Cheating on a firewall audit can be tempting. So much so that roughly 1 in 10 IT pros surveyed by firewall management vendor Tufin Technologies admitted to cutting corners to get an audit passed.
The results of the latest survey (PDF), which included responses from 242 IT pros that were mostly from organizations with 1,000 to 5,000 or more employees, is actually an improvement compared to last year’s study, which found twice as many had cheated. Those who cheated cited a lack of time and resources as the main reasons.
“Of the 10 percent who admitted to cheating on an audit, half of them cited time restraints and 22 percent cited resource constraints,” explained Shaul Efraim, vice president of products, marketing and business development at Tufin. “Eleven percent cited that they didn’t see the point of doing the audit and 11 percent had other reasons which they didn’t elaborate on.”
But the complexity of firewall audits means “cheating” may not necessarily be the right word, Forrester Research analyst John Kindervag said.
“There are many inherent challenges to firewall auditing,” he said. “How would a firewall engineer be able to handle a rule base of hundreds, if not thousands, of rules? How would they know which rules are needed and which are not…I doubt that these people actually cheated. I suspect they did the best they could with the time and information and tools that they had and then said they did an audit, although they knew that their audit was very incomplete.”
Similarly, Gartner analyst Greg Young said the 10 percent figure seems pessimistic for having to deal with exceptions and brush them under the carpet knowing they may fall outside the norm but are either an accepted or necessary risk or something that looks risky but isn’t.
“As for actual cheating in order to slip something past the auditors or management for evil purposes, I think that is pretty rare and not (one in 10),” he said. “Motivation is everything – if it is an MSSP or contractor I would say they let a lot more slip by as well or claim a rosier picture.”
According to the survey, 31 percent of the respondents audit their firewalls annually, and seven percent said they never do. More than one-third (36 percent) admitted their firewall rule bases are a mess, increasing their susceptibility to hackers, network crashes and compliance violations.
“If you have had a firewall in place for 10 years, it is more likely than not that you have been adding rules on a regular basis but not deleting them out of fear the one rule they delete will cause a business continuity issue,” Efraim said. “As a result, rule bases become bloated with hundreds to thousands of rules…(auditing) can be a real needle-in-a-haystack endeavor that can be virtually impossible to pinpoint without automation.”