TIGTA: IRS routers need stronger security

The IRS did not put in place sufficiently strong access controls for its routers and did not monitor security configuration changes in order to identify inappropriate use, putting information about taxpayers at risk, the Treasury Inspector General for Tax Administration (TIGTA) said in a report released April 7. The IRS sends sensitive taxpayer and administration information across its networks, so routers on the networks must have adequate security controls to deter and detect unauthorized use. “A disgruntled employee, contractor or hacker could reconfigure routers and switches to disrupt computer operations and steal taxpayer information in a number of ways, including diverting information to unauthorized systems,” said Michael Phillips, TIGTA’s deputy inspector general for audit.. Of the 374 users that IRS managers authorized to have entry to the Terminal Access Controller Access Control System to administer and configure routers and switches, 38 percent did not have proper authorization, the report said. Of those, 27 employees and contractors had accessed the routers and switches to change security configurations, TIGTA said. Systems administrators had circumvented a security application for the system that requires a login and password by establishing 34 unauthorized accounts that appeared to be shared-user accounts. “Any person who knew the passwords to these accounts could change configurations without accountability and with little chance of detection,” Phillips said. During fiscal 2007, 84 percent of the 5.2 million accesses to the system were through the 34 accounts, and none were properly authorized. IRS’ Cybersecurity office, part of the agency's Modernization and Information Technology Services organization, did not conduct audit trail log reviews, which can reveal potential security events, such as hacking attempts, virus or worm infections and attempts to change information. Arthur Gonzalez, IRS chief information officer, said that the agency has improved the control and monitoring of routers and switches and would implement most of TIGTA’s recommendations by July. All 369 access control system users now have valid authorizations, and IRS provides the minimum level of permission for those users. IRS also has implemented configuration management and compliance initiatives to assure their appropriate maintenance and configuration, he said. “Our policy has always been to prohibit shared accounts and to require every user to have his or her own user ID and password with authorization,” Gonzalez said. In 2009, IRS will deploy a new CiscoWorks infrastructure that will reduce from 24 to six the number of service accounts, and likewise reduce the number of transactions from 5.2 million t