Connections Between Trusted and Untrusted Networks
Description
Connections between the CDE and untrusted networks (the internet, and also the corporate network, which PCI DSS treats as untrusted relative to the CDE) must pass through firewalls or WAFs, and every permitted connection must be tied to a documented business need.
⚠️ Risk Impact
A payment-processing system reachable directly from the internet is among the highest-value targets an attacker can find. Exposure does not go unnoticed: automated scanners begin probing newly exposed hosts within minutes.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition (CDE-scoped resources reachable from untrusted networks) across all connected cloud accounts. Violations are flagged as critical-severity findings with remediation guidance.
🔧 Remediation
Route all inbound CDE traffic through a WAF with DDoS protection; no CDE system should be directly reachable from the internet. Record the business justification for every external connection, and monitor the perimeter continuously for new or changed connections.
💀 Real-World Attack Scenario
Target, 2013: network credentials stolen from an HVAC vendor gave the attackers their initial foothold on Target's network. From there they pivoted into the CDE, which was not sufficiently segmented from the rest of the corporate network. About 40M card records were exfiltrated, and Target reported roughly $202M in breach-related costs. The modern variant is contractor SaaS applications granted implicit network trust.
💰 Cost of Non-Compliance
Target 2013: roughly $202M in reported breach-related costs. Estimated cost of a PCI breach involving untrusted-network exposure: $4.45M to $50M+, depending on the number of cards exposed.
📋 Audit Questions
1. Show the CDE perimeter architecture.
2. Which systems accept inbound connections from the internet?
3. Is the WAF deployed in blocking mode?
4. Are connections from untrusted networks documented?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ VPN access treated as trusted, so there is no internal segmentation between the corporate network and the CDE
- ⛔ WAF left in monitor-only (count/detect) mode, so attacks are logged but not blocked
- ⛔ Contractor systems granted implicit network trust
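The remediation above and the first two pitfalls reduce to two checks a scanner can run over cloud inventory: does any CDE-scoped security group accept ingress from the internet or from a source that is not in the documented-connection inventory, and is any WAF rule left in count (monitor-only) mode? The following Python is an added example written for this page, not EchelonGraph's scanner code. The input dictionaries mirror the shape of AWS `describe-security-groups` and `wafv2 get-web-acl` output, but every group ID, CIDR, tag and rule name below is constructed, and the `Scope=CDE` tag and `DOCUMENTED_SOURCES` inventory are assumptions about how an organisation labels its CDE.

```python
"""Added example: perimeter checks for CDE-scoped cloud resources.

Check 1: security groups tagged Scope=CDE must not accept ingress from the
         internet (0.0.0.0/0 or ::/0) or from any source missing from the
         documented-connection inventory.
Check 2: the WAF web ACL in front of the CDE must have no rule in Count
         (monitor-only) mode.
All data here is constructed; the tag and inventory are assumptions.
"""
from ipaddress import ip_network

# Constructed inventory of business-justified sources. In practice each
# entry carries an owner and a change ticket; these IDs are made up.
DOCUMENTED_SOURCES = {
    "sg-0waf00000000001": "ALB + WAF tier forwards HTTPS to the payment API",
    "10.20.0.0/16": "Bastion VLAN, change ticket CHG-0042",
}


def _ports(perm):
    """Render a permission's protocol/port range for the finding."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{perm['IpProtocol']}/{lo}" if lo == hi else f"{perm['IpProtocol']}/{lo}-{hi}"


def _finding(sg, perm, source, severity, reason):
    return {"group": sg["GroupId"], "ports": _ports(perm), "source": source,
            "severity": severity, "reason": reason}


def check_security_groups(groups):
    """Return findings for CDE-scoped groups with undocumented ingress."""
    findings = []
    cde = [g for g in groups
           if any(t["Key"] == "Scope" and t["Value"] == "CDE" for t in g.get("Tags", []))]
    cde_ids = {g["GroupId"] for g in cde}
    for sg in cde:
        for perm in sg.get("IpPermissions", []):
            # CIDR sources: a /0 prefix in either address family is "the internet".
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append(_finding(sg, perm, cidr, "critical",
                                             "direct internet exposure of a CDE resource"))
                elif cidr not in DOCUMENTED_SOURCES:
                    findings.append(_finding(sg, perm, cidr, "high",
                                             "ingress from an undocumented network"))
            # Security-group sources: other CDE groups are intra-CDE traffic;
            # anything else must appear in the documented inventory.
            for pair in perm.get("UserIdGroupPairs", []):
                gid = pair["GroupId"]
                if gid not in cde_ids and gid not in DOCUMENTED_SOURCES:
                    findings.append(_finding(sg, perm, gid, "high",
                                             "ingress from an undocumented security group"))
    return findings


def check_web_acl(web_acl):
    """Return rules that only count matches instead of blocking them."""
    findings = []
    for rule in web_acl.get("Rules", []):
        # Regular rules carry Action; managed rule-group references carry
        # OverrideAction, where Count silences the group's own block actions.
        action = rule.get("Action") or rule.get("OverrideAction") or {}
        if "Count" in action:
            findings.append({"web_acl": web_acl["Name"], "rule": rule["Name"],
                             "severity": "high",
                             "reason": "rule in Count (monitor-only) mode; matches are logged, not blocked"})
    return findings


# --- constructed sample inventory (not real accounts) ---
SECURITY_GROUPS = [
    {"GroupId": "sg-0cde00000000001", "Tags": [{"Key": "Scope", "Value": "CDE"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "UserIdGroupPairs": [{"GroupId": "sg-0waf00000000001"}],
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},   # IPv6 path bypasses the WAF
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                  # SSH open to the world
         {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},             # nobody documented this
     ]},
    {"GroupId": "sg-0cde00000000002", "Tags": [{"Key": "Scope", "Value": "CDE"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "UserIdGroupPairs": [{"GroupId": "sg-0cde00000000001"}],
          "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},               # intra-CDE + documented
     ]},
    {"GroupId": "sg-0corp0000000001", "Tags": [{"Key": "Scope", "Value": "corporate"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # out of CDE scope
]

WEB_ACL = {
    "Name": "cde-payment-api",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {"Name": "RateLimitPerIP", "Action": {"Block": {}}},
        {"Name": "AWSManagedRulesCommonRuleSet", "OverrideAction": {"Count": {}}},
        {"Name": "SQLiCustom", "Action": {"Count": {}}},
    ],
}

if __name__ == "__main__":
    for f in check_security_groups(SECURITY_GROUPS) + check_web_acl(WEB_ACL):
        print(f)
```

Run against the constructed data, the security-group check reports two critical findings on `sg-0cde00000000001` (the `::/0` rule on 443, which lets clients skip the WAF entirely, and SSH from `0.0.0.0/0`) plus one high finding for the undocumented `203.0.113.0/24` range; the corporate group with port 80 open is ignored because it is out of CDE scope. The WAF check reports both count-mode rules. A real scanner would feed it the live output of the cloud APIs and keep the documented-source inventory in version control so that every entry maps to an audit-question-4 answer.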
📈 Business Value
Strong perimeter controls are foundational to PCI DSS and dramatically reduce the attack surface exposed to untrusted networks.
⏱️ Effort Estimate
40-80 hours for the architecture review and WAF deployment.
EchelonGraph monitors the CDE perimeter and flags new external connections as they appear.
🔗 Cross-Framework References
Automate PCI DSS 1.4 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.