When Russ Verbofsky first joined the State of New Mexico Department of Game and Fish as the Chief Information Officer almost four years ago, he says it was like entering a time warp in terms of how things were done. Over the last 18 months, Russ has replaced almost every piece of hardware the organization uses, from switches and routers to firewalls and servers.
Russ was working with a small IT team and limited resources. There were 14 people on staff, half on the help desk and the other half in application development and database administration, and they had to support almost 300 employees across the state. Roughly one-quarter of those employees worked in the field and connected to the network via a VPN. With all these variables, Russ faced a number of challenges when deciding the best approach to upgrading the department’s technology infrastructure.
It was also critical he find a way to securely manage the organization’s web application for selling hunting and fishing licenses to customers, transactions that account for roughly two-thirds of the department’s budget. “Our web application for selling licenses is custom-built,” Russ explains. “We also have about 140 vendors who sell licenses on our behalf using our vendor sales web application, and about 300k citizens across the world who access our online sales web application.”
Additionally, Russ was informed they needed to be PCI compliant. Credit card information had never gone through the PCI perspective in the department before. Looking at the state as one merchant, that resulted in about 36 different agencies that needed to become compliant.
Previously, the department’s IT team was applying patches and that’s pretty much it. So, Russ started looking for testing tools. He had a subscription with Gartner and got free trials with a number of companies. He ultimately selected Nexpose, stating, “I found Nexpose (now InsightVM) was the most intuitive and easy to follow. I would be able to pick it up, use it, and be productive in a short amount of time.”
Russ says there wasn’t much for him to figure out or a template for him to build in Nexpose. “I pretty much set up a site, I said these are the IPs I want to scan, and here’s the template I want to use. It was already built.” This was a big benefit to Russ, who’d previously had to build his own rules and templates.
The department measures progress by keeping critical vulnerabilities low. The first time Russ ran a scan through Nexpose, 130-200 critical vulnerabilities were found. Within 6-8 weeks, they were down to 3 or 4. And over the past year, the department had none. “Critical vulnerabilities are basically nil,” he says.
“I found Nexpose was the most intuitive and easy to follow. I would be able to pick it up, use it, and be productive in a short amount of time.”
Nexpose helped Russ perform his duties in a number of ways, particularly in its ability to run full auditing scans and prioritize which vulnerabilities to pay attention to first. Russ especially found value in prioritizing vulnerabilities with Nexpose’s unique Top Remediations Report.
“The Remediation Report is very good, because it tells us that if you do this, it’s going to correct these 10 or 20 criticals,” he says. “It allows us to give priority and say, ‘let’s do the ones that we know are going to have the most impact in our systems.’”
Today, Russ sets up auto scans to run every month, and then he conducts additional manual scans if the department has any type of major release. Russ has also been using the PCI template within Nexpose for internal scans to ensure the department maintains its PCI compliance.
Russ claims another big benefit he’s gotten from Nexpose is the time savings whenever a vulnerability like Heartbleed or the Bash Bug is announced. “When there’s any type of major vulnerability announcement, I know within 24 hours Nexpose will push out that vulnerability so I can test against it,” he says. “That’s critical from my perspective … it saves us time from knowing my system’s clean within a day.” Overall, Russ says Nexpose has been a blessing, allowing them to make huge strides in their security protection stack.
After the success he experienced with Nexpose, Russ added Metasploit to the department. Before Metasploit, all web app penetration testing was outsourced. Now, Russ runs it himself. As someone with no previous experience with penetration testing or Metasploit, Russ credits the Rapid7 Metasploit 101 training class with teaching him how to insource application penetration testing with Metasploit Pro. He hopes to start using other features like phishing campaigns and network penetration programs soon.
Russ names cost savings and flexibility as the two biggest benefits Metasploit has provided him. “It’s a lot cheaper, and I can do it as needed,” he says. “If there’s a major change we put in, I can go in [to Metasploit] and test it before we put it into production.” He’s also recently purchased InsightIDR to get insight into user behavior across all of his endpoints.
Since many of the department’s employees are in the field and access the network via VPN, Russ sees managing incident detection and response as an important step.
As for Russ’s experience with Rapid7 as a whole, he says the support has been excellent. “If I have an issue, I know I’m going to get it resolved very quickly. Both by phone and web posting.” When reaching out via telephone, he knows he’ll get someone within five minutes. He says the support team always follows up and doesn’t close a ticket unless he directs them to. “I’ve been in the business for 30-plus years. I’ve never worked with anybody that’s that efficient,” he says.
News of Russ’s work at the State of New Mexico Department of Game and Fish is getting around. His response when other agencies want to know how he’s made such strides in his security program? “Come on over. I’ll show you a live demo.”