Penetration Test vs the Vulnerability Assessment

Some say Potato, some say Patato. The term "Penetration Test" has been thrown around a lot in the Information Security industry. Some vendors and institutions use the term Penetration Test interchangeably with "Vulnerability Scan" (or Assessment), when in fact the two define very different scopes, methodologies, and deliverables. The recently updated FFIEC Information Security Booklet discusses these types of tests and offers definitions and expectations of what is required of financial institutions in these areas. The short story is that yes, both are different, and yes, both are needed as part of an effective [...]
About Jeremy Johnson

This author has not yet filled in any details.
So far Jeremy Johnson has created 3 blog entries.
The Patch

Sometimes it is only the beginning. Not all patches work out of the gate. Anyone who has been responsible for patch management knows that it is a never-ending cycle of download, test, patch and repeat. What is often overlooked, unfortunately, is that sometimes, even when a patch is applied, the vulnerability it is supposed to fix isn't always fixed… not right away, at least. Over the past few years, there have been several Microsoft vulnerabilities that need additional action after the patch is applied to actually render the vulnerability remediated. When performing Internal Vulnerability Scanning, time and again [...]
Exposed Management Consoles - A look at Microsoft Exchange

In most organizations where we find Microsoft Exchange, we find Outlook Web Access (OWA) open to the internet. Generally, external access to OWA and ActiveSync is allowed so that mobile users can access Exchange email. This is all hosted using Microsoft's Internet Information Services (IIS). What many administrators may not realize is which other websites are running by default and may be exposed to the internet as well. Microsoft Exchange uses different server roles to determine what services a server offers and hosts. The Client Access role generally is what provides services [...]