There are several factors to consider when determining the times to run vulnerability scans.
Is this the first time you have run this scan?
Is the scan going to run against an ecommerce site?
Do you have standing approval from your operational areas to run a scan?
Do you have security monitoring and logging systems that will alert on the scanning?
Contact the administrators of your websites to determine the best times to run a vulnerability scan.
Most site admins will know their peak periods of website activity, it is best to avoid those periods for routine scanning simply due to the scans increasing the load on the site.
Scans can often cause increased error logging and alerting. So you need to be extra diligent and careful the first time you run scans. Assume that you may break things the first time.
- Talk to the stakeholders for the systems you are scanning to determine the best time to scan.
- Notify the stakeholders and any support areas that may be involved if there are issues or alerts generated by the scan.
- Follow your normal change control management procedures and treat initial scans like a system change.
One piece of information that your stakeholders will need to know is the source where your scans will originate. They may want to whitelist or ignore those ip addresses in their monitoring.
If you are able to perform vulnerability scanning on your network and e-commerce sites without anybody noticing, then you likely have a gap in your ability to detect malicious scanning also. 🙂