There are a multitude of items that Cyber Security professionals view as attack vectors but none are more
prevalent and exploitable than application code or as readily available as the network perimeter.
There are many ways that these areas are exploited. The application side has its beginning with code which is poorly designed from a security perspective.
One of the code items that is exploited by fraudsters to pivot across an organization's internal network is the Web.cfg file - in this file non security minded programmers often leave the User ID and password for connecting to the associated database in plaintext.