a paper linked to by a recent post at the OpenBSD Journal does a very good job of describing a (hypothetical) corporate network setup that looks quite secure, and then describes how it could be broken into. the author takes a few leaps (assuming the insider-attacker happened to get a trusted internal IP address is the biggest one), but it is all very plausible.
he elaborates on the (again, hypothetical) response by the company's internal security team, going into nice detail.
anyone who thinks that even one of the most (if not the most) trusted operating systems in the world is unhackable, think again. everything can be broken. the point is to minimize potential opportunities and potential damage, and to "be prepared" by keeping up with patches, using a secured loghost, deploying NIDSes, educating users, and finally never simply trusting internal networks (don't forget Troy ;) ).
go straight to the paper.