TIGTA: IRS routers need stronger security

The IRS did not put in place sufficiently strong access controls for its routers and did not monitor security configuration changes in order to identify inappropriate use, putting information about taxpayers at risk, the Treasury Inspector General for Tax Administration (TIGTA) said in a report released April 7.

The IRS sends sensitive taxpayer and administration information across its networks, so routers on the networks must have adequate security controls to deter and detect unauthorized use.

“A disgruntled employee, contractor or hacker could reconfigure routers and switches to disrupt computer operations and steal taxpayer information in a number of ways, including diverting information to unauthorized systems,” said Michael Phillips, TIGTA’s deputy inspector general for audit.

Of the 374 users that IRS managers authorized to have entry to the Terminal Access Controller Access Control System to administer and configure routers and switches, 38 percent did not have proper authorization, the report said. Of those, 27 employees and contractors had accessed the routers and switches to change security configurations, TIGTA said. Systems administrators had circumvented a security application for the system that requires a login and password by establishing 34 unauthorized accounts that appeared to be shared-user accounts.

“Any person who knew the passwords to these accounts could change configurations without accountability and with little chance of detection,” Phillips said. During fiscal 2007, 84 percent of the 5.2 million accesses to the system were through the 34 accounts, and none were properly authorized.

IRS’ Cybersecurity office, part of the agency's Modernization and Information Technology Services organization, did not conduct audit trail log reviews, which can reveal potential security events, such as hacking attempts, virus or worm infections and attempts to change information.

Arthur Gonzalez, IRS chief information officer, said that the agency has improved the control and monitoring of routers and switches and would implement most of TIGTA’s recommendations by July. All 369 access control system users now have valid authorizations, and IRS provides the minimum level of permission for those users. IRS also has implemented configuration management and compliance initiatives to assure their appropriate maintenance and configuration, he said.

“Our policy has always been to prohibit shared accounts and to require every user to have his or her own user ID and password with authorization,” Gonzalez said.

In 2009, IRS will deploy a new CiscoWorks infrastructure that will reduce from 24 to six the number of service accounts, and likewise reduce the number of transactions from 5.2 million t

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
