Today’s cybercriminals prefer an easy entrance just as much as a sophisticated exploit. And most often, that’s where they start.
Here is a list of seven overlooked attack vectors through which a serious threat could slip in, enter the network, and do serious damage. Remember: while many enterprise cybersecurity approaches are aiming high, a larger number of cybercriminals are “looking low.”
1. Printers and Smart Office Devices
Printers are a great place to start – if you’re a threat actor. Printers are seen as mundane pieces of office equipment, largely “on the way out” and overlooked by some security teams. Because, in principle, everyone in the office needs to use them, they often rely on weak passwords, if they have passwords at all.
While these security shortcuts may eliminate the need for repeated annoying questions (“Why can I still not access the printer?”), they also put the entire organization at unnecessary risk. These machines are connected to the network and can be used to pivot into systems that contain valuable and sensitive information. They are endpoint devices that provide just as good an access point as any, and a better access point than most because they often don’t get the cybersecurity attention they deserve.
These problems are mirrored in IoT and Bring Your Own Device (BYOD) policies, as every connected device – even a smart speaker – could be a potential inroad for attackers. Scanning with Fortra VM can help alleviate these problems and is designed to discover all assets within your IT environment. After all, this is what cybercriminals do during the reconnaissance stage of the attack chain. Beating them to it gives your organization time to fix errors before attackers exploit them.
2. Break Glass Admin Accounts
Break glass accounts, used to override security controls and access critical IT systems in case of an emergency, are given to highly privileged administrators for the purpose of disaster recovery. As you can imagine, however, they are a coveted target for attackers who want to hit the “override” button and skip a lot of hard security cracking.
For this reason, there are a few security best practices for keeping break glass accounts safe:
- Make at least two in case one gets compromised (yet this is also a risk in itself).
- Add MFA (at the very least) and consider padding with hardware security keys – there's no such thing as too safe.
- Make sure the account is configured correctly – as there is only one (or two), this should be reviewed with a fine-toothed comb.
- Use a standard naming convention so the “special account” doesn’t stand out to attackers.
- Create and regularly change a secure password – “up to 256 characters if possible,” according to one security researcher and Medium contributor.
Fortra can help you stay ahead of security misconfigurations in any form. With offensive security techniques like penetration testing and red teaming, you’ll be able to find and fortify any exposed weaknesses – like break glass accounts – before they give threat actors the keys to the kingdom.
3. Shadow IT: Unsanctioned or Forgotten
In the fast march of progress, many companies forget to take all their assets with them. Developers leave beta APIs hanging in the ether, old admin accounts of former employees are never decommissioned, and all manner of outdated hardware and software can be found drawing in attackers just looking for an easy strike.
Shadow IoT is another issue. Since IoT devices lean heavily, if not exclusively, on the cloud, being wary of cloud misconfigurations is also a must, and the risk cuts both ways: not only are forgotten assets a liability in themselves, but if they are not properly configured, they are an instant and easy access point.
Shadow IT risks are present in any organization and only multiply when you count connected suppliers. Finding all shadow devices, technologies, and machines – virtual and physical – is key to eliminating latent liabilities. Again, scanning with Fortra VM is the place to start.
4. Third-Party Integrations and Forgotten Vendor Access
Vendors, suppliers, and other third-party products can bring inherent third-party risk that may not be seen upfront. Supply chain attacks are rampant, with Gartner predicting that by 2025, 45% of all organizations would have experienced one. Every third-party integration – from SaaS to POS systems, to widgets, OS code and more – presents an element of risk.
Additionally, when vendors leave, their access to any and all assets must be revoked immediately. This diminishes the risk of “insider threats,” or handy credentials lying around in cyberspace. Years later, an attacker could infiltrate the former vendor and try their still-active access keys, reaching into your network after the fact and wreaking havoc. This is a risk that can be avoided completely by operating on principles of zero trust.
It is the same with privileged access management. Any individual, application, or organization with special access rights needs to have those rights monitored closely and revoked as soon as they are not needed. It goes without saying that these should be based on the principle of least privilege, including things like just-in-time (JIT) access.
Pen testing can help vet for lingering third-party access, and offensive security techniques like red teaming can tell you if your third-party integrations present more risk than you know.
5. Executive-Excluded Policies
While no one would admit to feeling “above the law,” sometimes certain policies leave us guessing. Indeed, while C-suite executives may feel that their accounts are somehow impervious to attack by the nature of their station, the reality is that anonymous cybercriminals lurking in the shadows have little to lose by going after big game. In fact, it’s common enough to have earned its own term – whaling. Knowing that these accounts may be endowed with super privileges only increases the draw.
6. Physical Oversights: Are You Using the Right Plug?
There is a temptation to focus so much on the cyber part of cybersecurity that we forget there are physical connections somewhere. And those are very, very important.
It’s like the server room found at many companies with a handwritten note posted on the door: “In the event of a major cyberattack, just start unplugging things.” That’s definitely one way to do it, and it’s not something attackers haven’t thought of. Locking the server room is essential, especially when you consider the risk of human error, the possibility of disgruntled employees, and the risk of unskilled hands among the wires.
7. Public GitHub/Code Repositories with Secrets
Just a few months ago the news was filled with headlines of (yet another) GitHub attack. The breach targeted the widely used GitHub Action tj-actions/changed-files, used to detect file changes and found within 23,000 current GitHub repositories.
The code was altered to spill secrets from the projects it was programmed to protect, meaning that “[i]n cases where these logs are publicly available, such as public repositories, it means that any project using tj-actions/changed-files would be leaking secrets for all to see.”
Unfortunately, these attacks are not uncommon. Code repositories will always be a highly coveted target for their distribution value alone. On top of that, weaknesses and vulnerabilities within public code repositories are rampant, so no software’s security – especially those that are publicly available – should be taken for granted.
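Pinning third-party actions to an immutable commit SHA, rather than a tag or branch that the upstream owner can move, is the standard mitigation against the kind of compromise described above. The following added example (not code from the original article or from Fortra) audits a constructed workflow file for `uses:` references that are not pinned that way; the action versions and the SHA in the sample are placeholders.

```python
import re

# Constructed sample workflow (not from the page). Versions and the SHA are
# placeholders: one step pins to a tag, one to a full SHA, one to a branch.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v1
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: another-org/tool@main
      - run: echo "not an action reference"
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_action_pins(workflow_text: str) -> list[dict]:
    """Return one finding per `uses:` reference not pinned to a full commit SHA.

    A tag or branch (`@v1`, `@main`) is mutable: whoever controls the upstream
    repository can point it at new code, which is how a compromised action
    reaches every workflow that trusts the tag. A 40-hex SHA cannot be moved.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local or container references are out of scope here
        action, _, version = ref.partition("@")
        if not version:
            reason = "no version specified"
        elif FULL_SHA_RE.match(version):
            continue  # immutable pin, nothing to report
        else:
            reason = f"pinned to mutable ref '{version}'"
        findings.append({"line": lineno, "action": action, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_action_pins(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']} -> {f['reason']}")
```

Run against a real `.github/workflows/*.yml` file by passing its contents to `audit_action_pins`; a clean result means every external action is locked to a specific commit.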
Taking Action with Pen Testing
All of the above problems will serve as a starting point for pen testers. Vulnerability scans lay the groundwork by identifying basic, low-hanging fruit (like old CVEs). Penetration testing with tools like Core Impact can then begin to uncover hidden attack vectors during engagements.
As security testers prowl around an environment, they will not be afraid to venture off the beaten path. Remember to include both ends of the spectrum within your testing scope: super high-powered APT-like exploits (with the right toolkit) and low, easily forgotten entry points (like the lobby Smart TV). Attackers do not like to work harder than they have to; showing security teams just how many angles they need to defend helps set the tone for more broad-reaching, creative security coverage going forward.
Ready to Invest in Penetration Testing?
Learn how to build a business case for expanding your offensive security strategy with the CISO’s Guide to Justifying Offensive Security Investments