
The Expanding Attack Surface for IT Assets

Even just 30 years ago, the scope that CISOs and security teams had to manage was significantly smaller than today’s vast IT asset landscape. While security teams have made significant strides in the measures they take to protect their hardware, software, and cloud assets, bad actors have matched them every step of the way in their efforts to exploit gaps.

Hackers aren't wasting time trying to break through fortified security barriers like firewalls and antivirus programs. They're slipping in through the forgotten devices in storage rooms, the improperly wiped laptops awaiting refurbishment, or the printer lingering on an employee’s desk. They’re going through back doors that aren’t even on your radar.

Digital transformations, hybrid workforces, and increasingly complex and insecure supply chains have created a broader, more fragmented environment of IT assets. Every new device, app, or workflow adds another potential entry point in this “Overlooked Perimeter.”

In this blog, we'll look at:

  • Ways the attack surface is not only expanding but evolving
  • Specific ways threat actors are going around active endpoints
  • Why traditional security tools don’t measure up
  • How modern ITAM platforms deliver the asset visibility needed to protect your entire landscape

Attackers Have More Room to Work With

As enterprises become more distributed and interconnected, the number of entry points for attackers has multiplied. No longer confined to a corporate office or physical data center, IT assets now span multiple locations across in-house and third-party ecosystems. That’s for a few specific reasons.

Remote Work

IT teams are no longer just handing laptops and hardware setups to employees directly in-office. Remote workers make up nearly 30% of all employees. As a result, teams are shipping hardware to all corners of the globe and having to monitor, patch, and enforce security measures under a variety of conditions—leaving more room for cyberattacks.

Bring Your Own Device Programs

As of 2023, 90% of employees reported using some combination of corporate-sponsored and personal devices for work purposes. While this helps keep employees online and can improve productivity, these programs often lack standardized security controls, endpoint protection, or proper patching.

If employees don't keep their devices running on the latest operating systems or sensitive data intermingles with personal apps or cloud storage, bad actors have a wider opening for attacks.

Shadow IT

As much as IT tries to prevent it, there are still plenty of employees who use non-IT-approved software, apps, and hardware. These untracked assets greatly expand the attack surface because they lack formal governance under IT asset management (ITAM) processes. It's no surprise that 52% of organizations that struggle with shadow IT have experienced data breaches.

Ownership and Complexity Gaps

As enterprises move to using third parties to outsource device management, a lack of oversight can leave IT teams without a way to establish clear, chain-of-custody ownership over their assets.

On top of that, organizations going through mergers and acquisitions may not have a clear picture of the assets they are inheriting. If orphaned assets fall through the cracks, they are ripe for hackers to take advantage of.

Supply Chain Spoofs

Threat actors know that large enterprises receive new devices every day to accommodate their needs. In a tactic that is neither new nor uncommon, they can spoof a vendor and send their own laptop, preloaded with malware, to an office or individual remote employee, hoping that IT is too overwhelmed to double-check the serial numbers. Once that device is onboarded, they have full access to your entire organization.

While attackers can go after IT assets at any stage using these entry points, they’ve realized the value in going after the areas you aren’t watching.

The Lifecycles Outside Your Purview

Major security tools focus on assets that are online and visible. They don’t account for tools that you’ve yet to deploy or those that you’ve taken offline. In fact, according to the 2023 IBM Security Cost of a Data Breach Report, conducted by the Ponemon Institute, 67% of breaches were not detected by internal security tools or teams, and follow-on analysis indicates that shadow IT, unmanaged or misconfigured assets, and unmanaged data repositories were implicated in over 33% of breaches.

Hacker groups like UNC3944, PlayCrypt, 8Base, Medusa, and Black Basta recognize those low-friction entry points and are going after devices before security is installed and after they’re retired but still accessible.

Pre-Network Vulnerabilities

As threat actors do their reconnaissance to learn where they can infiltrate your organization, they’re now focusing on a few key lifecycle stages before you have the chance to protect those assets.

Supply Chain and In-Transit

Hacker groups like Volt Typhoon and APT41 aim to intercept shipments, swapping devices with compromised hardware or inserting backdoors into firmware before they reach your business.

This phase is particularly vulnerable in organizations with decentralized procurement, email-based purchase workflows, insufficient supplier vetting, and weak segmentation between procurement and operational systems.

Receive, Storage, and Staging

Attackers like UNC3944 exploit the devices you have sitting in storage closets and depots and use “living off the land” binaries (LOLBins) to gain remote control access or harvest default credentials.

This phase is particularly vulnerable in high-volume refresh cycles, remote depot setups, contractor-led deployments, or environments with loosely monitored storage rooms or staging areas.

Provision, Ownership Assignment, and Deploy

Bad actors exploit setup misconfigurations via imaging flaws or unsecured API access. They can impersonate service accounts or misuse OAuth tokens to silently insert themselves into your devices.

This phase is particularly vulnerable in fast-scaling environments, remote onboarding setups, and DevOps pipelines.

Post-Network Vulnerabilities

After you’ve decided to take a device offline, because an employee has been offboarded, a device is ready for retirement, or otherwise, there are still exposed security gaps that threat actors can climb through.

Disposition or Reuse

Hackers like Medusa go after devices that have been improperly wiped, resold, recovered, or subjected to a supply chain attack to gain backdoor hardware access and steal data.

This phase is particularly vulnerable when organizations delay final disposition, rely on manual offboarding workflows, or lack automated reconciliation between ITAM, directory services, and endpoint agents.
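As an added illustration (not Oomnitza's code), here is a minimal sketch of the automated reconciliation between ITAM, directory services, and endpoint agents mentioned above. The export field names, status values, and serial numbers are constructed for the example.

```python
# Constructed sample exports; every serial, status and field name is hypothetical.
ITAM = [
    {"serial": "SN-1001", "status": "deployed"},
    {"serial": "SN-1002", "status": "retired"},
    {"serial": "SN-1003", "status": "in_storage"},
    {"serial": "SN-1004", "status": "deployed"},
    {"serial": "SN-1005", "status": "retired"},
]
DIRECTORY = [  # computer objects exported from directory services
    {"serial": "sn-1001", "enabled": True},
    {"serial": "SN-1002", "enabled": True},
    {"serial": "SN-1004", "enabled": True},
    {"serial": "SN-1005", "enabled": False},
    {"serial": "SN-9999", "enabled": True},
]
EDR = [  # devices whose endpoint agent checked in recently
    {"serial": "SN-1001 "},
    {"serial": "SN-1003"},
    {"serial": "SN-9999"},
]


def norm(serial):
    """Normalise serials so case and whitespace differences do not hide a match."""
    return serial.strip().upper()


def reconcile(itam, directory, edr):
    """Return {serial: [issues]} for assets whose three records disagree."""
    status = {norm(a["serial"]): a["status"] for a in itam}
    enabled = {norm(d["serial"]) for d in directory if d["enabled"]}
    agents = {norm(e["serial"]) for e in edr}
    findings = {}

    def flag(serial, issue):
        findings.setdefault(serial, []).append(issue)

    for serial, state in status.items():
        if state == "retired" and serial in enabled:
            flag(serial, "retired in ITAM, directory object still enabled")
        if state != "deployed" and serial in agents:
            flag(serial, "not deployed in ITAM, agent still checking in")
        if state == "deployed" and serial not in agents:
            flag(serial, "deployed in ITAM, no endpoint agent seen")
    # Anything live elsewhere but unknown to ITAM is an untracked asset.
    for serial in sorted((enabled | agents) - set(status)):
        flag(serial, "active but absent from ITAM")
    return findings
```

Running `reconcile(ITAM, DIRECTORY, EDR)` on a schedule and routing non-empty results to a ticket queue turns the lifecycle gaps described here into reviewable findings.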

Final Depreciation and Closure

Threat groups like APT32 exploit gaps in asset records and reporting to reactivate ghost assets, commit asset fraud, or take advantage of data retention lapses.

This phase is particularly vulnerable when sanitization processes are manual or inconsistently verified, or when decommissioned devices are handed off to third parties, resellers, or recycling centers without strict controls.

So why are these lifecycles so susceptible to attacks from bad actors? Because IT and security leaders mistakenly assume they’re protected by cybersecurity tools in their existing tech stack.

Traditional Security Tools Fall Short

While many cybersecurity products deliver sophisticated detection and prevention when the device is known, visible, and actively monitored, these tools fail to address assets outside active deployment—leaving significant gaps in coverage.

  • EDR and XDR solutions focus on deployed, known assets without giving any visibility into procurement, staging, or retirement.
  • SIEM and CAASM tools can detect incidents but need clean lifecycle data from external sources to be effective.
  • Next-Gen Firewalls (NGFW) offer preventive network control but cannot correlate lifecycle phases or track individual assets.
  • Vulnerability Management solutions have visibility limited to actively scanned assets and offer no insight into offline, staged, or decommissioned assets.

The reality of these tools is that they are built for security, not IT asset management.

When Gartner reports that over 30% of security incidents now involve unknown, unmanaged, or retired assets, it’s clear that IT leaders need to invest in tools that deliver full, accurate visibility into every stage of an asset’s lifecycle.

Oomnitza Offers Full Cycle Visibility to Cover the Expanding Attack Surface

You can’t secure assets you can’t see. As enterprise organizations work to protect their devices and data from ever-emerging cybersecurity threats, Oomnitza extends IT asset management into the spaces where traditional security and compliance tools fall short.

From forecasting and procurement through decommissioning and disposal, our modern ITAM platform provides continuous visibility, governance, and automation that eliminates the blind spots attackers exploit.

Where traditional security tools are limited to active assets, Oomnitza persists in delivering audit-grade, timestamped records that map custody, access, and disposition across time. These immutable records clearly demonstrate ownership verification, controlled decommissioning, and secure data sanitization, all while reducing operational friction.

By closing lifecycle gaps, Oomnitza not only mitigates risk exposure but strengthens compliance readiness and operational resilience. The result is a unified platform that enables you to reduce risk and establish control over the perimeter too often ignored: the full lifecycle of every IT asset.


Learn more about the specific ways threat actors go after traditionally-invisible assets in our white paper “The Overlooked Perimeter” and reach out to our team to start strengthening your security posture with complete, 98%+ accurate asset data.
