Risk
3/19/2013
04:46 PM
Connect Directly
RSS
E-Mail
50%
50%

IRS Leaves Taxpayer Data Insecure, GAO Finds

Annual audit of the agency's financial and tax systems notes that some earlier problems remain and identifies new ones.

Mobile Government: 10 Must-Have Smartphone Apps
Mobile Government: 10 Must-Have Smartphone Apps
(click image for larger view and for slideshow)
The Internal Revenue Service still has IT security holes that could put taxpayer data at risk, according to a report from the Government Accountability Office.

The IRS identified the security of taxpayer data as its top management priority for fiscal 2013, and the GAO credits the agency for steps taken in response to security issues identified in earlier audits of its computer systems. But the report notes that some problems with the agency's financial and tax-processing systems remain and identifies new ones.

The GAO notes that the IRS collects and maintains personal and financial information on U.S. taxpayers in data centers in Detroit, Memphis and Martinsburg, W.V. "Protecting the confidentiality of this sensitive information is paramount. Otherwise, taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes," the report says.

[ What can federal IT teams do to protect their systems, networks and data? Read Next Steps In Data Center Security. ]

The GAO audited the IRS's security efforts over the past 12 months. Among the vulnerabilities identified in the GAO report are easily-guessed passwords, passwords that hadn't been changed in almost two years, and storing unencrypted user names and passwords in a file with a revealing name. The report makes no mention of actual security breaches during the period audited.

The IRS also has been lax with data encryption and in controlling access to databases, servers, and systems, the GAO found. And the tax-collection agency has failed to update its systems within 30 days of software patches being released, according to the GAO.

Cybersecurity training is another area where the IRS needs to improve. Although the agency's policies require that all new employees and contractors receive security awareness training during their first two weeks on the job, the GAO found that more than half of contractors were not in compliance.

The Obama administration has made the continuous monitoring of federal IT systems a government-wide initiative. The report found that although the IRS has taken steps toward implementing continuous monitoring, it has not defined monitoring and assessment metrics.

The GAO made four recommendations for remediation. The IRS needs to:

-- Update policies and procedures for system access.

-- Strengthen the testing and evaluation of authentication controls.

-- Update mainframe testing and evaluation processes.

-- Establish more comprehensive documentation of continuous monitoring strategies.

In a separate report with limited distribution, the GAO also made 30 specific recommendations on a range of other issues it identified.

InformationWeek's 2013 Government IT Innovators program will feature the most innovative government IT organizations in the 2013 InformationWeek 500 issue and on InformationWeek.com. Does your organization have what it takes? The nomination period for 2013 Government IT Innovators closes April 12.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
3/22/2013 | 4:12:11 PM
re: IRS Leaves Taxpayer Data Insecure, GAO Finds
Coincidence that this article comes out on the same day that FITARA passes the House Oversight Committee? No, I don't think so.

Given the list of recommendations that the GAO is making, it sounds like our friends at the IRS need to make a call to the SEC and get some of the documentation regarding IT controls required of publicly traded companies bound by Sarbanes-Oxley.

For example, back when I was working in an environment that required SOX compliance, if you didn't meet the requirements for access, you didn't have any, period. But, since the IRS doesn't keep anything of value to them in their databases...

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2006-1318
Published: 2014-09-19
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."

CVE-2014-1391
Published: 2014-09-19
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.

CVE-2014-4350
Published: 2014-09-19
Buffer overflow in QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MIDI file.

CVE-2014-4376
Published: 2014-09-19
IOKit in IOAcceleratorFamily in Apple OS X before 10.9.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted API arguments.

CVE-2014-4390
Published: 2014-09-19
Bluetooth in Apple OS X before 10.9.5 does not properly validate API calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application.

Best of the Web
Dark Reading Radio