PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) mandates a set of requirements for any organization that stores, processes or transmits cardholder data.  Several high-profile breaches of such organizations have made the news in recent years, including the widely publicized 2013 breach at Target.

The PCI Data Security Standard has been revised several times; version 3.2.1 was published in May 2018.  PCI DSS v3.2.1 imposes many requirements and supplies supporting guidance, including on the ongoing monitoring of security controls and on network segmentation, two areas where Firebind Recon can be applied.

Excerpted from page 5 of PCI DSS Requirements and Security Assessment Procedures, Version 3.2.1, May 2018

Firebind Recon Related PCI DSS Requirements

Each entry below gives the PCI DSS requirement, its testing procedure, and the guidance column from the standard.

Requirement 1.3.4: Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

Testing procedure 1.3.4: Examine firewall and router configurations to verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.

Guidance: All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content).

Requirement 11.3.4: If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

Testing procedure 11.3.4.a: Examine segmentation controls and review penetration-testing methodology to verify that penetration-testing procedures are defined to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

Guidance: Penetration testing is an important tool to confirm that any segmentation in place to isolate the CDE from other networks is effective. The penetration testing should focus on the segmentation controls, both from outside the entity’s network and from inside the network but outside of the CDE, to confirm that they are not able to get through the segmentation controls to access the CDE. For example, network testing and/or scanning for open ports, to verify no connectivity between in-scope and out-of-scope networks.

As Requirement 1.3.4 above states, all outbound traffic from the CDE must be blocked unless it is an explicitly authorized communication.  By deploying a Firebind Recon customer agent inside the cardholder data environment (CDE), the user can schedule continuous egress testing across all 65,535 TCP and UDP ports, confirming that every outbound port is in fact blocked except the authorized ones.  If Firebind Recon finds a port open that should be blocked, it immediately raises an alarm.  Because the test runs from inside the CDE, it measures the effective behaviour of the firewall and router rule set rather than the configuration on paper, which complements the configuration review called for in testing procedure 1.3.4.  The same kind of connectivity testing, run from an out-of-scope network toward CDE addresses, is the "scanning for open ports" that the guidance for Requirement 11.3.4 expects a segmentation test to include.
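The egress audit described above, and the segmentation connectivity check that the 11.3.4 guidance calls for, both reduce to the same procedure: attempt a connection on every port, then compare what was reachable against an explicit allowlist (for 1.3.4) or against an empty allowlist (for a segmentation test, where nothing should be reachable). The following is an added example written for this page, not Firebind Recon's code; the listener hostname, the allowlist and the "leaking" ports are constructed assumptions, and the simulated probe stands in for a real firewall so the script runs offline.

```python
"""Egress / segmentation connectivity audit (illustrative example, not Firebind code).

A probe callback attempts one connection per port; the audit buckets the
results against an allowlist, which is the evidence PCI DSS 1.3.4 asks for:
every reachable outbound path is explicitly authorized, and nothing else is.
"""
import socket
from typing import Callable, Dict, Iterable, List, Set

Port = int
Probe = Callable[[Port], bool]


def tcp_egress_probe(target: str, timeout: float = 0.5) -> Probe:
    """Return a probe reporting True when a TCP connection to target:port succeeds.

    `target` is assumed to be a listener you control outside the CDE that accepts
    on every port (a commercial egress tester provides one). Against an arbitrary
    host a closed port is indistinguishable from a port the firewall blocked.
    UDP is not covered here: being connectionless, it needs a cooperating
    responder on the far side before "open" means anything.
    """
    def probe(port: Port) -> bool:
        try:
            with socket.create_connection((target, port), timeout=timeout):
                return True
        except OSError:  # refused, timed out, unreachable or filtered
            return False
    return probe


def egress_audit(ports: Iterable[Port], allowed: Iterable[Port], probe: Probe) -> Dict[str, List[Port]]:
    """Probe each port and sort the outcome into three buckets.

    unauthorized:    reachable but not allowlisted -> a 1.3.4 finding (alarm)
    authorized:      reachable and allowlisted
    allowed_blocked: allowlisted but unreachable -> a misconfiguration or outage,
                     worth a ticket rather than a security alarm
    """
    allowed_set: Set[Port] = set(allowed)
    reachable: Set[Port] = {p for p in ports if probe(p)}
    return {
        "unauthorized": sorted(reachable - allowed_set),
        "authorized": sorted(reachable & allowed_set),
        "allowed_blocked": sorted(allowed_set - reachable),
    }


def simulated_probe(leaking: Iterable[Port]) -> Probe:
    """Constructed stand-in for a firewall that lets exactly these ports out (offline runs)."""
    leak = set(leaking)
    return lambda port: port in leak


if __name__ == "__main__":
    ALL_PORTS = range(1, 65536)
    # Constructed policy: only HTTPS to the payment processor is authorized outbound.
    ALLOWED = {443}
    # Constructed scenario: the firewall permits 443 as intended but also leaks 8080 and 3389.
    result = egress_audit(ALL_PORTS, ALLOWED, simulated_probe({443, 8080, 3389}))
    for bucket, found in result.items():
        print(f"{bucket}: {found}")
    # Against a real egress path, swap in the socket-based probe (hostname is an assumption):
    # egress_audit(ALL_PORTS, ALLOWED, tcp_egress_probe("egress-listener.example"))
    # For a segmentation test, run from an out-of-scope host toward a CDE address with ALLOWED = set().
```

The three-bucket split matters in practice: a reachable, unallowlisted port is the alarm condition the page describes, while an allowlisted port that is suddenly blocked is an availability signal that should route to the network team, not the SOC. Running the audit on a schedule and diffing successive results is what turns a one-off scan into the continuous monitoring the 1.3.4 guidance asks for.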