
GAO finds more security problems in the Treasury Department

The IRS is at fault again, as is the agency protecting the U.S. financial system

By Tim Greene, Network World
February 04, 2009 02:21 PM ET

Data used to fight money-laundering and funding for terrorists is at risk because of significant security weaknesses within the networks used by a crime-fighting arm of the U.S. Treasury Department, according to a government study.

The U.S. Government Accountability Office (GAO) cites lax authentication and access controls, inadequate encryption, insufficient firewalling and inconsistent logging of database activity as problems that the Financial Crimes Enforcement Network (FinCEN) needs to address.

As a result of the problems found, the confidentiality, integrity and availability of sensitive data are at risk, the GAO says in a recently issued report, "Further Actions Needed to Address Risks to Bank Secrecy Act Data."

The report also criticizes the Internal Revenue Service (which was the subject of a separate report issued last month that pointed out problems within IRS networks).

FinCEN has its own computer network, but it depends on two other Treasury networks – those of the IRS and the Treasury Communications System (TCS) – to do its work of enforcing the Bank Secrecy Act (BSA), which seeks to protect the U.S. financial system.

BSA data from the three networks can be accessed through a FinCEN Web portal.

Data used by FinCEN includes detailed, sensitive information about the financial activity of private individuals, the report says. Compromising it not only threatens individuals' privacy but also "could undermine the ability of the federal government, financial institutions, and law enforcement agencies to combat money laundering and terrorist financing," the GAO says.

Authentication problems included allowing multiple users to share access to the single workstation used to download BSA data from the IRS. Both the IRS and TCS used easily guessable, simple passwords for access to certain sensitive assets, the report says.

Authorization for sensitive data was granted to users who didn't need it. For example, about 600 IRS employees who had no need to access a FinCEN mainframe were nevertheless granted programming and system-administrator privileges on it.

The IRS also kept no record of who had been assigned access rights to what network resources, making it hard to monitor access privileges, according to the report.

FinCEN required encrypting data transmitted or stored, but user IDs and passwords were passed unencrypted, and laptop encryption did not protect data on systems that had been booted to a running state. The IRS failed to use certificates to ensure the path between its network and the BSA could be trusted.

FinCEN didn't use personal firewalls on its computers and had no controls to ensure that devices connecting to the VPN were secure. FinCEN also failed to inspect laptops being brought in and out of its secure facility.

The GAO makes five public recommendations to help fix the problems, but in a separate, limited-distribution report on the same topic, it makes 88 more.

The five public recommendations are:

•  Update policies and procedures to address patch prioritization and inspection of outbound traffic, and to detail how to securely configure the VPN.
