By Daniel Pulliam
dpulliam (at) govexec.com
April 17, 2007
The Internal Revenue Service has jeopardized sensitive taxpayer
information by failing to lock down its wireless networks, according to
an audit report released Tuesday.
The report from the Treasury Inspector General for Tax Administration
cited weaknesses similar to those described in a 2003 assessment.
In that report, auditors found unauthorized wireless devices directly
connected to an IRS-wide network. They recommended that the agency issue
policies and procedures for the use of wireless technology and scan for
unauthorized networks and devices.
But an inspection of 20 IRS buildings in 10 cities in 2006 found at
least one unauthorized wireless network and strong indications of three
others, according to the report. While the unauthorized network was not
directly connected to the agencywide network, anyone with a wireless
detection tool could pick up the signal and gain access to a computer
connected to it, auditors found.
In addition, an improperly configured agency computer connected to the
wireless network could give a hacker access to the agencywide network,
the report stated.
According to the IG, the IRS is trying with limited success "to detect
unauthorized access points on an ad hoc basis." As of May 2006, the
agency had scanned less than 6 percent of all locations and had
concentrated its efforts in the Washington and Baltimore regions.
"We believe this scanning is of limited value, considering wireless
access points can be set up easily anywhere in the nation and can place
the confidentiality of the data at risk," the report stated.
The agency has one authorized wireless network - the Enterprise
Logistics Information Technology network -- in Bloomington, Ill. This
network receives, stores and distributes IRS publications; agency
officials consider it a low security risk.
But a penetration test conducted by the IRS' Computer Security Incident
Response Center identified that one wireless access point to that
network had an improper security configuration and that security devices
were not in place to detect attacks, the auditors said.
While the IRS fixed the problems, its Enterprise Networks Division has
yet to install the necessary software to monitor the configurations of
the other wireless devices connected to the network, according to the
The IRS agreed with the audit recommendations, which included using
tools to scan the entire agency network for unapproved wireless devices
and giving employees periodic advice on the risks of using wireless
(c) 2007 by National Journal Group Inc. All rights reserved.
Subscribe to InfoSec News