
Do you segment your networks? If so, you’ll want to listen up. 

By: Chad Horton, Penetration Testing Manager, CISSP, QSA
PCI DSS 3.2 introduced new requirements for penetration testing and network segmentation. Under new requirement 11.3.4.1, service providers that use segmentation must perform penetration tests on their segmentation controls every six months. Previously, the requirement was once per year.


Many businesses may not know much about what network segmentation entails.
Here are answers to some common questions about network segmentation and penetration testing.

What is network segmentation? 

Network segmentation is a common practice for reducing risk within a network environment by restricting access to high-security networks (such as the Cardholder Data Environment, or CDE) from less-secure networks (such as guest Wi-Fi).

There are three main types of segmentation that are typically used today:
  1. Firewall rules
  2. Route restrictions
  3. Air gap (physically independent infrastructure)
The most common form of segmentation that SecurityMetrics encounters is through firewall rules.

Why use network segmentation?  

Keep in mind that while network segmentation isn’t required by the PCI DSS, it’s a recommended strategy to reduce your PCI scope and secure your data.

By isolating less-secure networks from high-secure networks, businesses can ensure that a compromise in the less-secure network does not affect the security of other high-security networks.

In addition to reducing risk, network segmentation can also reduce the time and cost associated with becoming PCI compliant. Through isolation of less-secure networks from the CDE, the requirements defined in the PCI DSS do not apply to the less-secure networks.


What is a segmentation check?

A segmentation check is a series of penetration tests used to validate that less-secure networks are not able to communicate with high-secure networks (typically the CDE).

Basically, you’re testing the controls to make sure the segmentation in your business is working properly and doesn’t have any security holes.


Why do segmentation checks?

The PCI DSS has stated that segmentation controls must be tested and validated on a regular basis.

Even in 2016, a year after the initial requirements were released by the PCI DSS, the majority of first-time segmentation checks performed by SecurityMetrics received a failing status. Organizations that believed their less-secure zones (such as the guest Wi-Fi) were isolated from the CDE were incorrect: their high-secure networks (CDE) were exposed.

There are many reasons that organizations fail their first segmentation check:

How to perform a segmentation check 

The methodology differs depending on the type of segmentation used to isolate the less-secure networks. The majority of assessments SecurityMetrics performs target rule-based (typically firewall) segmentation. For these environments, a standard test has three parts:
  • ICMP scan
  • TCP port scan
  • UDP port scan
Where routing restrictions prevent any packets from being delivered to the destined segment, scanning techniques are not required. In these instances, providing evidence, such as traceroutes that demonstrate packets are not routed to the correct firewall, is sufficient.

For systems that are air gapped, documentation is typically sufficient. Some QSAs will occasionally request that ICMP, TCP, and UDP port scans be performed in order to validate that additional access (across the Internet) does not exist between the two systems.
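The three-part rule-based check above, as an added example (not SecurityMetrics' own tooling): run from a host on the less-secure segment, every ICMP, TCP and UDP probe toward the CDE is expected to be blocked, and any reachable result is reported as a segmentation finding. The CDE address and ports are constructed placeholders, and the ICMP probe assumes Linux `ping` flags.

```python
import socket
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Probe:
    target: str
    proto: str          # "icmp", "tcp" or "udp"
    port: Optional[int]
    reachable: bool     # True means the CDE host answered: a segmentation failure

def icmp_probe(host: str, timeout: int = 2) -> Probe:
    # Uses the system ping (Linux flags) so no raw-socket privileges are needed.
    rc = subprocess.run(["ping", "-c", "1", "-W", str(timeout), host],
                        capture_output=True).returncode
    return Probe(host, "icmp", None, rc == 0)

def tcp_probe(host: str, port: int, timeout: float = 2.0) -> Probe:
    # A completed handshake proves a path through the firewall; refused,
    # filtered and timed-out connections all count as blocked.
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return Probe(host, "tcp", port, True)
    except OSError:
        return Probe(host, "tcp", port, False)

def udp_probe(host: str, port: int, timeout: float = 2.0) -> Probe:
    # UDP is connectionless: a datagram reply or an ICMP port-unreachable (seen as
    # ConnectionRefusedError) both show the packet reached the host; silence is blocked.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(b"\x00", (host, port))
            s.recvfrom(512)
            return Probe(host, "udp", port, True)
        except ConnectionRefusedError:
            return Probe(host, "udp", port, True)
        except OSError:                      # timeout, no route, etc.
            return Probe(host, "udp", port, False)

def evaluate(probes: List[Probe]) -> Tuple[bool, List[str]]:
    # Pass only if nothing in the CDE answered from the less-secure segment.
    findings = [f"{p.proto.upper()} {p.target}" + (f":{p.port}" if p.port is not None else "")
                for p in probes if p.reachable]
    return (not findings, findings)

if __name__ == "__main__":
    cde = ["10.10.0.5"]   # constructed placeholder address for a CDE host
    results = [icmp_probe(h) for h in cde]
    results += [tcp_probe(h, p) for h in cde for p in (22, 443, 3389)]
    results += [udp_probe(h, p) for h in cde for p in (53, 161)]
    ok, findings = evaluate(results)
    print("PASS" if ok else "FAIL: " + ", ".join(findings))
```

A "PASS" here is only evidence for the probed hosts and ports; a QSA will still expect the scan output to be kept alongside the firewall rule set it was validating.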

How often should a segmentation check be performed? 

In addition to performing a check after each major change to a network environment, PCI requires that segmentation checks be performed:
  • Once every year for merchants
  • Once every six months for merchant service providers
For environments where firewall rules change routinely (more than twice per year), SecurityMetrics recommends a check once per quarter.

Who can perform this test?

Segmentation checks must be performed by an individual who:
  • is organizationally separate from the design, maintenance, or administration of the target environment
AND
  • is qualified (has documented experience and expertise)

Why SecurityMetrics?

SecurityMetrics has recently developed a product specifically equipped to perform segmentation checks at an affordable price.

Separating and securing your networks

Network segmentation is a great way to isolate and reduce the cost and time of securing your business’s data. You just need to regularly validate that you actually are separating and securing your networks.

Remember, network segmentation is useless if it’s not done correctly.

Need help with segmentation checks and penetration testing? Talk to us! 

Chad Horton has been the Penetration Testing Manager at SecurityMetrics for over five years. His responsibility includes managing a team of eight employees who conduct manual assessments of web applications and corporate networks. In addition, Horton is QSA, CISSP, and CompTIA Security+ certified, and has written numerous web application tools to assist in exploiting vulnerabilities.
