Basic IT security amiss at IRS

IG report finds software patch management is lacking at IRS -- a problem experts say is all too common in large organizations.

EmeSec CEO Maria Horton says basic security can be challenging for large organizations such as the IRS.

One federal agency is in the hot seat after an audit found that it had failed to take rudimentary steps to protect its 100,000 computers, but some experts say even the most basic IT security can present challenges for a sizable organization.

A new report from the Treasury Inspector General for Tax Administration (TIGTA) states that the Internal Revenue Service has failed to take an enterprisewide approach to installing and monitoring software patches to mitigate the security risks associated with known vulnerabilities. Specifically, IRS officials had not implemented key patch management policies and procedures or completed an inventory of its IT assets, an essential element of a patch management strategy.

The report found two main reasons why patches were not always installed: The automated approach used to install patches on Windows-based systems at times lacked valid connections to the systems requiring patching, and administrators believed manually patching numerous systems would be a labor-intensive process.

“I think it's shocking that something as basic as an enterprisewide patch management policy is not being done at the IRS,” said Jeffrey Carr, founder and CEO of IT security firm Taia Global. “That's one of the most basic cybersecurity housekeeping tasks that any responsible organization should do.”

Carr, who wrote “Inside Cyber Warfare: Mapping the Cyber Underworld,” said the IRS case demonstrates that the federal government “is incapable of protecting its own networks, let alone privately owned critical infrastructure.”

“Perhaps rather than trying to pass cybersecurity legislation that will accomplish next to nothing, Congress and the president should focus on putting their own house in order,” Carr said.

However, another expert said even a basic practice like patch management can be a laborious, challenging process for multiple reasons.

“The first challenge is that it is hard for organizations, particularly larger ones, to identify all the systems that need patching,” said Irving Lachow, director of the Program on U.S. National Security in the Information Age at the Center for a New American Security. “It seems like a very fundamental thing for an organization to know what systems they have on the network, but it’s actually very difficult to keep track because it’s a very dynamic process.”

Part of the problem is that the network’s boundaries have become porous. New devices are constantly being added to the network, Lachow said, and old devices are not always removed in a timely manner.

Furthermore, agencies often have to test patches before implementing them to ensure that they do not cause conflicts with other systems — a process that could take weeks or even months depending on the number of systems in need of testing, Lachow said.

“The longer you go with that testing process, the more positive you are that you’re not going to cause harm,” he said. “But the interval between when the patch was needed to the time it’s rolled out is a time of vulnerability.”
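The two findings above, an incomplete asset inventory and patch agents that had lost their connection to the systems needing patches, plus the exposure interval Lachow describes, can all be measured from data most organizations already have. The following Python script is an added illustration, not code from the TIGTA report or from the article: it reconciles a constructed inventory against constructed patch-agent check-in records (flagging hosts with no agent, hosts whose last connection is stale, and hosts reporting in but absent from the inventory) and computes the days each host spent exposed between a vendor's patch release and its installation. All hostnames, patch identifiers, dates, the seven-day staleness threshold and the 30-day patching SLA are assumptions made for the example.

```python
"""Reconcile an asset inventory against patch-agent check-ins and measure the
exposure window between a patch's release and its installation.
Added example with constructed data; not the IRS's or TIGTA's tooling."""
from datetime import datetime, timedelta

# Constructed asset inventory: hostname -> platform (assumed values).
INVENTORY = {
    "ws-001": "windows",
    "ws-002": "windows",
    "ws-003": "windows",
    "srv-010": "unix",
    "mf-001": "mainframe",
}

# Constructed patch-agent check-in log: hostname -> last successful connection
# to the patch server (ISO 8601). mf-001 has no agent record at all.
AGENT_CHECKINS = {
    "ws-001": "2012-03-20T08:00:00",
    "ws-002": "2012-02-01T08:00:00",   # agent lost its connection weeks ago
    "ws-003": "2012-03-20T06:30:00",
    "srv-010": "2012-03-19T22:00:00",
    "ws-099": "2012-03-20T07:00:00",   # reports in but is missing from inventory
}

# Constructed patch status: (host, patch id, vendor release date, install date or None).
PATCH_RECORDS = [
    ("ws-001", "KB-EXAMPLE-1", "2012-02-14", "2012-02-20"),
    ("ws-002", "KB-EXAMPLE-1", "2012-02-14", None),          # never installed
    ("ws-003", "KB-EXAMPLE-1", "2012-02-14", "2012-03-18"),  # installed late
    ("srv-010", "PATCH-EXAMPLE-2", "2012-01-10", "2012-01-15"),
]

# Fixed "current time" so the example is reproducible (assumed).
NOW = datetime.fromisoformat("2012-03-20T12:00:00")


def reconcile(inventory, checkins, now=NOW, max_age=timedelta(days=7)):
    """Compare the inventory with agent check-ins.

    Returns a dict with three sorted lists:
      no_agent - inventoried hosts that never connected to the patch server
      stale    - inventoried hosts whose last check-in is older than max_age
      unknown  - hosts reporting in that are absent from the inventory
    """
    result = {"no_agent": [], "stale": [], "unknown": []}
    for host in sorted(inventory):
        last = checkins.get(host)
        if last is None:
            result["no_agent"].append(host)
        elif now - datetime.fromisoformat(last) > max_age:
            result["stale"].append(host)
    result["unknown"] = sorted(set(checkins) - set(inventory))
    return result


def exposure_days(records, now=NOW):
    """Days each host spent exposed per patch: from vendor release to install,
    or up to `now` if the patch is still missing. Returns {(host, patch): days}."""
    out = {}
    for host, patch, released, installed in records:
        start = datetime.fromisoformat(released)
        end = datetime.fromisoformat(installed) if installed else now
        out[(host, patch)] = (end - start).days
    return out


def overdue(records, now=NOW, sla_days=30):
    """(host, patch, days) tuples whose exposure exceeds the SLA, worst first."""
    days = exposure_days(records, now)
    late = [(h, p, d) for (h, p), d in days.items() if d > sla_days]
    return sorted(late, key=lambda t: -t[2])


if __name__ == "__main__":
    gaps = reconcile(INVENTORY, AGENT_CHECKINS)
    print("no agent:", gaps["no_agent"])
    print("stale connection:", gaps["stale"])
    print("not in inventory:", gaps["unknown"])
    for host, patch, days in overdue(PATCH_RECORDS):
        print(f"{host} {patch}: {days} days exposed (SLA exceeded)")
```

In practice the inventory would come from a CMDB export and the check-ins from the patch server's own reporting; the value of the reconciliation is the three lists it produces, since a host that is on the network but not in the inventory, or in the inventory but not talking to the patch server, is exactly the machine an automated patch rollout silently skips.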

At an agency like the IRS, individual divisions have a mix of mainframe, Windows and Unix computers, which requires a tie-in across the agency to coordinate the patch management process, said Maria Horton, founder and CEO of IT security firm EmeSec.

“But as the report pointed out, it’s not just about patch management but the overall process of how can a large agency get funding and implementation in place,” she said. “I’m not saying there is a single point of failure. I think it’s complicated and complex to run all of that across the organization.”

TIGTA said the IRS should improve its patch installation and monitoring processes to ensure that patches are applied in a timely fashion and institute agencywide adoption of its standardized patch management program, among other recommendations.

However, even if the IRS achieved 100 percent compliance with its patch management policy, it should not be the agency’s only approach to cybersecurity, said Horton, who formerly served as CIO at the National Naval Medical Center.

“Patch management itself is not the only way people are being scammed, socialized or broken into so it’s not the only silver bullet,” she said.
