Where do I start with this open-ended statement? I guess from a pen testing perspective, quite a lot. Internal pen test results tend to open up a can of worms for a company. There you are, managing your network, covering all the bases:
- AV updated daily - tick
- OS updates regurly -tick
- Password policy in place -tick
- Software patch management - tick
- User groups and network segregation - tick
- (by the way the list should go on for sometime yet!)
Anyway, you get the idea. So, time for the internal pen test.
A friendly (or not-so-friendly) chap comes on site, sits down and within the first day manages to chuck all that good practice stuff they teach you in courses and certifications in the rubbish dump...he got domain admin!