IRS fails to scrutinize network activity properly, audit says

The tax agency set up an intrusion detection system but did not monitor logs to identify cyberattacks and vulnerabilities as set out in guidelines.

The Internal Revenue Service tightened the security of its computer network but failed to adequately save and review the records that could indicate whether hackers were trying to break into the agency's systems, according to a report released on Monday by the IRS inspector general.

The IRS deployed an effective intrusion detection system that monitors and tracks suspicious activity on its networks, the IG reported. The agency also developed appropriate access controls to ensure only authorized employees can view or download information on the network.

But the IRS failed to comply with its own guidelines for saving and reviewing the audit logs that show what traffic the agency's routers and firewalls had blocked or allowed into the network, according to the report. Each connection from the IRS network to the Internet uses firewalls, which serve as barriers to block unwanted data, and routers, which perform basic filtering before passing communications through to firewalls. Audit logs track these activities.

"Audit logging is critical . . . to detect potential security events such as hacking attempts and other malicious threats," the IG reported. The audit showed that "audit logs were not adequately saved and reviewed."

IRS guidelines require that someone other than the system or database administrator review audit logs to identify questionable network activities and to report security incidents. According to the report, the database administrator for routers, who was responsible for creating and assigning privilege levels for system administrator accounts, was the only person with access to the audit logs. The IG rated this arrangement, in which the administrator alone could review the logs, as a high risk.

The IG rated as a moderate risk the IRS's failure to comply with its own guidelines, or those set by the National Security Agency, requiring that firewall and router audit logs be saved to two separate servers to protect against unplanned loss of data.

Also rated as a moderate risk were inaccurate and inconsistent time stamps from the router and firewall clocks that record when specific network activities occur. This could prevent identification of coordinated attacks on Internet gateways and hamper subsequent criminal proceedings, the IG reported.
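To show why the clock inconsistency matters for detection, here is an added Python example (not from the IG report or any IRS tooling): it correlates deny events across two gateways from constructed log lines, and the same probe stops correlating once one device's clock is 37 minutes off. Device names, addresses and the log format are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the report): one source probes
# two Internet gateways, recorded by a firewall and a router.
SYNCED_LOGS = [
    "2020-05-04T10:15:02 fw-gw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=22",
    "2020-05-04T10:15:05 rtr-gw2 DENY src=203.0.113.7 dst=192.0.2.20 dport=22",
    "2020-05-04T11:40:00 fw-gw1 DENY src=198.51.100.4 dst=192.0.2.10 dport=445",
]

# The same events, but rtr-gw2's clock runs 37 minutes fast: the kind of
# inconsistency the audit flagged as a moderate risk.
SKEWED_LOGS = [
    SYNCED_LOGS[0],
    "2020-05-04T10:52:05 rtr-gw2 DENY src=203.0.113.7 dst=192.0.2.20 dport=22",
    SYNCED_LOGS[2],
]


def parse(line):
    """Split one constructed log line into a dict of its fields."""
    ts, device, action, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts), "device": device, "action": action, **fields}


def coordinated_sources(lines, window=timedelta(minutes=5)):
    """Return {source: [devices]} for sources denied at two or more distinct
    gateways within `window`. This cross-device correlation only works when
    the gateway clocks agree; skew pushes related events out of the window."""
    by_src = defaultdict(list)
    for event in map(parse, lines):
        if event["action"] == "DENY":
            by_src[event["src"]].append(event)
    hits = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            devices = {e["device"] for e in events[i:] if e["ts"] - first["ts"] <= window}
            if len(devices) >= 2:
                hits[src] = sorted(devices)
                break
    return hits


if __name__ == "__main__":
    print("synced:", coordinated_sources(SYNCED_LOGS))  # one coordinated source found
    print("skewed:", coordinated_sources(SKEWED_LOGS))  # same probe, nothing found
```

Keeping the clocks consistent (for example via a common time source) is what makes the synced result reproducible in practice; the skewed case is what the IG warned would hide a coordinated attack.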

Unnecessary services also were enabled on routers, but the IG redacted details about the services in the publicly released version of the report. The IG also blacked out the results of its evaluation of the security configurations of IRS firewalls, routers and remote devices. The report did note, however, that 32 local system administrators had mid-level and full system administrator privileges, which could introduce vulnerabilities if not properly managed.

"If passwords are compromised," the IG reported, "an unauthorized user could use accounts with high-level privileges to access routers and make changes to gain access to sensitive data on the IRS network."

In response to the report, the IRS said it had assigned independent review of audit logs for routers and firewalls to the associate chief information officer for cybersecurity, configured all gateway firewalls and routers to use appropriate time stamps, and developed procedures for ensuring that standard security configurations are installed consistently. By February, the agency also will implement procedures for saving audit log data from firewalls and routers to backup servers.