This phrase was hammered into my head during an uncharacteristically interesting AI class in college (I later dropped the class; my hat’s off to those of you who enjoy writing search algorithms all day, I’ll never compete with you for a job), and it’s something I remind myself of constantly when doing assessments. Much of the work of attacking systems is doing the dumb thing first: a burglar wouldn’t bother kicking in a door without first checking whether it’s unlocked, and neither would a hacker. As exciting as vulnerability research is, the truth is that systems usually aren’t compromised with 0day, and most vulnerabilities aren’t going to be exploited until someone has put them in an easy-to-use tool.
The phrase “think like a hacker”, nebulous at best, is thrown around quite a bit when training administrators to secure systems, but most people taking a look at their own security are going to have a lot more luck thinking like a lazy employee who’s tired of walking from his cubicle to the control center. Look at the local security on his workstation: try to turn off the firewall or filtering software, see whether the administrator account has a blank password, or “password”. If that doesn’t work, start looking at the network: plug your business laptop into the Ethernet port that’s a different color from the rest and see what happens, then do the same thing with your personal laptop. Maybe he even gets as far as poking at the firewall a bit.
The good news is that if you’re interested in the protection side of things, you can do the dumb thing first too: change the default passwords on devices, put in a firewall, patch, and use secure protocols. These all have huge and additive effects, but you have to start at the bottom. A firewall doesn’t do much good if you can log in to the system behind it with “asdf”, and it doesn’t matter if your password is 80 characters of nothing but symbols if you’re logging in over telnet, which sends it across the network in cleartext.
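The “dumb thing first” check from the two paragraphs above, done from the defender’s side, looks like this. It is an added example, not code from the original post: it walks a constructed, made-up account list (salted PBKDF2 hashes, nothing taken from any real system) with the cheapest guesses first, a blank password, the usual classics like “password” and “asdf”, and the username itself, and reports which accounts fall to them. The account names, passwords and the `GENERIC_DUMB` list are assumptions chosen for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Deliberately low iteration count so the example runs quickly; a real
# password store would use a much higher one.
PBKDF2_ITERATIONS = 20_000

# Cheapest guesses first: blank, then the classics an attacker tries before
# reaching for any tooling. Assumed list, chosen for this example.
GENERIC_DUMB: List[str] = [
    "", "password", "Password1", "asdf", "qwerty",
    "123456", "admin", "letmein", "changeme",
]


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for however the store hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_accounts() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed sample account store: username -> (salt, hash).

    These are made-up accounts for the example, not real credentials.
    Salts are derived deterministically so the example is reproducible.
    """
    sample = {
        "administrator": "",           # blank password
        "operator": "password",        # the classic
        "jsmith": "jsmith",            # password equals username
        "backup": "asdf",              # keyboard walk
        "ops": "Tr0ub4dor&3",          # not on the dumb list; should survive
    }
    accounts: Dict[str, Tuple[bytes, bytes]] = {}
    for i, (user, pw) in enumerate(sample.items()):
        salt = hashlib.sha256(f"example-salt-{i}".encode()).digest()[:16]
        accounts[user] = (salt, _hash(pw, salt))
    return accounts


def dumb_candidates(username: str) -> List[str]:
    """Guesses in order of cheapness: generic list, then username-derived variants."""
    per_user = [username, username + "1", username + "123", username.capitalize()]
    seen, out = set(), []
    for cand in GENERIC_DUMB + per_user:
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def audit_dumb_passwords(accounts: Dict[str, Tuple[bytes, bytes]]) -> Dict[str, str]:
    """Return {username: password} for every account that falls to a dumb guess.

    Stops at the first hit per account, the same way an attacker would.
    """
    hits: Dict[str, str] = {}
    for user, (salt, stored) in accounts.items():
        for cand in dumb_candidates(user):
            # constant-time compare, so the audit itself leaks nothing via timing
            if hmac.compare_digest(_hash(cand, salt), stored):
                hits[user] = cand
                break
    return hits


if __name__ == "__main__":
    for user, pw in audit_dumb_passwords(make_accounts()).items():
        shown = "<blank>" if pw == "" else pw
        print(f"{user}: falls to {shown!r}")
```

Run against the constructed store, four of the five accounts fall, and only `ops` survives. The point of the ordering is that the whole list is a handful of guesses per account, so it is cheap to run against your own systems on a schedule, before anyone else runs it for you, and it is exactly the check that decides whether the firewall in front of that system is doing any work at all.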