TIGTA: IRS routers need stronger security

The IRS did not put in place sufficiently strong access controls for its routers and did not monitor security configuration changes in order to identify inappropriate use, putting information about taxpayers at risk, the Treasury Inspector General for Tax Administration (TIGTA) said in a report released April 7.

The IRS sends sensitive taxpayer and administration information across its networks, so routers on the networks must have adequate security controls to deter and detect unauthorized use.

“A disgruntled employee, contractor or hacker could reconfigure routers and switches to disrupt computer operations and steal taxpayer information in a number of ways, including diverting information to unauthorized systems,” said Michael Phillips, TIGTA’s deputy inspector general for audit..

Of the 374 users that IRS managers authorized to have entry to the Terminal Access Controller Access Control System to administer and configure routers and switches, 38 percent did not have proper authorization, the report said. Of those, 27 employees and contractors had accessed the routers and switches to change security configurations, TIGTA said. Systems administrators had circumvented a security application for the system that requires a login and password by establishing 34 unauthorized accounts that appeared to be shared-user accounts.

“Any person who knew the passwords to these accounts could change configurations without accountability and with little chance of detection,” Phillips said. During fiscal 2007, 84 percent of the 5.2 million accesses to the system were through the 34 accounts, and none were properly authorized.

IRS’ Cybersecurity office, part of the agency's Modernization and Information Technology Services organization, did not conduct audit trail log reviews, which can reveal potential security events, such as hacking attempts, virus or worm infections and attempts to change information.

Arthur Gonzalez, IRS chief information officer, said that the agency has improved the control and monitoring of routers and switches and would implement most of TIGTA’s recommendations by July. All 369 access control system users now have valid authorizations, and IRS provides the minimum level of permission for those users. IRS also has implemented configuration management and compliance initiatives to assure their appropriate maintenance and configuration, he said.

“Our policy has always been to prohibit shared accounts and to require every user to have his or her own user ID and password with authorization,” Gonzalez said.

In 2009, IRS will deploy a new CiscoWorks infrastructure that will reduce from 24 to six the number of service accounts, and likewise reduce the number of transactions from 5.2 million t

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.