In a survey of IT professionals, nearly 10 percent admitted cheating to pass a firewall audit. But what is called cheating may be the result of a lack of time or resources more so than malicious intent.
Cheating on a firewall audit can be tempting. So much so that
roughly 1 in 10 IT pros surveyed by firewall management vendor
Tufin Technologies admitted to cutting corners to get an audit passed.
The results of the latest survey
which included responses from 242 IT pros that were mostly from
organizations with 1,000 to 5,000 or more employees, is actually an
improvement compared to last year's study
, which found twice as many had cheated. Those who cheated cited a lack of time and resources as the main reasons.
"Of the 10 percent who admitted to cheating on an audit, half of them cited time restraints and 22 percent cited resource constraints
explained Shaul Efraim, vice president of products, marketing and
business development at Tufin. "Eleven percent cited that they didn't
see the point of doing the audit and 11 percent had other reasons which
they didn't elaborate on."
But the complexity of firewall audits
means "cheating" may not necessarily be the right word, Forrester Research analyst John Kindervag said.
"There are many inherent challenges to firewall auditing," he said.
"How would a firewall engineer be able to handle a rule base of
hundreds, if not thousands, of rules? How would they know which
rules are needed and which are not...I doubt that these people actually
cheated. I suspect they did the best they could with the time and
information and tools that they had and then said they did an audit,
although they knew that their audit was very incomplete."
Similarly, Gartner analyst Greg Young said the 10 percent figure
seems pessimistic for having to deal with exceptions and brush them
under the carpet knowing they may fall outside the norm but are either
an accepted or necessary risk or something that looks risky but isn't.
"As for actual cheating in order to slip something past the auditors
or management for evil purposes, I think that is pretty rare and not
(one in 10)," he said. "Motivation is everything - if it is an MSSP or
contractor I would say they let a lot more slip by as well or claim a
According to the survey, 31 percent of the respondents audit their
firewalls annually, and seven percent said they never do. More than
one-third (36 percent) admitted their firewall rule bases are a mess,
increasing their susceptibility to hackers, network crashes and
"If you have had a firewall in place for 10 years, it is more likely
than not that you have been adding rules on a regular basis but not
deleting them out of fear the one rule they delete will cause a
business continuity issue," Efraim said. "As a result, rule bases
become bloated with hundreds to thousands of rules...(auditing) can be a
real needle-in-a-haystack endeavor that can be virtually impossible to
pinpoint without automation."