Basic IT security amiss at IRS

Maria Horton

EmeSec CEO Maria Horton says basic security can be challenging for large organizations such as the IRS.

One federal agency is in the hot seat after an audit found that it had failed to take rudimentary steps to protect its 100,000 computers, but some experts say even the most basic IT security can present challenges for a sizable organization.

A new report from the Treasury Inspector General for Tax Administration (TIGTA) states that the Internal Revenue Service has failed to take an enterprisewide approach to installing and monitoring software patches to mitigate the security risks associated with known vulnerabilities. Specifically, IRS officials had not implemented key patch management policies and procedures or completed an inventory of its IT assets, an essential element of a patch management strategy.

The report found two main reasons why patches were not always installed: The automated approach used to install patches on Windows-based systems at times lacked valid connections to the systems requiring patching, and administrators believed manually patching numerous systems would be a labor-intensive process.

“I think it's shocking that something as basic as an enterprisewide patch management policy is not being done at the IRS,” said Jeffrey Carr, founder and CEO of IT security firm Taia Global. “That's one of the most basic cybersecurity housekeeping tasks that any responsible organization should do.”

Carr, who wrote “Inside Cyber Warfare: Mapping the Cyber Underworld,” said the IRS case demonstrates that the federal government “is incapable of protecting its own networks, let alone privately owned critical infrastructure.”

“Perhaps rather than trying to pass cybersecurity legislation that will accomplish next to nothing, Congress and the president should focus on putting their own house in order,” Carr said.

However, another expert said even a basic practice like patch management can be a laborious, challenging process for multiple reasons.

“The first challenge is that it is hard for organizations, particularly larger ones, to identify all the systems that need patching,” said Irving Lachow, director of the Program on U.S. National Security in the Information Age at the Center for a New American Security. “It seems like a very fundamental thing for an organization to know what systems they have on the network, but it’s actually very difficult to keep track because it’s a very dynamic process.”

Part of the problem is that the network’s boundaries have become porous. New devices are constantly being added to the network, Lachow said, and old devices are not always removed in a timely manner.

Furthermore, agencies often have to test patches before implementing them to ensure that they do not cause conflicts with other systems — a process that could take weeks or even months depending on the number of systems in need of testing, Lachow said.

“The longer you go with that testing process, the more positive you are that you’re not going to cause harm,” he said. “But the interval between when the patch was needed to the time it’s rolled out is a time of vulnerability.”
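The two failure modes the article describes, a patching tool that cannot reach systems it does not know about (the report's finding) and an inventory that drifts as devices join and leave (Lachow's point), plus the exposure interval between patch release and rollout, can all be measured from data most shops already have. The following is an added example, not code from the report, the IRS or any vendor tool: it reconciles a constructed network-discovery host list against constructed patch-agent check-in records, flags hosts the agent never reaches, hosts whose agent has gone quiet, and stale inventory entries, and computes per-host exposure days for a hypothetical patch. All host names, dates and the `PATCH-A` identifier are constructed sample values.

```python
from datetime import date

# Constructed sample data (not from the report): hosts seen on the network
# by discovery (DHCP leases, scans) versus hosts known to the patch tool.
DISCOVERED_HOSTS = {"ws-0101", "ws-0102", "ws-0103", "srv-db-01", "srv-web-02"}

# Patch-tool records: host -> date of last successful agent check-in.
AGENT_CHECKINS = {
    "ws-0101": date(2012, 11, 1),
    "ws-0102": date(2012, 9, 15),    # agent stopped reporting weeks ago
    "srv-db-01": date(2012, 11, 2),
    "srv-old-07": date(2012, 11, 2),  # in the tool but no longer on the network
}

# Per-host install records: (patch id, vendor release date, install date or None).
INSTALLS = {
    "ws-0101": [("PATCH-A", date(2012, 10, 9), date(2012, 10, 16))],
    "ws-0102": [("PATCH-A", date(2012, 10, 9), None)],
    "srv-db-01": [("PATCH-A", date(2012, 10, 9), date(2012, 11, 1))],
}


def reconcile(discovered, checkins, as_of, stale_days=14):
    """Compare discovery against the patch tool's view of the estate.

    unmanaged: on the network but unknown to the patch tool, so the
               automated approach can never reach them
    stale:     known to the tool but silent for more than stale_days,
               so a "valid connection" no longer exists
    orphaned:  in the tool's inventory but absent from the network,
               inflating compliance numbers and hiding decommissioned gear
    """
    managed = set(checkins)
    unmanaged = discovered - managed
    stale = {h for h in discovered & managed
             if (as_of - checkins[h]).days > stale_days}
    orphaned = managed - discovered
    return unmanaged, stale, orphaned


def exposure_days(installs, as_of):
    """Days each host ran with a known vulnerability unpatched.

    Measured from vendor release to install; a still-missing patch is
    measured up to as_of and flagged as open.
    """
    out = {}
    for host, records in installs.items():
        for patch_id, released, installed in records:
            end = installed or as_of
            out[(host, patch_id)] = ((end - released).days, installed is None)
    return out


def report(as_of=date(2012, 11, 5)):
    """Single summary a patch-management owner could review each week."""
    unmanaged, stale, orphaned = reconcile(DISCOVERED_HOSTS, AGENT_CHECKINS, as_of)
    return {
        "unmanaged": sorted(unmanaged),
        "stale": sorted(stale),
        "orphaned": sorted(orphaned),
        "exposure": exposure_days(INSTALLS, as_of),
    }


if __name__ == "__main__":
    summary = report()
    for key in ("unmanaged", "stale", "orphaned"):
        print(f"{key:9s}: {', '.join(summary[key]) or '-'}")
    for (host, patch), (days, still_open) in sorted(summary["exposure"].items()):
        state = "OPEN" if still_open else "closed"
        print(f"{host} {patch}: {days} days exposed ({state})")
```

The useful output is the gap list, not the compliance percentage: a tool that reports 100 percent of the hosts it knows about says nothing about `ws-0103` and `srv-web-02`, which it has never seen, and the orphaned entry shows why the inventory has to be reconciled in both directions.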

At an agency like the IRS, individual divisions have a mix of mainframe, Windows and Unix computers, which requires a tie-in across the agency to coordinate the patch management process, said Maria Horton, founder and CEO of IT security firm EmeSec.

“But as the report pointed out, it’s not just about patch management but the overall process of how can a large agency get funding and implementation in place,” she said. “I’m not saying there is a single point of failure. I think it’s complicated and complex to run all of that across the organization.”

TIGTA said the IRS should improve its patch installation and monitoring processes to ensure that patches are applied in a timely fashion and institute agencywide adoption of its standardized patch management program, among other recommendations.

However, even if the IRS achieved 100 percent compliance with its patch management policy, it should not be the agency’s only approach to cybersecurity, said Horton, who formerly served as CIO at the National Naval Medical Center.

“Patch management itself is not the only way people are being scammed, socialized or broken into so it’s not the only silver bullet,” she said.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.

Reader comments

Mon, Nov 5, 2012 FedSecurityGuy

IRS gets the "privilege" of being micro-audited to death by TIGTA. If other agencies got audited even 25% as much as the TIGTA audits IRS, all Federal agencies would be drowning in doing nothing but responding to the never-ending stream of somewhat exaggerated audit reports that don't acknowledge the outstanding work IRS has accomplished over the past 9 years in securing its systems.

Mon, Nov 5, 2012

No surprise; the IRS is a Symantec ALTIRIS shop. It's a terrible patch management product on Windows OS and offers next to nothing for third party patching. It's always a combination of product and process, but if your product is subpar you're already at a significant disadvantage. Everyone is shooting for true continuous monitoring and the IRS is just not going to get there doing what they've always been doing.

Mon, Nov 5, 2012

The federal government IS capable of patching and keeping its systems up to date. Most do a very good job of it. The IRS has been notorious at not protecting systems. I know because I worked there for 5 years 16 years ago. That is why I won't e-file my taxes. They are better at protecting paper.
