Many tests used by Internet Scanner push the limits of the system’s operation, looking for vulnerabilities. While you are planning or implementing a test plan, consider these issues:
Notify users—Notify the individuals responsible for the devices to be scanned before you start scanning. This way, system owners know which scans are authorized, and can take action and make improvements based on the scan results.
Vary scan times—Run scans at various times of the day and the week to improve the chances of accessing systems that may be unavailable at certain times.
Run unscheduled scans on verified systems—After a network is known to be secure, use occasional unscheduled scans to maintain the secure state of the network. Only run unscheduled scans against systems that have passed a scheduled scan.
Scan new systems as soon as possible—Scan new systems as soon as possible after adding them to a secure network. Do this in cooperation with the parties responsible for the system and network connectivity.
Scan selectively—Allow systems to opt out of scans if special needs, circumstances, or justifications (such as pending upgrades) are in effect.
Schedule Denial of Service checks cautiously—Schedule Denial of Service tests, which are known to cause system interruptions in vulnerable systems, after you have notified the system owner.
Identify critical systems and services—Contact your vendors or security agencies to obtain corrective actions and advisories if Internet Scanner uncovers an unknown vulnerability. Obtain updates for Internet Scanner from the ISS Web site at http://www.iss.net.