In the heavy tax season, when billions of dollars and tons of personal information are relayed to and from the government, it is all the more disconcerting to hear that the Internal Revenue Service is still struggling to keep private information secure.
A report out today from watchdogs at the Government Accountability Office says about 69% of the tax agency's previously noted security flaws remain unfixed and continue to jeopardize the confidentiality, integrity, and availability of IRS's systems. The problems put the IRS at increased risk of unauthorized disclosure, modification, or destruction of financial and taxpayer information, the GAO concluded.
For example, the GAO stated that the IRS continues to:
- use passwords that are not complex,
- ineffectively remove application accounts in a timely manner for separated employees,
- allow personnel excessive file and directory permissions,
- allow the unencrypted transmission of user and administrator login information,
- install security patches in an untimely manner.
More specifically, the GAO says the IRS did not always enforce strong identification and authentication. For example, administrator passwords for two servers located at one IRS center were not set to comply with IRS's password age policy. In both instances the administrator password age was set to 118 days, which exceeded IRS's requirement (a 60-day maximum) by 58 days. Consequently, the GAO stated, a compromised administrator password stays usable by unauthorized users for that much longer, increasing the risk of unauthorized access to server resources.
IRS employees continued to use weak passwords for UNIX systems at two centers and stored clear text passwords in computer program scripts at another center, the GAO found. Further, the IRS did not sufficiently protect passwords during transmission. For example, the IRS implemented weak authentication protocols for network logons. Ten servers, including domain controllers, located at five sites, were configured to accept an authentication protocol that was vulnerable to widely published attacks for obtaining user passwords. As a result, increased risk exists that malicious individuals could capture user passwords and use them to gain unauthorized access to IRS systems, the GAO stated.
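Two of those findings, the password-age settings and the clear-text passwords in scripts, lend themselves to a simple audit. The Python below is an added example, not code from the GAO report, the IRS or this article. It assumes accounts are described by /etc/shadow-style records (field 5 is the maximum password age in days), takes the policy ceiling as 60 days (the 118-day setting exceeded policy by 58), and runs over constructed sample records and script fragments whose hashes and credentials are made up.

```python
import re

# Policy ceiling derived from the article: 118 days exceeded the requirement
# by 58 days, so the maximum allowed password age is 60 days (assumption that
# the policy is expressed as a maximum age in days).
POLICY_MAX_AGE_DAYS = 60

# Constructed /etc/shadow-style records; the hashes are placeholders, not real.
# Field 5 is the maximum number of days a password may be used.
SAMPLE_SHADOW = """\
root:$6$placeholder$hash:18000:0:60:7:::
admin:$6$placeholder$hash:18000:0:118:7:::
backup:$6$placeholder$hash:18000:0:118:7:::
svcacct:$6$placeholder$hash:18000:0:99999:7:::
nobody:*:18000:0:99999:7:::
"""

def password_age_violations(shadow_text, max_age=POLICY_MAX_AGE_DAYS):
    """Return (user, configured_max_age, days_over_policy) for each usable
    account whose maximum password age exceeds policy. Locked accounts
    (hash beginning with '*' or '!') are skipped: nobody can log in with them."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, pw_hash, max_days = fields[0], fields[1], fields[4]
        if pw_hash.startswith(("*", "!")):
            continue
        configured = int(max_days) if max_days else 99999  # empty = never expires
        if configured > max_age:
            findings.append((user, configured, configured - max_age))
    return findings

# Constructed script fragments of the kind the report describes (clear-text
# passwords stored in program scripts). All credentials are made up.
SAMPLE_SCRIPTS = {
    "nightly_backup.sh": 'PASSWORD="Summer2009!"\nsqlplus scott/tiger@prod < load.sql\n',
    "rotate_logs.sh": 'LOGDIR=/var/log/app\nfind "$LOGDIR" -mtime +7 -delete\n',
    "sync.py": "conn = connect(user='admin', password='p@ssw0rd')\n"
               "PASSWORD = os.environ['DB_PASSWORD']\n",
}

CREDENTIAL_PATTERNS = [
    # password/passwd/pwd assigned a literal; values taken from a shell
    # variable ($X) or the environment (os.environ) are deliberately not flagged.
    re.compile(r"""(?i)\b(pass(?:word|wd)?|pwd)\s*=\s*['"]?(?!\$|os\.environ)([^\s'"]+)"""),
    # user/password@service, the Oracle sqlplus command-line convention
    re.compile(r"\b\w+/([^\s@]+)@\w+"),
]

def find_cleartext_passwords(scripts):
    """Return (filename, line_number) for every script line that appears to
    carry a literal credential. One hit per line, whichever pattern fires."""
    hits = []
    for name, text in scripts.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if any(p.search(line) for p in CREDENTIAL_PATTERNS):
                hits.append((name, lineno))
    return hits

if __name__ == "__main__":
    for user, configured, over in password_age_violations(SAMPLE_SHADOW):
        print(f"{user}: max age {configured} days, {over} days over policy")
    for name, lineno in find_cleartext_passwords(SAMPLE_SCRIPTS):
        print(f"{name}:{lineno}: literal credential")
```

Against the sample data the first check reports admin, backup and svcacct (the last because 99999 is the conventional "never expires" value), and the second flags the two lines in the backup script and the connect() call in sync.py while leaving the environment-variable lookup alone. Both are heuristics: the credential patterns will miss passwords passed through other names and can be fooled by URLs of the form user/pass@host, so treat hits as a list to review rather than a verdict.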
The IRS also configured routers to use protocols that allow unencrypted transmission of sensitive information. For example, 18 routers the GAO reviewed at the three computing centers used a protocol that was configured to authenticate information using plain text. In addition, the IRS did not use encryption for routing table messages on six routers at two of the centers. Protecting routing table messages helps prevent someone from purposely or accidentally adding an unauthorized router to the network and either corrupting routing tables or launching a denial of service attack, the GAO stated.
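The report does not name the routing protocol or the router vendor. As an added example (not code from the GAO, the IRS or this article), the Python below assumes OSPF on a Cisco IOS-style configuration, where `ip ospf authentication` by itself sends the key in clear text in every hello (the plain-text authentication the GAO describes) and `ip ospf authentication message-digest` attaches a keyed MD5 digest to every routing packet. Note that the control here is per-packet authentication rather than encryption of the routing messages: it is the digest that stops an unauthorized router from being accepted as a neighbor. The configuration is constructed and the type-7 strings in it are placeholders.

```python
import re
from ipaddress import IPv4Address

# Constructed Cisco IOS-style configuration (assumed format; the report does not
# say which platform the 18 routers ran). The type-7 strings are placeholders.
SAMPLE_CONFIG = """\
hostname core-rtr-1
!
interface GigabitEthernet0/0
 ip address 10.1.0.1 255.255.255.0
 ip ospf message-digest-key 1 md5 7 104D000A0618
 ip ospf authentication message-digest
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip ospf authentication-key 7 094F471A1A0A
 ip ospf authentication
!
interface GigabitEthernet0/2
 ip address 10.1.2.1 255.255.255.0
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
!
"""

def _in_network(ip, network, wildcard):
    """Cisco wildcard-mask match: bits set in the wildcard are 'don't care'."""
    ip_i, net_i, wc_i = (int(IPv4Address(x)) for x in (ip, network, wildcard))
    return (ip_i | wc_i) == (net_i | wc_i)

def parse_ios_config(text):
    """Return (interfaces, ospf): interfaces maps name -> {'ip', 'lines'};
    ospf holds the 'network ... area' statements and any area-wide
    authentication setting ('area N authentication [message-digest]')."""
    interfaces, ospf = {}, {"networks": [], "area_auth": {}}
    block = name = None
    for raw in text.splitlines():
        if not raw.startswith(" "):                 # top-level stanza header
            m = re.match(r"interface (\S+)", raw)
            if m:
                name, block = m.group(1), "interface"
                interfaces[name] = {"ip": None, "lines": []}
            else:
                block = "ospf" if re.match(r"router ospf \d+", raw) else None
            continue
        cmd = raw.strip()
        if block == "interface":
            m = re.match(r"ip address (\S+) \S+", cmd)
            if m:
                interfaces[name]["ip"] = m.group(1)
            interfaces[name]["lines"].append(cmd)
        elif block == "ospf":
            m = re.match(r"network (\S+) (\S+) area (\S+)", cmd)
            if m:
                ospf["networks"].append(m.groups())
            m = re.match(r"area (\S+) authentication( message-digest)?$", cmd)
            if m:
                ospf["area_auth"][m.group(1)] = "md5" if m.group(2) else "plaintext"
    return interfaces, ospf

def ospf_auth_mode(iface, ospf):
    """'md5' (keyed digest on every packet), 'plaintext' (key sent in the
    clear in every hello) or 'none'. Interface commands override the area."""
    lines = iface["lines"]
    if "ip ospf authentication message-digest" in lines:
        return "md5"
    if "ip ospf authentication null" in lines:
        return "none"
    if "ip ospf authentication" in lines:
        return "plaintext"
    area = next(a for n, w, a in ospf["networks"] if _in_network(iface["ip"], n, w))
    return ospf["area_auth"].get(area, "none")

def audit_routing_auth(config_text):
    """Map each interface that OSPF runs on to its authentication mode.
    Anything other than 'md5' is a finding of the kind the report describes."""
    interfaces, ospf = parse_ios_config(config_text)
    result = {}
    for name, iface in interfaces.items():
        if iface["ip"] and any(_in_network(iface["ip"], n, w) for n, w, _ in ospf["networks"]):
            result[name] = ospf_auth_mode(iface, ospf)
    return result

if __name__ == "__main__":
    for name, mode in audit_routing_auth(SAMPLE_CONFIG).items():
        print(f"{name}: {mode}" + ("" if mode == "md5" else "  <-- finding"))
```

On the sample configuration GigabitEthernet0/0 passes, GigabitEthernet0/1 is flagged for plain-text authentication and GigabitEthernet0/2 for none; Loopback0 is ignored because its address is outside the advertised network. The audit only understands `network ... area` statements and interface-level or area-level authentication commands, so configurations that enable OSPF per interface (`ip ospf 1 area 0`) or use key chains need a few more patterns. MD5 is the baseline the example checks for; where the platform supports RFC 5709 HMAC-SHA authentication for OSPFv2, that is the stronger choice.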
The GAO report wasn't all doom and gloom though. It noted that the IRS has corrected 28 security control weaknesses previously identified by the GAO and continues to work on other information security weaknesses at its three computing centers. In commenting on a draft of the GAO report, the IRS agreed to develop a detailed corrective action plan addressing each of the GAO's points.
The GAO acknowledged the IRS's daunting tasks in collecting taxes, processing tax returns, and enforcing the nation's tax laws, and said the agency relies extensively on computerized systems to support its financial and mission-related operations. The IRS collected about $2.7 trillion in tax payments in fiscal years 2008 and 2007; processed hundreds of millions of tax and information returns; and paid about $426 billion and $292 billion, respectively, in refunds to taxpayers.
Follow Michael Cooney on Twitter: nwwlayer8