Risk
3/19/2013
04:46 PM
Connect Directly
RSS
E-Mail
50%
50%

IRS Leaves Taxpayer Data Insecure, GAO Finds

Annual audit of the agency's financial and tax systems notes that some earlier problems remain and identifies new ones.

Mobile Government: 10 Must-Have Smartphone Apps
Mobile Government: 10 Must-Have Smartphone Apps
(click image for larger view and for slideshow)
The Internal Revenue Service still has IT security holes that could put taxpayer data at risk, according to a report from the Government Accountability Office.

The IRS identified the security of taxpayer data as its top management priority for fiscal 2013, and the GAO credits the agency for steps taken in response to security issues identified in earlier audits of its computer systems. But the report notes that some problems with the agency's financial and tax-processing systems remain and identifies new ones.

The GAO notes that the IRS collects and maintains personal and financial information on U.S. taxpayers in data centers in Detroit, Memphis and Martinsburg, W.V. "Protecting the confidentiality of this sensitive information is paramount. Otherwise, taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes," the report says.

[ What can federal IT teams do to protect their systems, networks and data? Read Next Steps In Data Center Security. ]

The GAO audited the IRS's security efforts over the past 12 months. Among the vulnerabilities identified in the GAO report are easily-guessed passwords, passwords that hadn't been changed in almost two years, and storing unencrypted user names and passwords in a file with a revealing name. The report makes no mention of actual security breaches during the period audited.

The IRS also has been lax with data encryption and in controlling access to databases, servers, and systems, the GAO found. And the tax-collection agency has failed to update its systems within 30 days of software patches being released, according to the GAO.

Cybersecurity training is another area where the IRS needs to improve. Although the agency's policies require that all new employees and contractors receive security awareness training during their first two weeks on the job, the GAO found that more than half of contractors were not in compliance.

The Obama administration has made the continuous monitoring of federal IT systems a government-wide initiative. The report found that although the IRS has taken steps toward implementing continuous monitoring, it has not defined monitoring and assessment metrics.

The GAO made four recommendations for remediation. The IRS needs to:

-- Update policies and procedures for system access.

-- Strengthen the testing and evaluation of authentication controls.

-- Update mainframe testing and evaluation processes.

-- Establish more comprehensive documentation of continuous monitoring strategies.

In a separate report with limited distribution, the GAO also made 30 specific recommendations on a range of other issues it identified.

InformationWeek's 2013 Government IT Innovators program will feature the most innovative government IT organizations in the 2013 InformationWeek 500 issue and on InformationWeek.com. Does your organization have what it takes? The nomination period for 2013 Government IT Innovators closes April 12.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
3/22/2013 | 4:12:11 PM
re: IRS Leaves Taxpayer Data Insecure, GAO Finds
Coincidence that this article comes out on the same day that FITARA passes the House Oversight Committee? No, I don't think so.

Given the list of recommendations that the GAO is making, it sounds like our friends at the IRS need to make a call to the SEC and get some of the documentation regarding IT controls required of publicly traded companies bound by Sarbanes-Oxley.

For example, back when I was working in an environment that required SOX compliance, if you didn't meet the requirements for access, you didn't have any, period. But, since the IRS doesn't keep anything of value to them in their databases...

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4734
Published: 2014-07-21
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

CVE-2014-4960
Published: 2014-07-21
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

CVE-2014-5016
Published: 2014-07-21
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to appl...

CVE-2014-5017
Published: 2014-07-21
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter...

CVE-2014-5018
Published: 2014-07-21
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.