Uncovering a Hidden Risk in a Segmented Network: A Municipal Government’s Wake-Up Call

Client: Mid-Sized Municipal Government

Service: Internal Network Penetration Test

Objective: Evaluate the effectiveness of internal network segmentation, with a focus on isolating high-sensitivity environments.

Executive Summary

A mid-sized municipality brought us in to take a closer look at their internal network security. Their main goal? To see if their network segmentation was really doing its job, especially around one of their most sensitive departments: the Concealed Carry Permit Division. This team handles a lot of sensitive information, including personal data and legal firearm documentation, so keeping that area secure was a top priority.

The municipality believed this part of their network was completely isolated, essentially air-gapped. But during our internal penetration test, we uncovered some major issues. Our team was able to access the supposedly secure segment, revealing serious flaws in the network’s segmentation. It was a clear example of how there can be a big difference between how secure a system seems and how secure it actually is.

Assessment Overview

For this type of network testing, we follow a proven, structured approach based on the NIST SP 800-115 framework, the same guide used across the industry for effective security assessments. It helps us take a methodical look at the network, from mapping out the environment and spotting vulnerabilities to documenting findings in a clear and actionable way.

Our approach doesn’t just scratch the surface. We simulate the full attack lifecycle, from gaining initial access all the way to assessing potential post-compromise impact. It’s a thorough evaluation that helps uncover gaps in internal defenses, controls, and detection capabilities.

Before testing began, we worked closely with the client to clearly define the scope, timeline, and any operational guardrails. Everything was captured in a formal Rules of Engagement to make sure the testing was safe, controlled, and in line with their expectations.

The internal penetration test included the following activities:

• Reconnaissance and Enumeration:
  Identified internal network assets, services, and misconfigurations within the general environment.

• Exploitation:
  Gained elevated access through common credential and configuration weaknesses.

• Privilege Escalation and Lateral Movement:
  Pivoted into the restricted concealed carry network due to improperly enforced segmentation controls.

While our testing process goes well beyond these initial steps, we had already confirmed a critical issue early on: Segmentation had failed. That was the main objective, and it was clearly compromised. It just goes to show that attackers don’t always need to complete a full-blown attack to cause serious damage. When core security controls break down early, the impact can be immediate and significant.

Key Findings

Despite assurances of strict isolation, we achieved unauthorized access to systems within the concealed carry permit division. The root causes included:

• Improper Network Segmentation: Misconfigured VLANs and overly permissive firewall rules enabled lateral traversal.

• Lack of Segmentation Validation: There were no routine audits or verification procedures in place to ensure that segmentation controls were effective.

• Overreliance on Assumptions: The belief in “air-gapping” was not substantiated by technical controls or monitoring.

What’s especially concerning is that we didn’t need to use any advanced hacking techniques. Basic reconnaissance and standard pivoting methods were all it took to break into the segmented environment.

Business and Compliance Impact

• Critical Data Exposure: Full access to sensitive PII and legal firearm documentation was demonstrated.

• Regulatory Non-Compliance: The findings posed clear violations of Criminal Justice Information Services (CJIS) compliance and relevant state data handling mandates.

• Operational Risk: The engagement highlighted a systemic blind spot in the organization’s network security strategy.

Remediation Recommendations

Post-engagement, the municipality took decisive steps to remediate the identified risks:

• Re-architected segmentation boundaries and VLAN structures.

• Enforced granular firewall rules and network access controls.

• Instituted regular internal penetration testing as part of a proactive, ongoing security program.

Outcome

In a follow-up assessment, we were pleased to confirm that the issues we had uncovered had been fully addressed, and the vulnerable pathways were no longer present. Since then, the municipality’s IT team has made internal segmentation testing a regular part of their annual security plan. They’ve seen firsthand that merely having security controls in place isn’t enough; those controls need to be tested and validated regularly.

Internal penetration testing plays a key role in finding risks that traditional perimeter defenses often miss. It helps identify things like misconfigurations, weak access controls, and pathways for lateral movement, exactly the kinds of gaps attackers or insider threats can exploit. Ongoing internal testing ensures your segmentation, permissions, and detection tools are actually working the way they’re supposed to.