PCI DSS De-Scoping Risk
The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications.
Source: PCI DSS v3.2.1 pg. 10
Although segmenting your network is not compulsory, it can de-scope your compliance obligations and make things easier. 'In scope' (the RED zone) is any IT system involved in the processing, storage or transmission of cardholder data (CHD), or any IT system that can impact those systems. With a 'flat network', therefore, everything is brought into scope, making things extremely difficult. However, today's attackers constantly seek opportunities to compromise corporate networks and establish a persistent, hidden presence inside them, exploiting weaknesses in the 'Out of Scope' environment (the BLACK zone) to undermine the RED zone. Take, for example, the Citrix data breach, which one security firm attributed to an Iran-linked group it called IRIDIUM and claimed had gone undetected for as long as ten years.
If an organisation chooses to de-scope its environment (creating a bordering 'Badlands'), does this increase the opportunity for the attacker and, as a result, the risk? With all the defences focused on the cardholder data environment (CDE) and not on the adjacent BLACK zone within the corporate network, could this present the attacker with a staging ground?
Lessons-Learned From History
These incidents are not new, and they are not the only occasions on which attackers have compromised an environment by way of the out-of-scope areas. Take, for instance, the 2013 Target breach, in which the attackers used network credentials stolen from a third-party heating and air-conditioning contractor to enter Target's corporate network, and from there worked their way to the point-of-sale systems in the CDE.
Looking further back, the city of Troy suffered a similar fate around 1200 BC, when its physical outer defences were bypassed after a concealed force was wheeled inside the walls. This let a rested enemy launch its offensive from within the perimeter, leaving the Trojan army little time to respond and react.
Consequently, any business that de-scopes its environment without considering the implications is, in effect, disregarding the need to protect the BLACK zone topologies that border the CDE.
The Way Forward
It is important to treat de-scoping as an opportunity both to reduce the complexity of PCI DSS compliance and to make things more difficult for opportunist attackers. Treat the 'Out of Scope' environment as additional layers of defence against would-be intruders. Think of your network and web infrastructure along the lines of a bank branch, where a stranger is prevented from walking straight in off the street and directly accessing the contents of the safe or a safety deposit box:
Perimeter Door Access.
Counter Access Control.
Safe Access Control.
Safety Deposit Box Access.
Note. At each point of access, personnel are monitored and access is filtered according to the individual's authorised need to enter that restricted zone, and diversion is prevented (a customer cannot be steered to a fake branch or counter).
Attackers now work through either the traditional 'Cyber Kill Chain' or the 'Cognitive Attack Loop', and in both the first step is reconnaissance to identify potential opportunities (which may include the seamless redirection of the customer's journey).
Consequently, it is important to look at your PCI DSS scope from the viewpoint of a potential opportunist attacker, and to consider the risk reduction available from additional defensive controls in the BLACK zone, aimed at the early detection of, and response to, incursions there.
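To make the scoping rule from the PCI DSS definition quoted above and the layered bank-branch model concrete, here is an added example (not from this article and not PCI SSC material) that reads a firewall-style zone policy and works out which zones are 'connected to' the CDE, and how many controlled hops separate the BLACK zone from it. The zone names, rules and services are hypothetical and constructed for the illustration; the scoping rule applied is the literal 'included in or connected to' test, without the 'can impact' judgement an assessor would add on top.

```python
"""Work out PCI DSS scope from a zone-to-zone allow policy.

Added illustration with hypothetical zone names; it is not the article's
own material and not a PCI SSC tool. Scope here means the v3.2.1 wording:
"included in or connected to the CDE".
"""
from collections import deque

# Constructed sample policy: (source zone, destination zone, service).
# The 'cde-*' zones are the RED zone; 'corp' is the out-of-scope BLACK zone.
SEGMENTED_POLICY = [
    ("internet", "dmz-web", "https"),
    ("dmz-web", "cde-app", "https"),      # payment page -> payment API
    ("cde-app", "cde-db", "postgres"),
    ("admin-jump", "cde-app", "ssh"),     # only the jump host reaches the CDE
    ("corp", "admin-jump", "ssh"),        # admins reach the jump host, nothing else
    ("corp", "internet", "https"),
]
CDE = {"cde-app", "cde-db"}

# Flat network for comparison: every zone may talk to every other zone.
FLAT_ZONES = ["internet", "dmz-web", "cde-app", "cde-db", "admin-jump", "corp"]
FLAT_POLICY = [(a, b, "any") for a in FLAT_ZONES for b in FLAT_ZONES if a != b]


def in_scope(policy, cde=CDE):
    """Zones 'included in or connected to' the CDE: the CDE itself plus every
    zone with an allowed flow into it or out of it."""
    scope = set(cde)
    for src, dst, _service in policy:
        if dst in cde:
            scope.add(src)
        if src in cde:
            scope.add(dst)
    return scope


def shortest_path(policy, start, targets):
    """Breadth-first search over allowed flows. Returns the hop list from
    start to the first target zone reached, or None if the policy gives no
    route at all."""
    adjacency = {}
    for src, dst, _service in policy:
        adjacency.setdefault(src, set()).add(dst)
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] in targets:
            return path
        for nxt in sorted(adjacency.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def assess(policy, black_zone="corp", cde=CDE):
    """Summarise what a ruleset means for scope, and for the BLACK zone as a
    staging ground: how many controlled hops an intruder there must cross."""
    scope = in_scope(policy, cde)
    path = shortest_path(policy, black_zone, cde)
    return {
        "in_scope": scope,
        "black_zone_in_scope": black_zone in scope,
        "path_from_black_zone": path,
        "layers_before_cde": (len(path) - 1) if path else None,
    }


if __name__ == "__main__":
    # One extra rule that blurs RED and BLACK: corp may talk straight to the DB.
    blurred = SEGMENTED_POLICY + [("corp", "cde-db", "postgres")]
    for label, policy in [("segmented", SEGMENTED_POLICY),
                          ("flat", FLAT_POLICY),
                          ("blurred", blurred)]:
        result = assess(policy)
        print(f"{label:>9}: scope={sorted(result['in_scope'])} "
              f"path={result['path_from_black_zone']} "
              f"layers={result['layers_before_cde']}")
```

Running it shows the flat policy pulling all six zones into scope and giving a single hop from corp to the CDE; the segmented policy leaves corp out of scope, with two controlled hops (corp to jump host, jump host to application), and the one blurred rule puts corp straight back into scope. A policy model like this only says what the rules claim; PCI DSS v3.2.1 Requirement 11.3.4 still expects segmentation to be verified by penetration testing, which is where a rule that looks fine on paper but is not enforced gets caught.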
What do you get if you blur the colours RED & BLACK?
I am extremely hopeful that the changes to PCI DSS in version 4 will help address the issue of de-scoping and help businesses understand the potential impact that an 'Out of Scope' environment can have on the 'In Scope' environment. Let's hope this is reflected in the new goals for PCI DSS:
The 12 core PCI DSS requirements are not expected to fundamentally change with PCI DSS v4.0, as these are still the critical foundation for securing payment card data. However, based on feedback received, PCI SSC is evaluating how to evolve the standard to accommodate changes in technology, risk mitigation techniques, and the threat landscape. PCI SSC is also looking at ways to introduce greater flexibility to support organizations using a broad range of controls and methods to meet security objectives.
Key high-level goals for PCI DSS v4.0 are:
Ensure the standard continues to meet the security needs of the payments industry
Add flexibility and support of additional methodologies to achieve security
Promote security as a continuous process
Enhance validation methods and procedures.