TIGTA: IRS routers need stronger security

The IRS did not put in place sufficiently strong access controls for its routers and did not monitor security configuration changes in order to identify inappropriate use, putting information about taxpayers at risk, the Treasury Inspector General for Tax Administration (TIGTA) said in a report released April 7.

The IRS sends sensitive taxpayer and administration information across its networks, so routers on the networks must have adequate security controls to deter and detect unauthorized use.

“A disgruntled employee, contractor or hacker could reconfigure routers and switches to disrupt computer operations and steal taxpayer information in a number of ways, including diverting information to unauthorized systems,” said Michael Phillips, TIGTA’s deputy inspector general for audit..

Of the 374 users that IRS managers authorized to have entry to the Terminal Access Controller Access Control System to administer and configure routers and switches, 38 percent did not have proper authorization, the report said. Of those, 27 employees and contractors had accessed the routers and switches to change security configurations, TIGTA said. Systems administrators had circumvented a security application for the system that requires a login and password by establishing 34 unauthorized accounts that appeared to be shared-user accounts.

“Any person who knew the passwords to these accounts could change configurations without accountability and with little chance of detection,” Phillips said. During fiscal 2007, 84 percent of the 5.2 million accesses to the system were through the 34 accounts, and none were properly authorized.

IRS’ Cybersecurity office, part of the agency's Modernization and Information Technology Services organization, did not conduct audit trail log reviews, which can reveal potential security events, such as hacking attempts, virus or worm infections and attempts to change information.

Arthur Gonzalez, IRS chief information officer, said that the agency has improved the control and monitoring of routers and switches and would implement most of TIGTA’s recommendations by July. All 369 access control system users now have valid authorizations, and IRS provides the minimum level of permission for those users. IRS also has implemented configuration management and compliance initiatives to assure their appropriate maintenance and configuration, he said.

“Our policy has always been to prohibit shared accounts and to require every user to have his or her own user ID and password with authorization,” Gonzalez said.

In 2009, IRS will deploy a new CiscoWorks infrastructure that will reduce from 24 to six the number of service accounts, and likewise reduce the number of transactions from 5.2 million t

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.

Featured

  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group