in an Irish data center. Microsoft has argued that the US government has gone too far with this request because the data is held in a foreign country and that authorities in that country are not involved in gathering the data. The government has argued that this case does not violate the sovereignty of a foreign state, since Microsoft can produce the requested data remotely without use of its staff members in another country. The case, which started in 2013, has been escalating: Microsoft has refused, thus far, to turn over the data and a number of companies (including AT&T and Apple) and others have filed friend-of-the-court briefs in support of Microsoft’s position.

Aside from a number of legal, ethical and political issues – as well as the big issue of how successful cloud computing can be in the future if any government can demand information from a data center in any other nation – this case raises the importance of encrypting data in the cloud. For example, if Microsoft’s customers could encrypt data before it ever got to the company’s data centers, and if Microsoft did not have access to the keys to be able to decrypt this content, requests for data from government or anyone else would be rendered moot. Of course, the US government in this case could have pushed the party whose data is being requested to provide the keys, but the important point for Microsoft is that they would have been only minimally involved in this case, if at all, since they would not have had the ability to produce the data. This presupposes that the US government could not crack the encryption that was employed, but that’s another matter.

Moreover, if the customers of cloud providers encrypted their data before it ever reached a provider’s data center, this would offer the latter the quite significant benefit of not being culpable if their customers’ data was hacked in a Sony-style incursion. Unlike the Sony situation, which has resulted in the publication of confidential emails, pre-release films and other confidential material, well encrypted content could probably not be accessed by bad guys even if they had free run of the network. This would help cloud providers not only to avoid the substantial embarrassment of such a hacking incident (which, I believe, is inevitable for at least one or two major cloud providers during 2015), but it would also help them to avoid the consequences of violating the data breach laws that today exist in 92% of US states.

Cloud providers should be pushing hard for their customers to encrypt data, if for no other reason than it gets the providers off the hook for having to deal with subpoenas and the like for their customers’ content. In this case, for example, Microsoft could have avoided the brouhaha simply by being unable to turn over meaningful data to the government.

The bottom line: cloud providers should push hard for their customers to encrypt data where it’s possible to do so, and customers should be working to encrypt their content where they can.

The Importance of Good Authentication and Data Asset Management

Stories about the use of easy-to-guess passwords based on common words, consecutive numerical strings, or simply the use of “password” are fairly common. Millions of users, in an effort to make their passwords easy to remember, fall prey to this problem, or they will write their passwords down on sticky notes, not change them periodically, or use the same password for multiple applications.

I wanted to see how just the strength of a password would affect its ability to be guessed by brute force using a PC, so I went to howsecureismypassword.net. I am not affiliated with the host of this site or its sponsor, and so cannot vouch for the security of any content they manage. So, as a precaution, don’t use any site like this to test your actual passwords.

For the test, I chose five passwords: rabbit, rabbit9, rabbit99, rabbit99K and rabbit99K). I ran each password through their checker and found the following lengths of time that would be required to guess each one:

  • rabbit: a desktop PC could guess this password more or less instantly
  • rabbit9: 19 seconds
  • rabbit99: 11 minutes
  • rabbit99K: 39 days
  • rabbit99K): 58 years

Obviously, the longer and more complex the password, the longer it will take to guess it through brute force. Yhn-P9q9Km4-9UtQw)7*, for example, would require 425 quintillion years according to howsecureismypassword.net.

But strong passwords are just part of the security story. Organizations should undertake other steps, as well:

  • Use multi-factor authentication that will require, for example, the entry of a password and a code that a user receives on his or her smartphone.
  • Impose password expiration requirements at regular intervals that will require users to create a new password every so often. The more sensitive or critical the data asset or application that is being accessed, the more frequently that IT might want passwords to change.
  • Lockout inactive users after a certain number of days.
  • Implement strict strikeout limits for sensitive data assets or applications that will allow only a small number of authentication errors.
  • Don’t allow passwords to be reused.
  • Implement self-service password functionality, but only if two-factor authentication or similar controls are in place.
  • Employ risk-based authentication that imposes stricter requirements based on the sensitivity of the data assets being accessed, the location of those accessing them, the time of day they are being accessed, etc.
  • Finally, establish policies for the data assets that really need to be accessible online and what can/should be disconnected from the Internet.

These are all fairly simple steps that would go a long way toward improving corporate security.

Some Thoughts on Trend Micro Insight

It has been my privilege to attend all of Trend Micro’s analyst meetings, the first in 2007 and the most recent of which was at the end of October in Boston. While there was no “earth-shattering” news presented at the event (hence, my somewhat delayed blog post about it) here are some random thoughts from the meeting:

  • Trend’s management – and management style – tends to be a bit edgier than most, a style that I enjoy as an analyst because there is no veneer to dig through in order to find out what decision makers really think. This may come from the fact that Trend, while based in Japan, does not have a particularly national focus like some of their competitors: the US headquarters is in the Dallas area, analyst relations is in Ottawa, the CTO is based in Munich, and the company’s senior executives are scattered elsewhere around the world. This may also explain why Trend was more willing than some of their competition to readily respond to last year’s inquiry by the Electronic Frontier Foundation, presented to a large number of security vendors, about their willingness to detect state-sponsored malware.
  • The company was exceptionally – and surprisingly – open about sharing highly detailed sales figures, customer counts and other sensitive information. While analysts sometimes get this information in private sessions after signing an NDA, the level of detail that Trend’s executives presented was quite unusual – it even surprised some of Trend’s own staff members. Sometimes, vendors will share this level of detail if the company is in trouble and they are trying to reassure analysts, investors and others about the long-term viability of the company, but this was obviously not the case here. While I can’t share the numbers that Trend offered, the company is doing very well with regard to both revenue and customer acquisition.
  • A substantial proportion of Trend’s business comes from the consumer segment. While in the past the company’s consumer focus was on the protection of devices and the data they managed, the focus is shifting to individuals and families. For example, Trend will be using their Deep Packet Inspection (DPI) engine to monitor every device in the home, including more traditional platforms like PCs and smartphones to garage door openers, refrigerators and routers. This should position the company quite nicely in the rapidly growing market for security of the Internet of Things.
  • Trend does almost all of their business through the channel and was very detailed in their explanation about how they divide the channel by type and segment. The company is planning major advancements in the US channel that I cannot share here, but suffice it to say that the company’s channel presence will be significant.

This is not to say that the company is doing everything right. For example, Trend is not as well known in the consumer space – a market from which it draws a large share of its revenue – as some of its competitors. Some of the company’s offerings have received poor reviews in the past (although NSS Labs recently found that Trend was the highest scorer in its analysis of breach detection offerings). However, Trend Micro is hitting on just about all cylinders, doing quite well financially (substantially better than some of its competitors), and will be announcing some interesting offerings in the coming months.