Interview with Steven Dabbs, CEO & President of ScannerX

Have you read the latest issue of our digital (IN)SECURE Magazine? If not, do it now.

Steven Dabbs, CEO & President of ScannerX, has more than 15 years experience in the Internet and real estate industries. He founded an early Internet web hosting company in 1993, which he sold to Interliant, Inc. in 1998. With Interliant he worked as a Vice President of Customer Care and Business Development. He was also Vice President of a Reg. D partnership with Johnstown American, a public company. Prior to this experience he was a CPA and tax accountant with Price Waterhouse. Dabbs graduated with a Masters of Accounting from the University of Georgia in 1981.

When and with what mission was ScannerX started?

We started developing our systems in 2001 when we could not find an affordable and easily implemented vulnerability scanning solution. IT Managers and System Integrators are under a tremendous amount of pressure. They have multiple and, many times, conflicting demands on their time and financial resources. We found that these people were forced to either invest significant amounts of time and effort to build their own systems or pay substantial licensing fees to other companies. We believed that an affordable easy-to-use subscription based vulnerability scanning service would have broad appeal to people who are held accountable for securing their networks and meeting their budgets.

What are the security services your company specializes in?

ScannerX provides web-based vulnerability assessment products and services to enable security providers, security professionals, and corporate customers to automatically audit Internet-connected networks for security vulnerabilities.

From the technical perspective, how are your security audits setup?

Our security audits are completely initiated and managed through our secure web interface. Through this secure web interface a client can launch on-demand scans against a specific IP or range, or schedule a scan to run at a specific time and date, whether it’s every day or week or month, etc. The client has the ability to choose from many different scan types that perform different functions like stealth scanners, denial-of-services attacks, and much more. Once a scan is finished, the customer is automatically notified via email that the scan is completed and ready for them to pickup in our easy to navigate reports directory. Our system has easy-to-read executive reports as well as detailed technical reports for the systems administrators & staff.

What are the pros and cons of automated vulnerability assessment?

Remote vulnerability scanning has many great features that enable users to remotely assess their network just like an intruder would. The benefit of automated vulnerability scanning is that you are empowered with the ability to scan your own system from an outside source from anywhere! Scanning from an external source provides you with the ability to ensure the security of your routers, switches, firewalls and their rules, as well as ensure your intrusion detection system is working properly.

Which operating system do you find to be most secure and why?

There are no really secure out-of-the-box operating systems out there, especially if it is connected to the Internet. New vulnerabilities come out every day, even for systems that may have been secured the day before. Security is not a product, it’s a process. Any operating system can be secure if you keep it up-to-date, and check for vulnerabilities on a regular basis and ensure the system’s security.

From your experience, what are the top security issues your service usually discovers?

ScannerX has performed thousands of security scans and I would have to say we see a lot of web server based vulnerabilities for the IIS (Internet Information Server, Microsoft® Servers), SQL vulnerabilities and recently a lot of Apache web server vulnerabilities on the unix based web servers. There have also been a large number of SMTP related vulnerabilities.

What security problems will we see in 2003?

In 2003, we expect an increase in vulnerabilities due to the heightened awareness in security. As more companies begin to tighten down the reigns on their Internet-enabled devices (Firewalls, Intrusion Detection systems, Web and Mail servers), more holes and vulnerabilities will be found which will lead to an increased number of security related problems this year. 2003 will bring the same types of vulnerabilities as in previous years, just more of them.

What to expect from ScannerX in this business year?

ScannerX’s future expansion of products and plans for growth include the following:

Managed Vulnerability Assessments: For customers who want to know what is going on with their network but do not want to manage the process themselves. The anticipated cost is $20 per month plus $5 per scan. ScannerX will ensure the customer’s servers are scanned periodically and that the results are reviewed and compared to prior scans. Any significant developments or changes will be reported immediately to the customer.

Assessment Reviews and Consultations: Customers who want an explanation of the results of a scan can order a complete review and consultative session. The customer will receive the analysis and recommendation by email and as a bound hard copy delivered by next day express service. With this service, ScannerX will review the results of the scans, analyze the impact and give the customer a written summary of the risks and an explanation of how to patch the servers. The anticipated price point will be $150 for a single one-time analysis of up to 5 IPs.

Audits of Assessments and Penetration Testing: This service is for customers who want both an explanation and ScannerX to remotely logon onto their servers and look for other issues. The customer will receive the analysis and recommendation by email and as a bound hard copy delivered by next day express service.

Clustered Dedicated Servers: In cases where the customer has simultaneously initiated multiple C Class scan ranges with a high number of ports to be tested, the machines bog down. ScannerX has developed a method of specialized circulating so that more than one server can be used to scan the various ranges. Internally, ScannerX will use multiple machines to handle the load.

Secured Dedicated Servers: For customers who want to host their service on a system that is constantly monitored for new vulnerabilities and is continuously patched. Final pricing is not complete but is expected to be at a 25% monthly premium over comparable dedicated hosting services that do not offer such security.