By Mary Mosquera
April 8, 2008
The IRS did not put in place sufficiently strong access controls for its
routers and did not monitor security configuration changes in order to
identify inappropriate use, putting information about taxpayers at risk,
the Treasury Inspector General for Tax Administration (TIGTA) said in a
report released April 7.
The IRS sends sensitive taxpayer and administration information across
its networks, so routers on the networks must have adequate security
controls to deter and detect unauthorized use.
"A disgruntled employee, contractor or hacker could reconfigure routers
and switches to disrupt computer operations and steal taxpayer
information in a number of ways, including diverting information to
unauthorized systems," said Michael Phillips, TIGTA's deputy inspector
general for audit.
Of the 374 users that IRS managers authorized to have entry to the
Terminal Access Controller Access Control System to administer and
configure routers and switches, 38 percent did not have proper
authorization, the report said. Of those, 27 employees and contractors
had accessed the routers and switches to change security configurations,
TIGTA said. Systems administrators had circumvented a security
application for the system that requires a login and password by
establishing 34 unauthorized accounts that appeared to be shared-user
"Any person who knew the passwords to these accounts could change
configurations without accountability and with little chance of
detection," Phillips said. During fiscal 2007, 84 percent of the 5.2
million accesses to the system were through the 34 accounts, and none
were properly authorized.
IRS' Cybersecurity office, part of the agency's Modernization and
Information Technology Services organization, did not conduct audit
trail log reviews, which can reveal potential security events, such as
hacking attempts, virus or worm infections and attempts to change
Arthur Gonzalez, IRS chief information officer, said that the agency has
improved the control and monitoring of routers and switches and would
implement most of TIGTA's recommendations by July. All 369 access
control system users now have valid authorizations, and IRS provides the
minimum level of permission for those users. IRS also has implemented
configuration management and compliance initiatives to assure their
appropriate maintenance and configuration, he said.
"Our policy has always been to prohibit shared accounts and to require
every user to have his or her own user ID and password with
authorization," Gonzalez said.
In 2009, IRS will deploy a new CiscoWorks infrastructure that will
reduce from 24 to six the number of service accounts, and likewise
reduce the number of transactions from 5.2 million.