Rapid7 > Case Studies > Nexpose Busts Security Violations at Redflex Traffic Systems

Nexpose Busts Security Violations at Redflex Traffic Systems

Rapid7 Logo
Customer Company Size
Large Corporate
Region
  • America
Country
  • United States
Product
  • Rapid7 Nexpose Enterprise Edition
  • Metasploit
Tech Stack
  • Vulnerability Scanning
  • Exploit Identification
  • Automated Exploitation
Implementation Scale
  • Enterprise-wide Deployment
Impact Metrics
  • Cost Savings
  • Customer Satisfaction
  • Productivity Improvements
  • Digital Expertise
Technology Category
  • Cybersecurity & Privacy - Network Security
  • Cybersecurity & Privacy - Endpoint Security
  • Cybersecurity & Privacy - Security Compliance
Applicable Industries
  • Security & Public Safety
  • Transportation
Applicable Functions
  • Business Operation
  • Quality Assurance
Use Cases
  • Intrusion Detection Systems
  • Regulatory Compliance Monitoring
  • Remote Asset Management
Services
  • System Integration
  • Cybersecurity Services
  • Training
About The Customer
Redflex Traffic Systems, Inc. is the longest consistently operating company in the growing road-safety camera industry in the United States, with more than 20 years of experience partnering with cities to make an impact on dangerous driving behaviors. Redflex technology has proven its impact on U.S. public safety. Its road safety cameras have helped create safer communities. Rates of running stop signs, red lights, and railroad crossings—and subsequent accidents—drop significantly when people know they might get a ticket. Advanced license-plate reading technology cross checks numbers against police databases and alerts law enforcement when matches occur. Redflex video is also valid evidence for court proceedings. The heart of the Redflex solution is a high-end database that receives and processes all traffic video through secure connections. The system identifies violations and, with client approval, generates tickets and mails them to violators. Because Redflex passes financial transactions to processing institutions, its systems must pass SAS 70 audits and comply with data protection standards such as Payment Card Industry Data Security Standard (PCI DSS) to avoid fines. The data center also includes a range of standard business applications on a mix of Windows and Unix servers.
The Challenge
When Eric Nooden joined Redflex as Information Security Specialist, he found many out-of-date server operating systems. Because system stability was a priority with Redflex proprietary solutions, no one wanted to risk outages. The systems administrators were nervous about patching servers, fearing they might break them. The Redflex team had multilayer security in place, with firewalls, anti-virus software, and other technologies, but no dedicated security personnel to manage them. The undermanaged security posture was more reactive than proactive, and Nooden joined Redflex to change that. Additionally, because Redflex passes financial transactions to processing institutions, its systems must pass SAS 70 audits and comply with data protection standards such as Payment Card Industry Data Security Standard (PCI DSS) to avoid fines.
The Solution
Among the solutions Nooden inherited were vulnerability-scanning systems from three vendors. One of these systems was a Rapid7 Nexpose Enterprise Edition appliance. Nooden put it to work, performing a system-wide scan across all databases, Web servers, network components, and user computers. Nexpose scans for more than 14,000 vulnerabilities and performs about 54,500 checks to locate and identify threats and assess their risk to the environment. Integration with Metasploit provides remote scan control, exploit identification, and automated exploitation functionality. The scan report uses SANS guidelines to rank potential vulnerabilities according to severity, helping Nooden to prioritize tasks. The report also includes step-by-step procedures for effective remediation. Initial Nexpose scans found default passwords in many devices, especially in the network, identified easily exploitable vulnerabilities in unpatched server operating systems, and gave step-by-step plans to quickly address them. Nooden says the Nexpose user interface is highly intuitive and the reports are comprehensive. “It’s so straightforward, I didn’t need any formal training,” he says. But he hired a Rapid7 Professional Services consultant to teach him how to fine-tune configurations to look for specific information. Nooden uses Nexpose to scan critical systems daily and others weekly or monthly. He relies upon the information in scan reports to issue change requests with the appropriate server, network, and desktop administrators and track when vulnerabilities are fixed. Rapid7 Technical Support resolves his questions quickly, often within a few minutes.
Operational Impact
  • Of its three vulnerability-scanning solutions, Redflex only renewed its license for Rapid7 Nexpose. Nexpose catches vulnerabilities that other solutions miss and has shown no false-positives.
  • Rapid7 Nexpose Enterprise Edition provides detailed information that assisted the Redflex staff with a database upgrade project that increased the security posture of proprietary systems without compromising stability.
  • Nexpose helps prove compliance with financial standards and regulations, ensuring that Redflex meets necessary data protection standards.
  • Nooden plans to use Nexpose to pre-scan servers before they go online, ensuring that vulnerabilities are addressed proactively.
  • Nooden measures success by his ability to sleep well at night, without worries or phone calls, thanks to the proactive security posture enabled by Nexpose.
Quantitative Benefit
  • Nexpose scans for more than 14,000 vulnerabilities and performs about 54,500 checks to locate and identify threats.
  • Initial Nexpose scans found default passwords in many devices, especially in the network, and identified easily exploitable vulnerabilities in unpatched server operating systems.

Case Study missing?

Start adding your own!

Register with your work email and create a new case study profile for your business.

Add New Record

Related Case Studies.

Contact us

Let's talk!
* Required
* Required
* Required
* Invalid email address
By submitting this form, you agree that IoT ONE may contact you with insights and marketing messaging.
No thanks, I don't want to receive any marketing emails from IoT ONE.
Submit

Thank you for your message!
We will contact you soon.