Auditor IRS must review network audit logs
The Internal Revenue Service should bolster network and information
security by improving how it manages audit logs, the Treasury Inspector
General for Tax Administration said.
TIGTA made the
recommendation while acknowledging that the agency has effectively
deployed systems to detect network intrusions at Internet gateways.
logs record who accessed a computer system, what operations they
performed and when, TIGTA said in a report released today. The auditor
redacted portions of the report.
The IRS did not properly save
and review its audit logs, which increased the likelihood that
intruders could use the Internet to gain access to sensitive taxpayer
data without detection, the report states.
Auditing system logs
is essential for detecting potential security events, such as hacking
attempts and other threats, said Michael Phillips, TIGTA’s deputy
inspector general for audit. Proper management of audit logs ensures
that operations performed on a system can be traced back to an
individual at a specific time, he added.
To minimize the risk to
taxpayer data, the IRS has consolidated about 95 percent of its
Internet traffic into a limited number of gateways, the report states,
although TIGTA redacted the number of external connections. The Office
of Management and Budget has directed all agencies to reduce the number
of gateways they have under the Trusted Internet Connections initiative.
IRS uses firewalls, routers and intrusion-detection systems for each of
its Internet gateways to make sure that only authorized traffic passes
through, the report states.
Although the agency effectively
operated the access controls, TIGTA recommended that the IRS Enterprise
Networks organization establish and regularly test security
configurations on firewalls and routers.
administrators should configure the firewalls and routers to prevent
unauthorized traffic from gaining access to the IRS internal network,”
Based on TIGTA’s recommendations, Arthur Gonzalez, IRS’ chief information officer, said he would:
• Make sure the IRS conducts an independent review of the audit logs for routers and firewalls.
• Implement a redundant audit log collection system for firewall and router events.
• Use an automated security application to conduct biweekly tests of routers and firewalls.
IRS has already configured audit logs to use Coordinated Universal Time
for time stamps and correlate security events across devices regardless
of their physical location, Gonzalez said.
Mary Mosquera is a reporter for Federal Computer Week.