Segmentation, Scoping, and Penetration Testing

Are you a service provider? Do you use segmentation for the purpose of PCI scope reduction? PCI Requirement 11.3.4.1 outlines new PCI penetration testing requirements and caused confusion among many service providers. PCI Requirement 11.3.4.1 states, “If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.”

PCI Requirement 11.3.4.1 requires that a penetration test, which validates the scope and effectiveness of segmentation controls, be performed every six months or after any changes to segmentation controls. The purpose of this additional penetration test is to ensure that segmentation controls continue to operate effectively throughout the year. The continual, complete isolation between CDE and non-CDE systems is key to your PCI compliance.

Our approach to compliance with PCI Requirement 11.3.4.1 involves more than simply validating segmentation controls through port scanning activities. The PCI DSS specifies that penetration testing must be performed, meaning that it is not sufficient to only perform something like nmap scans from non-CDE to CDE networks. Additional effort is required in order to meet this requirement for penetration testing, and our team of penetration testers is ready to help.

PCI Requirement 11.3.4.1 is a new requirement introduced in PCI DSS v3.2. It states that if you are a service provider, you need to validate that your segmentation is in place at least every six months, and also after any significant changes to the environment or controls that might affect your segmentation.

Segmentation and Penetration Testing

Does your organization use segmentation to isolate your cardholder data environment from other networks? Penetration testing can be a tool to ensure that your segmentation controls are working. PCI Requirement 11.3.4 addresses this methodology. It states, “If segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the cardholder data environment.”

The PCI Requirement 11.3.4 guidance explains, “The penetration testing should focus on the segmentation controls, both from outside the entity’s network and from inside the network but outside of the cardholder data environment, to confirm that they are not able to get through the segmentation controls to access the cardholder data environment.”

If your organization uses segmentation as a control or as a means to reduce the scope of your environment, your penetration test needs to include validation that whatever segmentation controls you have are in place and effective. For this test, we are looking for something in the penetration test report documenting that segmentation was tested and validated.

What To Do with Exploitable Vulnerabilities

The purpose of penetration testing is to find vulnerabilities before an attacker does; when you find them, those vulnerabilities need to be corrected. PCI Requirement 11.3.3 states, “Exploitable vulnerabilities found during penetration testing are corrected, and testing is repeated to verify the corrections.”

During an assessment, you will provide your assessor with penetration testing results that verify that you found and implemented a solution to exploitable vulnerabilities, and you repeated testing to confirm this.

During the test, your penetration testers will identify vulnerabilities, and you are expected to resolve those findings. You are also required to keep a copy of the original penetration test report for your assessor to review. After you have completed remediation, you must perform a retest to validate that the items identified in the original penetration test have been appropriately resolved and are no longer vulnerabilities within your environment.

Internal Penetration Testing

PCI Requirement 11.3.2 requires that organizations perform internal penetration testing at least annually and after any significant upgrade or modification. Internal penetration tests focus on servers, workstations, and other network devices that are within the target environment. The goal is to identify exploitable weaknesses that could allow an attacker to gain access to these systems, ultimately leading to access to sensitive data.

When determining what constitutes a significant change, the PCI DSS guidance states, “The determination of what constitutes a significant upgrade or modification is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant. Performing penetration tests after network upgrades and modifications provides assurance that the controls assumed to be in place are still working effectively after the upgrade or modification.”

PCI Requirement 11.3.2 is much the same as PCI Requirement 11.3.1. You need to perform an internal penetration test of your environment. We have already talked about internal and external tests, but these tests need to be performed by qualified, competent staff. The tests also need to be performed annually and after any significant changes. Anything identified during that test needs to be resolved, and then a retest will occur to validate that you have closed out those issues.

From an assessment perspective, we are looking at your penetration testing methodology. We are looking at the results of this, and we are making sure that you have done your internal and external tests. We are also making sure that those individuals who have done these tests are qualified to do so.

External Penetration Tests

PCI Requirement 11.3.1 requires that organizations perform external penetration testing at least annually and after any significant upgrade or modification. External penetration tests focus on servers, workstations, and other network devices that are within the target environment. The goal is to identify exploitable weaknesses that could allow an attacker to gain access to these systems, ultimately leading to access to sensitive data.

When determining what constitutes a significant change, the PCI Requirement 11.3.1 guidance states, “The determination of what constitutes a significant upgrade or modification is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant. Performing penetration tests after network upgrades and modifications provides assurance that the controls assumed to be in place are still working effectively after the upgrade or modification.”

When a penetration test is conducted, it needs to be conducted against both your external environment and your internal environment. We are looking from the Internet, trying to get in, and typically also from your corporate environment, trying to get into the cardholder data environment. From an assessment perspective, we are looking at the results of the penetration test and the subnets covered by those results. For example, we are looking at where the test took place and the direction from which each attack was made.