As anyone who has ever visited a bank could explain, visitors are generally not given direct access to the central vaults that hold a bank’s assets. But did you also know that similar restrictions exist on the computer networks and systems responsible for handling financial processing as well? In the case of computer controls, the central concept at play is known as Network Segmentation.
For those working in the realm of payment processing, network segmentation and the controls surrounding it come as no surprise. The Payment Card Industry Data Security Standard (PCI DSS) mandates periodic testing to confirm that the Cardholder Data Environment (CDE, a payment processor’s highest security environment) remains appropriately isolated from unauthorized access, since segmentation is what keeps the rest of the network out of PCI scope.
The Segmentation Policy is the design that results from dividing a network into segments and specifying the firewall or routing rules that enforce the boundaries between them: which segment may talk to which, on which ports, and in which direction. The segmentation policy is the gold standard of expectations on the network. It is what any Segmentation Testing results will be measured against to ensure everything is working as designed.
There are many potential paths available for those looking to implement network segmentation. The technologies involved can include Network Firewalls configured with restrictive Access Control Lists (ACLs), a carefully laid out topology using Network Switches, or an implementation through Software Defined Networking.
While the need to implement a segmentation policy is widespread, some industries are subject to additional legal requirements to certify that the policy’s implementation remains effective over time, with some also being required to prove that to outside auditors. As previously touched on, payment processors are subject to the PCI DSS, which requires segmentation testing at least annually for merchants and every six months for service providers, and again whenever significant changes are made to the segmentation controls. Similarly, healthcare organizations are subject to the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA). Organizations dealing with power and utilities, and any that must interface with critical Industrial Control Systems (ICS), must abide by the requirements of the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards.
After all the work of thoughtfully designing a Segmentation Policy and all the hours spent implementing it, the time inevitably comes when it must be validated against its intended design. So begins Segmentation Testing.
When a penetration tester conducts a Network Segmentation Test to fulfill the PCI DSS requirements, the work primarily revolves around network reconnaissance to identify the systems and services reachable on the network, both within the PCI environment and around it. Once the ‘surface area’ of the network has been mapped, the tester attempts to reach the transaction processing systems, and to extract sensitive information from them, from outside the PCI environment. This validates the efficacy of the controls in place and checks for misconfigurations or vulnerabilities that an adversary could leverage to cross the boundary. Once this testing has been done from the perspective of untrusted internal and external network positions, the work is repeated from within the high-security environment. This confirms that the boundary holds in both directions: users and systems that do not belong in the high-security environment cannot reach data inside it, and systems inside the segmented environment cannot reach out to networks they should not, which is the path an attacker who has gained a foothold would use to exfiltrate data. Only by comparing the scan and manual testing results from multiple vantage points against the segmentation policy can there be confidence that the trusted systems are appropriately segmented away from the untrusted network and its users.
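The comparison described above, observed reachability from several vantage points checked against the written segmentation policy, is mechanical enough to script. The following is an added example, not code from the original article or from any testing firm; the segments, the allowed flows, the vantage-point addresses and the nmap grepable (`-oG`) output lines are all constructed for illustration. It parses open TCP ports from each scan, maps source and destination addresses to their segments, and flags every cross-segment flow the policy does not explicitly allow, in both directions:

```python
"""Check scan results from several vantage points against a segmentation policy.

Added example: the policy, addresses and scan output below are constructed,
not taken from a real environment.
"""
import ipaddress

# Segmentation policy, part 1: which address space belongs to which segment.
SEGMENTS = {
    "corp": ipaddress.ip_network("10.10.0.0/16"),   # employee workstations
    "dmz": ipaddress.ip_network("192.0.2.0/24"),    # public-facing web tier
    "cde": ipaddress.ip_network("10.99.0.0/24"),    # cardholder data environment
}

# Segmentation policy, part 2: explicitly allowed cross-segment flows as
# (source segment, destination segment, TCP port). Anything else is a violation.
ALLOWED = {
    ("untrusted", "dmz", 443),  # Internet to the public web tier
    ("corp", "dmz", 443),       # employees to the web application
    ("dmz", "cde", 443),        # payment gateway to the tokenisation API
}


def segment_of(ip):
    """Map an address to its segment; anything outside the policy is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "untrusted"


def parse_grepable(text):
    """Return (host, port) for every open TCP port in nmap -oG output.

    Only 'Host:' lines carrying a 'Ports:' field matter; filtered and closed
    ports are skipped because they show the boundary working, not failing.
    """
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                found.append((host, int(parts[0])))
    return found


def find_violations(vantage_ip, scan_text):
    """List (vantage, host, port) flows reachable from vantage_ip but not allowed."""
    src_seg = segment_of(vantage_ip)
    violations = []
    for host, port in parse_grepable(scan_text):
        dst_seg = segment_of(host)
        if dst_seg == src_seg:
            continue  # intra-segment traffic is outside this policy's scope
        if (src_seg, dst_seg, port) not in ALLOWED:
            violations.append((vantage_ip, host, port))
    return violations


def audit(scans):
    """Run the check for every vantage point; returns {vantage_ip: violations}."""
    return {vantage: find_violations(vantage, text) for vantage, text in scans.items()}


# Constructed scan output, one entry per vantage point the tester scanned from.
SCANS = {
    # from the Internet: web tier reachable on 443 (expected) and 22 (not expected)
    "198.51.100.7": (
        "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\n"
    ),
    # from a corporate workstation: web tier fine, but the CDE host answers too
    "10.10.5.23": (
        "Host: 192.0.2.10 ()\tPorts: 443/open/tcp//https///\n"
        "Host: 10.99.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\n"
        "Host: 10.99.0.6 ()\tPorts: 3389/filtered/tcp//ms-wbt-server///\n"
    ),
    # from the DMZ payment gateway: only the permitted API port is open
    "192.0.2.10": "Host: 10.99.0.5 ()\tPorts: 443/open/tcp//https///\n",
    # from inside the CDE: outbound paths exist that the policy never granted
    "10.99.0.5": (
        "Host: 10.10.5.23 ()\tPorts: 445/open/tcp//microsoft-ds///\n"
        "Host: 192.0.2.10 ()\tPorts: 443/open/tcp//https///\n"
    ),
}

if __name__ == "__main__":
    for vantage, violations in audit(SCANS).items():
        print(f"{vantage} ({segment_of(vantage)}): {len(violations)} violation(s)")
        for _, host, port in violations:
            print(f"  reached {host}:{port} in segment {segment_of(host)}")
```

The point of keeping the policy as a set of `(source, destination, port)` triples is that the same check runs from every vantage point, so the inbound test from corp and the outbound test from inside the CDE are scored against one document rather than two mental models. In practice the scan text would come from `nmap -oG` runs executed on a host in each segment, and a port that shows as filtered is recorded as evidence the boundary held, not as a finding.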
But hold on, validating a segmentation policy is not just for banks and hospitals. Every company, industry, or individual who regularly deals with sensitive information should periodically do their due diligence to ensure their most sensitive assets are difficult for the wrong people to access through access control and network segmentation.
In the end, network segmentation can be viewed as a means of controlling the number of variables in play in your environment. Fewer variables, by way of fewer computers talking to each other, bring the environment closer to a true ‘least privilege’ design. In a network designed around the least-privilege concept, unauthorized users and systems cannot reach privileged systems because no direct communication route exists for them to use.
If you are responsible for your systems’ integrity or your users’ safety and would like to have a further discussion around the network security of the most sensitive structures in your environment, schedule a consultation to speak with a security consultant to learn more.