Case Study

The Threat Is Inside the Network

Two internal network penetration tests, two well-secured environments — and two critical findings in devices nobody had assigned ownership to. A leased Xerox multifunction printer and a networked APC UPS, both running factory default credentials, opened paths to silent document interception and selective server outages inside a data center. Both risks were identified and remediated.

Corporate & Data Center Penetration Testing

At a Glance

Industry: Corporate & Data Center
Duration: 2–3 weeks per engagement
Services: Penetration Testing
Approach: Assumed-breach internal penetration test with full network enumeration
Outcome: Critical default-credential findings on a leased photocopier and a networked UPS — devices nobody had assigned ownership to

The Challenge

Most organizations approach internal security with a clear mental model: lock down user accounts, harden servers, control access. They invest real effort in these areas, and increasingly, they do it well. But two engagements stand out because the most significant findings had nothing to do with any of that. They came from devices nobody had thought to include in their threat model at all.

A photocopier. And a UPS.

The first client had invested seriously in their security posture. Access controls were well-designed, network segmentation was in place, and remote access was tightly managed. The security team was confident, and for the systems they were responsible for, that confidence was earned.

The second engagement covered a brand-new, purpose-built data center. Servers were hardened. Access was controlled. Privileged credentials were properly managed. There were no obvious paths to escalation. Everything that was supposed to be locked down was locked down.

In both cases, the core infrastructure was solid. The blind spots were the devices nobody had formally assigned to anyone.

These are the places attackers look when the obvious paths are closed — not because they require sophistication, but because they require patience and a wider field of view than most internal teams have time for.

Our Solution

EliteSec performed assumed-breach internal network penetration tests at both clients, enumerating every device connected to the network — not just the systems on the formal asset inventory — and reviewing any management interface those devices exposed. Two findings stood out. Both were sitting in plain sight, and neither was technically complex.

Engagement details:

  • Internal network penetration test, assumed-breach methodology
  • Full enumeration of every device on the network — not just the formal asset inventory
  • Management-interface review for any device exposing one
  • Coordinated reporting, credential rotation, and ownership assignment for findings

Both clients had strong security programs. Both had invested in the right areas. What they shared was a gap that is remarkably common: devices and infrastructure that fall between teams, between vendors, between ownership boundaries — leased equipment, physical infrastructure, devices that connect to the network but never appear in a formal asset inventory because no one formally onboarded them. Both findings were reported with clear remediation steps: default credentials were rotated and management interfaces secured. More importantly, formal ownership was assigned, and asset onboarding was extended to cover networked peripherals and physical infrastructure with management interfaces. The fix wasn't the device itself — it was closing the gap that let it sit unowned in the first place.
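The enumerate-then-reconcile step described above, as an added example written for this case study rather than EliteSec's own tooling: a script that compares a discovery sweep against the asset inventory and flags devices that were never inventoried, devices that expose a management console with no owner on record, and inventoried addresses whose hardware changed since onboarding (the "swapped unit still on vendor defaults" pattern). The hosts, MACs, open ports and team names are constructed sample data; the management-port list is an assumption, and most shops would extend it.

```python
from dataclasses import dataclass

# Ports that usually indicate a device exposes a management console (assumed list).
MGMT_PORTS = {22, 23, 80, 161, 443, 8080}

@dataclass
class Discovered:
    """One host as seen by the discovery sweep."""
    ip: str
    mac: str
    open_ports: set

@dataclass
class Asset:
    """One inventory row; owner is the team responsible for securing it."""
    ip: str
    mac: str
    owner: str = ""

def reconcile(discovered, inventory):
    """Return sorted IP lists: 'unlisted' (never inventoried), 'unowned_mgmt'
    (management console exposed, nobody responsible) and 'swapped' (hardware
    behind a known address changed: a fresh unit still on vendor defaults)."""
    by_ip = {a.ip: a for a in inventory}
    out = {"unlisted": [], "unowned_mgmt": [], "swapped": []}
    for host in discovered:
        asset = by_ip.get(host.ip)
        if asset is None:
            out["unlisted"].append(host.ip)
        elif asset.mac.lower() != host.mac.lower():
            out["swapped"].append(host.ip)
        # A console nobody is responsible for was the finding in both cases.
        if host.open_ports & MGMT_PORTS and (asset is None or not asset.owner):
            out["unowned_mgmt"].append(host.ip)
    return {k: sorted(v) for k, v in out.items()}

# Constructed sample data: one sweep of a small subnet and its inventory.
SWEEP = [
    Discovered("10.0.1.10", "00:11:22:33:44:01", {22, 443}),        # file server
    Discovered("10.0.1.50", "00:11:22:33:44:50", {80, 443, 9100}),  # leased MFP
    Discovered("10.0.1.90", "00:11:22:33:44:99", {80, 161}),        # UPS, replaced
    Discovered("10.0.1.120", "00:11:22:33:44:C0", {9100}),          # raw print only
]
INVENTORY = [
    Asset("10.0.1.10", "00:11:22:33:44:01", owner="server-team"),
    Asset("10.0.1.50", "00:11:22:33:44:50"),                        # no owner recorded
    Asset("10.0.1.90", "00:11:22:33:44:90", owner="facilities"),    # MAC on record differs
]
```

Calling `reconcile(SWEEP, INVENTORY)` on the sample data reports the leased MFP as unowned, the UPS address as swapped, and the print-only host as unlisted; each of those lists is a ticket for an ownership assignment or a re-hardening, not just a scan result.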

Client A — Corporate

The Photocopier Nobody Thought to Secure

A Xerox multifunction printer — the kind that handles printing, scanning, copying, and faxing for an entire office — was sitting on the network, fully accessible, running factory default credentials. Nobody had claimed ownership of it. It was leased from a vendor, and somewhere along the way, the assumption formed that the vendor had taken care of it. They hadn't.

Default access let us review fax logs, silently configure the device to retain copies of outbound documents, redirect scans and faxes to destinations we controlled, and access queued jobs across the organization.

Consider what that means for a legal or sales team sending contracts, NDAs, or financial documents. Those records could be captured and retrieved without leaving any obvious trace. By the time anyone noticed something was wrong, reconstructing what was taken — and when — would be an enormous undertaking.

The risk here wasn't technical complexity. It was organizational: nobody had asked who was responsible for securing this device, because nobody had thought of it as a security asset.

Client B — Data Center

The UPS That Could Take Down a Data Center

Among the devices connected to the network: a power distribution unit from APC with a live management interface. Default credentials gave us full administrative access.

Most people think of a UPS as physical infrastructure — a battery backup sitting in a rack. But networked models expose a management console, and that console can control which outlets receive power and which do not. As an attacker, that means the ability to selectively shut down servers — not through a software exploit or a compromised account, but by simply turning off the power.

If half the servers in a data center dropped offline, the instinct of any operations team would be to look at hardware: a failed power supply, a tripped breaker, a rack fault. The management software on a UPS would be a late suspect, if it appeared on the list at all. Worse, the remediation path — swapping out the unit — could easily repeat the same mistake if default credentials aren't changed as part of the process.

This team did everything right for the assets on their radar. The UPS wasn't on anyone's radar.

Technical Approach

Methodology: Assumed-breach internal network penetration test with full network enumeration and management-interface review
Timeline: 2–3 week internal network engagements per client
Key Finding: Default credentials on network-connected, vendor-leased and physical infrastructure devices
Response: Coordinated reporting, credential rotation, and ownership assignment for previously unmanaged network devices

Results & Impact

Peace of Mind & Risk Mitigation

Critical risks in unmanaged network devices identified and removed

  • Risk of silent document interception eliminated at the corporate client
  • Risk of attacker-controlled power loss eliminated at the data center
  • Leadership gained assurance that the network's blind spots had been examined, not just the well-owned systems

Cost of What Was Avoided

Findings remediated before they could turn into incidents with real-world cost

  • Avoided breach response costs from intercepted contracts, NDAs, or financial documents
  • Avoided incident response triggered by unexplained, attacker-driven server outages
  • Avoided the worst-case remediation pattern: swapping a compromised unit for an identical one with the same default credentials

Operational Continuity

Threats removed before they could cause real-world disruption

  • No selective, attacker-driven outages in the data center
  • No silent document leakage from a leased peripheral nobody owned
  • Remediation paths reviewed so future hardware swaps don't reintroduce the same risk

Process & Ownership Improvements

Findings translated into structural changes, not just one-off fixes

  • Formal ownership and security responsibility established for all networked peripherals going forward
  • Asset onboarding extended to physical infrastructure with network interfaces — power, environmental controls, facilities equipment
  • Vendor-managed and leased equipment formally pulled into the threat model

Key Takeaways for Your Business

  • Security ownership gaps are as dangerous as technical gaps — if no one is responsible for a device, no one is securing it.
  • Vendor-managed or leased equipment carries risk that transfers to you, not to the vendor.
  • Physical infrastructure with network interfaces belongs in your threat model — power, environmental controls, and facilities equipment included.
  • A strong security program for known assets doesn't protect against unknown ones — asset visibility is a prerequisite for asset security.
  • The most impactful findings are often the simplest — complexity is not a reliable indicator of risk.

What's connected to your network that isn't on anyone's list?

If your security program is built around your known environment, it may be worth asking what's connected to your network that isn't on anyone's list. Get in touch to talk through what a thorough internal network assessment looks like for your organization.