
Performance Issues | Active Scanning Technology Detection Methods




We have discussed at some length the process of identifying ports and handling TCP connections. All of these factors have to be taken into consideration during the scan; however, the scanner cannot wait too long. At some point, the transaction attempt will “time out.” This phenomenon can be referred to as discovery tolerance. Various vendors have different levels of discovery tolerance. Tolerance is loosely proportional to the accuracy of the discovery, but the probability of a successful identification diminishes rapidly as the wait grows. Fortunately, we know from experience that there is no point waiting for a reply beyond a certain amount of time. Determining that point is the real skill in any fingerprinting activity. The goal is to be complete and accurate, but there is a law of diminishing returns. Two key timers affect the speed of the discovery process: the connection establishment timer and the retransmission timer.
For many TCP implementations, the connection establishment timer (TCP_KEEPINIT parameter) waits 75 seconds for a response. A simple scan on a single port for 200 hosts would require over four hours to complete if none of the hosts responded. This must be adjusted to wait far less time. One effective approach is to take the maximum roundtrip time (RTT) of ICMP echo reply exchanges and add two seconds. This provides ample time for an application to respond on the required port and is likely to be far shorter than the default of 75 seconds.
With TCP connections, a discovery process can also vary the retransmission timer when additional packets are to be exchanged with the target. In normal communications, the timer begins with a value of 1.5 seconds. If no response is received, then the value is doubled to three seconds. If there is still no SYN-ACK, the timer is doubled again and we wait six seconds. This continues repeatedly until we reach a limit of 64 seconds. The process is called exponential backoff (EB). In theory, this should parallel the exponential probability that a response will ultimately be received. However, this is often impractical for host discovery purposes in vulnerability scanning. A typical OS can spend several minutes waiting for a connection to time out.
A more practical approach would be to sequentially increase the retransmission timer by smaller values for a total period of time to be some factor above the average for the target IP range. For example, let’s suppose that we are performing a discovery of network A (192.168.10.0/24) with an upper limit of 30 seconds for retransmission. If the first 16 hosts required an average of 10 seconds to respond and the mode was five seconds, we might start our retransmission timer at five seconds and increase the value by five seconds until an upper limit of 20 seconds was reached (2× average). This is a more sensible approach that will avoid a common IP stack value that can reach several minutes for a single connection. Remember that our goal is discovery of open ports and live hosts, not the reliable transmission of data to another host.
There is one other item that can be manipulated, which is not exactly a timer and can speed the discovery process considerably:
to implement all the timers TCP only requires that two functions are called periodically: (1) the fast timer is called every 200 ms and (2) the slow timer every 500 ms. TCP uses these two periodic ‘ticks’ to schedule and check all the timers described as well as measuring round trip times.[*]
Basically, the OS kernel must check every 200 ms to see if an acknowledgment has been received. In modern networks and operating systems, this is a very long time.
By decreasing this period, the discovery process can recognize that the probing SYN packets it has sent have been acknowledged in a shorter time, and move on to the next probe. If the RTT from SYN to SYN-ACK is 10 ms, then under normal circumstances, the discovery process can wait for up to 190 ms to proceed with the next action. Multiply this number by hundreds of hosts and dozens of ports, and the wasted time can be tremendous.
The one caveat to modifying TCP timers is that some applications are simply slow to respond. This approach works best when probing for open ports but not necessarily for applications. There is a lot of room for creativity in scan performance optimization. This section simply illustrates some of the challenges designers can be confronted with when trying to optimize the scan process and minimize the impact on the network.
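The timer budget described above, worked through as an added example (not code from the original post): the 75-second default against 200 hosts, the RTT-plus-two-seconds connect timeout, the exponential backoff ladder, the adaptive linear schedule built from the 16-host sample, and the idle time a 200 ms kernel tick imposes on a 10 ms SYN-ACK. All RTT and response-time samples are constructed.

```python
"""Timer-budget model for the discovery phase described above: an added
example, not code from the original post. The schedules follow the figures
in the text; the RTT and response-time samples are constructed."""
from statistics import mean, mode

TCP_KEEPINIT_DEFAULT = 75.0  # seconds: default connection-establishment timer

def connect_timeout_from_rtt(icmp_rtts, slack=2.0):
    """Rule from the text: max ICMP echo-reply RTT seen on the range + 2 s."""
    return max(icmp_rtts) + slack

def exponential_backoff_schedule(initial=1.5, ceiling=64.0):
    """Retransmission waits of a typical TCP stack: 1.5, 3, 6, ... capped at 64 s."""
    waits, t = [], initial
    while True:
        waits.append(min(t, ceiling))
        if t >= ceiling:
            return waits
        t *= 2

def adaptive_schedule(response_times, factor=2.0, hard_limit=30.0):
    """Alternative from the text: start at the mode of observed response
    times, step by that value, stop at factor x average (never past hard_limit)."""
    step = mode(response_times)
    cap = min(factor * mean(response_times), hard_limit)
    waits, t = [], step
    while t <= cap:
        waits.append(t)
        t += step
    return waits

def worst_case_scan_seconds(hosts, ports, per_probe_timeout):
    """Serial worst case when nothing answers: every probe waits the full timeout."""
    return hosts * ports * per_probe_timeout

def ack_detection_latency(rtt, tick=0.200):
    """Worst-case idle time before a kernel that polls for ACKs every `tick`
    seconds notices a SYN-ACK that arrived `rtt` seconds after the SYN."""
    return tick - (rtt % tick)

# Constructed samples: the 16-host example (average 10 s, mode 5 s) and some
# plausible ICMP round-trip times in seconds.
SAMPLE_RESPONSE_TIMES = [5] * 8 + [10] * 3 + [15] * 2 + [20] * 3
SAMPLE_ICMP_RTTS = [0.012, 0.040, 0.085, 0.250]

if __name__ == "__main__":
    hours = worst_case_scan_seconds(200, 1, TCP_KEEPINIT_DEFAULT) / 3600
    print("200 hosts, 1 port, default timer, no answers: %.1f hours" % hours)
    print("RTT-derived connect timeout:", connect_timeout_from_rtt(SAMPLE_ICMP_RTTS))
    print("exponential backoff waits:", exponential_backoff_schedule())
    print("adaptive waits:", adaptive_schedule(SAMPLE_RESPONSE_TIMES))
    print("idle after a 10 ms SYN-ACK: %.3f s" % ack_detection_latency(0.010))
```

The exponential ladder sums to 158.5 seconds per unanswered host, the adaptive one to 50; that difference, multiplied across a /24, is the whole argument of the passage.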

Black Box Testing

Once the presence of a host has been established and that presence recorded in the memory of the scanner, a series of tests or “checks” are performed to find vulnerabilities. The types of checks are dependent upon the type of host and the configuration of the scanner. Generally, two types of checks are performed. A network-based or surface check probes and analyzes only what is evident with limited or no access to services on the machine, that is, what the host offers to any other peer on the same network path that exists between the scanner and the target. This is also known as an unauthenticated check. The other type of check is an authenticated, internal check or white box test. It is performed when the scanner is given special information and credentials to access details of the host, which are generally reserved for trusted entities.
The difference between surface and internal checks is obviously significant not only in the way they obtain information, but also in the value and quality of that information. Clearly, more detailed data can be obtained by logging into a host and perusing its configuration. Although the information tells us a lot about the host, it does not typically represent the view of an attacker who performs reconnaissance on an unknown host. Credentialed data is valuable from an analysis standpoint, but some attacks take place by probing the host from the view of an outsider; therefore, information that can be obtained in the same fashion is often more valuable. To summarize, a vulnerability discovered and exploitable from outside a host represents a greater exposure than if the same vulnerability could only be discovered and exploitable from a credentialed or internal check.
There is a common perception that authenticated checks are more accurate than remote checks but that’s often not true. The Windows registry is commonly used for authenticated checks but is often wrong. It’s important to consider that not all authenticated checks are created equal and that a remote check is a good method of validating authenticated information.
The black box testing process involves some straightforward testing over the network and possibly some creative use of IP and other protocols. Usually, the simple tests are harmless and efficient. The more exotic manipulation of IP protocols can cause problems on scanned hosts with applications that are ill-prepared to handle many variations. This is a vulnerability in itself. The IP stack of the host is usually capable of handling nearly any variety of traffic, but the overlying applications sometimes are not. It is another area that calls for extensive testing in order to avoid adverse effects on production systems. Most vendors are able to provide a list of known negative application interactions.
Following is a list of some common methods of reconnaissance:
  • Malformed packets are sent to the host to identify the presence of a vulnerability in the response. This is similar to the discovery process and is sometimes incorporated into the same phase for efficiency. The information sent to the target can be at any one layer or multiple combinations of layers 3 through 7 in the OSI Model.
  • Normal packets are sent to a known application to obtain results that will reveal vulnerability information. This is very common in the http protocol to obtain information about the Web server, application server, or back-end databases.
  • Valid information is sent to the target to gather valid header response data that will reveal the version of software answering the service request. This is known as banner checking. Many software applications can obfuscate this information with simple configuration changes, so it is not the most reliable method.
These methods can be summarized conceptually in pseudo code form:

  Send X to target
  Listen for response Y
  Match Y to possible response list
  If Y is on list, note vulnerability
  If Y is not on list, ignore
  Get next check; Loop
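The check loop above implemented as a banner check, added here as an example (not the original author's code). The network is a constructed in-memory table of responses so it runs offline; the hosts, the product name ExampleHTTPd, its versions and the check id EXAMPLE-CHECK-1 are made-up placeholders, not real advisories. It also shows the two ways a response falls off the list: a timeout and an obfuscated banner.

```python
"""Banner-check engine following the pseudo code above (added example).
Responses, product names, versions and check ids are all constructed."""
import re

# Constructed responses keyed by (host, port); None models a timed-out probe.
FAKE_NETWORK = {
    ("198.51.100.10", 80): b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/1.2.3\r\n\r\n",
    ("198.51.100.11", 80): b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/1.2.10\r\n\r\n",
    ("198.51.100.12", 80): b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd\r\n\r\n",
    ("198.51.100.13", 80): None,
}

# Each check: what to send (X) and which product/version range on the
# "possible response list" counts as a finding. fixed_in is hypothetical.
CHECKS = [
    {"id": "EXAMPLE-CHECK-1", "probe": b"HEAD / HTTP/1.0\r\n\r\n",
     "product": "ExampleHTTPd", "fixed_in": (1, 2, 4)},
]

def send_and_listen(host, port, probe):
    """Send X to the target and return Y (here: a table lookup, no sockets)."""
    return FAKE_NETWORK.get((host, port))

def parse_banner(response):
    """Extract (product, version tuple) from a Server header.
    (product, None) when the version is obfuscated, (None, None) when there
    is no usable header at all."""
    m = re.search(rb"^Server:\s*([A-Za-z][\w.-]*)(?:/([\d.]+))?\s*$",
                  response, re.M)
    if not m:
        return None, None
    product = m.group(1).decode()
    if not m.group(2):
        return product, None
    # Compare versions numerically: "1.2.10" is newer than "1.2.3", which a
    # plain string comparison would get wrong and flag as vulnerable.
    return product, tuple(int(p) for p in m.group(2).decode().split("."))

def run_checks(targets, checks=CHECKS):
    """Returns {(host, port): [check ids noted]}. Timed-out, unknown and
    obfuscated responses are ignored, as the pseudo code says."""
    findings = {}
    for host, port in targets:
        for check in checks:
            y = send_and_listen(host, port, check["probe"])
            if y is None:                       # timed out: nothing to match
                continue
            product, version = parse_banner(y)
            if product != check["product"] or version is None:
                continue                        # not on the list / obfuscated
            if version < check["fixed_in"]:
                findings.setdefault((host, port), []).append(check["id"])
    return findings
```

Host .12 answers but hides its version, so the check stays silent there; that is the false negative the text warns about, and the reason banner checking alone is not the most reliable method.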

TRAINING ISSUES | Population


The purpose of an active training program designed around your disaster plan is to ensure every staff person and your resident population will react automatically and appropriately in an emergency or disaster situation. The staff must be familiar with the plan, understand their responsibilities within it, and be comfortable in carrying them out.

The best way to ensure staff and resident familiarity with the plan is to include them in its development. During a disaster, critical staff may become victims themselves. Overall understanding and cross-training is a good insurance policy against possible confusion and chaos. Turnover in staff also creates an ongoing need to constantly train staff and residents in disaster planning.

One of the best ways to fine-tune staff training is through the use of in-house emergency drills and exercises and through participation in all community disaster drills and exercises. Emergency drills and exercises are an integral part of the preparedness phase of your crisis management program. They provide a mechanism to reveal planning strengths and weaknesses; identify resource shortfalls; improve internal and external coordination, collaboration, and communication; and clarify the roles and responsibilities of your staff during an emergency or disaster. They also provide an excellent opportunity to develop or improve your relationship with your local emergency organizations.

DISASTER-RESPONSE ISSUES

Your facility disaster-response plan is vital to the safety and well-being of special-needs residents and staff during and following any emergency or disaster. How you organize and assign responsibility for these functions depends on your staffing pattern, the number of residents under your care, their level of physical mobility, and the size of your facility.

Be sure to address and assign responsibility for each function in terms of a staffing schedule. Adapt procedures to fit your needs—daytime, evening, and nighttime coverage or by alternative shift schedules, according to your facility. When a disaster response is activated, each shift should plan at least six hours ahead so the next shift will be able to continue the work already underway and have the benefit of the information posted on the walls to provide a picture of the most current situation (e.g., number of residents injured, locations of damage, availability of drinking water, etc). It is important to remember that the situation will be changing, and planning must be flexible to adjust to and reflect these changes.

Command Center

The command center should be located in a secure area and have sufficient space to accommodate necessary staff. An alternate site should also be selected as a backup. Communications equipment should include telephones, fax machines, cellular phones, and two-way or ham radios, if available. A status board—white board, flip chart, bulletin board—must be available to track response actions, decisions made, staff schedules, status of facility/resident needs, and other disaster- and facility-specific information. Laptop computers and printers are helpful tools, as long as power is available to operate them. A conference room can easily be converted into a command center with the equipment and supplies prepositioned and stored until needed.

Staffing Priorities

If adequate staff are available, disaster-response activities should be undertaken simultaneously, as appropriate depending on the incident, with staff preassigned their primary responsibility. You may wish to establish a preparedness committee of residents, if their physical condition allows, and include members of this committee in both preparedness and response planning for the facility. Involving interested and capable residents and assigning them responsibilities in planning efforts and organized response functions can greatly enhance your overall capability.

If adequate staff members are not available to undertake response functions simultaneously, those functions should be carried out in the following order:

  1. Direction and control. Determine who is in charge of the emergency response at the time of the disaster. Evaluate the situation and activate response staff as needed. Activate the command center to coordinate emergency activities.

  2. Site security. Check and turn off gas and/or electricity. Make sure the emergency generator is functioning and emergency power is on. Turn off the water supply if pipes are broken or leaking.

  3. Fire suppression. Check for fires and suppress small fires. Notify the fire department.

  4. Search and rescue. Quickly search the facility for people who may be trapped or injured. Assist if possible. Note and record the situation for other responders, including name and location of those trapped.

  5. First aid. Administer first aid to injured persons. Note and record injury for assistance from other responders, including name and location.

  6. Damage assessment. Inspect facility. Record damage and report to the command center. Request barricades, off-limits signs, and additional support from security or law enforcement as needed.

Community resources will be overwhelmed in a major disaster, and you could be on your own for a long time. Self-sufficiency is required.


Needs of Pediatric Patients

HRSA reiterates that a host of special anatomical, physiological, and psychological considerations leave children more susceptible to the effects of disasters and acts of terrorism. Planning must consider, but not be limited to, special treatment areas for mass pediatric casualties in hospitals, triage areas, and health centers; development of pediatric response protocols, paying special attention to appropriate medications and dosages; pediatric-specific training and exercise procedures; and provision of psychological support to children and families, including methods to ensure reunification of children with family members, as needed (HRSA 2003).

MITIGATION ISSUES

An all-hazards approach for the domestic and international emergency management framework applies to the threat of terrorism. Better plans, more training, and greater awareness enhance capabilities to manage natural and technological disasters, day-to-day emergencies that may occur, as well as terrorist incidents. A course recently developed for the Federal Emergency Management Agency’s Higher Education Project, “Social Vulnerability Approach to Disasters,” is an excellent tool to help in understanding our vulnerability while suggesting strategies and actions (Enarson et al. 2003).

The course describes structural and nonstructural mitigation strategies. Both provide security measures that may be taken to prevent or reduce loss of life and property from terrorist events and acts of violence. The distinction between structural mitigation techniques and nonstructural mitigation techniques is often made in terms of reducing potential loss (nonstructural) rather than in terms of reducing hazards (structural).

It is relatively easy to provide physical or structural mitigation measures to secure a facility or person by providing guards, iron bars, electrified fences, surveillance cameras, and other physical security measures. But these measures are often resource-consuming and are most effective in controlled-access areas; they may be less effective in areas where large numbers of people have access (Enarson et al. 2003).

Nonstructural mitigation measures include training to reduce vulnerability and implementing measures into response plans to reduce the likelihood of losses and to speed recovery. These measures may be easier for public agencies to fund and implement than are physical or structural changes to a building (Enarson et al. 2003). For example, facility staff members who are keenly aware and trained to alert their supervisor or shift leader to anything out of the ordinary—a suspicious package or vehicle, someone in the building without a visitor’s badge—enhance your facility’s safety factor.

Staff skilled in the tools necessary to handle emergency and disaster situations are valuable assets and increase your chances of responding to and recovering from any disaster in a more expedient and timely manner. Training reduces your vulnerability while building capacity and confidence among your facility team players. If residents are competent and willing to help with disaster management and facility security, they can be trained as well. This type of cooperative effort and vested interest in the mutual safety and security of your facility is wise and cost effective. Its benefits are immeasurable in terms of your facility’s greatest asset—human resources—and personal self-sufficiency and pride.

In keeping with all-hazards, or “dual purpose,” emergency management planning, it is significant to note that terrorism is not the only form of violence common to institutions, workplaces, and all aspects of American society. The primary justification for preparedness is to ensure the readiness of your facility for the potential unknown that may be faced at any time. In addition to terrorism, Americans daily face threats of criminal (physical and sexual), domestic (spouse, family, or other intimates), and other common types of violence (Enarson et al. 2003).

These same threats of violence are present in healthcare facilities and patient care environments. The size and nature of the facility, number of residents and staff, physical location, population and demographics of the area, and many other factors may determine the amount of security measures implemented. Many mitigation actions that reduce vulnerability to all types of violence can be accomplished at little or no cost.
