Rapid7 Case Studies New Mexico Department of Game and Fish Relies on Rapid7 Nexpose for Selling Customer Licenses, Maintaining PCI Compliance

Edit This Case Study Record

	New Mexico Department of Game and Fish Relies on Rapid7 Nexpose for Selling Customer Licenses, Maintaining PCI Compliance Rapid7

New Mexico Department of Game and Fish Relies on Rapid7 Nexpose for Selling Customer Licenses, Maintaining PCI Compliance

Rapid7

Technology Category	Cybersecurity & Privacy - Application Security Cybersecurity & Privacy - Network Security Cybersecurity & Privacy - Security Compliance
Applicable Functions	Business Operation
Use Cases	Intrusion Detection Systems Regulatory Compliance Monitoring Remote Asset Management
Services	System Integration Training
Challenge	Russ Verbofsky, the Chief Information Officer at the State of New Mexico Department of Game and Fish, faced significant challenges when he joined the organization. The department's technology infrastructure was outdated, and he had to replace almost every piece of hardware, including switches, routers, firewalls, and servers. With a small IT team of 14 people, half of whom were on the help desk and the other half in application development and database administration, Russ had to support nearly 300 employees across the state. A quarter of these employees worked in the field and connected to the network via VPN, adding complexity to the task. Additionally, the department needed to securely manage its web application for selling hunting and fishing licenses, which accounted for two-thirds of its budget. Another critical requirement was achieving PCI compliance, as credit card information had never been processed through the PCI perspective before. This compliance needed to be achieved across 36 different state agencies. Read More
About Customer	The State of New Mexico Department of Game and Fish is a government organization responsible for managing the state's wildlife resources and enforcing related laws. The department employs nearly 300 people, with a significant portion working in the field. The department's operations include selling hunting and fishing licenses to customers, which is a major revenue source, accounting for approximately two-thirds of its budget. The department's IT infrastructure was outdated, and it faced challenges in securely managing its web application for license sales and achieving PCI compliance. Russ Verbofsky, the Chief Information Officer, led the efforts to modernize the department's technology and improve its security posture. Read More
Solution	To address the challenges, Russ Verbofsky selected Rapid7's Nexpose for vulnerability management. Nexpose was chosen for its intuitive interface and ease of use, allowing Russ to quickly set up and run scans. The tool helped the department reduce critical vulnerabilities from 130-200 to nearly zero within a year. Nexpose's ability to run full auditing scans and prioritize vulnerabilities was particularly valuable, as was its Top Remediations Report. Russ set up auto scans to run monthly and conducted additional manual scans for major releases. The PCI template within Nexpose was used for internal scans to ensure PCI compliance. After the success with Nexpose, Russ added Metasploit Pro for web application penetration testing, which was previously outsourced. The Rapid7 Metasploit 101 training class enabled Russ to insource penetration testing. Metasploit provided cost savings and flexibility, allowing Russ to test major changes before production. Additionally, Russ purchased InsightIDR to gain insights into user behavior across all endpoints, which was crucial for managing incident detection and response, especially with many employees accessing the network via VPN. Read More Log in to view content
Contents

Technology Category

Cybersecurity & Privacy - Application Security

Cybersecurity & Privacy - Network Security

Cybersecurity & Privacy - Security Compliance

Applicable Functions

Business Operation

Use Cases

Intrusion Detection Systems

Regulatory Compliance Monitoring

Remote Asset Management

Services

System Integration

Training

Challenge

Russ Verbofsky, the Chief Information Officer at the State of New Mexico Department of Game and Fish, faced significant challenges when he joined the organization. The department's technology infrastructure was outdated, and he had to replace almost every piece of hardware, including switches, routers, firewalls, and servers. With a small IT team of 14 people, half of whom were on the help desk and the other half in application development and database administration, Russ had to support nearly 300 employees across the state. A quarter of these employees worked in the field and connected to the network via VPN, adding complexity to the task. Additionally, the department needed to securely manage its web application for selling hunting and fishing licenses, which accounted for two-thirds of its budget. Another critical requirement was achieving PCI compliance, as credit card information had never been processed through the PCI perspective before. This compliance needed to be achieved across 36 different state agencies.

About Customer

The State of New Mexico Department of Game and Fish is a government organization responsible for managing the state's wildlife resources and enforcing related laws. The department employs nearly 300 people, with a significant portion working in the field. The department's operations include selling hunting and fishing licenses to customers, which is a major revenue source, accounting for approximately two-thirds of its budget. The department's IT infrastructure was outdated, and it faced challenges in securely managing its web application for license sales and achieving PCI compliance. Russ Verbofsky, the Chief Information Officer, led the efforts to modernize the department's technology and improve its security posture.

Solution

To address the challenges, Russ Verbofsky selected Rapid7's Nexpose for vulnerability management. Nexpose was chosen for its intuitive interface and ease of use, allowing Russ to quickly set up and run scans. The tool helped the department reduce critical vulnerabilities from 130-200 to nearly zero within a year. Nexpose's ability to run full auditing scans and prioritize vulnerabilities was particularly valuable, as was its Top Remediations Report. Russ set up auto scans to run monthly and conducted additional manual scans for major releases. The PCI template within Nexpose was used for internal scans to ensure PCI compliance. After the success with Nexpose, Russ added Metasploit Pro for web application penetration testing, which was previously outsourced. The Rapid7 Metasploit 101 training class enabled Russ to insource penetration testing. Metasploit provided cost savings and flexibility, allowing Russ to test major changes before production. Additionally, Russ purchased InsightIDR to gain insights into user behavior across all endpoints, which was crucial for managing incident detection and response, especially with many employees accessing the network via VPN.

Impact #1	Nexpose significantly reduced the number of critical vulnerabilities, enhancing the department's security posture.
Impact #2	The tool's intuitive interface and pre-built templates saved time and effort in setting up and running scans.
Impact #3	Metasploit Pro enabled the department to insource web application penetration testing, reducing costs and increasing flexibility.

Impact #1

Nexpose significantly reduced the number of critical vulnerabilities, enhancing the department's security posture.

Impact #2

The tool's intuitive interface and pre-built templates saved time and effort in setting up and running scans.

Impact #3

Metasploit Pro enabled the department to insource web application penetration testing, reducing costs and increasing flexibility.

Benefit #1	Reduced critical vulnerabilities from 130-200 to nearly zero within a year.
Benefit #2	Achieved PCI compliance across 36 different state agencies.
Benefit #3	Cost savings from insourcing web application penetration testing with Metasploit Pro.

Benefit #1

Reduced critical vulnerabilities from 130-200 to nearly zero within a year.

Benefit #2

Achieved PCI compliance across 36 different state agencies.

Benefit #3

Cost savings from insourcing web application penetration testing with Metasploit Pro.

Download PDF Version

Overview

New Mexico Department of Game and Fish Relies on Rapid7 Nexpose for Selling Customer Licenses, Maintaining PCI Compliance

Operational Impact

Quantitative Benefit