A few years back, I went to visit a friend in San Diego. I stayed in a hotel that was well known and very expensive - it was the only thing I could get that was both close to Coronado and in a central area. When I first arrived, I checked in, and immediately after I went to my room. As usual, I didn't take the elevator, I took the stairs.
The first landing on the staircase, from the ground floor, was not a floor. It was a bigger landing, and on one of the walls there was a door. Strange, but ok. I continued to my room. After settling my ruck and calling my friend, I went down the stairs to wait for him. On the way down, that door piqued my curiosity, and when I tried to open it, it was unlocked.
Inside I saw a few offices and customer counters. Looking a little closer, I saw that this was part of a bank. Right next to the hotel, there was a rather big bank. This was an access to the upstairs offices, I can assume, for the employees. But why was it unlocked? And why were the computers in the office and at the counters powered on and unlocked!!!!????
Putting myself in the shoes of a bad guy, I immediately began to see how to attack the bank, the things I could do and the exits I needed to get out.
And then I froze in place, and began to think: WTF? How come this door is open? How come there are no cameras outside the door? How come no badge or code is needed to enter? Even if it was locked at night, what about the day? Anyone could get in from the hotel? Unchecked?
I don't know. But often it is the forgotten little things, the lack of an overall security assessment, and misplaced trust that attackers can exploit to bring to life the worst case scenario. I mean, what? Do you think that because this is a 5-star, very expensive hotel, bad people will not come? And people will not open that door to see what it is? Or a bad guy doing his/her recon will not note this? Really?
Worst case scenarios are often discarded because they are too extreme and the risk of them happening is low. I would disagree. There are many parts to a worst case scenario. Any of those parts can lead to the worst case scenario. They all need to be explored and tested. And so does the worst case scenario itself. Once you have your tech, people, policies and plans stressed to the limit by this test, you can then be more resilient and address the things that don't work.
Bad guys do what they do, and they don't play by your rules. The pentest way of "scan this, and don't scan that", doesn't work in the real world. Adversaries will exploit any and all things to get what they want.
You need situational awareness.
Don't discard the worst case scenario, and begin gaining the 360 degrees plus up and down situational awareness your security needs.