By Matthew Weigelt
Aug. 10, 2006
A recent audit found inappropriate e-mail, including pornography, on
more than half of Internal Revenue Service employees' computers,
according to a report from the Treasury Inspector General For Tax
Administration. The audit also uncovered security holes in many of the
agency's e-mail servers.
The IG reviewed 96 IRS employees' electronic mailboxes and found that
71 had messages violating the agency's personal use policy, according
to the July 31 report . The inspectors found chain letters, jokes,
offensive content and sexually explicit content. The report said 74
percent of employees have such prohibited e-mail messages on their
Such content is often used to lure people into opening e-mail messages
that contain viruses and other malicious software.
The risk of computer viruses had earlier prompted the IRS to issue a
personal-use policy for e-mail. The agency also gave employees
awareness training on the policy's importance.
"While these efforts established a good foundation for e-mail
security, employees are not following the IRS' personal e-mail use
policy," the IG's report states.
The IG recommended monitoring e-mail message content, which could lead
to more employees being disciplined for abusing their privileges.
Systems administrators should be held accountable for ensuring that
only authorized computers are allowed to perform as e-mail servers,
the report recommends.
Moreover, the IRS' chief information officer should make sure that
technology employees follow existing procedures for installing
security updates and patches on all e-mail servers.
The IRS maintains 228 authorized e-mail servers. The IG's office
evaluated security on 28 servers and found 687 vulnerabilities.
"People can exploit security vulnerabilities to shut down the servers
and disrupt e-mail service or to use the servers to access or attack
other computers in the network, which could disrupt other critical
operations in the IRS," the report states.
The report also recommends that the IRS cut down on the number of
e-mail servers. The audit found an additional 4,913 IP addresses
linked to devices that had been configured to operate as unauthorized
e-mail servers. Messages entering through such servers skirt the
security screening that identifies malicious software.
Visit the InfoSec News store!