The country’s Internal Revenue Service has some work to do – and not just because it’s tax season.
According to a recent report from the Government Accountability Office, the IRS has corrected only about a third of the 89 security problems the GAO found in an audit of the agency in fiscal 2008. Among the ongoing problems are weak password and access management, and a lack of logging and activity monitoring. The agency also failed to always “physically protect its computer resources.”
The problem with passwords is nothing new, and is a reoccurring theme on security blogs (see here and here). Notably however, the IRS has made some progress in this area.
According to the report, the agency has made an effort to avoid storing password information in the clear and changing vendor-supplied user accounts and passwords. The practice of using weak passwords, however, has unfortunately continued, the GOA found.
“The combination of identification and authentication–such as user account/password combinations–provides the basis for establishing individual accountability and for controlling access to the system,” the report reads. “According to the Internal Revenue Manual, maximum password age should be 60 days for administrator accounts … [but] administrator passwords for two servers located at one center were not set to comply with IRS’s password age policy. In both instances the administrator password age was set to 118 days, which exceeded IRS’s requirement by 58 days.”
Then there was the area of user account management. The agency gave employees access levels they did not need. For example, about 120 IRS employees had access to key documents such as cost data for input to its administrative accounting system and a critical process-control spreadsheet used in the agency’s cost allocation process. Fewer than 10 employees actually needed this information, the GAO reported.
Such user account management issues are not uncommon among enterprises struggling with issues such as overburden IT departments, frequently changing job roles and lack of automated access management tools, noted Paul Smith, president and CEO of PacketMotion.
“To maximize productivity and avoid work interruptions, users are typically granted broad access across multiple systems and data centers,” he said. “Without some type of automated activity management tool, it becomes next to impossible to keep pace with which employees have access to what, changing job roles and departures from the company.
“While user access auditing needs to be done in accord with internal and external policies and regulations, it should be done once per quarter at the minimum and more often if resources allow,” he said.
The good news for the IRS is that the GAO left it with some recommendations. For starters, ensure contractors receive security awareness training within their first 10 working days. In addition, the GAO suggested the agency implement policies for more securely configuring routers to encrypt network traffic, configuring switches to defend against attacks that could crash the network and notifying its Computer Security Incident Response Center of network changes that could affect its ability to detect unauthorized access.
The report goes into greater detail about what the GAO uncovered and is available here (PDF).