> "...likely through a hole in a poorly configured digital
> firewall that was supposed to stop unauthorized access..."
'Every' penetration tester I talk to says that this is what they find all the time: actual 'reality' within networks does not align with assumed network policies or topology.
But, I don't talk to that many. Is this really the case? We put great care into having network architectures and policies that define network segmentation, isolation, and other strategies to harden and protect the network. But those policies are not implemented properly, or, over time, their technical enforcement isn't guaranteed?
Yeah, I don't think I've ever seen an 'airgapped' network that was actually airgapped.
About half the time no discernible effort was ever put into airgapping and it was only ever a paper goal. Most of the rest of the time it started out configured reasonably but either drifted out as business needs changed ("Chloe, get me a port!" is a pretty common joke) or someone just didn't realize it was special and configured it badly.
The rest of the time you just stack up edge cases: bad management credentials, forgotten management interfaces, canned router or switch exploits, broken q-in-q implementations, etc. The list is endless. And all that's without getting someone authorized to carry you onto the airgapped network, which happens facepalmingly often.
Yeah, it's pretty common. The network admins don't necessarily have security training, so they might not understand the reasoning behind the recommendations from the security team. Ideally they'll work together, but most of the time our recommendations get ignored or implemented incorrectly. For example, after one test I performed on a Fortune 500 company, we recommended that they have separate VLANs for different parts of the company; employee workstations could connect to management interfaces on network hardware. The networking people just created separate subnets and called it good, even though every subnet could still talk to every other subnet.
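A defender-side check for exactly the gap described in the comment above, written here as an added example and not taken from any commenter: a declared segmentation intent is compared against observed traffic, so "separate subnets that can all still talk to each other" shows up as concrete policy violations rather than staying an assumption. The segment ranges, the allowed-pair matrix and the flow records are all constructed for the example.

```python
import ipaddress
from typing import NamedTuple
# Constructed segment plan: what the design document says the network looks like.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "netmgmt": ipaddress.ip_network("10.99.0.0/24"),  # switch/router management
}
# Constructed intent: (source, destination) segment pairs that should be reachable;
# every other pair is expected to be blocked by the segmentation controls.
ALLOWED = {
    ("workstations", "servers"),
    ("servers", "servers"),
    ("netmgmt", "netmgmt"),
    ("netmgmt", "servers"),
}

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

def segment_of(ip: str) -> str:
    """Map an address to its planned segment, or 'unknown' if it fits none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def parse_flows(lines: list[str]) -> list[Flow]:
    """Parse 'src dst dport' records (a constructed, simplified flow export)."""
    flows = []
    for line in lines:
        if line.strip() and not line.startswith("#"):
            src, dst, dport = line.split()
            flows.append(Flow(src, dst, int(dport)))
    return flows

def violations(flows: list[Flow]) -> list[tuple[Flow, tuple[str, str]]]:
    """Observed flows whose segment pair is not in ALLOWED: reality vs. policy."""
    return [(f, pair) for f in flows
            if (pair := (segment_of(f.src), segment_of(f.dst))) not in ALLOWED]
# Constructed sample of observed traffic (e.g. summarised from flow or firewall logs).
SAMPLE_FLOWS = parse_flows([
    "10.10.4.17 10.20.1.10 443",  # workstation -> server: allowed
    "10.10.4.17 10.99.0.5 22",    # workstation -> switch mgmt SSH: violation
    "10.20.1.10 10.99.0.5 161",   # server -> switch mgmt SNMP: violation
    "10.99.0.2 10.99.0.5 22",     # mgmt jump host -> switch: allowed
])
```

Running `violations(SAMPLE_FLOWS)` over real flow exports, on a schedule, turns the segmentation design into something that is continuously verified instead of assumed; the two flagged flows here are the "workstations can reach management interfaces" finding from the comment.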