Cyberattacks are increasing in scale, scope, and complexity with every passing day. As hackers and their attack methods become more sophisticated your business must respond in kind or else have your security perimeter overwhelmed.
These days internal network segmentation is one of the primary ways that you can minimize risk of a successful attack, improve data flow, and isolate critical payment data.
However, if you go that route, the most recent version—3.2—of the Payment Card Industry Data Security Standard (PCI-DSS) compels service providers to conduct penetration tests on segmentation controls every six months.
Below we’ll review the purpose of network segmentation and how penetration testing can ensure that the network is properly segmented and secured.
What is Internal Network Segmentation?
To understand the reasons for and merits of network segmentation penetration testing it’s vital to detail how network segmentation actually works.
Network segmentation splits a computer network into smaller segments, most often by placing groups of systems in their own virtual local area networks (VLANs) or subnets with a firewall or access control list enforcing what may cross between them. It groups and isolates applications or systems according to their security priority. Separating high-security networks from less-secure ones reduces risk and brings several practical benefits:
- Control flow of traffic between subnets
- Block entire traffic flows
- Boost network performance by restricting traffic
- Localize network issues
- Prevent unauthorized network traffic or attacks from reaching high-security areas
Most organizations that accept electronic payments handle (store, process, or transmit) cardholder data (CHD) such as:
- Card number (the primary account number, or PAN)
- Cardholder name
- Expiration date
- CVV (this one is sensitive authentication data, which PCI DSS forbids storing after authorization, even in encrypted form)
A cardholder data environment (CDE) is the set of people, processes, and technologies that store, process, or transmit that cardholder data, together with the network segments that hold those systems. It is regulated by the PCI DSS, which stipulates various restrictions on access to it.
The Security Threat Posed by Flat Networks
Many networks are still set up as flat networks. Every server and workstation sits on the same local area network (LAN), so each application and system inside the network can communicate with and connect to everything else.
While this practice might create some efficiencies, from a security standpoint, the openness is a detriment since most of these systems have no need to interact. Providing that open communication channel creates a vulnerability that hackers or malware can exploit.
After a hacker breaches a network they use a methodology known as “pivoting,” wherein they leverage a compromised device to access other devices and move throughout the network.
If a network is not segmented, once a hacker breaks through the firewall, they can pivot and then move throughout the system at will. In hours, if not minutes, the hacker or malicious code can then compromise the entire system, making off with all of the critical private data, including:
- Social security numbers
- Credit card numbers
- Bank account information
Types of Internal Network Segmentation
Today, each company employs a different variation of network segmentation. There’s no universal configuration for all businesses and networks, since each has its own functions and requirements; however, there are four primary types of network segmentation that many companies use:
- Physical layer Segmentation – Two networks are separated by a physical layer, “meaning that there is a change or disruption in the physical transmission medium that prevents data from traversing from one network to another.”
- Firewall segmentation – Firewalls are deployed to limit attack surface by creating internal zones, separating functional areas from sensitive ones. Enforcement depends entirely on the rule base: every rule between zones must be written, reviewed, and kept current, and a single overly broad “any/any” rule undoes the segmentation.
- Software-defined networking (SDN) – “A category of technologies that separate the network control plane from the forwarding plane to enable more automated provisioning and policy-based management of network resources.”
- Micro-segmentation – Instead of relying on subnets or perimeter firewalls, policy is enforced at each host or workload. Every mainstream workload operating system ships with a native firewall (or an agent can provide one) that blocks traffic unless expressly permitted, so two machines in the same VLAN can still be isolated from each other.
Pentesting Internal Network Segmentation
Before we can dive into testing it’s important to clarify three basic terms:
- CDE in-scope – VLANs that store, process, or transmit cardholder data. This segment needs to be isolated, held to the highest security level, and closed to external access.
- Non-CDE in-scope (“connected-to”) – VLANs that do not handle cardholder data but connect to the CDE or can affect its security, such as patch servers, directory servers, or log collectors. They hold no card data, but a foothold on them is a path into the CDE, so they stay in scope.
- Non-CDE out-of-scope – VLANs that fall into neither category. They must be blocked from communicating with CDE in-scope segments, and proving that this block works is what the segmentation test is for.
Pentesting is a crucial way to maintain compliance and to confirm that you’re taking the right steps to protect your customers. According to the PCI DSS guidance for Requirement 11.3.4:
Penetration testing is an important tool to confirm that any segmentation in place to isolate the CDE from other networks is effective. The penetration testing should focus on the segmentation controls, both from outside the entity’s network and from inside the network but outside of the CDE, to confirm that they are not able to get through the segmentation controls to access the CDE. For example, network testing and/or scanning for open ports, to verify no connectivity between in-scope and out-of-scope networks.
Two stipulations in the current version of PCI DSS deserve particular attention:
- A segmentation check has to be conducted by an independent party, whether a third party or a qualified internal resource (someone who doesn’t manage, maintain, or design the environment).
- Service providers must perform segmentation checks at least every six months, and after any change to segmentation controls or methods.
What’s a Segmentation Check?
To check your network segmentation, your company must perform a series of penetration tests to confirm that the CDE cannot be reached from less-secure networks. The goal of these tests is to confirm that segmentation is working as intended and that there are no gaps a hacker or malicious program could exploit.
Pentesters run port scans, typically with Nmap, from inside each out-of-scope segment against the entire CDE address range, and repeat them from outside the network. The scan should cover all 65,535 TCP ports plus UDP and ICMP rather than Nmap’s default top 1,000 ports, since a single overlooked port is enough to defeat the control. If no CDE address answers on any port, the segmentation is working; any open port, or any host that responds at all, is a finding to investigate.
Although there are several reasons why a segmentation check might fail, the most common failures involve:
- Misconfigured firewall
- Legacy rules that weren’t removed
- A third-party or managed-service provider that added access by mistake
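The scan-and-verify step described above, as an added example (not part of the original article and not any vendor's tool): a Python script that post-processes the grepable output of a full-port Nmap scan of the CDE range, run from an out-of-scope segment, and decides whether the check passed. The CDE range 10.10.20.0/28, the nmap command line in the docstring, and the sample scan output are all constructed for illustration.

```python
"""Decide whether a segmentation scan of the CDE passed.

Added example, not code from the original article or from any vendor.
Assumption: from a host on an out-of-scope VLAN the tester ran a full-port
scan of the CDE range with grepable output, e.g.
    nmap -Pn -n -sS -p- -oG cde_tcp.gnmap 10.10.20.0/28
The 10.10.20.0/28 range and the sample output below are constructed. The
parser tolerates hosts with only a Status line, an empty Ports list, or only
an Ignored State field, since that layout varies between Nmap versions.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass, field

# Port states that mean Nmap got no answer at all (packets were dropped).
NO_RESPONSE = {"filtered", "open|filtered"}


@dataclass
class PortResult:
    host: str
    port: int
    proto: str
    state: str


@dataclass
class Verdict:
    hosts_scanned: set[str] = field(default_factory=set)
    open_ports: list[PortResult] = field(default_factory=list)   # definite failure
    responsive: list[PortResult] = field(default_factory=list)   # closed etc.: something answered
    responsive_hosts: set[str] = field(default_factory=set)      # bulk of ports answered, not filtered

    @property
    def passed(self) -> bool:
        # The check passes only when nothing in the CDE range answered on anything.
        return not (self.open_ports or self.responsive or self.responsive_hosts)


def evaluate_gnmap(text: str) -> Verdict:
    """Parse -oG output: each 'Host:' line carries tab-separated fields."""
    v = Verdict()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # '# Nmap ...' header and footer lines
        fields = line.split("\t")
        host = fields[0].split()[1]                   # 'Host: 10.10.20.1 ()' -> 10.10.20.1
        v.hosts_scanned.add(host)
        for fld in fields[1:]:
            if fld.startswith("Ports:"):
                # Entries look like 443/open/tcp//https/// (port/state/proto/owner/service/...).
                for entry in fld[len("Ports:"):].split(","):
                    entry = entry.strip()
                    if not entry:
                        continue
                    port, state, proto = entry.split("/")[:3]
                    r = PortResult(host, int(port), proto, state)
                    if state == "open":
                        v.open_ports.append(r)
                    elif state not in NO_RESPONSE:
                        v.responsive.append(r)
            elif fld.startswith("Ignored State:"):
                # 'Ignored State: closed (65535)' means the unlisted ports sent RSTs:
                # the host, or a firewall that rejects instead of drops, is reachable.
                if fld.split()[2] not in NO_RESPONSE:
                    v.responsive_hosts.add(host)
    return v


# Constructed sample of a failing check: one open port, one RST, one host that
# answers 'closed' on everything, one host that stays silent.
FAILING_SCAN = """\
# Nmap 7.94 scan initiated Tue Mar  5 09:00:00 2024 as: nmap -Pn -n -sS -p- -oG - 10.10.20.0/28
Host: 10.10.20.1 ()\tStatus: Up
Host: 10.10.20.1 ()\tPorts: 22/closed/tcp//ssh///, 443/open/tcp//https///\tIgnored State: filtered (65533)
Host: 10.10.20.2 ()\tStatus: Up
Host: 10.10.20.2 ()\tPorts: \tIgnored State: filtered (65535)
Host: 10.10.20.3 ()\tStatus: Up
Host: 10.10.20.3 ()\tPorts: \tIgnored State: closed (65535)
Host: 10.10.20.4 ()\tStatus: Up
# Nmap done at Tue Mar  5 10:12:33 2024
"""

# Constructed sample of a passing check: every port on every host was dropped.
PASSING_SCAN = """\
Host: 10.10.20.1 ()\tPorts: \tIgnored State: filtered (65535)
Host: 10.10.20.2 ()\tPorts: \tIgnored State: filtered (65535)
"""


def report(name: str, v: Verdict) -> None:
    print(f"{name}: {'PASS' if v.passed else 'FAIL'} ({len(v.hosts_scanned)} hosts scanned)")
    for r in v.open_ports:
        print(f"  FAIL  {r.host}:{r.port}/{r.proto} open from the out-of-scope segment")
    for r in v.responsive:
        print(f"  CHECK {r.host}:{r.port}/{r.proto} {r.state} (host or rejecting firewall answered)")
    for h in sorted(v.responsive_hosts):
        print(f"  CHECK {h} answered on the bulk of its ports")


if __name__ == "__main__":
    if len(sys.argv) > 1:                             # real scan: python seg_check.py cde_tcp.gnmap
        with open(sys.argv[1]) as fh:
            report(sys.argv[1], evaluate_gnmap(fh.read()))
    else:
        report("constructed failing scan", evaluate_gnmap(FAILING_SCAN))
        report("constructed passing scan", evaluate_gnmap(PASSING_SCAN))
```

Run it once per out-of-scope segment on the TCP scan and again on a UDP scan (`-sU`), because a pass on TCP alone is not a pass. A closed port is deliberately not ignored: a RST means either the CDE host or a firewall that rejects rather than drops answered, and the tester has to establish which before the check can be recorded as clean.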
Tips for Segmentation Checks
If you’re required to perform network segmentation penetration testing, there are several considerations to keep in mind. Steps to follow include:
Carefully Choose the Tester
As mentioned, you have two options for an independent tester—a third party or an in-house tester.
- Third party – If you use a third party, the tester must follow standard penetration testing procedures. Should they report issues, fix them immediately. Afterwards, document the vulnerabilities and the changes made; that record informs the next set of verification tests.
- In-house – An internal tester must be organizationally separate from the design of the targeted system; they can’t take any part in the design, maintenance, or administration. The tester then must abide by approved penetration testing procedures and document their efforts.
Although it is possible to perform a test in-house, it typically is less effective than enlisting the help of an outside specialist.
Set Third-Party Testing Standards
A network can be tested in one of two ways: on site, with the tester physically connected to the segment under test, or remotely, through a VPN tunnel or a testing appliance (the “proxy device”) placed in that segment. An on-site test is often the more expensive route, and it provides few benefits compared to simply connecting the tester to the system over a VPN tunnel. Whichever route you choose, the scans must originate from inside each segment being evaluated (every out-of-scope VLAN, plus the Internet); a VPN that terminates in an administrative VLAN tests that VLAN’s rules, not the others.
When selecting a tester, it’s vital that they know:
- Internal and external testing procedures and philosophies
- Black hat attack methods
- Scripting languages
- Segmentation testing
- Testing tools
- Operating systems
- Network technologies
- Web front-end technologies
- Networking protocols
- Web APIs
Determine the Frequency of Segmentation Checks
Major changes to the system or infrastructure necessitate segmentation checks. What constitutes a major change in the system largely depends on the size of your organization; a significant change to a smaller business may be an insignificant one to a larger enterprise. Whatever you decide, it’s important that you clearly define it.
In addition to this, PCI DSS stipulates that a segmentation check happen:
- At least every six months for service providers
- At least annually for merchants
Demonstrate PCI Compliance
While it’s important that you’re internally verifying that your defenses and segmentation hold up, the test also demonstrates to outsiders, such as your assessor, that you’re abiding by the rules.
The only way to prove that you’re PCI compliant is through rigorous documentation.
Documents should show:
- Required tests were performed regularly
- Target secure zones couldn’t be reached
- Corrective actions were taken (if they could be reached)
- New tests were conducted to verify that the corrective actions were effective
How Do You Segment a Network?
Segmentation isn’t an easy process. In most cases, it’s best to work with experts to help you perform both the configuration set up as well as the tests. Regardless, there are some simple steps you can follow to facilitate the process, including:
- Assign someone to map card data flow – It’s vital that you know how your business runs and where card data flows within the organization (where it’s entered, used, transmitted, or stored). Knowing this lets you shrink the scope of the CDE.
- Conduct employee interviews – Whether it’s accounting, sales, customer service, or web development, your employees can surface undocumented processes that touch card data (a spreadsheet, a fax queue, a support ticket with a card number pasted in). The more you know about the card data environment, the better.
- Create a data flow diagram – To better visualize how data flows throughout the organization build flow diagrams that show the location and movement of card data.
- Utilize card data discovery tools – Some data can reach systems that would be undetectable with a manual search. Various scanning tools can help comb through the entire system for unencrypted payment data.
- Select your segmentation methodology – As discussed, there are several different ways you can segment CDEs, the most popular of which is firewall segmentation.
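The discovery step (the fourth item above), as an added example that is not the article's code and not any commercial tool's: the core of a card-data discovery scan in Python. It extracts candidate digit runs, discards those that fail the Luhn check that every real PAN satisfies, and reports only a masked form so the findings file does not itself become cardholder data. The sample log lines are constructed and use the publicly known test numbers 4111111111111111 and 378282246310005.

```python
"""Card-data discovery: find unencrypted PANs in text during CDE scoping.

Added example, not code from the original article or from any commercial
discovery tool. Digit runs of PAN length (13 to 19 digits, optionally grouped
with spaces or hyphens) are extracted, kept only if they pass the Luhn check,
and reported masked. SAMPLE_LOG is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13 to 19 digits, each optionally followed by one space or hyphen, and not
# embedded in a longer digit run (those are more likely hashes or IDs).
CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2   # 10..18 -> 1..9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, which PCI DSS allows to be displayed."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    source: str
    line_no: int
    masked_pan: str


def find_pans(source: str, text: str) -> list[Finding]:
    """One Finding per Luhn-valid candidate, with its line number and masked PAN."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(source, line_no, mask(digits)))
    return findings


# Constructed sample: debug logging that should never have contained card
# data, a support ticket, and lines that look like card numbers but are not.
SAMPLE_LOG = """\
2024-03-05 09:14:02 order=88213 status=approved
2024-03-05 09:14:02 DEBUG raw_request pan=4111111111111111 exp=12/26
2024-03-05 09:15:40 DEBUG raw_request pan=4111-1111-1111-1112 exp=01/27
ticket 1234567890123: customer read card 3782 8224 6310 005 over the phone
sha1=356a192b7913b04c54574d18c28d46e6395428ab
"""


if __name__ == "__main__":
    for f in find_pans("app.log", SAMPLE_LOG):
        print(f"{f.source}:{f.line_no}: possible PAN {f.masked_pan}")
```

Real discovery tools also crawl file shares, databases, mail stores, and process memory, and filter on known issuer prefixes to cut false positives. The Luhn filter alone still lets roughly one in ten random digit strings through, which is why a timestamp or ticket number occasionally turns up as a hit and every finding needs a human look before it changes the CDE scope.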
Benefits of Segmentation
There are dozens of reasons why segmentation is a critical addition to your cybersecurity defenses, including:
- Reduces attack options – If you can’t communicate with a machine it’s practically impossible to compromise it. Segmentation blinds a hacker so that even if they can get into the network, there’s nowhere they can pivot to.
- Increases chances of detection – When hackers move between segmented networks they increase the likelihood that they’re detected at an internal monitoring choke point. Your intrusion detection system sensors and firewalls can alert you when something wrong is happening. By monitoring choke points you make it harder for a hacker to have unfettered access without your knowledge.
- Improved performance – With fewer hosts per subnet, local traffic is reduced. Confining broadcast traffic to its own subnet frees bandwidth across the whole network.
- Better containment – Even if a hacker gains access, the damage is limited to that segment until they can also get through the boundary control. Each segment must be compromised separately.
- Hacking becomes harder work – Thieves in general look for easy targets. They want to be in and out before anyone can find out. Network segmentation forces them to compromise several systems to get anything useful. Each additional segmentation increases the time and skill investment required to succeed, which also increases the chances that they’re caught in the process.
- Separates sensitive and vulnerable machines – Most companies run plenty of systems that never touch sensitive data, and some that are exposed and hard to patch (public-facing web servers, user workstations, legacy systems). Keep both groups in segments separate from the systems that hold sensitive data, so that a compromise of an exposed host does not lead straight to it.
RSI Security — Your Network Segmentation Security Partner
Internal network segmentation is one of the most important steps you can take to protect cardholder data from malicious programs or hackers. But the only way to confirm that segmentation is working as intended is through regular segmentation penetration tests.
Introducing network segmentation adds significant complexity to your network environment. To implement it correctly and then verify that it’s working you need a team to help you plan, execute, and test the segmentation.
At RSI Security we specialize in all things cybersecurity and provide a host of compliance and penetration testing services. With over a decade of experience under our belt we’re confident that we can help you bolster your cybersecurity defenses. Interested? Contact RSI today!