Vulnerability Management assists with compliance for Hillsborough County

Hillsborough County, situated midway along the west coast of Florida, includes the city of Tampa as its county seat. The County’s IT Services (ITS) department provides technology integration and support services to approximately 4,200 clients at over 100 administrative sites. To improve manageability of this large network infrastructure the Hillsborough County ITS team identified five key security and administrative initiatives for 2005. This project encompassed selecting a set of security technologies to ensure compliance with HIPAA regulations, security policies and standards based on ISO17799, and audit findings. Technology implemented in 2005 included network intrusion prevention, patch management, security information management, policy compliance and vulnerability assessment. Facilitating network security and complying with HIPAA regulations lead the County’s Information Security team to Rapid7 and Nexpose.

Before Hillsborough County acquired a vulnerability management solution, ensuring that their over 250 servers were secure and compliant proved difficult for ITS’ team of three security engineers. The County’s process was to contract with outside vendors to run periodic vulnerability assessment scans. With new security requirements increasing the need for more frequent auditing, they needed an in-house solution. The County’s security engineers required detailed reports that identified vulnerabilities to be remedied before they could pose substantial risk to the network environment. To evaluate vulnerability management solutions, ITS defined a set of technical requirements against which to measure selected vulnerability assessment scanners. The desired solution would need the ability to perform stealth scans, schedule routine scans, support multiple platforms including Windows and Linux, scan multiple platforms, applications and devices, support unauthenticated and authenticated scans, scan all systems without installing an agent, perform incremental scans, and provide future support for wireless protocols.

After testing several vulnerability assessment products, Hillsborough County selected Nexpose. David Rippel, a senior security engineer for Hillsborough County ITS, led the process for selecting the software. He states, “Our customers ultimately are the taxpayers of Hillsborough County. Any tool that assists us in better protecting our information assets and frees up available staff hours helps us to keep operating costs low and ensures that we are providing quality service to the citizens.” After a thorough evaluation and selection process, the County purchased Rapid7’s system stating that Nexpose is the most accurate at operating system detection. Nexpose is able to enumerate exact software revisions and minor version numbers. This is critical to reducing the number of false positives in a penetration test. Nexpose provides comprehensive reporting. Scan results are organized for the types of reports and analysis customers need, including a management summary, trend analysis and detailed remediation reports. The Remediation Report has step-by-step directions that provide system administrators information on how to resolve a specific security issue and an estimated duration of how long the work will take. Nexpose is intuitive and easy to use such that our security engineers were immediately productive with the Nexpose web-based user interface. It’s a more natural end-user experience compared to other products and has clearly defined steps for setting up and running a scan. Nexpose offers flexible licensing based on IP address and supports both the Windows and Linux platforms. Clients are not bound to using unfamiliar hardware found in similar appliance-based products.

• Hillsborough County currently uses Nexpose to audit 254 hosts from three scan engines. “Installing the product is a snap,” said David. “Deployment options are flexible including support for multiple operating systems and distributed scan engines. The web-based user interface makes it easy to support scanning from a remote office. Nexpose has given us the foundation we needed to build a strong vulnerability assessment practice.”
• Nexpose has already shown a return on Hillsborough County’s initial investment. According to David, “Being proactive about identifying vulnerabilities in our computing infrastructure equates to reduced potential downtime of mission-critical services that we provide for the public. Not having to commit countless staff hours to penetration testing enables us to employ a smaller staff than our peers, based on an administrator to server ratio, which helps to keep operating costs low.”

• 254 hosts scanned from 3 scan engines