The firewall was configured with several ip-any-any rules. That means, for several computers on our internal network, any computer on the Internet could connect using any protocol - in other words, the firewall was wide open for about 16 computers on my company's network. With an ip-any-any rule, you essentially have no firewall at all, because it's allowing all the same traffic you would get from directly connecting a network cable.
If you're familiar with firewalls, you probably know the sensation of horror I felt. If not, I'm not sure I can really describe it -- but it's basically my worst nightmare. My network had a huge hole that hostile attackers were exploiting. It was like emptying out a cupboard in your kitchen and finding a hole in the wall that nasty critters were using to get at your food.
I sent the network admin off to close the firewall holes and initiated an audit of configurations on all our firewalls. Naturally, I had been auditing our firewall configurations on a regular basis, but with my lack of staffing and resources, I hadn't been able to do it very often. And these changes appear to have been fairly recent.
I think there are a lot of lessons to be learned from this experience, not the least of which is "trust nobody."
Sign up for MIS Asia eNewsletters.