This slideshow shows the threat that ARP poisoning poses by enabling packet-sniffing attacks with Wireshark on a college network, and proposes possible mitigations for the vulnerability.
2. Packet sniffing is a term used to describe the capturing of packets that are transmitted over a network.
3. Wireshark is a free and open-source packet analyser. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
4. The SICSR network is susceptible to ARP spoofing, a technique whereby an attacker sends fake ("spoofed") Address Resolution Protocol (ARP) messages onto a LAN.
Generally, the aim is to associate the attacker's MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.
6. After downloading and installing Wireshark, you can launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, if you want to capture traffic on the wireless network, click your wireless interface. You can configure advanced features by clicking Capture Options, but this isn’t necessary for now.
8. As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see the other packets on the network.
10. The captured packets can be filtered according to protocol, IP, method and various other parameters.
11. Wireshark was the tool used to analyze the network and identify that ARP poisoning is possible on it.
The sniffer would not give any result if the poisoning failed.
12. Audit Plan
Auditor Name: Viren Rao
Date of Auditing: 24/8/2014
Scope: To evaluate whether ARP poisoning is possible
Plan Audit: Check for new needs for improvement. Start Date: 24/8/2014, Closure Date: 7/9/2014.
Selection area: Last audit results: ARP poisoning is still possible, hence enabling packet sniffing
Selection criteria for auditors: Selection of auditors: risk analyst, project manager and system admin
Training plan for auditors: The system admins will need to be trained to take appropriate actions
Audit goal: Is packet sniffing possible?
Audit status Reporting: Level of risk is HIGH
Audit archival location: SICSR network
13. FMEA is a disciplined procedure that allows anticipating failures and preventing their occurrence in implementation/development.
FMEA Process in Packet sniffing:
Select the design for FMEA team.
Identify critical areas
Analyse network
Identify associated failure modes and effects.
Are the analysis tools giving any output?
Just avoid that risk.
Assign severity, occurrence and detection rating to each cause.
Severity: High
Occurrence: 1/10
Calculate Risk Priority Number (RPN) for each cause
RPN: 8/10
Determine recommended action to reduce all RPN
Take appropriate actions.
Recalculate all RPNs with actual results.
14. Risk Mitigation Plan
Title: Packet sniffing
Analyst: Viren Rao
Date: 10/8/2014
Risk id
Date
identified risk
Source
Category
Severity
probability index
impact in $
Exposure to risk identified
Response
Mitigation plan
Contingency plan
Threshold trigger for contingency plan
ownership
Risk status
Progress
1
10-08-2014
Packet sniffing
SICSR
Technical Risk
High
least likely
No $ harm
less
Accepted
Risk Avoidance
Configure and purchase appropriate firewalls
SICSR
Yet to be mitigated
Packet sniffing is still possible
15. Security is something that most organizations try to work on.
However, it is observed that most organizations seldom look into an untouched area, Layer 2 of the OSI model, which can open the network to a variety of attacks and compromises.
16. Currently this vulnerability has not been exploited. If it is exploited, this could be a major security breach, as all packets moving around a single subnet on the network can be intercepted.
17. To allocate resources and implement cost-effective controls, organizations, after identifying all possible controls and evaluating their feasibility and effectiveness, should conduct a cost-benefit analysis for each proposed control to determine which controls are required and appropriate for their circumstances.
Benefits could be:
Tangible: Quantitative
Intangible: Qualitative
18. Cost factor (New in Rs. / Enhancements in Rs.)
Hardware: 90,000 / 30,000
Software: -- / --
Policies and procedures: 50,000 / 20,000
Efforts: 100000 / 50000
Training: 50000 / 10000
Maintenance: 50000
19. Man-in-the-middle (MITM) attacks that are carried out using ARP poisoning can be prevented in numerous ways.
However, not all methods are suitable in all scenarios.
20. To prevent ARP spoofing you need to add a static ARP entry on the LAN.
This method becomes troublesome if your router changes frequently: each time it changes, you need to delete the old entry and add the new one.
21. Configure the existing switches to use private VLANs, where one port can only speak with the gateway.
Even hosts on the same subnet must go through the gateway to talk to each other.
22. According to a white paper, Cisco Catalyst 6500 Series Switches have a mechanism to prevent such attacks. It provides a feature called Dynamic ARP Inspection (DAI), which helps prevent ARP poisoning and other ARP-based attacks by intercepting all ARP requests and responses, and by verifying their authenticity before updating the switch's local ARP cache or forwarding the packets to the intended destinations.
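The verification step that slide 22 describes can be modelled in a few lines. This is an added example, not code from the slideshow or from Cisco: a simplified Python model of a DAI-style check, in which the binding table, the addresses and the function names are all constructed for illustration.

```python
import struct

# Constructed trusted IP -> MAC bindings; a switch would learn these from DHCP snooping.
TRUSTED_BINDINGS = {
    "192.168.1.1": "00:11:22:33:44:55",   # default gateway
    "192.168.1.20": "aa:bb:cc:00:00:20",  # workstation
}

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def build_arp_frame(eth_src, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build raw Ethernet+ARP bytes; used only to create the sample input below."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    ipb = lambda a: bytes(int(p) for p in a.split("."))
    eth = raw("ff:ff:ff:ff:ff:ff") + raw(eth_src) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + raw(sender_mac) + ipb(sender_ip) + raw(target_mac) + ipb(target_ip)

def inspect_arp(frame, bindings=TRUSTED_BINDINGS):
    """Return (verdict, reason) for one Ethernet frame, modelled on DAI."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return "ignore", "not an ARP frame"
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return "drop", "malformed ARP header"
    eth_src = fmt_mac(frame[6:12])
    sha, spa = fmt_mac(frame[22:28]), fmt_ip(frame[28:32])
    if eth_src != sha:  # sender MAC inside ARP must match the Ethernet source
        return "drop", f"Ethernet source {eth_src} differs from ARP sender {sha}"
    expected = bindings.get(spa)
    if expected is None:
        return "drop", f"no trusted binding for {spa}"
    if expected != sha:  # the poisoning case: gateway IP claimed by another MAC
        return "drop", f"{spa} is bound to {expected}, frame claims {sha}"
    return "forward", "sender matches trusted binding"

# Constructed sample frames: a genuine gateway reply and a reply claiming the gateway IP.
GATEWAY_REPLY = build_arp_frame("00:11:22:33:44:55", 2, "00:11:22:33:44:55", "192.168.1.1", "aa:bb:cc:00:00:20", "192.168.1.20")
SPOOFED_REPLY = build_arp_frame("de:ad:be:ef:00:01", 2, "de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:00:00:20", "192.168.1.20")

if __name__ == "__main__":
    for name, frame in (("gateway", GATEWAY_REPLY), ("spoofed", SPOOFED_REPLY)):
        print(name, *inspect_arp(frame))
```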
23. The first method is strictly not suitable for the SICSR network, as it is a temporary solution for small networks.
Considering the fact that we have web servers running on our network, the second method will significantly hamper the performance of the network, and therefore is not suitable for the network infrastructure.
The third method is the best solution for this vulnerability and should be implemented on a priority basis.
25. • Purpose: To assess the risk involved in packet sniffing.
• Scope of this risk assessment: Components are SICSR network.
26. Briefly describe the approach used to conduct the risk assessment, such as:
Risk Assessment Team Members
Check whether ARP poisoning is possible
29. List the observations:
Identification of existing mitigating security controls: Implementing use of tools to detect poisoning.
Likelihood and evaluation: low likelihood
Impact analysis and evaluation: High impact
Risk rating based on the risk-level matrix: Medium
30. Packet sniffing is a technical risk and the risk level is high. We can use features in new switches or configure existing switches to address the risk.