Packet sniffing is a term used to describe the capturing of packets that are transmitted over a network.
Wireshark is a free and open-source packet analyser. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
The SICSR network is susceptible to ARP spoofing, which is a technique whereby an attacker sends fake (“spoofed”) Address Resolution Protocol (ARP) messages onto a LAN.
Generally, the aim is to associate the attacker's MAC address with the IP of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.
After downloading and installing Wireshark, you can launch it and click the name of an interface under Interface List to start capturing packets on that interface. For example, if you want to capture traffic on the wireless network, click your wireless interface. You can configure advanced features by clicking Capture Options, but this isn’t necessary for now.
As soon as you click the interface’s name, you’ll see the packets start to appear in real time. Wireshark captures each packet sent to or from your system. If you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see the other packets on the network.
The captured packets can be filtered according to protocol, IP, method and various other parameters.
Wireshark was the tool used to analyze the network and identify that ARP poisoning is possible on the network.
The sniffer would not give any result if the poisoning failed.
Audit Plan
Auditor Name: Viren Rao
Date of Auditing: 24/8/2014
Scope: To evaluate whether ARP poisoning is possible
Plan Audit: Check for new needs for improvement, Start Date: 24/8/2014, Closure Date: 7/9/2014.
Selection area: Last audit results: ARP poisoning is still possible, hence enabling packet sniffing
Selection criteria for auditors: Selection of auditors: risk analyst, project manager and system admin
Training plan for auditors: The system admins will need to be trained to take appropriate actions
Audit goal: Is packet sniffing possible?
Audit status Reporting: Level of risk is HIGH
Audit archival location: SICSR network
FMEA is a disciplined procedure which allows anticipating failures and preventing their occurrence in implementation/development.
FMEA Process in Packet sniffing:
• Select the design for FMEA team.
• Identify critical areas
  Analyse network
• Identify associated failure modes and effects.
  Are the analysis tools giving any output?
  Just avoid that risk.
• Assign severity, occurrence and detection rating to each cause.
  Severity: High
  Occurrence: 1/10
• Calculate Risk Priority Number (RPN) for each cause
  RPN: 8/10
• Determine recommended action to reduce all RPN
• Take appropriate actions.
• Recalculate all RPNs with actual results.
RISK mitigation PLAN
TITLE: Packet sniffing
Analyst: Viren Rao
Date: 10/8/2014
Risk id
Date
Identified risk
Source
Category
Severity
Probability index
Impact in $
Exposure to risk identified
Response
Mitigation plan
Contingency plan
Threshold trigger for contingency plan
Ownership
Risk status
Progress
1
10-08-2014
Packet sniffing
SICSR
Technical Risk
High
Least likely
No $ harm
Less
Accepted
Risk Avoidance
Configure and purchase appropriate firewalls
SICSR
Yet to be mitigated
Packet sniffing is still possible
Security is something that most organizations try to work on.
However, it is observed that most organizations seldom look into an untouched area, Layer 2 of the OSI model, which can open the network to a variety of attacks and compromises.
Currently this vulnerability has not been exploited. If this vulnerability is exploited, it could be a major security breach, as all packets moving around a single subnet on the network can be intercepted.
To allocate resources and implement cost-effective controls, organizations, after identifying all possible controls and evaluating their feasibility and effectiveness, should conduct a cost-benefit analysis for each proposed control to determine which controls are required and appropriate for their circumstances.
Benefits could be:
• Tangible: Quantitative
• Intangible: Qualitative
Cost factor               New in Rs.   Enhancements in Rs.
Hardware                  90,000       30,000
Software                  --           --
Policies and procedures   50,000       20,000
Efforts                   100000       50000
Training                  50000        10000
Maintenance               50000
Man-in-the-middle (MITM) attacks which are done using ARP poisoning can be prevented in numerous ways.
However, not all methods are suitable in all scenarios.
To prevent ARP spoofing you need to add a static ARP entry on the LAN.
This method becomes troublesome if your router changes frequently: if you use this prevention method, you need to delete the old entry and add the new one whenever it changes.
Configuration of existing switches to use Private VLANs, where one port can only speak with the gateway.
Even things on the same subnet must go through the gateway to talk.
According to a white paper, Cisco Catalyst 6500 Series Switches have a mechanism to prevent such attacks. It provides a feature called Dynamic ARP Inspection (DAI), which helps prevent ARP poisoning and other ARP-based attacks by intercepting all ARP requests and responses, and by verifying their authenticity before updating the switch's local ARP cache or forwarding the packets to the intended destinations.
The first method is strictly not suitable for the SICSR network, as it is a temporary solution for small networks.
Considering the fact that we have web servers running on our network, the second method will significantly hamper the performance of the network, and therefore is not suitable for the network infrastructure.
The third method is the best solution for this vulnerability and should be implemented on a priority basis.
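The check that Dynamic ARP Inspection performs can be modelled in a few lines. The following is an added example, not code from the slides or from Cisco: it parses ARP frames and permits or drops them against a table of trusted IP-to-MAC bindings. The addresses, the binding table and the sample frames are constructed, and the Ethernet-source check mirrors DAI's optional source-MAC validation.

```python
import socket
import struct

# Constructed trusted IP -> MAC bindings; a DAI switch would take these from
# its DHCP snooping database or from statically configured ARP ACLs.
TRUSTED_BINDINGS = {
    "192.168.1.1": "00:11:22:33:44:55",   # default gateway (constructed)
    "192.168.1.20": "00:11:22:33:44:66",  # workstation (constructed)
}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Parse an Ethernet II frame carrying IPv4 ARP; return None otherwise."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]), "oper": oper,
            "sender_mac": mac_str(frame[22:28]),
            "sender_ip": socket.inet_ntoa(frame[28:32])}

def inspect(frame, bindings=TRUSTED_BINDINGS):
    """Return (verdict, reason), mirroring a permit/drop decision."""
    arp = parse_arp(frame)
    if arp is None:
        return ("ignore", "not an IPv4 ARP frame")
    if arp["eth_src"] != arp["sender_mac"]:
        return ("drop", "Ethernet source differs from ARP sender MAC")
    expected = bindings.get(arp["sender_ip"])
    if expected is None:
        return ("drop", f"no trusted binding for {arp['sender_ip']}")
    if expected != arp["sender_mac"]:
        return ("drop", f"{arp['sender_ip']} is bound to {expected}, not {arp['sender_mac']}")
    return ("permit", "matches trusted binding")

def sample_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Build an in-memory ARP reply frame used only as constructed test data."""
    raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return (raw(dst_mac) + raw(src_mac) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, 2)
            + raw(src_mac) + socket.inet_aton(src_ip)
            + raw(dst_mac) + socket.inet_aton(dst_ip))

GENUINE = sample_reply("00:11:22:33:44:55", "192.168.1.1", "00:11:22:33:44:66", "192.168.1.20")
FORGED = sample_reply("02:00:00:00:00:99", "192.168.1.1", "00:11:22:33:44:66", "192.168.1.20")

if __name__ == "__main__":
    print(inspect(GENUINE), inspect(FORGED))
```

The same logic run over frames from a capture file gives a host-side check for the binding changes that a switch without DAI would let through.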
• Purpose: To assess the risk involved in packet sniffing.
• Scope of this risk assessment: Components are SICSR network.
Briefly describe the approach used to conduct the risk assessment, such as:
• Risk Assessment Team Members
• Check whether ARP poisoning is possible
Server, Network, Interface.
• The mission is to avoid sniffing.
Packets on the network can be intercepted.
List the observations:
• Identification of existing mitigating security controls: Implementing use of tools to detect poisoning.
• Likelihood and evaluation: Low likelihood
• Impact analysis and evaluation: High impact
• Risk rating based on the risk-level matrix: Medium
Packet sniffing is a technical risk. Risk level is high. We can use features in new switches or configure existing switches for patching the risk.
 Packet sniffing & ARP Poisoning
