Based on feedback I am getting, my previous posts on network segmentation are still not getting the point across regarding what proper network segmentation is. So, this time I am going to use my post regarding the Control Triad and hopefully everyone will now understand what constitutes appropriate network segmentation.
As a quick refresher, the control triad is comprised of preventative controls, detective controls and corrective controls. All three control types are required to ensure a secure environment. The more individual controls you have under each of the three control types, the less likely an incident will occur and the more coverage you should be able to afford your organization should a control temporarily go out of compliance. However, an individual control can really only appear under one of the control types; otherwise that control is diluted, as it becomes a single point of failure that stops the control triad from functioning properly. With that explanation, let us look at proper network segmentation from the control triad perspective.
The following would be considered the minimum preventative controls when talking about network segmentation.
- Firewall(s) with rules that restrict traffic to a limited number of ports to/from the cardholder data environment.
- Router(s) with ACLs that restrict traffic to a limited number of ports to/from the cardholder data environment.
- VLAN(s) with ACLs that restrict traffic to a limited number of ports to/from the cardholder data environment.
- Private wireless network(s) use separate VLAN(s) from the cardholder data environment with access controls enforced for any access to the cardholder data environment from wireless. Private wireless access points are configured with WPA2 using Enterprise authentication and AES 128-bit or greater encryption.
- Software firewall on server(s) in the cardholder data environment that restricts traffic to a limited number of ports/services to/from the server(s).
- Restricted administrative access to infrastructure devices in or controlling access to the cardholder data environment.
- Access controls that restrict administrative and end-user access to applications in the cardholder data environment or that access the cardholder data environment.
Remember, when I say “limited number of ports to/from” I mean a very limited number of ports. Yes, there may be instances where you might have 100 ports open to/from your cardholder data environment, but you better have a valid business reason for every one of those 100 ports. And just so we are all clear, a valid business reason documents the reason why the port needs to be open, the risk presented to the cardholder data environment by the port being open, the actions that have been taken to minimize those risks, and management approval of the port being open. And the business reason for opening a port needs to be more than just “it needs to be open” or “the application will not function unless it is open.” You need to document why it has to be open so that in the event of a breach you can quickly rule out the ports that might have been the cause based on the type of attack.
When we talk about restricting access, you need to actually restrict access. In small and mid-sized organizations, restricting access to a subset of personnel might not be feasible. In those cases, forcing personnel to go to management to gain access is the way to properly provide control. In large organizations, what we are talking about is restricting access to fewer personnel than everyone who has access to normal production. The idea is that not everyone in support or among the business users should have access to the cardholder data environment. The rule here is the fewer the better, but do not make it so few that you create operational issues.
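As an added example (not from the original post), here is a small audit script that applies the documentation test above to a firewall rule set: every port a rule opens to or from the CDE must have a register entry with a reason, the risk, the mitigation and a management approval, and a reason such as “the application will not function unless it is open” is rejected as boilerplate. The rules, register entries and addresses are constructed sample data for a hypothetical CDE.

```python
# Added example (not from the original post): audit a CDE firewall rule set
# against the port-justification register the post describes. All rules and
# register entries are constructed sample data for a hypothetical CDE.
from dataclasses import dataclass

REQUIRED_FIELDS = ("reason", "risk", "mitigation", "approved_by")
# Phrases the post calls out as not being a business reason on their own.
BOILERPLATE = ("needs to be open", "will not function")

@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out" relative to the CDE
    proto: str
    port: int

# Constructed firewall rules allowing traffic to/from the CDE segment.
CDE_RULES = [Rule("in", "tcp", 443), Rule("in", "tcp", 22), Rule("out", "tcp", 1433),
             Rule("in", "tcp", 8080), Rule("in", "udp", 161)]

# Constructed justification register keyed by (direction, proto, port).
REGISTER = {
    ("in", "tcp", 443): {"reason": "POS VLAN sends authorization requests to the payment API",
                         "risk": "API exposed to POS VLAN", "mitigation": "mTLS; WAF in front",
                         "approved_by": "CISO 2023-01-15"},
    ("in", "tcp", 22): {"reason": "Admin SSH restricted to jump host 10.0.9.5",
                        "risk": "Credential theft on jump host", "mitigation": "MFA; key-only auth",
                        "approved_by": "IT Director 2023-01-15"},
    ("out", "tcp", 1433): {"reason": "Tokenization service writes tokens to the DB",
                           "risk": "Lateral movement to DB", "mitigation": "DB accepts CDE subnet only",
                           "approved_by": ""},  # never signed off by management
    ("in", "tcp", 8080): {"reason": "The application will not function unless it is open",
                          "risk": "Unknown", "mitigation": "None", "approved_by": "App owner"},
}

def audit_rules(rules, register):
    """Return (rule, problem) pairs for rules whose documentation fails the test."""
    findings = []
    for r in rules:
        entry = register.get((r.direction, r.proto, r.port))
        if entry is None:
            findings.append((r, "no justification on file"))
            continue
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f, "").strip()]
        if missing:
            findings.append((r, "missing " + ", ".join(missing)))
        elif any(p in entry["reason"].lower() for p in BOILERPLATE):
            findings.append((r, "reason is boilerplate, not a business justification"))
    return findings
```

Run `audit_rules(CDE_RULES, REGISTER)` in a daily review and every port it returns is one you cannot rule in or out after an incident.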
If you want to go the extra mile, the following controls can further enhance your security. However, for some organizations, they come at a cost in operational efficiency that is unacceptable.
- Disable all unused physical jack connections on all infrastructure devices. Any activation of a jack requires a service ticket and standard management approvals.
- Disable dynamic host configuration protocol (DHCP) in all retail locations.
- Public wireless in retail facilities provided by a separate third party and on a separate circuit that connects to the Internet.
- Required use of encrypted, two-factor authenticated virtual private network (VPN) connections from any wireless network to gain access to any internal network.
- Access to the cardholder data environment is not allowed for users connecting through any remote access connection.
The following would be considered the minimum detective controls when talking about network segmentation.
- Network and host intrusion detection/prevention systems that monitor the aforementioned firewalls, routers, VLANs and servers protecting the cardholder data environment and generate alerts to appropriate personnel when an intrusion or incident is detected.
- Daily analysis of infrastructure device configurations to ensure that only approved configuration changes are made to these devices.
- Daily monitoring of devices to alert on any foreign devices that are added or when devices are removed from the network.
- Daily analysis of log data from the preventative controls to find potentially anomalous log entries that indicate a variance in the preventative controls or a potential incident.
- Change management records for all infrastructure devices, servers and applications in-scope for PCI compliance.
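As an added example (not from the original post), the daily configuration analysis and the change-management records above can be tied together: diff the device's running configuration against its approved baseline and check each difference against the approved change tickets. The configs, the device name and the ticket are constructed sample data in IOS-style syntax.

```python
# Added example (not from the original post): detect drift between a device's
# approved baseline configuration and its running configuration, then check each
# difference against change-management records. Configs and tickets are constructed.
import difflib

# Approved baseline for a hypothetical CDE edge router (constructed).
BASELINE = """\
ip access-list extended CDE-IN
 permit tcp 10.20.0.0 0.0.255.255 host 10.100.1.10 eq 443
 permit tcp host 10.0.9.5 host 10.100.1.10 eq 22
 deny ip any any log
logging host 10.0.5.20
"""

# Running config pulled in today's review (constructed): one approved change, one not.
RUNNING = """\
ip access-list extended CDE-IN
 permit tcp 10.20.0.0 0.0.255.255 host 10.100.1.10 eq 443
 permit tcp host 10.0.9.5 host 10.100.1.10 eq 22
 permit tcp any host 10.100.1.10 eq 3389
 deny ip any any log
logging host 10.0.5.21
"""

# Change records: each approved ticket lists the exact lines it authorizes.
CHANGES = [
    {"ticket": "CHG-1042", "device": "cde-rtr-01", "status": "approved",
     "add": ["logging host 10.0.5.21"], "remove": ["logging host 10.0.5.20"]},
]

def config_diff(baseline, running):
    """Return (added, removed) config lines, whitespace-trimmed, blank lines ignored."""
    a = [l.strip() for l in baseline.splitlines() if l.strip()]
    b = [l.strip() for l in running.splitlines() if l.strip()]
    added, removed = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(a[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(b[j1:j2])
    return added, removed

def unauthorized_changes(device, baseline, running, changes):
    """Config lines changed on `device` that no approved change record covers."""
    ok_add, ok_rm = set(), set()
    for c in changes:
        if c["device"] == device and c["status"] == "approved":
            ok_add.update(c["add"])
            ok_rm.update(c["remove"])
    added, removed = config_diff(baseline, running)
    return [l for l in added if l not in ok_add], [l for l in removed if l not in ok_rm]
```

The syslog destination change is covered by CHG-1042 and is silent; the new RDP permit line has no ticket and is what the daily review should raise.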
The key here is to generate alerts should any anomalous activity be detected. But that is the rub. What is anomalous? Anomalies are not always the easiest things to identify or define. As a result, your detective controls may take a while to fine-tune. However, the organizations that do the best job of managing their detective controls organize their anomalies by the PCI DSS requirements they are trying to meet. This allows them to tweak their anomaly detection capabilities by PCI DSS requirement.
Then there is the issue of what you do if you detect an anomaly. Most of the time, an anomaly is not dealt with for one of two reasons. The first reason is that the detection solutions are new and are not functioning properly because no one has taken the time to tune them. The second reason is that, because of changes in the environment, the detective controls need to be re-tuned to reflect the changes. Regardless of why, the detective controls need to be adjusted so that they are not generating excess false positives resulting in people chasing phantom issues.
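As an added example (not from the original post), here is the daily log review of a preventative control with the tuning the last two paragraphs describe: accepted flows into the CDE on unapproved ports and blocked probes from outside the segment are flagged, while a documented benign source (an authorized vulnerability scanner, assumed here) is suppressed so its probes do not become phantom issues. The log lines, addresses and approved-port table are constructed.

```python
# Added example (not from the original post): daily review of firewall log lines
# for flows that contradict the approved segmentation rules. Log lines, addresses
# and the approved-port table are constructed sample data.
import ipaddress
import re

CDE_NET = ipaddress.ip_network("10.100.1.0/24")
# Ports approved into the CDE, mirroring the preventative-control rule set.
APPROVED_IN = {443, 22}
# Tuning knob: sources whose activity is explained and documented (assumed here to
# be the authorized vulnerability scanner), suppressed to cut false positives.
BENIGN_SOURCES = {ipaddress.ip_address("10.0.7.7")}

LOG_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

# Constructed syslog excerpt from the CDE firewall.
SAMPLE_LOG = """\
2024-03-04T02:10:01 fw01 action=accept src=10.20.3.15 dst=10.100.1.10 proto=tcp dport=443
2024-03-04T02:10:07 fw01 action=accept src=10.0.9.5 dst=10.100.1.10 proto=tcp dport=22
2024-03-04T02:11:42 fw01 action=accept src=10.20.3.99 dst=10.100.1.10 proto=tcp dport=3389
2024-03-04T02:12:00 fw01 action=drop src=10.0.7.7 dst=10.100.1.10 proto=tcp dport=8080
2024-03-04T02:12:01 fw01 action=drop src=10.0.7.7 dst=10.100.1.10 proto=tcp dport=8443
2024-03-04T02:13:15 fw01 action=drop src=172.16.4.4 dst=10.100.1.10 proto=tcp dport=445
"""

def review_log(text, approved_in=APPROVED_IN, benign=BENIGN_SOURCES):
    """Return (reason, line) pairs for log entries that warrant follow-up."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if dst not in CDE_NET or src in benign:
            continue
        port = int(m["dport"])
        if m["action"] == "accept" and port not in approved_in:
            # An accepted flow on an unapproved port means a preventative control has drifted.
            findings.append(("accepted on unapproved port", line))
        elif m["action"] == "drop" and src not in CDE_NET:
            # Denied probes from outside the segment are a potential incident.
            findings.append(("blocked probe into CDE", line))
    return findings
```

Calling `review_log(SAMPLE_LOG, benign=set())` shows the untuned result: the scanner's two denied probes come back as findings alongside the two real ones.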
If you want to go the extra mile, the following controls can further enhance your security. While these sorts of tools are available as open-source solutions, there are also many commercial solutions as well. Regardless of whether they are commercial or open-source solutions, tools that will perform these functions typically take a significant amount of time and effort to tune so that they provide the right amount of information for the right incidents.
- Real-time analysis of infrastructure device configurations to ensure that only approved configuration changes are made to these devices.
- Real-time monitoring of devices to alert on any foreign devices that are added or when devices are removed from the network.
- Real-time analysis of log data from the preventative controls to find potentially anomalous log entries that indicate a variance in the preventative controls or potential incident.
All real-time does is provide you with instantaneous alerting. Most small and even mid-sized merchants do not need real-time analysis and alerting. Not that they cannot use it; it is likely overkill for their environments given the threat of attack. However, for governmental agencies/departments, financial institutions, health care organizations and most large merchants, real-time analysis and alerting is mandatory.
And if you think tuning for daily reviews was painful, tuning real-time analysis and alerting systems is at least twice as painful.
The following would be considered the minimum corrective controls when talking about network segmentation.
- Change management procedures.
- Incident response plan(s) for addressing any issues identified by the detective controls.
- Root Cause Analysis (RCA) procedures.
- Action plans that result from the incident response process that require changes to the preventative and/or detective controls. At a minimum, the action plans must document the correction needed, the person(s) responsible for getting the correction completed and the timeframe for the correction to occur.
- Internal audit review of the preventative and detective controls.
- QSA review of the preventative and detective controls.
Here is where a lot of organizations miss the boat. You have detected an anomaly, you dealt with the anomaly, but you do not analyze why the anomaly occurred or you do an analysis but then you do nothing to correct any issues that might have been identified. As a result, the anomaly continues to be encountered but actions are not taken to minimize or even eliminate occurrences. This is why the advanced persistent threat (APT) is successful. APT relies on the fact that eventually all organizations get sloppy and do not take corrective actions to maintain or even improve their controls.
There may be a number of preventative, detective and corrective controls that I have missed or did not consider, since everyone has a unique environment. At a minimum, if your organization has implemented these controls and they are all operating effectively, you are going to be better off than the majority of organizations out there and much less likely to have a serious incident that could result in a breach.
And that is the problem all organizations face, keeping these controls functioning effectively every day without missing a beat. That is why we have defense in depth. If one control is not functioning properly, there are other controls that will cover in the interim until the control is back functioning properly.
Finally, as I always like to remind people, just because you implement all of these recommendations does not make you invincible. All these recommendations do is make the likelihood of an incident, and the potential damage resulting from an incident, lower than if you had little or no controls in place. How much lower depends on a number of factors, but the risk will be lower. And after all, it is all about lower risk.
Hopefully the issue of what constitutes appropriate network segmentation has now been put to rest.