I. Compare and contrast an Internet vulnerability assessment with an intranet vulnerability assessment. Explain the differences and similarities.
II. Construct the sequence of processes that make up an intranet vulnerability assessment. Although they are the same steps as an Internet assessment, the details of each step are different:
• Planning, scheduling, and notification of the penetration testing: There will be substantially more systems to assess. Intranet administrators often prefer that penetration testing is performed during working hours.
• Target selection: At first, the penetration test scanning and analysis should focus on testing only the highest-value and most critical systems. As the configuration of these systems is improved, and fewer candidate vulnerabilities are found in the scanning step, the target list can be expanded.
• Test selection: The selection of the tests to be performed usually evolves over time to correspond with the evolution of the threat environment. Most organizations focus their intranet scanning efforts on a few critical vulnerabilities at first, and then expand the test pool to include more scripts.
• Scanning: Just as it is in Internet scanning, the process should be monitored so that if an invasive penetration test causes disruption, it can be reported for repair.
• Analysis: It follows the same three steps as Internet analysis: classify, validate, and document.
• Record keeping: It is identical to the one followed in an Internet vulnerability analysis.