Read to learn the basics of network segmentation, new PCI DSS 3.2 and 3.2.1 segmentation check requirements, and segmentation check best practices.
This post contains the text from the White Paper: 5 Top Tips to Perform Segmentation Checks.
To help protect your network and payment data, you need to examine your environment the way a hacker would. Ethical hacking or penetration testing is the art of analyzing network environments, identifying potential vulnerabilities, and trying to exploit those vulnerabilities, so that you can find and address security weaknesses.
Penetration testing is vital for your data security and for compliance with Payment Card Industry Data Security Standard (PCI DSS) Requirement 11. PCI DSS has introduced new requirements for penetration testing of network segmentation (i.e., segmentation checks).
In this white paper, you will learn the basics of network segmentation, new PCI DSS segmentation check requirements, and segmentation check best practices.
PCI DSS 3.2 and its supporting documents were released on April 28, 2016. Version 3.2.1 (published in May 2018) has since replaced it, and since January 1, 2019 it has been the only valid version. All 3.2 and 3.2.1 requirements, including the segmentation check requirements, must be implemented.
Although most penetration testing requirement changes occurred with PCI DSS version 3.0 (e.g., the introduction of segmentation checks), PCI DSS 3.2 and 3.2.1 added two clarifications on segmentation checks (Requirement 11.3.4 and, for service providers, 11.3.4.1).
First, the segmentation check must be performed by an organizationally independent resource, which was already required for other penetration testing activities. These independent resources can be a third party or a qualified internal resource (who isn’t involved with managing, maintaining, or designing the environment).
Second, since February 2018, service providers need to perform penetration testing on segmentation controls (i.e., segmentation checks) at least every six months and after any changes to segmentation controls/methods.
Merchants often set up large flat networks, where everything inside the network can connect to everything else. Flat networks make securing your card data extremely difficult, because once an attacker gets inside the network they have access to everything, including the Cardholder Data Environment (CDE). To help secure your network and CDE, consider network segmentation.
Network segmentation is a common practice in which organizations reduce risk by isolating (segmenting) high-security networks that hold sensitive data (such as the CDE) from less-secure networks (e.g., guest Wi-Fi), so that access to the sensitive data is restricted to the traffic that must cross that boundary.
When you use network segmentation, you can better ensure sensitive data is only sent to known and trusted users, devices, and/or sources.
There are three main types of segmentation that are typically used today:
Firewall rules are one of the most popular forms of network segmentation. We’ll discuss these different segmentation types later on.
By isolating less-secure networks from high-security networks, businesses can ensure that a compromise in a less-secure network does not affect the security of the high-security networks. Generally, the more places that have access to payment data, the higher the chance of a PCI violation or data breach.
If all the machines within an organization were in the same network, then all of these machines would have to be evaluated with regards to their security at the same level as the machines within the secure zone. This higher level of testing would result in much higher costs for your organization.
In addition to reducing risk, network segmentation can also reduce the time and cost associated with becoming PCI compliant. When organizations create a secure payment zone separated from the rest of the day-to-day business traffic, they can better ensure their CDE only communicates with known and trusted sources. This limits the size of the CDE and potentially lowers your scope, which often reduces the number of PCI DSS requirements that apply to the less-secure networks.
Segmentation is not required to be compliant with PCI DSS. However, if you are looking for one of the easiest ways to reduce the cost, effort, and time spent getting in-scope systems compliant, you may want to consider segmentation.
To set up proper network segmentation, you must first understand how all card data flows through your organization, making sure you find both where you expect the data to be and where it shouldn't be.
Create a card flow diagram, which is a graphical representation of how card data moves through an organization. As you define your environment, it's important to ask every organization and department whether they receive cardholder information, and then work out how their answers change the card data flows. Your employees probably know about informal processes where card data exists that no one else knows about.
You should also ask yourself:
In addition, you should regularly run a cardholder data discovery tool (such as PANscan®). These tools help identify the location of unencrypted primary account number (PAN) data. Knowing where PAN data is stored helps identify where network segmentation should be implemented, as well as reduces your risk of data loss once you securely delete any unencrypted data.
Once you know where your card data is and how it flows through your environment, look at your network diagram and determine which devices, users, and rules will keep the zones apart.
The most common way to segment is to place a firewall between network zones, specifically between the card environment and the rest of your network, and limit the traffic that can cross it. The most important part of the firewall implementation is the Access Control List (ACL), which defines exactly what traffic can pass. Firewall rules typically allow or deny traffic by source, destination, protocol, and port, and the rules protecting the CDE should deny everything that is not explicitly permitted.
For example, think about the roles or job functions that each group of computers serves. Receptionists may need access to company email and a few business websites; they probably don't need Facebook, Twitter, Gmail, or anything else. You can whitelist these computers so that employees can only go to the websites you want them to go to.
On the other hand, employees who use the Internet for research need more open access. You can blacklist these computers so that they can go anywhere except certain websites you don't want them to visit, such as Facebook or YouTube.
You may also have computers, such as the ones connecting to your CDE, which never need Internet access at all. Block these computers from having any access to the Internet.
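To make the ACL discussion concrete, here is an added example (not from the original white paper) of a first-match firewall rule evaluator. It models a segmented rule set with a default deny around the CDE, the flat network the paper warns about, and a common mistake where a broad "corporate to any" rule is placed above the CDE deny. The zone ranges, host addresses, and rules are constructed for illustration and are not from any real environment.

```python
"""Added example (not from the original white paper): a first-match firewall
ACL evaluator for reasoning about CDE segmentation. Zone ranges, host
addresses and rules are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone addressing (hypothetical).
ZONES = {
    "cde": ipaddress.ip_network("10.10.0.0/24"),        # POS terminals, payment servers
    "corporate": ipaddress.ip_network("10.20.0.0/16"),  # office workstations
    "guest": ipaddress.ip_network("192.168.50.0/24"),   # guest Wi-Fi
}


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # zone name, "internet", "any", or a single host
    dst: str
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches every port


def _match(addr: str, selector: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if selector == "any":
        return True
    if selector == "internet":   # anything outside the defined internal zones
        return not any(ip in net for net in ZONES.values())
    if selector in ZONES:
        return ip in ZONES[selector]
    return ip == ipaddress.ip_address(selector)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """First matching rule wins; no match falls through to default deny."""
    for r in rules:
        if (_match(src, r.src) and _match(dst, r.dst)
                and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


# Flat network: everything can talk to everything, including the CDE.
FLAT = [Rule("allow", "any", "any")]

# Segmented: only documented flows cross the CDE boundary.
SEGMENTED = [
    Rule("allow", "cde", "198.51.100.10", "tcp", 443),   # POS -> payment gateway (constructed address)
    Rule("allow", "10.20.1.5", "cde", "tcp", 22),         # one admin jump host -> CDE over SSH
    Rule("deny", "any", "cde"),                           # nothing else reaches the CDE
    Rule("deny", "cde", "any"),                           # CDE gets no other outbound (no Internet)
    Rule("allow", "corporate", "internet", "tcp", 443),   # office web browsing
]

# A common mistake: a broad "corporate -> any" rule placed above the CDE deny.
BROKEN = [Rule("allow", "corporate", "any")] + SEGMENTED

# (src, dst, proto, dport, expected action): the flows a segmentation check must confirm.
Flow = Tuple[str, str, str, Optional[int], str]
REQUIRED: List[Flow] = [
    ("192.168.50.23", "10.10.0.5", "tcp", 445, "deny"),      # guest Wi-Fi -> CDE
    ("10.20.7.9", "10.10.0.5", "tcp", 3389, "deny"),         # office PC -> CDE RDP
    ("10.20.1.5", "10.10.0.5", "tcp", 22, "allow"),          # jump host -> CDE
    ("10.10.0.5", "198.51.100.10", "tcp", 443, "allow"),     # POS -> gateway
    ("10.10.0.5", "203.0.113.80", "tcp", 80, "deny"),        # CDE -> Internet
]


def violations(rules: List[Rule], flows: List[Flow] = REQUIRED) -> List[Flow]:
    """Return the flows whose evaluated action differs from the expected one."""
    return [f for f in flows if evaluate(rules, *f[:4]) != f[4]]


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED), ("broken", BROKEN)):
        print(f"{name}: {len(violations(rules))} violation(s)")
```

The point of the BROKEN rule set is that rule order matters as much as rule content: every individual rule in it also appears in the segmented set, yet office workstations can reach the CDE because the permissive rule is evaluated first. A segmentation check exercises exactly this kind of flow from the real network rather than trusting the rule listing.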
Although most merchants decide to segment internal network zones using a firewall, here are a few other options:
Segmenting your network can be extremely technical, so you'll want to test your network segmentation controls (i.e., perform segmentation checks).
AS A SERVICE PROVIDER, IF YOU USE SEGMENTATION, PERFORM PENETRATION TESTING ON SEGMENTATION CONTROLS AT LEAST EVERY SIX MONTHS AND AFTER ANY CHANGES.
A segmentation check is a series of penetration tests used to validate that less-secure networks are not able to communicate with high-secure networks (typically the CDE). You’re testing the controls to make sure the segmentation in your business is working properly and doesn’t have any security holes.
Penetration testers validate segmentation by running port scans (often using Nmap) from a host on a network that should have no access to the CDE, targeting the entire CDE address range, to see whether any CDE host can be reached. If no CDE host responds and no port is reachable from that network, the segment is validated as properly segmented (isolated from the CDE). Note that any response at all, even a "closed" port, shows that the probe reached a CDE host and is a finding; only silence or an explicit block from the firewall counts as isolation.
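As an added example (not from the original white paper), the following Python grades a segmentation check from Nmap XML output. It lists the kind of commands a tester runs from the untrusted segment against the CDE range for the ICMP, TCP, and UDP parts of the test, then parses the resulting XML and reports every CDE host that answered. The address ranges and the two XML documents are constructed to resemble Nmap's -oX output; they are not real scan results.

```python
"""Added example (not part of the original white paper): grading a segmentation
check from Nmap XML (-oX) output. The scan is run from a host in an out-of-scope
segment (e.g. guest Wi-Fi) against the whole CDE address range. The XML below is
constructed to look like Nmap output and is not a real scan result."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Commands a tester would run from the untrusted segment (hypothetical CDE range).
# -Pn is needed because a blocking firewall also drops the host-discovery probes;
# without it Nmap would consider every target down and probe no ports at all.
SCAN_COMMANDS = [
    "nmap -sn -PE -PP -n 10.10.0.0/24 -oX cde-icmp.xml",              # ICMP reachability
    "nmap -sS -Pn -n -p- 10.10.0.0/24 -oX cde-tcp.xml",               # all 65535 TCP ports
    "nmap -sU -Pn -n --top-ports 1000 10.10.0.0/24 -oX cde-udp.xml",  # common UDP ports
]

# Port states that prove a probe reached a CDE host and got an answer back.
# "closed" means an RST came back, so the host is reachable even though the
# port is not listening; only "filtered" (no reply, or an ICMP block from the
# firewall) indicates the segmentation control did its job.
REACHABLE_STATES = {"open", "closed", "open|filtered", "unfiltered"}

# Constructed sample: every port filtered, hosts "up" only because of -Pn.
PASSING_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -Pn -n -p- 10.10.0.0/29 -oX cde-tcp.xml">
<host><status state="up" reason="user-set"/><address addr="10.10.0.5" addrtype="ipv4"/>
<ports><extraports state="filtered" count="65535"><extrareasons reason="no-responses" count="65535"/></extraports></ports></host>
<host><status state="up" reason="user-set"/><address addr="10.10.0.6" addrtype="ipv4"/>
<ports><extraports state="filtered" count="65535"><extrareasons reason="admin-prohibited" count="65535"/></extraports></ports></host>
</nmaprun>"""

# Constructed sample: one host answered ICMP, another has SSH exposed and
# returns resets on every other port (i.e. the firewall is not in the path).
FAILING_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -Pn -n -p- 10.10.0.0/29 -oX cde-tcp.xml">
<host><status state="up" reason="user-set"/><address addr="10.10.0.5" addrtype="ipv4"/>
<ports><extraports state="filtered" count="65535"><extrareasons reason="no-responses" count="65535"/></extraports></ports></host>
<host><status state="up" reason="echo-reply" reason_ttl="63"/><address addr="10.10.0.7" addrtype="ipv4"/></host>
<host><status state="up" reason="user-set"/><address addr="10.10.0.9" addrtype="ipv4"/>
<ports><extraports state="closed" count="65534"><extrareasons reason="resets" count="65534"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh"/></port>
</ports></host>
</nmaprun>"""


def grade(xml_text: str) -> Dict[str, List[str]]:
    """Return {host: [findings]} for every CDE host the untrusted segment could reach.
    An empty dict means the scanned range was unreachable from that segment."""
    root = ET.fromstring(xml_text)
    findings: Dict[str, List[str]] = {}
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        notes: List[str] = []
        status = host.find("status")
        # With -Pn Nmap marks every target "up" with reason="user-set"; only a real
        # reply (echo-reply, syn-ack, reset, ...) shows the host actually answered.
        if status is not None and status.get("state") == "up" and status.get("reason") != "user-set":
            notes.append(f"host answered discovery probe ({status.get('reason')})")
        ports = host.find("ports")
        if ports is not None:
            for extra in ports.findall("extraports"):       # the summarized bulk of ports
                if extra.get("state") in REACHABLE_STATES:
                    notes.append(f"{extra.get('count')} ports {extra.get('state')}")
            for port in ports.findall("port"):              # individually listed ports
                st = port.find("state")
                if st.get("state") in REACHABLE_STATES:
                    notes.append(f"{port.get('protocol')}/{port.get('portid')} "
                                 f"{st.get('state')} ({st.get('reason')})")
        if notes:
            findings[addr] = notes
    return findings


def is_segmented(xml_text: str) -> bool:
    """True when no host in the scanned range answered from the untrusted segment."""
    return not grade(xml_text)


if __name__ == "__main__":
    for label, xml_text in (("passing", PASSING_XML), ("failing", FAILING_XML)):
        print(label, "->", "isolated" if is_segmented(xml_text) else grade(xml_text))
```

Run one grading pass per (untrusted segment, scan type) pair and keep the XML files as evidence; for UDP, "open|filtered" is ambiguous and is treated here as a finding to investigate rather than quietly passed, which is the conservative choice for a control whose whole purpose is to produce no response.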
Network segmentation can be extremely tricky, especially for those without a technical security background; therefore, PCI DSS requires that segmentation controls be tested and validated on a regular basis, especially for SAQ A-EP, SAQ C, and SAQ D.
Even back in 2016, a year after the initial requirements released by the PCI DSS took effect, the majority of first-time segmentation checks performed by SecurityMetrics received a failing status. Organizations that believed their less-secure zones (such as the guest Wi-Fi) were isolated from the CDE were incorrect. Their high-security networks (the CDE) were exposed.
There are many reasons that organizations fail their first segmentation check:
You need to decide who is performing your segmentation check (e.g., in-house staff or a third party).
If you hire a third party, make sure the penetration tester you select follows acceptable penetration testing procedures and that you act on the report they give you (i.e., fix the problems they find). Then collect information for your penetration tester, such as: have you experienced a security incident in the past 12 months (e.g., phishing or malware)? Have you made changes to the environment? Tell your penetration tester all of this so they can design tests that validate your changes.
If you use an in-house penetration tester, they must follow acceptable penetration testing procedures when conducting your check (e.g., NIST SP 800-115, the OWASP Testing Guide, etc.). They also need to be aware of the vulnerabilities and threats prevalent in the industry and design tests to check for those issues in your networks and applications. Make sure they are organizationally separate from the design, maintenance, or administration of the target environment.
Scanning can be a difficult task. If the address space of the secure zone is large, a high number of access attempts are required to fully cover it. In addition, the behavior of the isolation firewall will sometimes hinder the testing or produce confusing results (for example, a firewall that silently drops packets leaves every port "filtered" and makes the scan very slow, while one that answers with resets or ICMP errors can make hosts appear reachable when they are not). In these cases, the tester has to adjust the testing parameters and retry the tests. This all takes time and considerable skill to perform successfully.
So while you can perform the testing in-house against your critical networks (using a resource independent of the design and administration of the segmentation), it often makes sense to use the services of outside specialists.
Obviously, to test network segmentation, some degree of presence on the actual network is required. This requirement could be met by actually sitting the tester in the physical location with the computer plugged into the untrusted network. However, the cost of sending a third-party tester to the physical location is high.
Another alternative is to send a proxy device to the testing location and have this plugged into the segment by onsite technicians. This device then creates a VPN tunnel to the third-party’s testing equipment. This is a less expensive solution that still meets the testing objectives.
Penetration testers should be well versed in:
If you plan to do in-house segmentation checks, there are a few things to consider. First, make sure the segmentation check is performed by an individual that is organizationally separate from the design, maintenance, or administration of the target environment and is qualified (with documented experience and expertise).
Next, the methodology used will differ depending on the type of segmentation used to isolate the less-secure networks. The majority of assessments SecurityMetrics performs target rule-based (typically firewall) segmentation.
For these environments, a standard test has three parts:
Where routing restrictions prevent any packets from being delivered to the destination segment, scanning techniques are not required. In these instances, providing evidence (such as traceroutes that demonstrate packets are never routed toward the segment's firewall) should be sufficient.
For systems that are air-gapped, documentation is typically sufficient. Some QSAs will occasionally request that ICMP, TCP, and UDP port scans be performed in order to validate that no additional access (for example, across the Internet) exists between the two systems.
First, establish what your organization considers a major change. What might be a major change to a smaller organization is only a minor change in a large environment. For any organization size, if you bring in new hardware or start accepting card data in a different way, that constitutes a major change.
Whenever large infrastructure changes occur, you'll want to perform a formal penetration test to see whether the change introduced any new vulnerabilities, in addition to your annual penetration test.
In addition to performing a check after each major change to a network environment, PCI requires that segmentation checks be performed:
For environments where firewall rules are routinely changing (more than twice per year), SecurityMetrics recommends once per quarter.
MERCHANTS WHO USE NETWORK SEGMENTATION NEED TO PERFORM A SEGMENTATION CHECK AT LEAST YEARLY.
While the real goal is to actually have secure networks and systems, that objective can only be demonstrated to an assessor through documentation. So the sub-goal is to generate documents showing compliance with the requirements. In the spirit of meeting the real security objective, the documents should confirm that tests were performed from each of the untrusted zones and that the targeted secure zone was unreachable from every one of them.
Perhaps the best way to demonstrate compliance is to perform and document regular weekly or monthly tests of the network segmentation. Then, to clearly demonstrate that the security objectives have been met, contract with a third party and have the rules validated independently on the required interval (every six months for service providers, at least yearly for merchants).
Whenever your organization makes a significant network change, you should perform a segmentation check. To prepare for your segmentation check, decide who should perform it (e.g., in-house staff or a third-party vendor).
Segmentation check reports typically contain suggestions for remediation. Make sure to take adequate time to address the report's advice and fix the identified vulnerabilities on a prioritized basis.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security.