Zero Trust: The Security Model Every Business Should Understand
During a network penetration test, we gained access to a single workstation via a phishing email. From that one foothold - with no additional credentials - we reached the domain controller, the file server, and the accounting software. The internal network trusted everything inside it unconditionally.
That's the failure mode of perimeter-based security. Once an attacker is inside, there's nothing stopping them. The assumption that everything inside the firewall is safe is outdated and dangerous. Zero Trust is the answer.
What Zero Trust Actually Means
Never trust, always verify. Every user, device, and connection must continuously prove it has authorization for each specific resource - regardless of where the request originates. It's not a product. It's an architecture you build toward incrementally.
A Real Finding: Lateral Movement via SMB (OWASP A01 - Broken Access Control)
After compromising a standard user workstation on the engagement above, we used a combination of credential reuse and open SMB shares to move laterally across the network:
# Step 1: Discover SMB shares on internal network
nmap -p 445 --open 192.168.1.0/24
# Result: 12 hosts with port 445 open
# Step 2: Check for null session access (no credentials required)
smbclient -L //192.168.1.50 -N
# Sharename: FINANCE$, IT-BACKUP$, HR-DOCS$
# Step 3: Mount with compromised user credentials (same password reused)
smbclient //192.168.1.50/FINANCE$ -U "CORP\\jsmith%Password1!"
# Access granted. Found: payroll data, bank account info, QuickBooks files
In a Zero Trust architecture, this lateral movement is impossible - internal SMB access requires verified identity, device health confirmation, and explicit role-based authorization, not just being on the right subnet.
Practical Zero Trust Steps
- MFA everywhere. Every account, every application. This alone stops most lateral movement.
- Least privilege. Staff access only what their role requires. Audit quarterly and revoke unused access.
- Network segmentation. Finance, POS, guest Wi-Fi, and staff devices on separate VLANs with explicit firewall rules between them.
- Device health checks. Only managed, patched devices should be able to reach sensitive resources.
- Centralized logging. You cannot respond to what you cannot see. Log authentication events, file access, and network connections.
MFA and least privilege alone would have stopped the lateral movement on the engagement above before it started. Begin there.
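To make the claim above concrete, here is an added example (not from the engagement or from any product) of a Zero Trust decision function for an internal SMB share request: identity, device health, network segment, and role are all checked independently, and the request from the engagement fails on every one of them. All policy data, role names, segment names, and the two sample requests are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy data: which roles may reach each share, and which source
# segments are permitted to open SMB (TCP/445) toward the finance file server.
SHARE_ROLES = {"FINANCE$": {"finance"}, "HR-DOCS$": {"hr"}, "IT-BACKUP$": {"it-admin"}}
ALLOWED_SOURCE_SEGMENTS = {"finance-vlan", "it-admin-vlan"}  # staff/guest VLANs excluded
MAX_PATCH_AGE_DAYS = 30

@dataclass
class AccessRequest:
    user: str
    roles: set
    mfa_verified: bool          # did this session complete MFA?
    device_managed: bool        # device enrolled in management
    device_patch_age_days: int  # days since the device met the patch baseline
    source_segment: str         # VLAN the request originates from
    share: str

def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Zero Trust decision for one share request: every check must pass.

    Being on an internal subnet is never sufficient on its own. Returns
    (allowed, reasons) so each denial can be shipped to central logging.
    """
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity: MFA not completed")
    if not req.device_managed:
        reasons.append("device: not managed")
    elif req.device_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"device: patch level stale ({req.device_patch_age_days}d)")
    if req.source_segment not in ALLOWED_SOURCE_SEGMENTS:
        reasons.append(f"network: segment {req.source_segment!r} may not reach finance SMB")
    if not (req.roles & SHARE_ROLES.get(req.share, set())):
        reasons.append(f"authorization: no role grants {req.share}")
    return (not reasons, reasons)

# Constructed requests: the password-reuse access from the engagement vs. a compliant one.
ENGAGEMENT = AccessRequest("jsmith", {"staff"}, mfa_verified=False, device_managed=False,
                           device_patch_age_days=0, source_segment="staff-vlan", share="FINANCE$")
COMPLIANT = AccessRequest("afinance", {"finance"}, mfa_verified=True, device_managed=True,
                          device_patch_age_days=7, source_segment="finance-vlan", share="FINANCE$")

if __name__ == "__main__":
    for req in (ENGAGEMENT, COMPLIANT):
        allowed, reasons = evaluate(req)
        print(f"{req.user} -> {req.share}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The returned reasons list is what you would forward to the centralized log in step five, so a denied request shows up as a detection rather than silently failing.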
Have questions about your security posture?
Blackhount offers free security assessments for Idaho businesses. No commitment, no jargon - just honest answers about what we find.