Most Companies In Thailand Perform Vulnerability Tests and Not Penetration Tests

Hellfire Security
Mar 8, 2023

In the security industry, it is not uncommon for there to be a misunderstanding about what a particular term means. Nowhere is this more true than with security services. This happens for many reasons, but in our opinion, it primarily arises when non-security players try to provide security services. They never really understood what they were providing in the first place. That makes it easy to come up with something that does not quite match what was intended. This is not helped by the fact that many companies, even those in the security space, want to redefine services in such a way as to require less technical people, because less technical people are cheaper. By doing so, they can charge high prices for very technical services but have it cost them much less, because they are using less technical people. This results in a much bigger profit margin for them.

Whether or not this is what happened in Thailand, who knows. What we do know is that penetration tests are rarely, if ever, performed here in Thailand. They call it that, but based on what we have seen, that is not what is performed. We’ll show you what we mean by first defining a vulnerability test and then defining a penetration test.

Vulnerability Tests

Vulnerability tests intend to identify any vulnerabilities in an enterprise. Vulnerability tests involve the use of scanning tools and are often augmented by manual procedures. These manual procedures are learned by the tester from any number of classes that they may have taken. There is no attempt to understand the environment, to identify the attacks that would work best in that environment, or to plan the series of attacks that would be needed to go from a position of low privilege to a position of high privilege without being seen. There is no hacking, per se. They just find as many vulnerabilities as they can, no matter how minor they may be. The testing team is essentially a group of human vulnerability scanners. As the findings in a vulnerability test report are often not backed by an attempt to exploit them, many of them may be false positives.

Penetration Tests

On the other hand, with a penetration test, the testing team reverse engineers the target environment. They identify what attacks would work best in that environment and they plan the series of attacks that would be needed to go from a position of low privilege to a position of high privilege without being seen. There is genuine hacking. They aren’t looking to find every vulnerability. Not every vulnerability is worth fixing. You don’t have the time to fix every vulnerability anyway. The team is just looking for the important vulnerabilities: the vulnerabilities that could be used by a hacker to get inside. You know that because they were used to get inside by your testing team. Because the vulnerabilities identified are exploited, none of the findings in a penetration test are false positives.

Implications

Spending so much time on the minor issues, the vulnerability testing team misses many more serious issues. Lacking the skill to execute them, they weren’t likely to find them anyway. FYI, penetration testing teams are generally much more skilled than a team performing a vulnerability test. So, with a vulnerability test, you generally end up with a lot of much lower quality findings.

With a penetration testing team, then, you are going to get many more serious issues because that is what they spend their time on. This is especially true given that they operate in stealth. Operating in stealth, they don’t encounter the same obstacles that a vulnerability testing team does, so they end up being more successful in their execution. They are essentially better at getting exploitation done because they are able to do so without interference, intended or otherwise. They get to the end of the road. They get the data! They prove how serious the findings are.

That being said, don’t be fooled by what may be a high or critical severity vulnerability on a vulnerability test report, even if the finding is genuine. The likelihood is generally much lower than they suspect, as most vulnerability testing teams get help. Without help, such as subnets and a list of applications, how would they know where to point their vulnerability scanners? The impact is generally much lower as well, because the vulnerability is not used to acquire anything like additional access or company data. That is true even if they attempt to exploit. They find it, validate it, and move on. That means that they are guessing at the impact, and they are likely to guess higher than it actually is. Bottom line, lower likelihood x lower impact means lower risk for those findings on that vulnerability test report. Also, don’t be fooled if the assessment is called a VAPT. It is still a vulnerability test.

Bottom line, companies in Thailand are probably paying a lot but not getting a lot in return. OK. That is it for this blog post. In the next blog post, we will show you what a difference a penetration test can make by comparing a vulnerability test that was run for a company against a penetration test that was run for that very same company. Hopefully, we’ll see you there.
