Weak Security Controls and Practices Routinely Exploited for Initial Access