IRS failed to adequately protect its networks, IG reports
Security lapses with routers and switches left taxpayer information open to possible access.
The Internal Revenue Service failed to adequately protect its routers and switches, and may have put sensitive taxpayer information at risk of being accessed by unauthorized workers or hackers, according to a March 26 report released today by the agency's inspector general.
The Terminal Access Controller Access Control System, which the IRS uses to administer and configure routers and switches, was not properly configured to prevent unauthorized access, according to the report. The IRS had authorized 374 accounts, used by agency employees and contractors, to access routers and switches, and of those, 141 did not have proper authorization to access the system.
Another 86 accounts had expired by the time of the review, and the inspector general could not find evidence that another 55 accounts had ever been authorized. These 55 accounts are of particular concern, as 27 had been used to access the routers and switches to change security configurations.
"Because the IRS sends sensitive taxpayer and administrative information across its networks, routers on the networks have to have sufficient security controls to deter and detect unauthorized use," wrote Michael R. Phillips, deputy inspector general of audit at the Office of the Treasury Inspector General for Tax Administration. "Access controls for IRS routers were not adequate, and reviews to monitor security configuration changes were not conducted to identify inappropriate use."
The IRS Enterprise Network is responsible for installing, operating and maintaining routers and switches for most of the IRS. According to the report, the IRS failed to properly configure and monitor the access controls by using the terminal system, which requires each user to enter a unique account name and password. Administrators were able to circumvent the requirement by setting up 34 unauthorized accounts that appeared to be shared-user accounts. "Any person who knew the passwords to these accounts could change configurations without accountability and with little chance of detection," the IG concluded.
The IRS requires that shared-user accounts be used only on a limited basis and be subjected to special authorization controls, the IG noted. But during fiscal 2007, 84 percent of the 5.2 million accesses to the terminal system were made using the 34 unauthorized accounts.
The report also noted that reviewing audit trails was necessary to detect unauthorized access, hacking, worms or viruses. An audit trail is a chronological record of activities that allows information security managers to reconstruct, review and examine a transaction from inception to final result. Audit trails can be used to detect unauthorized accesses to computer systems. According to the report, audit trail log reviews were not being conducted by the cybersecurity office and only a limited number of audit trails for the IRS routers and switches were being reviewed.
"Protecting taxpayer data is our top priority," the IRS wrote in reply to a request for comment. "We have taken a number of steps to improve the control and monitoring of routers and switches. The IRS emphasizes it is not aware that any taxpayer data has been compromised due to a security breach. We continue to work to improve our security capabilities of our technology assets, and we have extensive intrusion-monitoring capabilities to watch for potential breaches."
The IG recommended that the IRS chief information officer ensure that only authorized employees have access to the terminal system and configure the system to prevent employees and contractors from gaining access to routers and switches if they haven't used the system in 90 days. In addition, IT managers should eliminate unnecessary shared accounts and make sure that each account is properly authorized.
IRS administrators have begun examining the terminal system's user accounts and said inactive accounts are locked after 45 days of inactivity and removed after 90 days. The agency generally concurred with the report's recommendations.