New 3.2 Requirements for Penetration Testing and Segmentation: What You Don’t Know
Do you segment your networks? If so, you’ll want to listen up.
|By: Chad Horton|
Penetration Testing Manager
SEE ALSO: Different Types of Penetration Tests for Your Business Needs
Many businesses may not know much about what network segmentation entails.
Here are some answered questions about network segmentation and penetration testing.
What is network segmentation?
There are three main types of segmentation that are typically used today:
- Firewall rules
- Route restrictions
- Air gap (physically independent infrastructure)
Why use network segmentation?Keep in mind that while network segmentation isn’t required by the PCI DSS, it’s a recommended strategy to reduce your PCI scope and secure your data.
By isolating less-secure networks from high-secure networks, businesses can ensure that a compromise in the less-secure network does not affect the security of other high-security networks.
In addition to reducing risk, network segmentation can also reduce the time and cost associated with becoming PCI compliant. Through isolation of less-secure networks from the CDE, the requirements defined in the PCI DSS do not apply to the less-secure networks.
SEE ALSO: How Does Network Segmentation Affect PCI Scope?
What is a segmentation check?A segmentation check is a series of penetration tests used to validate that less-secure networks are not able to communicate with high-secure networks (typically the CDE).
Basically, you’re testing the controls to make sure the segmentation in your business is working properly and doesn’t have any security holes.
SEE ALSO: How Much Does a Pentest Cost?
Why do segmentation checks?The PCI DSS has stated that segmentation controls must be tested and validated on a regular basis.
Even in 2016, a year after the initial requirements were released by the PCI DSS, the majority of first-time segmentation checks performed by SecurityMetrics have received a failing status. Organizations who believed that less-secure zones (such as the guest Wi-Fi) were isolated from the CDE were incorrect. Their high-secure networks (CDE) were exposed.
There are many reasons that organizations fail their first segmentation check:
- Misconfigured firewall
- Legacy rules were not removed
- Third party management service incorrectly added access
How to perform a segmentation checkDepending on the type of segmentation used to isolate less-secure networks, the methodology used will differ. The majority of assessments SecurityMetrics performs target rule-based (typically firewall) segmentation. For these types of environments, there are three parts to the test included in a standard test:
- ICMP scan
- TCP port scan
- UDP port scan
For systems that are air gapped, documentation is typically sufficient. Some QSAs will occasionally request that ICMP, TCP, and UDP port scans to be performed in order to validate that additional access (across the Internet) does not exist between the two systems.
How often should a segmentation check be performed?In addition to performing a check after each major change to a network environment, PCI requires that segmentation checks be performed:
- Once every year for merchants
- Once every six months for merchant service providers
Who can perform this test?Segmentation checks must be performed by any individual that:
- is organizationally separate from the design, maintenance, or administration of the target environment
- Is qualified (has documented experience and expertise)
Why SecurityMetrics?SecurityMetrics has recently developed a product, specifically equipped to perform segmentation checks at an affordable price.
Separating and securing your networksNetwork segmentation is a great way to isolate and reduce the cost and time of securing your business’s data. You just need to regularly validate that you actually are separating and securing your networks.
Remember, network segmentation is useless if it’s not done correctly.
Need help with segmentation checks and penetration testing? Talk to us!
Chad Horton has been the Penetration Testing Manager at SecurityMetrics for over five years. His responsibility includes managing a team of eight employees who conduct manual assessments of web applications and corporate networks. In addition, Horton is QSA, CISSP, and CompTIA Security+ certified, and has written numerous web application tools to assist in exploiting vulnerabilities.