Interview with ScanAlert, HACKER SAFE Published: Mar 28, 2005

• Rating

  3/5

ScanAlert offers a security and certification product for e-commerce sites called Hacker Safe. We had a chance to interview Ken Leonard, CEO of ScanAlert about his services.

March 28 , 2005 (WEB HOST GEAR), Interview with Ken Leonard, CEO of ScanAlert and creator's of Hacker Safe.
Interview by Steven Leggett of WebHostGear.com

When did your company officially launch? 
ScanAlert was formally founded in Nov. 2001. We introduced HACKER SAFE certification in the summer of 2002.

Tell us about HACKER SAFE certification and what it does
I have a long history in web hosting, having founded TABnet in 1995 when domain registration and hosting were just becoming established. I hired Mick Doherty to head our sales team and we grew very quickly. When Verio acquired TABnet in December 1998, we had more than 210 employees. After the acquisition, I became president of Verio’s web hosting division.

In 2001, Mick and I started talking about problems afflicting online retailing. Two of the more obvious ones are securing web sites against hackers and consumers’ concerns about the security of online shopping. HACKER SAFE certification addresses both.

The HACKER SAFE service combines thorough remote daily vulnerability assessments with real-time certification of site security through a dynamically generated trustmark image. A daily vulnerability assessment is a three step process, which is both safe and non-disruptive to the customer’s network operations. It starts with a port discovery scan, followed by a network services scan and ends with a web application scan.

This three phased approach to vulnerability scanning enables ScanAlert to perform more accurate audits with less load on servers. We can run any single test or test phase on a target to detect changes, test specific ports or vulnerabilities, or run web application only tests on multiple web sites residing on a single server.

The next phases of the daily audit are alerting and analysis and remediation. After each scheduled daily or manual audit, customers receive alerts whenever a vulnerability has been found. Customers then access a very rich Vulnerability Management Portal to learn more and remediate any security issues.

Consumers, of course, don’t see any of this activity; they just see the results of a real-time dynamic certification methodology. In short, we give customers a rolling 72 hour window to close any holes that our daily scans reveal. Assuming that they do, we then certify in real-time the site’s security status by serving a date stamped HACKER SAFE certification mark on the web site.

What’s the benefit to having a HACKER SAFE certified site for my customers?
There are two main benefits to web sites. The first one is a daily security audit by a third party that leads to certification of the site’s security to a level comprised of government regulations such as HIPAA and industry standards such as the credit card industry’s Payment Card Industry (PCI) requirements.

The other great benefit is that certification provides a considerable return-on-investment (ROI) in terms of increased revenue from online operations. More than 125 HACKER SAFE sites have run A/B tests, where half of their visitors were allowed to see the certification mark while the other half were not. The aggregate number of unique visitors from all tests exceeds 9 million. On average, sites recorded 14% more online sales from buyers who saw the certification, compared to the control. Regardless of the product or price point, average order value, the customer demographic, or the site’s brand equity, sites recorded more sales due to certification, from 3% to as much as 40%. Two well known national brand chain stores ran tests in January 2005 in which they each tracked more than 1.6 million visitors and approx. 19,500 orders. Interestingly, the results for both companies were very similar despite the fact that they are in two completely different verticals--consumer electronics and sporting goods. One recorded 5% more sales from the HACKER SAFE group, while the other saw 5.8%. 

The test data clearly shows that security concerns impact buying decisions for the majority of consumers, even repeat buyers. Given the opportunity to shop at a HACKER SAFE certified site or the same site without a certification mark, consumers strongly opt for the peace of mind the trustmark provides.

Because it has such a positive effect on site security and online sales, HACKER SAFE certification is on sites such as Linens and Things, Dick’s Sporting Goods, Musician’s Friend, Ritz Camera, The Sports Authority, Helzberg Diamonds, Do it Best, Hammacher Schlemmer, B&H Photo, and tens of thousands more in 30 countries.

What is the value of having HACKER SAFE for my business and what is the cost? Wouldn’t I just be better using a security scanner internally and joining BB Online?
The specific value of HACKER SAFE certification depends on the business. Some of our customers don’t even sell anything online. They selected ScanAlert after a competitive review of vulnerability scanning vendors based strictly on the merits of the technology. So while you won’t see a HACKER SAFE certification mark on Marines.com, the US Marine Corps still benefits from our technology. A small minority of our customer base fall into this scanning-only category. Probably 99.5% of our customers want the return-on-investment provided by certification.

HACKER SAFE is offered as a subscription service, directly through ScanAlert as well as through channel partners such as web hosts. An annual subscription costs $1,790 and covers five IP addresses, two of which can be web sites. We also have a monthly subscription option of $179. The threshold at which HACKER SAFE makes sense for online retailers based upon the expected marketing ROI is approx. $500/day in sales. In other words, any site whose monthly sales exceed $15,000 is a great candidate, regardless of the product or service they sell. (Pricing may be lower than the $179/$1,790 figures for customers that subscribe to HACKER SAFE directly through their web host).

In-house scanning, using NESSUS for example, provides absolutely no return-on-investment. In-house scanning enhances security and nothing else. There is no upside for the organization’s bottom line. In addition, you would still have to be audited regularly by a third-party approved PCI scanning vendor in order to produce proof of compliance to your merchant bank. Merchants cannot self-certify using an in-house scanning service.

There is also the question of resource allocation and efficient use of the scarce resources that most online merchants have. A company like Shari’s Berries (a retailer of gourmet hand dipped strawberries) has an extremely competent developer on staff. He contributes far more value to the company by fine tuning code, ensuring site availability and performance, and doing custom development projects than he would if he were spending a portion of each day hunting down information on the latest hacking exploits. We leverage our experience protecting tens of thousands of web sites and do the heavy IT security lifting for him. That Berries.com saw 14% more sales during a January 2005 A/B test was just an added bonus.

Many of our customers that have run A/B tests have web sites that sport seals from SSL certificates and privacy or other trustmark vendors. These seals remained on the sites for the entire duration of the tests. The test methodology changed a single variable, the appearance of HACKER SAFE certification mark. The appearance or absence of the HACKER SAFE certification mark changed consumers’ behavior; the other seals did not.

HACKER SAFE scans servers and websites remotely, do you need to install anything software wise or add code to your pages? Will this affect the performance of my server?
The HACKER SAFE certification service is provided remotely. It requires no installation, no set-up, no hardware purchases, no software development, and no IT security expertise. Customers do not even need special training to use it. Complete online, phone and email support provided by certified security professionals is included for every customer.

The scans are non invasive and will not lock-up the device under test. HACKER SAFE includes automated daily scans and unlimited manual scans.

While HACKER SAFE certification does not require installation of any software code on merchants’ servers, customers can access within our Vulnerability Management Portal some really useful complementary security tools such as ISAPI filters and software firewalls.

What types of scans and security checks are performed with your product to label my site as “HACKER SAFE”? Does it scan OS only security or site level such as Formmail exploits?
HACKER SAFE daily scanning audits all Internet services, ports, operating systems, servers, key applications, firewalls, addressable switches, load balancers and routers for all known vulnerabilities
 
Why is branding a site with a certification mark that says “HACKER SAFE” a deterrent for a hacker? Wouldn’t that attract someone to break into your site instead of leading them away?
First, none of our customers, notably some highly attractive targets, has ever been hacked. Second, the belief that “HACKER SAFE certification will make my site a target for hackers” does not reflect the reality of hacking attacks. The vast majority of successful hacking incidents exploit vulnerabilities whose existence have been very well documented. These “known vulnerabilities” are the point of entry for all sorts of activities including worms and viruses. Security industry statistics indicate that more than 99.9% of hacking incidents exploit these types of holes, which are targeted by automated scanning and exploit tools. ScanAlert’s daily audits help customer close these holes before hackers find them.

More than 75% of customers that initially subscribe to our service fail their initial audit. This indicates just how many web sites out there can be easily hacked. Clearly, there is no shortage of easily penetrated targets. Now for someone who is really determined and doesn’t want to bother using a web site to hack a company, a much better way to steal data from an organization is to get a job there or date someone.

The "HACKER SAFE" certification mark on the site provides information when the scans occur by date. If a hacker monitors the site, it becomes pretty easy to know exactly how many hours he's got to perform the hack and cover his trails. Wouldn't this count as an information security vulnerability?
No it doesn’t. We’re pretty far along in a patent application covering many of the key features of HACKER SAFE. One of them is a process which provides 24 hour protection against newly released vulnerabilities. We update our vulnerability database continuously with newly discovered vulnerabilities and validated fixes from hundreds of sources worldwide. When new vulnerabilities arrive, our system automatically cross checks them against customers’ most recent system configuration details. Any sites that could be susceptible will receive an alert, advising them to confirm the vulnerability. This process thus ensures 7/24 protection.

Do you offer any kind of insurance for a company if they are hacked and using your product? Does the HACKER SAFE certification mark on their site then change to Hacked or is the public not notified at all? Is that client then taken off your HACKER SAFE directory of “safe” sites to shop on?
We do not currently provide insurance for customers but we are working to integrate something our Japanese customers have. Last fall, we announced that all HACKER SAFE subscriptions in Japan would automatically include a HACKER SAFE insurance policy underwritten by AIG subsidiary AIU. It has been well received and we’re talking to several underwriters here in the US regarding bundling a similar policy.

HACKER SAFE isn’t just a jpeg you drop onto a site; it is real-time security certification.
The HACKER SAFE certification mark only appears on those sites that continue to meet our security standard. When a visitor to The Sports Authority’s web site, for example, sees the HACKER SAFE certification mark, they see an image served through Akamai that originated from our system. When the page loaded, The Sports Authority’s site made a call to our certification database to find out whether the site, at that moment, met our security criteria. As long as a site has no known vulnerabilities, we certify it as HACKER SAFE and the visitor will see a date stamped image served in real-time.

When sites fail to patch their vulnerabilities during the allotted time, the certification mark image simply does not appear.


How does your product prevent internal hacks inside the corporation?
One of the customer support tools we provide customers is an interactive security self assessment questionnaire document which helps companies establish proper internal practices and procedures to prevent internal incidents.


Does HACKER SAFE offer any fraud scanning abilities or known attacker IP blocking tools?
No. There are many good fraud screening services available. However, Binoculars.com told us that it had seen a double digit decrease in fraudulent order attempts during a two week A/B test in late 2003. Other HACKER SAFE sites have likely seen similar results but have not shared them with us. 

What does HACKER SAFE offer that SquareTrade and your competitors cannot?
The glib response would be that we protect over 60,000 sites in 30 countries and they don’t. Additionally, our technical support is provided by CISSP certified security professionals and we’re currently accredited by a variety of organizations including SANS, Visa and MasterCard.

If you’ve read this far, you should understand that HACKER SAFE certification is built on sophisticated technology, which has won ScanAlert new customers following extensive competitive reviews against pure play scanning vendors such as Qualys, Foundstone and Internet Security Systems. HACKER SAFE is now established as a reputable certification mark, with an objective certification methodology and a wealth of reporting, remediation, and technical features.

In contrast, SquareTrade and others like it simply offer seals and badges for purchase. Web sites are not buying independent security certification; they are just buying a jpeg to add to their site. Consider SquareTrade’s own disclaimer that reads, “the presence of the Seal does not indicate that any issues that may exist have in fact been fixed.”

ScanAlert counts more than 30 members of the 2004 Internet Retailer Top 300 list of the largest online merchants as customers. SquareTrade has two. When Internet Retailer releases its 2005 Top 400 list in June, we expect to have at least 80 customers on it. In addition to the list of notable customers above, other HACKER SAFE certified sites include: Interstate Batteries, Penske Truck Rental, eTronics, Summit Racing, Fogdog.com, StubHub.com, The City and County of San Francisco and The Smithsonian Institution’s online store.

The biggest distinction for web hosts reading this, however, is that ScanAlert offers them a proven opportunity to make money by selling security to new and existing customers. Michael Ayers (707-224-7656 X 113), former head of sales at TABnet, directs ScanAlert’s channel programs. With his background, he really understands the current market challenges facing hosts. He has crafted a program that enables hosts to sell or even bundle value added services as both sources of revenue and competitive advantage, including complementary PCI compliance certification. We have hosting partners across the country doing this right now and loving the additional revenue.

Where do you see yourself in 3 years?
HACKER SAFE has already become the world’s most widely used site security trustmark, protecting millions of online shoppers each day. In three years, we’ll be protecting hundreds of millions of shoppers by providing the most visible and most reputable site security trustmark.

We will also introduce new products and services addressing mobile security certification and remote access monitoring. We are interested in talking to any company with complementary products or services. We’re always analyzing opportunities to see whether it is better to expand the functionality of our own technology or address the need by partnering with someone else. We’ll continue with this approach as the technology of selling online evolves.

Do you have any final comments?
The hosting industry was much less competitive when I started TABnet ten years ago. Competition is very heavy now and the common business model of adding more features while dropping prices doesn’t look promising faced with the rise of Yahoo! Stores and 1and1. Hosts need to be creative, vastly improve their marketing and think of all of the services their customers currently buy from other vendors. Search Engine Optimization and payment processing are two, security is another. Obviously, the latter area is where we have a channel fit that makes absolute sense to readers. I invite them to visit us online at www.scanalert.com or contact Michael to learn more.

Contact Information
ScanAlert Inc.
860 Napa Valley Corporate Way, Suite R,
Napa, CA  94558
Tel: 707-224-7656
Web site: http://www.scanalert.com/
Tel: 707-224-7656