BUSINESS: Family media brand
BUSINESS CHALLENGE: Move from ad hoc network and application vulnerability assessments to a proactive automated vulnerability management program.
- Enterprise TruRisk Platform
- Qualys VM
- Qualys WAS
Highlights for Children Solves Vulnerability Management Puzzle
With its move to the Enterprise TruRisk Platform, Highlights for Children was able to move away from ad hoc vulnerability assessments and better manage its network and web application risks.
Family media brand Highlights for Children, Inc., is fully committed to helping kids to be their absolute best by sparking their inner creativity, curiosity, thinking ability and imagination. The company’s motto, Fun with a Purpose, can be found on every page of its magazines and educational products and includes games, puzzles, and crafts such as Puzzlemania, Puzzle Buzz, and Which Way USA. Highlights for Children has come a long way since its first issue run of 20,000 copies in June 1946. Since then, more than one billion copies of the magazine have been shipped.
While Highlights for Children’s mission hasn’t changed since it launched 70 years ago, the technology used to publish children’s magazines differs dramatically from what it was seven decades ago. This means the IT infrastructure and applications, if not managed and secured properly, could be susceptible to cyber attacks, malware, and other forms of costly disruption.
“In matters of information security, it is our goal to always inform customers rather than wait to be asked—the Enterprise TruRisk Platform plays a vital role in this capability.”
Network Services Engineer,
Corporate Network Operations,
Highlights for Children
From Ad Hoc to Automated Vulnerability Assessments
To keep its business-technology systems secure, Highlights for Children had relied on a number of automated patch management tools to periodically dispatch software updates to at-risk systems. While that was effective for deploying known patches, the patch management system didn’t give Highlights the ability to proactively identify out-of-date software, system configurations that had deviated from established policy, new devices entering the network, or patches that had failed to install properly.
With that in mind, Highlights for Children needed a way to ensure that all of its networked devices – including its 100 servers, nearly three dozen web applications, firewalls, and other infrastructure devices – are all securely maintained. “We were looking for something that would provide us the ability to identify vulnerabilities on the network and supply reporting that we’d understand,” says Dale Kinnear, network services engineer, corporate network operations at Highlights for Children.
Because Kinnear runs Highlights’ vulnerability management program independently, it was essential to have a system that was straightforward to use, automated, and accurate, and that provided the ability to delegate assessments and remedies. Additionally, because Highlights sells subscriptions and products in its online store, it’s important for the company to keep those processes secure and compliant with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS mandates that those who handle credit card data maintain the associated systems securely and keep them up to date, and requires that the appropriate reports be provided to the acquiring banks.
Highlights for Children Standardizes on Enterprise TruRisk Platform
To manage all of those efforts, Highlights for Children chose the Enterprise TruRisk Platform. The Enterprise TruRisk Platform identifies and helps to remedy software vulnerabilities, outdated systems, and associated weaknesses that jeopardize compliance with government and industry regulations such as PCI DSS. Delivered from a highly scalable multi-tenant cloud infrastructure, it provides a suite of information security and regulatory compliance management services. And having been designed and optimized to scan networked devices and deliver highly accurate assessments, Qualys scales well to environments of all sizes.
Because the Enterprise TruRisk Platform is cloud native, there’s no software or hardware to install and maintain. In fact, it is centrally managed, with all of its vulnerability data and system updates made in real time and available to all customers concurrently. In addition, Qualys provides the largest KnowledgeBase of vulnerability signatures in the industry and performs more than one billion IP scans a year. This cloud delivery and associated subscription model means that Qualys is affordable to organizations of all sizes that need to secure their systems and also prepare for internal policy or external regulatory audits.
The Results: Comprehensive, Continuous Vulnerability Assessments
After the initial assessment, Highlights for Children got to work delegating the mitigation tasks to the appropriate application and system owners. “The reports are tailored to the specific needs of different application owners, so each group knows the state of its specific systems,” Kinnear says.
The PCI DSS reporting also has proven to be extremely beneficial. “About half the reports that we present in our meetings are PCI related,” Kinnear says. And Qualys helps present that information so that it is pertinent to each audience there, as well. “We have reports that provide our nontechnical business managers everything they need to know, and we have more technical reports for those who need them,” he says.
Qualys’ ability to automate Highlights for Children’s vulnerability assessments helps Kinnear and the various IT team members stay thoroughly up to date with their vulnerability management duties. “Everything's scheduled, and scans are conducted within biweekly processes. Our automated scan updates keep our status continuously updated,” he says.
Additionally, Qualys enables the creation of user profiles that establish the appropriate user rights and network ranges for assessments. “With those profiles set up, they can go and do their scans at will,” Kinnear says.
Following each vulnerability assessment and patch deployment, the teams conduct an assessment to validate that all of the necessary fixes are in place. “We meet on a monthly basis and discuss where our assessments stand. We discuss the previous month. We look at trends and our progress, and the Qualys reports are central to all of this,” he says.
Shoring Up Web App Security
Another area where Qualys has helped Highlights for Children improve the security of its systems is web application security, through Qualys Web Application Scanning (WAS). Qualys WAS provides highly automated custom web application testing and application crawling to spot such common vulnerabilities as cross-site scripting (XSS) and flaws that make SQL injection attacks possible.
Built on the world’s leading cloud security and compliance platform, Qualys WAS frees Highlights for Children from the substantial cost, resource, and deployment hassles associated with traditional on-premises software. “Qualys WAS provides us visibility into the security of all of our three dozen web applications,” Kinnear says. “We recently switched to Qualys WAS from another product and we’ve been very happy with the move.” Highlights for Children found that the previous web application security product didn’t provide all of the capabilities it wanted, such as specific remediation information. “The teams really appreciate the detail on the vulnerabilities it finds as well as the comprehensive information on how to best fix those flaws,” he says.
Most of all, the Highlights for Children web application team appreciates how Qualys WAS provides everything it needs to make the applications more secure. “They really like the detail provided by Qualys WAS. It’s more specific, and they are able to fine-tune the assessments to get very precise fixes for their vulnerabilities. Qualys has proven itself to be much better,” Kinnear says.