We were recently engaged by a large, high-profile dental practice to perform an independent IT and cyber security review.

The owners were not confident in their current IT provider, but like many businesses, they didn’t have the technical visibility to understand exactly what was wrong.

Importantly, this initial review was performed without any administrative credentials.

We simply assessed the environment the same way any external person could — starting from the public-facing network.

What we found was concerning.

Starting Point: Guest WiFi Access

While onsite, we identified a publicly displayed guest WiFi password at reception. This is common in dental practices where patients need internet access due to poor mobile reception.

We connected to the guest WiFi network — exactly as any patient would.

At this point, the expectation is clear:

Guest WiFi should be completely isolated from the internal business network.

In this case, it was not.

Guest Network Was Not Segregated

After connecting to the guest WiFi, we performed basic network discovery.

Within minutes, we identified that the guest network had visibility into the internal network, including what appeared to be the management VLAN.

This meant it was possible to:

  • Discover internal IP ranges
  • Identify servers and infrastructure
  • Communicate directly with internal systems

This is a critical misconfiguration. Guest networks should never have this level of access.

Internal Servers Were Reachable

From the guest network, internal servers were not only visible — they were reachable.

Remote Desktop services (RDP) were also responding on these systems.

While authentication was required, exposing internal RDP services to a guest network significantly increases risk and expands the attack surface.

Weak Access Controls and Privilege Management

During further review on internal workstations, additional issues were identified:

  • Standard domain users had full administrative privileges
  • User Account Control (UAC) was effectively not enforced
  • Users could install or modify software without restriction

This removes one of the most basic layers of protection in any business environment.

In this setup, if a single user account is compromised, the attacker effectively gains full control of the system.

Endpoint Security Could Be Disabled

The practice was using endpoint protection software; however, it was poorly configured.

We observed that the security agent could be disabled locally without any form of tamper protection.

This means:

  • Malicious software could disable protection before executing
  • No alerts or controls would prevent this action
  • The system would effectively become unprotected

Modern endpoint protection platforms should prevent this entirely.

Exposed Network Shares and Data Access

Server shares, including administrative shares, were accessible from the network.

This level of access creates a direct pathway to sensitive data.

If an attacker gains valid credentials, they could:

  • Access patient and business data
  • Copy large volumes of information
  • Deploy ransomware across shared drives

In environments like healthcare, this risk is particularly serious.

Multi-Site Network Exposure

This practice was connected to multiple other locations via site-to-site VPN tunnels.

However, network segmentation between sites was not properly restricted.

We were able to identify additional subnets across these locations.

This introduces a major risk:

A compromise in one site could lead to lateral movement across all connected practices.

The Real Problem: A Flat Network

What we observed is what’s commonly referred to as a flat network.

This means:

  • No proper segmentation
  • No separation between user devices, servers, and management systems
  • Broad access across systems

In this type of environment, once an attacker gets in, they can move freely.

How This Leads to Real-World Breaches

Contrary to popular belief, most cyber attacks are not highly sophisticated.

They rely on:

  • A user clicking a malicious email
  • A compromised credential
  • An exposed internal system

In a poorly segmented environment, that’s all it takes.

From there, attackers can:

  • Move laterally across the network
  • Disable protections
  • Access sensitive data
  • Deploy ransomware

And because everything is connected, the impact spreads quickly.

What Should Have Been in Place

This environment should have included, at a minimum:

  • Proper guest WiFi isolation
  • Network segmentation between VLANs
  • Restricted access to servers
  • RDP lockdown and controlled access
  • Least privilege user access (no admin rights)
  • Endpoint protection with tamper protection enabled
  • Strict controls across site-to-site VPN connections

These are not advanced controls — they are baseline security practices.
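
The segmentation items in this list can be checked offline against an exported firewall rule set. The Python audit below is an added example, not code from the assessment: the zone names, subnets, ports and rule format are all constructed assumptions. It evaluates an ordered, first-match rule list and reports every flow the baseline says must be blocked but the rules still permit.

```python
import ipaddress

# Constructed zones and subnets (assumptions, not taken from the assessed site).
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "guest": "192.168.50.0/24", "users": "10.10.20.0/24",
    "servers": "10.10.10.0/24", "mgmt": "10.10.99.0/24",
    "site_b": "10.20.0.0/16",          # reached over the site-to-site VPN
}.items()}

# Flows the baseline says must never be permitted: (source, destination, TCP port).
MUST_BLOCK = [
    ("guest", "servers", 3389), ("guest", "servers", 445), ("guest", "mgmt", 443),
    ("guest", "users", 445), ("guest", "site_b", 3389),
    ("users", "mgmt", 443), ("users", "site_b", 445),
]

def allowed(rules, src, dst, port):
    """First-match evaluation over whole zones, ending in an implicit deny."""
    # Conservative: an allow that overlaps the zone pair counts as exposure
    # unless an earlier deny already covers the entire pair.
    for action, r_src, r_dst, ports in rules:
        r_src, r_dst = ipaddress.ip_network(r_src), ipaddress.ip_network(r_dst)
        if ports is not None and port not in ports:
            continue
        if action == "deny" and src.subnet_of(r_src) and dst.subnet_of(r_dst):
            return False
        if action == "allow" and src.overlaps(r_src) and dst.overlaps(r_dst):
            return True
    return False

def audit(rules):
    """Return every MUST_BLOCK flow that the rule set still permits."""
    return [(s, d, p) for s, d, p in MUST_BLOCK
            if allowed(rules, ZONES[s], ZONES[d], p)]

# Constructed rule sets: (action, source CIDR, destination CIDR, ports or None for any).
FLAT = [("allow", "0.0.0.0/0", "0.0.0.0/0", None)]
SEGMENTED = [
    ("deny", "192.168.50.0/24", "10.0.0.0/8", None),       # guest isolated from internal ranges
    ("allow", "192.168.50.0/24", "0.0.0.0/0", {80, 443}),  # guest: internet only
    ("allow", "10.10.20.0/24", "10.10.10.0/24", {445}),    # users to file shares
    ("deny", "10.10.20.0/24", "10.10.99.0/24", None),      # users kept off management
    ("deny", "10.10.20.0/24", "10.20.0.0/16", None),       # users kept off the other site
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, audit(rules))
```

Because the check works on whole subnets, a single-host exception placed above the guest deny rule is reported as exposure for that zone pair.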

Why This Happens

In many cases, environments are built to “work” rather than to be secure.

Over time:

  • Shortcuts are taken
  • Permissions are loosened
  • Security controls are not reviewed

The result is an environment that appears functional on the surface but is exposed underneath.

Final Thoughts

This audit was performed without any privileged access.

That alone highlights the level of exposure.

For businesses handling sensitive data — especially in healthcare — security needs to be properly designed, implemented, and reviewed regularly.

If something doesn’t feel right with your IT environment, it’s worth having it independently assessed.

At Osmicro, we specialise in identifying hidden risks and helping businesses move to secure, structured environments that reduce exposure and improve reliability.

If you’re unsure about your current setup, our IT support and cyber security services can help uncover and fix these issues before they become serious incidents.