Risk
3/19/2013
04:46 PM
50%
50%

IRS Leaves Taxpayer Data Insecure, GAO Finds

Annual audit of the agency's financial and tax systems notes that some earlier problems remain and identifies new ones.

Mobile Government: 10 Must-Have Smartphone Apps
Mobile Government: 10 Must-Have Smartphone Apps
(click image for larger view and for slideshow)
The Internal Revenue Service still has IT security holes that could put taxpayer data at risk, according to a report from the Government Accountability Office.

The IRS identified the security of taxpayer data as its top management priority for fiscal 2013, and the GAO credits the agency for steps taken in response to security issues identified in earlier audits of its computer systems. But the report notes that some problems with the agency's financial and tax-processing systems remain and identifies new ones.

The GAO notes that the IRS collects and maintains personal and financial information on U.S. taxpayers in data centers in Detroit, Memphis and Martinsburg, W.V. "Protecting the confidentiality of this sensitive information is paramount. Otherwise, taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes," the report says.

[ What can federal IT teams do to protect their systems, networks and data? Read Next Steps In Data Center Security. ]

The GAO audited the IRS's security efforts over the past 12 months. Among the vulnerabilities identified in the GAO report are easily-guessed passwords, passwords that hadn't been changed in almost two years, and storing unencrypted user names and passwords in a file with a revealing name. The report makes no mention of actual security breaches during the period audited.

The IRS also has been lax with data encryption and in controlling access to databases, servers, and systems, the GAO found. And the tax-collection agency has failed to update its systems within 30 days of software patches being released, according to the GAO.

Cybersecurity training is another area where the IRS needs to improve. Although the agency's policies require that all new employees and contractors receive security awareness training during their first two weeks on the job, the GAO found that more than half of contractors were not in compliance.

The Obama administration has made the continuous monitoring of federal IT systems a government-wide initiative. The report found that although the IRS has taken steps toward implementing continuous monitoring, it has not defined monitoring and assessment metrics.

The GAO made four recommendations for remediation. The IRS needs to:

-- Update policies and procedures for system access.

-- Strengthen the testing and evaluation of authentication controls.

-- Update mainframe testing and evaluation processes.

-- Establish more comprehensive documentation of continuous monitoring strategies.

In a separate report with limited distribution, the GAO also made 30 specific recommendations on a range of other issues it identified.

InformationWeek's 2013 Government IT Innovators program will feature the most innovative government IT organizations in the 2013 InformationWeek 500 issue and on InformationWeek.com. Does your organization have what it takes? The nomination period for 2013 Government IT Innovators closes April 12.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
3/22/2013 | 4:12:11 PM
re: IRS Leaves Taxpayer Data Insecure, GAO Finds
Coincidence that this article comes out on the same day that FITARA passes the House Oversight Committee? No, I don't think so.

Given the list of recommendations that the GAO is making, it sounds like our friends at the IRS need to make a call to the SEC and get some of the documentation regarding IT controls required of publicly traded companies bound by Sarbanes-Oxley.

For example, back when I was working in an environment that required SOX compliance, if you didn't meet the requirements for access, you didn't have any, period. But, since the IRS doesn't keep anything of value to them in their databases...

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5027
Published: 2014-12-26
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-2062. Reason: This candidate is a reservation duplicate of CVE-2010-2062. Notes: All CVE users should reference CVE-2010-2062 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2010-1441
Published: 2014-12-26
Multiple heap-based buffer overflows in VideoLAN VLC media player before 1.0.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) A/52, (2) DTS, or (3) MPEG Audio decoder.

CVE-2010-1442
Published: 2014-12-26
VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) AVI, (2) ASF, or (3) Matroska (aka MKV) demuxer.

CVE-2010-1443
Published: 2014-12-26
The parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty location element in an XML Shareable Playlist Format...

CVE-2010-1444
Published: 2014-12-26
The ZIP archive decompressor in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted archive.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.