New Mexico Department of Game and Fish Relies on Rapid7 for Selling Customer Licenses, Maintaining PCI Compliance


About the New Mexico Department of Game and Fish

The New Mexico Department of Game and Fish (NMDGF) is a state-level government department within the New Mexico Governor’s Cabinet, responsible for maintaining the state’s wildlife and fish. NMDGF is responsible for conservation, protection and propagation, and regulates the use of game and fish to ensure there is an adequate supply for recreation and food.

Challenge

When Russ Verbofsky first joined the State of New Mexico Department of Game and Fish as Chief Information Officer almost four years ago, he says it was like entering a time warp in terms of how things were done. In the past 18 months, Russ has replaced almost every piece of hardware the organization uses, from switches and routers to firewalls and servers.

Russ’s IT team is small, with limited resources. With 14 staff, half on the help desk and the other half in application development and database administration, they must support nearly 300 employees statewide. Roughly one-quarter of those employees worked in the field and connected to the network via a VPN. With so many variables, Russ faced a number of challenges when deciding the best approach to upgrading the department’s technology infrastructure.

It was also critical he find a way to securely manage the organization’s web application for selling hunting and fishing licenses to customers, transactions that account for roughly two-thirds of the department’s budget. “Our web application for selling licenses is custom-built,” Russ explains. “We also have about 140 vendors who sell licenses on our behalf using our vendor sales web application, and about 300k citizens across the world who access our online sales web application.”

In addition, Russ was told they needed to become PCI compliant. Credit card information had never been examined from a PCI perspective in the department before. Treating the state as a single merchant, that resulted in about 36 different agencies that needed to become compliant.

Solution

Previously, the department’s IT team was applying patches, and that was pretty much it. So Russ began looking for testing tools. He had a subscription with Gartner and got free trials with a number of companies. He ultimately chose Nexpose, saying: “I found Nexpose (now InsightVM) to be the most intuitive and easiest to understand. I would be able to pick it up, use it, and be productive in a short amount of time.”

Russ says there wasn’t much for him to figure out or a template for him to build in Nexpose. “I basically set up a site, said these are the IPs I want to scan, and this is the template I want to use. It was already built.” This was a big benefit to Russ, who’d previously had to build his own rules and templates.

The department measures progress by keeping critical vulnerabilities low. The first time Russ ran a scan through Nexpose, 130-200 critical vulnerabilities were found. Within 6-8 weeks, they were down to 3 or 4. And in the past year, the department has had none. “Critical vulnerabilities are basically zero,” he says.

“I found Nexpose to be the most intuitive and easiest to pick up. I would be able to pick it up, use it, and be productive in a short amount of time.”

Nexpose has helped Russ fulfill his duties in many ways, particularly in its ability to run full auditing scans and prioritize which vulnerabilities to pay attention to first. Russ especially found value in prioritizing vulnerabilities with Nexpose’s unique Top Remediations Report.

“The remediation report is really good, because it tells us, if you do this, it will correct these 10 to 20 criticals,” he says. “That lets us prioritize: ‘let’s do the ones that we know are going to have the most impact in our systems.’”

Today, Russ has automated scans set to run once a month, and then he conducts additional manual scans if the department has any type of major release. Russ has also been using the PCI template within Nexpose for internal scans to ensure the department maintains its PCI compliance.

Russ says another big benefit he’s gotten from Nexpose is the time savings whenever a vulnerability like Heartbleed or the Bash Bug is announced. “When any type of major vulnerability is announced, I know within 24 hours Nexpose will push out that vulnerability so I can test against it,” he says. “That’s critical from my perspective … it saves us time from knowing my system’s clean within a day.” Overall, Russ says Nexpose has been a blessing, allowing them to make huge strides in their security protection stack.

Gaining Insight from the Rest of Rapid7’s Portfolio

After the success he experienced with Nexpose, Russ added Metasploit to the department. Before Metasploit, all web application penetration testing was outsourced. Now, Russ runs it himself. As someone with no previous experience with penetration testing or Metasploit, Russ credits the Rapid7 Metasploit 101 training class with teaching him how to insource application penetration testing with Metasploit Pro. He hopes to start using other features like phishing campaigns and network penetration programs soon.

Russ names cost savings and flexibility as the two biggest benefits Metasploit has provided him. “It’s much cheaper, and I can do it as needed,” he says. “If we make a major change, I can go in [to Metasploit] and test it before we put it into production.” He’s also recently purchased InsightIDR to get insight into user behavior across all of his endpoints. Since many of the department’s employees are in the field and access the network via VPN, Russ sees managing incident detection and response as an important step.

As for Russ’s experience with Rapid7 as a whole, he says the support has been excellent. “If I have a problem, I know I’ll get it resolved quickly, by phone and by web posting.” When reaching out via telephone, he knows he’ll get someone within five minutes. He says the support team always follows up and doesn’t close a ticket unless he directs them to. “I’ve been in this business for over 30 years. I’ve never worked with anyone as efficient.”

News of Russ’s work at the State of New Mexico Department of Game and Fish is getting around. His response when other agencies want to know how he’s made such strides in his security program? “Come on over. I’ll show you a live demo.”
