Editor in Chief

CEO to you: Why is that server exposed?

May 26, 2003

The nightmare scenario I spelled out a few weeks ago about your CEO being able to check up on you by running simple yet effective external network security scans from his desktop became decidedly less dreamlike last week.

At a security roundtable in Boston, Qualys announced Qualys FreeMap, a free Web-based service that companies can use to identify network entry points and devices that should be secured from attacks.

To refresh your memory, Qualys has been offering a service it calls QualysGuard to map customer networks from inside and out, looking to see what devices are visible, what servers and services are available, etc. Besides revealing immediate concerns, that baseline – generated by 65 network scanners in the U.S., Europe and Asia, and appliances installed behind firewalls – then can be used to watch for change over time.

Qualys, founded in 1999, says it has 1,000 paying customers, including HP, Fireman’s Fund and BlueCross BlueShield.

But to grow the company, Chairman and CEO Philippe Courtot was convinced he needed something that would attract attention – hence the decision to start giving away external scans for free.

Courtot knows something about building successful companies. He joined cc:Mail when it had 12 people, drove it up to 40% market share and sold it to Lotus. And more recently he was head of Signio, an electronic payment start-up that ultimately was sold to VeriSign.

To lend credibility to the concept of scans being delivered as a service, Qualys used the Boston roundtable to unveil the free offering. The event was kicked off by Richard Clarke, most recently of homeland security fame and now a consultant.

Clarke said he learned about Qualys when he was working for the Feds and he asked the company to demonstrate its service on “I can’t say what they found, but there was a lot we didn’t know about.”

Without coming out and saying Qualys is the answer, Clarke said the government’s 22 federal agencies do their own security scans once per year, and last year 14 of them got an “F.” “You don’t know what is on your net,” he said. “Contractors come in, plug stuff in and leave. People bring in technology from home. And even when you are told something is fixed, can you be sure it was?”

Tools like QualysGuard make it possible to do daily checks, Clarke said. And that can only be a good thing. But do it before your boss does.