New Mexico Department of Game and Fish Relies on Rapid7 Nexpose for Selling Customer Licenses, Maintaining PCI Compliance

• Cybersecurity & Privacy - Application Security
• Cybersecurity & Privacy - Network Security
• Cybersecurity & Privacy - Security Compliance

• Business Operation

• Intrusion Detection Systems
• Regulatory Compliance Monitoring
• Remote Asset Management

• System Integration
• Training

Russ Verbofsky, the Chief Information Officer at the State of New Mexico Department of Game and Fish, faced significant challenges when he joined the organization. The department's technology infrastructure was outdated, and he had to replace almost every piece of hardware, including switches, routers, firewalls, and servers. With a small IT team of 14 people, half of whom were on the help desk and the other half in application development and database administration, Russ had to support nearly 300 employees across the state. A quarter of these employees worked in the field and connected to the network via VPN, adding complexity to the task. Additionally, the department needed to securely manage its web application for selling hunting and fishing licenses, which accounted for two-thirds of its budget. Another critical requirement was achieving PCI compliance, as credit card information had never been processed through the PCI perspective before. This compliance needed to be achieved across 36 different state agencies.

The State of New Mexico Department of Game and Fish is a government organization responsible for managing the state's wildlife resources and enforcing related laws. The department employs nearly 300 people, with a significant portion working in the field. The department's operations include selling hunting and fishing licenses to customers, which is a major revenue source, accounting for approximately two-thirds of its budget. The department's IT infrastructure was outdated, and it faced challenges in securely managing its web application for license sales and achieving PCI compliance. Russ Verbofsky, the Chief Information Officer, led the efforts to modernize the department's technology and improve its security posture.

To address the challenges, Russ Verbofsky selected Rapid7's Nexpose for vulnerability management. Nexpose was chosen for its intuitive interface and ease of use, allowing Russ to quickly set up and run scans. The tool helped the department reduce critical vulnerabilities from 130-200 to nearly zero within a year. Nexpose's ability to run full auditing scans and prioritize vulnerabilities was particularly valuable, as was its Top Remediations Report. Russ set up auto scans to run monthly and conducted additional manual scans for major releases. The PCI template within Nexpose was used for internal scans to ensure PCI compliance. After the success with Nexpose, Russ added Metasploit Pro for web application penetration testing, which was previously outsourced. The Rapid7 Metasploit 101 training class enabled Russ to insource penetration testing. Metasploit provided cost savings and flexibility, allowing Russ to test major changes before production. Additionally, Russ purchased InsightIDR to gain insights into user behavior across all endpoints, which was crucial for managing incident detection and response, especially with many employees accessing the network via VPN.

• Nexpose significantly reduced the number of critical vulnerabilities, enhancing the department's security posture.
• The tool's intuitive interface and pre-built templates saved time and effort in setting up and running scans.
• Metasploit Pro enabled the department to insource web application penetration testing, reducing costs and increasing flexibility.

• Reduced critical vulnerabilities from 130-200 to nearly zero within a year.
• Achieved PCI compliance across 36 different state agencies.
• Cost savings from insourcing web application penetration testing with Metasploit Pro.