
Network segmentation’s role in PCI DSS

PCI-DSS is the set of security standards that seeks to extend consistent data protection practices across the credit processing industry. Any organization handling credit card data must comply with PCI-DSS regulations.

PCI-DSS compliance places a major burden on businesses, especially small and medium-sized enterprises. But companies can reduce the cost of compliance by intelligently scoping their credit processing environment.

Segmentation allows IT teams to isolate the systems that handle credit card data while reducing the need to secure less critical system components to the same standard.

This blog will introduce network segmentation in PCI-DSS. We will look at how segmentation works and how it contributes to robust financial sector cybersecurity strategies.

What is network segmentation?

Network segmentation separates network resources to control access and enhance security. In the context of PCI-DSS, network segmentation divides the cardholder data environment (CDE) from other system components.

Separating the cardholder data environment from other resources allows businesses to secure cardholder data. This is a major challenge of cybersecurity in finance. With proper segmentation, hackers will struggle to move from off-scope endpoints and apps to the CDE. Data breaches are much less likely.

Segmentation is not a PCI-DSS requirement. It complements other compliance tools such as encryption, access management, and firewall protection. If you have any doubts about core requirements, check out our PCI-DSS compliance checklist for more information.

However, the PCI Security Standards Council (SSC) has issued guidance advising companies to employ segmentation if possible.

As the SSC says, “Effective segmentation can greatly reduce the risk of CDE systems being impacted by security weaknesses or compromises originating from out-of-scope systems.” But it is not a magic bullet. Segmentation must work with other technologies and controls to achieve PCI-DSS compliance.

Understanding PCI DSS network segmentation scope

When discussing network segmentation for PCI-DSS, it’s important to assess the “scope” of controls required.

Scope refers to the extent of protection required to achieve compliance. Establishing PCI-DSS scope is a critical priority before applying segmentation.

Proper scoping provides security teams with the visibility and knowledge needed to locate and defend critical data. Scoping allows you to segment cardholder data from other parts of the network, boosting security and cutting costs.

There are three main categories to think about when carrying out a PCI-DSS assessment.

In-scope assets

Network resources that make direct contact with cardholder information. This includes payment systems, points of sale, credit card databases, communication tools, and even CRM systems. If an app or device holds credit card data, it is “in scope.”

Connected-to assets

These systems connect to in-scope assets but do not hold card data themselves. They may not require segmentation but must be tightly secured as part of the CDE.

Out-of-scope assets

Anything without access to the cardholder data environment is defined as “out of scope” and does not require the same level of protection.

The PCI-DSS regulations state that “even if the out-of-scope system component was compromised, it could not impact the security of the CDE.” This is a good way of approaching the scoping task.

If a system component provides attackers with indirect access to cardholder data, it qualifies as in-scope. If not, you can relegate it to a lower priority level and concentrate resources where they matter most.

“Flat” networks where system components are connected to a single network switch are an important exception. In these cases, the entire network is categorized as in-scope.

In flat network settings, there is no such thing as an out-of-scope system. If an attacker gains access to any node on the network, they can potentially spread to systems handling credit data.

Why scoping matters to network segmentation

PCI-DSS scoping is a crucial first step in the segmentation process. You cannot create segments protecting cardholder data unless you know where that data resides.

Scoping maps data locations and flows. Compliance teams build a picture of how credit card data moves throughout the network, where it is stored, and who requires access. This provides a solid foundation for creating accurate and effective network segments.

Scoping also ensures that the segmentation process covers every asset. Security teams can start from the assumption that everything is in scope. They can then eliminate out-of-scope assets from the CDE and apply precise segmentation for cardholder data.

How to implement network segmentation for PCI DSS?

When carrying out a PCI-DSS assessment, it’s essential to keep one thing in mind: segmentation is not a substitute for comprehensive cybersecurity controls and policies. Network segmentation is part of a wider toolkit, not a solution to your compliance worries.

Having said that, PCI-DSS best practices advise that companies segment the cardholder data environment from other network systems. So how should you approach this task?

Network segmentation applies specific security controls to create sub-networks containing critical cardholder data. There are various ways of achieving this, including:

Firewall barriers between the rest of the network and cardholder data

Firewalls regulate network traffic across the CDE perimeter, preventing unauthorized access requests.

Data loss prevention (DLP) solutions

DLP tracks the movement of critical data, and works in tandem with firewall protection. Users cannot move or copy protected data without authorization. Security controls automatically block any unauthorized transfers.

Physical access controls for in-scope devices

Some workplaces may impose physical identity checks between CDE-connected devices and other offices or workstations.

Air gaps

Physical air gaps can also divide cardholder data from other network assets. Companies may choose to use two separate systems for payment processing and general operations.

Identity and access management (IAM) systems and multi-factor authentication (MFA)

Authentication systems require multiple credentials for any login. Secure network zones can require extra credentials before granting access.

Zero Trust controls on user privileges

Network managers should keep the number of users with administrative privileges as low as possible. Cardholder data environment access should only be available for users with appropriate permissions. All user access is seen as illegitimate until proven otherwise.

Continuous activity monitoring

Security teams can automate monitoring to track suspicious behavior. Tracking systems raise alerts when out-of-scope assets request access to a network segment within the CDE.

When you decide how to apply segmentation, the core challenge is determining which assets are in-scope and what lies out-of-scope.

Security teams must interview employees throughout the organization to understand how they use data. Employees can provide invaluable information about where cardholder data resides – knowledge that may not be immediately obvious.

The next step in PCI-DSS compliance is ensuring that network segmentation covers every part of the CDE. Elements to consider include:

  • Applications handling cardholder data. This could cover web apps and locally hosted databases.

  • Authentication servers and internal firewalls that connect with or defend the CDE. Protecting sensitive authentication data is a critical priority.

  • Security services that ensure data security and guard cardholder data. This includes intrusion detection systems, malware scanners, and anti-virus tools.

  • Log storage servers and backups. Any audit logs must be properly secured, including connections between active payment databases and historical logs.

  • Virtual machines, apps, hypervisors, or virtual routers that store or process cardholder data.

  • Network infrastructure such as routers, switches, hardware firewalls, and any other equipment that connects to the CDE.

  • Network servers handling cardholder data flows from sites of payment and within the corporate network. This may include web, mail, proxy, and DNS servers.

  • Third parties. Any third-party applications or users with access to payment or cardholder data storage systems lie within the CDE.

The critical task when applying PCI-DSS controls is mapping connections. Any endpoint or application that can access cardholder data needs to be secured.

It isn’t always easy to discover connections between system components. But a comprehensive planning process will generate enough information to keep your data breach risk low.
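To make the scoping rules above concrete, here is an added example (not from the original post) that classifies a constructed asset inventory into in-scope, connected-to and out-of-scope using the indirect-access rule and the flat-network exception, then checks constructed flow records for out-of-scope or unknown sources reaching the CDE, the kind of alert the monitoring step describes. Asset names, links and flow records are constructed sample data.

```python
"""PCI DSS scope classification plus a CDE access check over flow records.

Added example for illustration; the inventory, links and flows are constructed."""
from collections import deque

# Constructed inventory: asset -> True if it stores, processes or transmits card data
ASSETS = {
    "pos-01": True,
    "card-db": True,
    "web-app": True,
    "crm": True,
    "auth-server": False,
    "log-store": False,
    "hr-portal": False,
    "wiki": False,
}

# Constructed connectivity: pairs that can talk with no control in between.
# Links are treated as undirected, since nothing stops traffic in either direction.
LINKS = [
    ("pos-01", "card-db"),
    ("web-app", "card-db"),
    ("crm", "web-app"),
    ("auth-server", "web-app"),
    ("log-store", "card-db"),
    ("hr-portal", "wiki"),
]

# Constructed flow records: (source, destination, destination port)
FLOWS = [
    ("pos-01", "card-db", 5432),
    ("auth-server", "web-app", 636),
    ("hr-portal", "card-db", 5432),
    ("hr-portal", "wiki", 443),
    ("10.9.9.9", "log-store", 22),   # source not in the inventory at all
]


def classify(assets, links, flat_network=False):
    """Return {asset: "in-scope" | "connected-to" | "out-of-scope"}.

    in-scope: the asset holds cardholder data.
    connected-to: the asset can reach an in-scope asset directly or through other
    connected-to assets, so indirect access still pulls it into the CDE.
    out-of-scope: everything else; compromising it cannot affect the CDE.
    On a flat network there is no out-of-scope: every asset is in scope.
    """
    if flat_network:
        return {name: "in-scope" for name in assets}
    adjacency = {name: set() for name in assets}
    for left, right in links:
        adjacency.setdefault(left, set()).add(right)
        adjacency.setdefault(right, set()).add(left)
    in_scope = {name for name, holds_card_data in assets.items() if holds_card_data}
    connected = set()
    queue = deque(in_scope)
    while queue:  # breadth-first walk outwards from the in-scope assets
        for neighbour in adjacency[queue.popleft()]:
            if neighbour not in in_scope and neighbour not in connected:
                connected.add(neighbour)
                queue.append(neighbour)
    scope = {}
    for name in assets:
        if name in in_scope:
            scope[name] = "in-scope"
        elif name in connected:
            scope[name] = "connected-to"
        else:
            scope[name] = "out-of-scope"
    return scope


def flag_cde_access(scope, flows):
    """Return flows whose destination sits inside the CDE (in-scope or connected-to)
    while the source is out-of-scope or absent from the inventory.

    Unknown sources are flagged too: until it has been scoped, a device that talks
    to the CDE has to be treated as if it were in scope.
    """
    alerts = []
    for src, dst, port in flows:
        src_scope = scope.get(src, "unknown")
        dst_scope = scope.get(dst, "unknown")
        if dst_scope in ("in-scope", "connected-to") and src_scope in ("out-of-scope", "unknown"):
            alerts.append((src, src_scope, dst, dst_scope, port))
    return alerts


if __name__ == "__main__":
    scope = classify(ASSETS, LINKS)
    for name, category in scope.items():
        print(f"{name:12} {category}")
    for src, src_scope, dst, dst_scope, port in flag_cde_access(scope, FLOWS):
        print(f"[!] {src} ({src_scope}) -> {dst} ({dst_scope}) port {port}")
```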

How can NordLayer solutions help?

Network segmentation is a critical part of PCI-DSS compliance. It allows organizations to separate the cardholder data environment from other system components. Attackers seeking access via remote devices or insecure endpoints will find it much harder to extract cardholder data.

NordLayer can help you build a security setup that meets PCI-DSS requirements. Our PCI-DSS compliance solutions make it easy to segment networks to protect cardholder environments. With NordLayer, you can:

  • Create groups of network users and assign different network access privileges to each group.

  • Create Virtual Private Gateways for specific groups, resources, or websites.

  • Use IP allowlisting with Dedicated IP addresses to allow authorized users and block others.

In the near future, we will also offer Cloud firewall functionality. This will simplify segmenting cloud-based credit processing environments with granular and flexible access controls.

However, network segmentation is not a single solution. Companies must couple PCI-DSS network segmentation with other security tools to be compliant. NordLayer can help here as well. In addition to segmentation, our tools can help you:

  • Install secure remote access solutions to transmit cardholder data safely.

  • Set user permissions to block unauthorized access to every network segment.

  • Employ quantum-safe cryptography in tunnel encryption to hide your traffic and online activity from users on the open internet.

  • Put in place multi-factor authentication for users accessing cardholder data. Ensure only trusted users can handle customer information and keep data breach risks low.

Make PCI-DSS compliance manageable by partnering with an experienced security provider. Get in touch with the NordLayer team to explore smart data security solutions that make damaging data breaches much less likely.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

Traveling your Zero Trust journey with ESET

Zero Trust seeks to transform how we secure business processes but not to the detriment of people 

In one sense, preaching under the banner of “Zero Trust” can feel misleading because if you don’t really trust anyone, you had better close up shop. Can you run a business if you can’t trust your employees, at least to some degree? If that banner were to read “Zero Unverified Trust”, that would explain itself much better, even if it is a less catchy phrase, because it clearly denotes that trust should be verified.

Traditionally, trust was granted rather freely to employees within the perimeter of a business’s network. With the revelation of international hacking attempts and incidents like the Morris worm in the 1980s, IT administrators were strongly reminded of the need to lock down access at their network perimeters. However, cloud infrastructure became increasingly popular in subsequent decades, blurring the concept of a perimeter and making a perimeter-only defense increasingly unfit for purpose.

The concept of Zero Trust originated in 2009 when Forrester pointed out the need for a better approach to handling trust and, thus, for a new security model to replace the traditional perimeter-based approach. Despite the unqualified use of the term “zero”, the goal of the Zero Trust model is not to revoke all trust, but to consider more carefully when to give trust, and then monitor the trust that is given, along with the time and resources given it.

Challenges to implementing Zero Trust

The main contribution of the Zero Trust model is its call to verify and constantly reevaluate the trust given. To achieve this, at least two challenges must be addressed.

First, trust controls may fail to account for employees’ workflows fully or cause frustration if employees or clients feel they deserve more trust. Trust is complex because human behavior is complex, the tools used are varied, and business processes, resources, and staff can change frequently or unexpectedly.

For trust policies not to cause disruption, IT admins need to tailor them to the business’s processes, test them before deployment, and monitor them assiduously. This will require the IT staff to understand the business better.

Second, the business may lack the budget to invest in technologies that help enforce, monitor, and reevaluate the trust assigned. But even if the budget is lacking, there’s a good chance that existing tools and resources can be repurposed à la Zero Trust.

For example, IT admins can increase the collection of logs about user activity and access to company resources, analyze the logs to understand normal patterns and spot anomalies, or fine-tune the permissions and configurations in existing tools. Even if you have already taken these steps, you can do them again with a Zero Trust vision in mind – thinking about how to grant trust only to specific resources and for a specified time, and, as much as possible, how to monitor that trust once given. This should lead to different practical outcomes that can improve the business’s security posture.

Supporting your Zero Trust journey

ESET’s security technologies can support organizations from small businesses to large enterprises on their road to Zero Trust. An easy way to depict the comprehensiveness of the support we provide is with the following pyramid:

The pyramid sits on a bedrock layer made up of the ESET PROTECT Platform and Support Services. ESET PROTECT consists of various slices from ESET’s suite of protective technologies depicted in the pyramid’s layers above. Support services make ESET’s experts available to your staff to help ensure the best configuration of ESET products for your particular security needs and environment.

Using a pyramid can help to visualize your level of investment into technologies that support Zero Trust. Roughly speaking, the technologies at a higher layer either build on or extend the protection of those at a lower layer. Let’s quickly go through the layers from bottom to top.

The lowest layer contains technologies indispensable for business security, like endpoint protection; therefore, we characterize this as essential protection. At the extended protection layer, we find technologies to help address specific business security needs or fend off advanced threats.

Detection and response, the next layer up, is a game changer because it flips a business’s security posture from reactive to proactive. With ESET’s detection and response tool – ESET Inspect – deployed, security defenders are empowered to monitor and investigate low-level events happening on endpoints in their network.

Finally, the pyramidion at the peak of the pyramid, called threat intelligence, contains threat data feeds and advanced persistent threat (APT) reports. These reports are chock-full of research and technical analysis of new threats, available by subscription only.

In short, the pyramid above lays out some of the technologies that should accompany an organization’s Zero Trust journey. Of course, every company has its own needs fueled by local regulations, the nature of the business, the available IT security budget, and the current state of its IT infrastructure – meaning that your investment in the ESET PROTECT platform serves as no more than a rough guide on what is necessarily a bespoke security journey. What the ESET PROTECT offering does make clear is that it can be a reliable partner at multiple stages of this journey.


About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

U.S. School Cyber Attacks Are On the Rise. It’s Time to Fight Back.


In recent years, U.S. school districts have increasingly become targets for cyber attacks. These school cyber attacks have ranged from ransomware attacks to data breaches, resulting in a significant loss of data and resources for school districts. The reasons for this are varied, but a common issue is the lack of proper network access controls in place. In this article, we’ll explore why school districts are easy targets for hackers and how implementing network access control can help prevent future attacks.

Why Are U.S. School Cyber Attacks On the Rise?

First and foremost, school districts are an easy target for cybercriminals because they often lack the necessary security measures to protect their networks. Unlike larger organizations that have dedicated IT teams and resources to implement security measures, many school districts have limited budgets and staff resources that can be dedicated to cybersecurity. This makes them vulnerable to attacks that exploit weaknesses in their network security, such as unsecured Wi-Fi networks or outdated software and hardware.

One example of such a cyber attack occurred in 2019, when the Baltimore County Public Schools in Maryland suffered a ransomware attack that disrupted its operations for several days. The attack impacted the district’s communication systems, preventing staff from accessing emails and important files. Similarly, in March 2021, the Miami-Dade County Public Schools in Florida was hit with a ransomware attack that disrupted online learning for several days.

Another reason why school districts are easy targets is the large amount of sensitive data they store, including student and staff personal information, financial data, and academic records. This makes them attractive targets for hackers looking to steal data for financial gain or to sell on the dark web. In 2020, the Clark County School District in Nevada suffered a data breach that exposed the personal information of more than 350,000 students and staff members.

Stopping School Cyber Attacks with NAC

So, how can school cyber attacks be stopped? One solution is to implement network access control (NAC) measures. NAC is a security solution that ensures only authorized users and devices can access a network, while blocking unauthorized users and devices from gaining access.

With NAC, school districts can implement policies that require users and devices to meet specific security requirements before they are granted access to the network. This includes verifying the identity of users, ensuring that devices have the necessary security software and patches installed, and checking for any signs of malware or other security threats.

By implementing NAC, a significant reduction of school cyber attacks can be achieved. This was demonstrated in 2020 when the Newhall School District in California implemented NAC and was able to prevent an attempted ransomware attack. The NAC solution detected the unauthorized access attempt and prevented the malware from spreading throughout the network.

In conclusion, school districts are easy targets for cyber attacks due to their limited resources and vulnerabilities in their network security. However, by implementing network access control measures, school districts can significantly reduce their risk of cyber attacks and protect the sensitive data they store. With the rise of online learning and remote work, it’s more important than ever for school districts to prioritize cybersecurity and take proactive steps to secure their networks.


About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

SafeDNS Wins the Spring 2023 Top Performer Award

We are thrilled to announce that SafeDNS has won the Top Performer award in the Cloud Cybersecurity Software category from SourceForge, the world’s largest software reviews and comparison website. This award recognizes exceptional companies and products with a significant amount of recent favorable user reviews that puts them in the top tenth percentile of highly reviewed products on SourceForge.

At SafeDNS, we are committed to providing our customers with the best web filtering solutions that keep them and their businesses safe online. Our cloud-based platform offers comprehensive protection against malicious websites, phishing, and other online threats, while also allowing users to customize their browsing experience based on their unique needs. 

Great support and very effective system. Easy to set up for a multi-site company with many simple-to-use features and good written support materials. [Leonides Daniel C.]

We would like to thank all of our customers who took the time to share their positive experiences with SafeDNS on SourceForge. Your feedback and support are what drive us to continuously improve our products and services.


About SafeDNS
SafeDNS exists to make the internet safer for people all over the world, with solutions ranging from AI- and ML-powered web filtering and cybersecurity to threat intelligence. Moreover, we strive to create the next generation of safer and more affordable web filtering products. Endlessly working to improve our users’ online protection, SafeDNS has also launched an innovative system powered by continuous machine learning and user behavior analytics to detect botnets and malicious websites.

CVE-2021-45456 Apache Kylin RCE Exploit

Introduction

This is an exploitation script written in Python that exploits the Apache Kylin command injection vulnerability CVE-2021-45456 to get RCE.

You can find the script here: https://github.com/mhzcyber/CVE-Analysis/blob/main/CVE-2021-45456/CVE-2021-45456Exploit.py

To understand more about the CVE, you can check the previous PoC and Analysis blog that we published.

Testing Lab

The lab here is the same as the one mentioned in the analysis blog, but we will add a minor modification.

Since this is a Docker container, it is kept minimal, containing only what is needed to run the application.

A real system usually has more tools available to abuse, for example netcat (nc), so we are going to install nc.

  • Access the container using the following command:

sudo docker exec -it container_id bash

  • Install nc

yum install nc -y

Exploitation Script

We are going to start by explaining the script.

  • The script starts by importing the libraries it needs.

create_project function

  • After that, we have the create_project function, where we create a project and inject the malicious payload.

The function takes the following arguments: host, lhost, lport, username, password.

These arguments are entered by the user when running the script.

This line checks whether there is a "." in lhost and removes every occurrence, so if lhost is 172.17.0.2 the result is 1721702:

if "." in lhost:
    lhost = lhost.replace(".", "")

Structuring the URL:

url = f"http://{host}/kylin/api/projects"

This takes the username and password and encodes them with base64 to build the Basic auth header:

auth_header = f"Basic {base64.b64encode(f'{username}:{password}'.encode('ascii')).decode('ascii')}"

Next come the headers and the project data, which includes the name, description, etc. There is also project_desc_data, which is the same project data in JSON format.

A proxy setting makes it possible to intercept the requests sent by the script.

The script sends the HTTP request and checks the error message in case the project already exists.

If the HTTP status code is 200, the request succeeded, and the function retrieves the jsessionid.

If there is some other error, it is printed and the function returns None.

trigger_diagnosis function

The function takes the arguments host, jsessionid, lhost, lport; all are entered by the user except jsessionid, which is returned by the create_project function.

It structures the project_name, i.e. the malicious payload, the URL that triggers the exploitation, and the headers.

A proxy setting makes it possible to intercept the requests sent by the script.

It sends the request; if the response is 200 OK, it prints “[+] Request is successful.”, otherwise it prints the error code.

Here is a banner with usage instructions and an example.

Unless 5 arguments are entered, the tool exits.

The value returned by the create_project function is stored in the variable jsessionid.

If jsessionid is neither None nor False, the script runs the trigger_diagnosis function; otherwise, it quits.
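From the defender's side, the walk-through above shows that the payload travels in the project name of a POST to /kylin/api/projects and that the script strips the dots from lhost, so a detector that only looks for dotted IP addresses would miss it. The following added example (not part of the original post or the exploit script) validates project names against an allowlist and scans request records for project-creation calls that fail it. It assumes a reverse proxy in front of Kylin writes one JSON record per request (a constructed format, not Kylin's own log layout); the allowlist pattern is an assumption for this example, not Kylin's own validation rule, and all records are constructed.

```python
"""Allowlist validation and request-log scan for Kylin project-creation calls.

Added example for illustration; the log format and records are constructed."""
import json
import re

# Assumed allowlist for this example: a project name is a short plain identifier
SAFE_PROJECT_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Characters that let a value break out of a shell command line
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\\'\"\n\r]")

PROJECTS_ENDPOINT = "/kylin/api/projects"  # endpoint used by the create_project step

# Constructed sample records (not real traffic): one JSON object per line
SAMPLE_LOG = "\n".join([
    json.dumps({"client": "10.0.0.5", "method": "POST", "path": PROJECTS_ENDPOINT,
                "body": json.dumps({"name": "sales_cube", "description": "Q3 cube"})}),
    json.dumps({"client": "10.0.0.5", "method": "GET", "path": PROJECTS_ENDPOINT,
                "body": ""}),
    json.dumps({"client": "172.17.0.9", "method": "POST", "path": PROJECTS_ENDPOINT,
                "body": json.dumps({"name": "demo;id", "description": "x"})}),
    json.dumps({"client": "172.17.0.9", "method": "POST", "path": PROJECTS_ENDPOINT,
                "body": "{not json"}),
    json.dumps({"client": "10.0.0.7", "method": "POST", "path": PROJECTS_ENDPOINT,
                "body": json.dumps({"name": "a" * 80, "description": "too long"})}),
])


def project_name_is_safe(name):
    """True only when the whole name matches the allowlist (fullmatch, not search)."""
    return isinstance(name, str) and SAFE_PROJECT_NAME.fullmatch(name) is not None


def classify_name(name):
    """Give the reason a name was rejected; metacharacters are reported before length."""
    if project_name_is_safe(name):
        return "ok"
    if isinstance(name, str) and SHELL_METACHARS.search(name):
        return "shell-metacharacters"
    return "outside-allowlist"


def scan_log(text):
    """Return (client, project name, reason) for project-creation requests worth a look.

    Only POSTs to the projects endpoint are examined; a body that is not valid JSON
    is reported as well, since the server will still try to handle it.
    """
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        record = json.loads(raw)
        if record.get("method") != "POST" or record.get("path") != PROJECTS_ENDPOINT:
            continue
        try:
            body = json.loads(record.get("body") or "{}")
        except json.JSONDecodeError:
            findings.append((record.get("client"), None, "unparseable-body"))
            continue
        name = body.get("name", "") if isinstance(body, dict) else ""
        verdict = classify_name(name)
        if verdict != "ok":
            findings.append((record.get("client"), name, verdict))
    return findings


if __name__ == "__main__":
    for client, name, reason in scan_log(SAMPLE_LOG):
        print(f"[!] {client} -> POST {PROJECTS_ENDPOINT} name={name!r}: {reason}")
```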

Run the exploitation script

I’m going to run the exploit and use the proxy to intercept the requests in Burp Suite, to give a clearer picture of what happens.

  • This is the create_project function request

  • This is the trigger_diagnosis function request

  • Received a connection and gained access

Video of the exploitation tool from here:

https://youtu.be/gg8Qrs-zo_E


About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
