New Mexico Department of Game and Fish Relies on Rapid7 Nexpose for Selling Customer Licenses, Maintaining PCI Compliance
Technology Category
- Cybersecurity & Privacy - Application Security
- Cybersecurity & Privacy - Network Security
- Cybersecurity & Privacy - Security Compliance
Applicable Functions
- Business Operation
Use Cases
- Intrusion Detection Systems
- Regulatory Compliance Monitoring
- Remote Asset Management
Services
- System Integration
- Training
The Challenge
Russ Verbofsky, the Chief Information Officer at the State of New Mexico Department of Game and Fish, faced significant challenges when he joined the organization. The department's technology infrastructure was outdated, and he had to replace almost every piece of hardware, including switches, routers, firewalls, and servers. With a small IT team of 14 people, half of whom were on the help desk and the other half in application development and database administration, Russ had to support nearly 300 employees across the state. A quarter of these employees worked in the field and connected to the network via VPN, adding complexity to the task. Additionally, the department needed to securely manage its web application for selling hunting and fishing licenses, which accounted for two-thirds of its budget. Another critical requirement was achieving PCI compliance, as the handling of credit card information had never before been approached from a PCI perspective. This compliance needed to be achieved across 36 different state agencies.
About The Customer
The State of New Mexico Department of Game and Fish is a government organization responsible for managing the state's wildlife resources and enforcing related laws. The department employs nearly 300 people, with a significant portion working in the field. The department's operations include selling hunting and fishing licenses to customers, which is a major revenue source, accounting for approximately two-thirds of its budget. The department's IT infrastructure was outdated, and it faced challenges in securely managing its web application for license sales and achieving PCI compliance. Russ Verbofsky, the Chief Information Officer, led the efforts to modernize the department's technology and improve its security posture.
The Solution
To address the challenges, Russ Verbofsky selected Rapid7's Nexpose for vulnerability management. Nexpose was chosen for its intuitive interface and ease of use, allowing Russ to quickly set up and run scans. The tool helped the department reduce critical vulnerabilities from 130-200 to nearly zero within a year. Nexpose's ability to run full auditing scans and prioritize vulnerabilities was particularly valuable, as was its Top Remediations Report. Russ set up auto scans to run monthly and conducted additional manual scans for major releases. The PCI template within Nexpose was used for internal scans to ensure PCI compliance. After the success with Nexpose, Russ added Metasploit Pro for web application penetration testing, which was previously outsourced. The Rapid7 Metasploit 101 training class enabled Russ to insource penetration testing. Metasploit provided cost savings and flexibility, allowing Russ to test major changes before production. Additionally, Russ purchased InsightIDR to gain insights into user behavior across all endpoints, which was crucial for managing incident detection and response, especially with many employees accessing the network via VPN.