The Vulnerability Experience 29
the environment. Ultimately, a list of criteria for systems that
can be scanned should be developed. A list of adverse effects
on systems should be well-documented and the candidates for
not-scanning identified.
• Process: Change management must be carefully considered
prior to any implementation. As it happens, in Harold’s
company, a new firewall system with a built-in IPS was
in the implementation phase. When scans began, San
Francisco had already deployed a new firewall. This firewall
answered discovery scans on every IP address in the range
allocated to that location. (More about this phenomenon
later in this book.) As Harold continued his scans, the
firewalls continued to be rolled out. Eventually, ever ...