The conversation that reordered my understanding of enterprise network security happened in a conference room in London in early 2019. The CISO of a mid-size financial services firm — precise, methodical, someone whose threat modeling I trusted — was describing her organization’s response to a pen test finding. The testers had gotten onto one internal server through a phishing email. From that single initial access point, within seventy-two hours, they had moved laterally to fourteen other systems, including two that handled customer account data.
The perimeter had been intact throughout. The firewall logs showed nothing anomalous crossing the network boundary. Everything that happened after the initial email was internal traffic, trusted simply because it came from inside the network. There was no enforcement, no verification, nothing that asked whether this particular server had any business talking to those other fourteen.