I work in IT. Most systems have laughable security. Passwords are often saved in plain text in scripts or config files. I went to a site to help out a very large provincial governmental organization move some data out of one system and into another. They sat me down with a loaner laptop and the guy logged me into his user account on the server. When I asked for escalated privileges, he told me he'd go get someone who knew the service account passwords.
After a few minutes, I started poking around on my own... And had administrative access within an hour. I could read the database (raw data), access documents, start and stop the software, plus, figured out how to get into the upstream system that fed data to this server... I was working on figuring out the software's admin password when the guy came back. I'm sure that given some more time, I could have rooted the box because the OS hadn't been updated in years.
It's pretty common to have this as the only barrier. If someone got into my work PC they could easily take down a lot of critical infrastructure, if they knew where to look.
Yeah, getting access into the vpn and subsequently the server is the challenging part. Once you're in, there's so much that can be found quickly and somewhat easily.
I work as a pentester and Red Teamer, I can attest that even for some large companies, you always stumble upon something that's just dumb, and completely renders their multi-million investment they are probably making into security tools and solutions worthless.
Having worked network support, the number of times I've been on a screen share with someone who opens an excel sheet from the share drive that holds all the root passwords for every network device they own is high. A bad actor could take down some very large companies with some simple social engineering skills.
Whenever we work with a 3rd party vendor and run through the efforts to harden the systems, they freak out because it always breaks their app.
Then we go through the whole handholding process of getting their apps to work within our hardened environment. It ends with them not taking anything into account. App works, system is hardened.
Then when it's time to update the system, they get involved and it's always back to square one.
Like get the fuck on board with security if you are selling a software product. It's mind boggling thinking about how all their other customers just let them away with such exposed shitty communication and unencrypted passwords.