
Packet sniffing & ARP Poisoning

Date post: 22-Jun-2015
Upload: viren-rao
Description:
This slideshow shows the threat ARP poisoning poses by allowing packet sniffing attacks using Wireshark on a college network, and provides possible mitigation actions for the vulnerability.
Transcript
Page 1: Packet sniffing & ARP Poisoning
Page 2: Packet sniffing & ARP Poisoning

Packet sniffing is a term used to describe the capturing of packets that are transmitted over a network.

Page 3: Packet sniffing & ARP Poisoning

Wireshark is a free and open-source packet analyser. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Page 4: Packet sniffing & ARP Poisoning

The SICSR network is susceptible to ARP spoofing, which is a technique whereby an attacker sends fake ("spoofed") Address Resolution Protocol (ARP) messages onto a LAN.

Generally, the aim is to associate the attacker's MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.

Page 5: Packet sniffing & ARP Poisoning
Page 6: Packet sniffing & ARP Poisoning

After downloading and installing Wireshark, you can launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, if you want to capture traffic on the wireless network, click your wireless interface. You can configure advanced features by clicking Capture Options, but this isn't necessary for now.

Page 7: Packet sniffing & ARP Poisoning
Page 8: Packet sniffing & ARP Poisoning

As soon as you click the interface's name, you'll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you're capturing on a wireless interface and have promiscuous mode enabled in your capture options, you'll also see the other packets on the network.

Page 9: Packet sniffing & ARP Poisoning
Page 10: Packet sniffing & ARP Poisoning

The captured packets can be filtered according to protocol, IP, method and various other parameters.

Page 11: Packet sniffing & ARP Poisoning

Wireshark was the tool used to analyze the network and identify that ARP poisoning is possible on the network.

The sniffer would not give any result if the poisoning failed.

Page 12: Packet sniffing & ARP Poisoning

Audit Plan

Auditor Name: Viren Rao
Date of Auditing: 24/8/2014

Fields: Scope, Plan, Audit selection area, Selection criteria for auditors, Training plan for auditors, Audit goal, Audit status, Reporting, Audit archival location

Entries:
• To evaluate whether ARP poisoning is possible
• Check for new needs for improvement, Start Date: 24/8/2014, Closure Date: 7/9/2014.
• Last audit results: ARP poisoning is still possible, hence enabling packet sniffing
• Selection of auditors: risk analyst, project manager and system admin
• The system admins will need to be trained to take appropriate actions
• Is packet sniffing possible?
• Level of risk is HIGH
• SICSR network

Page 13: Packet sniffing & ARP Poisoning

FMEA is a disciplined procedure which allows anticipating failures and preventing their occurrence in implementation/development.

FMEA process in packet sniffing:
• Select the design for FMEA team.
• Identify critical areas.
• Analyse network.
• Identify associated failure modes and effects. Are the analysis tools giving any output? Just avoid that risk.
• Assign severity, occurrence and detection rating to each cause. Severity: High. Occurrence: 1/10.
• Calculate Risk Priority Number (RPN) for each cause. RPN: 8/10.
• Determine recommended action to reduce all RPNs.
• Take appropriate actions.
• Recalculate all RPNs with actual results.

Page 14: Packet sniffing & ARP Poisoning

Risk Mitigation Plan

Title: Packet sniffing
Analyst: Viren Rao
Date: 10/8/2014

Fields: Risk id, Date identified, Risk, Source, Category, Severity, Probability index, Impact in $, Exposure to risk identified, Response, Mitigation plan, Contingency plan, Threshold trigger for contingency plan, Ownership, Risk status, Progress

Entry: 1; 10-08-2014; Packet sniffing; SICSR; Technical Risk; High; least likely; No $ harm less; Accepted; Risk Avoidance; Configure and purchase appropriate firewalls; SICSR; Yet to be mitigated; Packet sniffing is still possible

Page 15: Packet sniffing & ARP Poisoning

Security is something that most organizations try to work upon. However, it is observed that most organizations seldom look into an untouched area, Layer 2 of the OSI model, which can open the network to a variety of attacks and compromises.

Page 16: Packet sniffing & ARP Poisoning

Currently this vulnerability has not been exploited. If this vulnerability is exploited, it could be a major security breach, as all packets moving around a single subnet on the network can be intercepted.

Page 17: Packet sniffing & ARP Poisoning

To allocate resources and implement cost-effective controls, organizations, after identifying all possible controls and evaluating their feasibility and effectiveness, should conduct a cost-benefit analysis for each proposed control to determine which controls are required and appropriate for their circumstances.

Benefits could be:
• Tangible: Quantitative
• Intangible: Qualitative

Page 18: Packet sniffing & ARP Poisoning

Cost factor | New in Rs. | Enhancements in Rs.
Hardware | 90,000 | 30,000
Software | -- | --
Policies and procedures | 50,000 | 20,000
Efforts | 100000 | 50000
Training | 50000 | 10000
Maintenance | 50000

Page 19: Packet sniffing & ARP Poisoning

Man-in-the-middle (MITM) attacks, which are done using ARP poisoning, can be prevented in numerous ways.

However, not all methods are suitable in all scenarios.

Page 20: Packet sniffing & ARP Poisoning

To prevent ARP spoofing you need to add a static ARP entry on the LAN.

This method becomes troublesome if your router changes frequently, so if you use this prevention method you need to delete the old entry and add the new one whenever it changes.

Page 21: Packet sniffing & ARP Poisoning

Configuration of existing switches to use Private VLANs, where one port can only speak with the gateway.

Even things on the same subnet must go through the gateway to talk.

Page 22: Packet sniffing & ARP Poisoning

According to a white paper, Cisco Catalyst 6500 Series Switches have a mechanism to prevent such attacks. It provides a feature called Dynamic ARP Inspection (DAI), which helps prevent ARP poisoning and other ARP-based attacks by intercepting all ARP requests and responses, and by verifying their authenticity before updating the switch's local ARP cache or forwarding the packets to the intended destinations.
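The kind of check described above can be illustrated with a short Python sketch, added here as an example; it is not from the slides and is not Cisco's implementation. It assumes a hard-coded IP-to-MAC binding table, constructed frames using documentation addresses, and hypothetical function names; the Ethernet-source comparison is an extra consistency check added in this sketch.

```python
import struct

# Constructed binding table (IP -> MAC). Assumption: on a real switch this
# would come from DHCP snooping or static ARP ACLs, not a hard-coded dict.
BINDINGS = {"192.0.2.1": "00:00:5e:00:53:01",    # default gateway
            "192.0.2.10": "00:00:5e:00:53:0a"}   # workstation

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)
def _raw(mac): return bytes.fromhex(mac.replace(":", ""))

def build_frame(eth_src, sha, spa, tpa, oper=2):
    """Build a constructed Ethernet II + ARP frame for the demo (never sent)."""
    eth = b"\xff" * 6 + _raw(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    ips = lambda s: bytes(int(p) for p in s.split("."))
    return eth + arp + _raw(sha) + ips(spa) + b"\x00" * 6 + ips(tpa)

def parse_arp(frame):
    """Return (Ethernet source, ARP sender MAC, ARP sender IP) of an ARP frame."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("EtherType is not ARP")
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return _mac(frame[6:12]), _mac(frame[22:28]), _ip(frame[28:32])

def inspect(frame, bindings=BINDINGS):
    """Return ("forward" | "drop", reason) before the frame is trusted."""
    try:
        eth_src, sha, spa = parse_arp(frame)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if eth_src != sha:  # extra consistency check added in this sketch
        return "drop", "Ethernet source differs from ARP sender MAC"
    bound = bindings.get(spa)
    if bound is None:
        return "drop", f"no binding for {spa}"
    if bound != sha:
        return "drop", f"{spa} is bound to {bound}, frame claims {sha}"
    return "forward", "sender IP/MAC match the binding table"

if __name__ == "__main__":
    genuine = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:01", "192.0.2.1", "192.0.2.10")
    spoofed = build_frame("00:00:5e:00:53:66", "00:00:5e:00:53:66", "192.0.2.1", "192.0.2.10")
    for name, frame in (("genuine", genuine), ("spoofed", spoofed)):
        print(name, inspect(frame))
```

The reply that claims the gateway's IP with a MAC other than the bound one is dropped before any cache is updated, which is the property the slide attributes to DAI.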

Page 23: Packet sniffing & ARP Poisoning

The first method is strictly not suitable for the SICSR network, as it is a temporary solution for small networks.

Considering the fact that we have web servers running on our network, the second method will significantly hamper the performance of the network, and therefore is not suitable for the network infrastructure.

The third method is the best solution for this vulnerability and should be implemented on a priority basis.

Page 24: Packet sniffing & ARP Poisoning
Page 25: Packet sniffing & ARP Poisoning

• Purpose: To assess the risk involved in packet sniffing.
• Scope of this risk assessment: Components are SICSR network.

Page 26: Packet sniffing & ARP Poisoning

Briefly describe the approach used to conduct the risk assessment, such as:
• Risk Assessment Team Members
• Check whether ARP poisoning is possible

Page 27: Packet sniffing & ARP Poisoning

Server, Network, Interface.

The mission is to avoid sniffing.

Page 28: Packet sniffing & ARP Poisoning

Packets on network can be intercepted.

Page 29: Packet sniffing & ARP Poisoning

List the observations:
• Identification of existing mitigating security controls: Implementing use of tools to detect poisoning.
• Likelihood and evaluation: low likelihood
• Impact analysis and evaluation: High impact
• Risk rating based on the risk-level matrix: Medium

Page 30: Packet sniffing & ARP Poisoning

Packet sniffing is a technical risk and the risk level is high. We can use features in new switches or configure existing switches to mitigate the risk.

Page 31: Packet sniffing & ARP Poisoning

Recommended