The Internal Revenue Service left taxpayer data exposed by deploying two major computer systems, the Customer Account Data Engine (CADE) and Account Management Services (AMS), despite knowing that they harbor security vulnerabilities, according to a report released publicly today by the Treasury Inspector General for Tax Administration (TIGTA).
CADE contains vulnerabilities that could lead to administrative privilege abuse, malware attacks, and unauthorized access to the system and its data. Among the other flaws the report highlights are a lack of configuration management, storage and disaster recovery deficiencies, and no security guidelines or plans for connecting the system to other government agencies' systems. The IRS also sends personally identifiable information from CADE within its data centers in clear text, and leaves its backup systems unencrypted.
AMS, meanwhile, includes taxpayer identification numbers in its application error log, and its operating system has only a 77.8 percent compliance rate with the required security settings, according to the report.
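The error-log finding above is a concrete, fixable defect: sensitive identifiers written into application logs, which are routinely copied into tickets, shipped to third-party tooling and retained far longer than the records they describe. The Python block below is an added example, not code from the IRS, TIGTA or the report. It shows one way to keep TIN-shaped values out of an error log: a `logging.Filter` that scrubs each record's rendered message before any handler writes it, plus a function for scrubbing log lines that have already been written. The patterns assume the hyphenated SSN/ITIN form (NNN-NN-NNNN), the EIN form (NN-NNNNNNN) and bare nine-digit runs; the sample log lines and the `example.tin_redaction` logger name are constructed for the demonstration.

```python
import io
import logging
import re

# Token shapes for US taxpayer identification numbers. Assumptions for this
# example: SSN/ITIN formatted as NNN-NN-NNNN, EIN as NN-NNNNNNN, plus any bare
# nine-digit run, which is how an unformatted TIN would appear in a message.
_TIN_PATTERNS = (
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),   # SSN / ITIN
    re.compile(r"\b\d{2}-\d{7}\b"),         # EIN
    re.compile(r"(?<!\d)\d{9}(?!\d)"),      # unformatted nine digits
)
_PLACEHOLDER = "[TIN REDACTED]"


def redact_tins(text: str) -> str:
    """Replace every TIN-shaped token in text with a fixed placeholder."""
    for pattern in _TIN_PATTERNS:
        text = pattern.sub(_PLACEHOLDER, text)
    return text


def scrub_lines(lines):
    """Scrub a batch of already-written log lines (e.g. before sharing a log)."""
    return [redact_tins(line) for line in lines]


class TinRedactingFilter(logging.Filter):
    """Scrub the fully rendered message before any handler sees the record.

    Rendering msg % args here and then dropping args means integer and string
    arguments are treated alike, so a TIN passed through %d is caught as well.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_tins(record.getMessage())
        record.args = None
        return True


def build_logger(name: str, stream) -> logging.Logger:
    """Create an isolated logger that writes scrubbed records to stream."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.ERROR)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(TinRedactingFilter())   # logger-level: runs before handlers
    return logger


def log_scrubbed(message: str, *args) -> str:
    """Log one error line through the filter and return exactly what was written."""
    stream = io.StringIO()
    logger = build_logger("example.tin_redaction", stream)   # hypothetical name
    logger.error(message, *args)
    return stream.getvalue().rstrip("\n")


# Constructed sample error-log lines (not from the report) for the demo.
SAMPLE_ERROR_LINES = [
    "2008-03-04 10:21:07 ERROR AccountLookup: no record for TIN 123-45-6789",
    "2008-03-04 10:21:09 ERROR BatchPost: EIN 12-3456789 rejected, code 4021",
    "2008-03-04 10:21:11 ERROR Validator: raw id 987654321 failed checksum",
]

if __name__ == "__main__":
    for line in scrub_lines(SAMPLE_ERROR_LINES):
        print(line)
    print(log_scrubbed("account %s update failed", "123-45-6789"))
    print(log_scrubbed("id %d rejected by validator", 123456789))
```

Two caveats a practitioner would want. The filter scrubs only the rendered message; exception tracebacks and any extra fields are rendered later by the `Formatter`, so a deployment that logs `exc_info` needs the same redaction in a custom `Formatter.format`. And pattern matching is a backstop, not a design: any nine-digit number (a batch or order identifier, say) will also be redacted, which is the right trade-off for an error log but no substitute for never passing the TIN to the logger in the first place.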
TIGTA's Inspector General didn't mince words on the severity of the IRS's handling of the new systems. "The IRS continues to struggle with security vulnerabilities in its modernized systems. It recognizes, as we all do, the inherent risk in any IT system," said J. Russell George, Inspector General for TIGTA, in a prepared statement. "In the case of the CADE and AMS, the Service was aware of, and even self-identified, these weaknesses. This is very troublesome."
The IRS discovered the flaws both during the software development process and during security testing after the systems were deployed, but still went ahead with the partial rollout. Nor did the agency run vulnerability assessment scans on the software, according to the report. "We believe that the IRS processes for ensuring that security controls are implemented before systems are deployed failed because key organizations did not consider the known security vulnerabilities to be significant, which affected vulnerability resolution and system deployment decisions," the report states.
The report doesn't specify whether the vulnerabilities are buffer overflows, SQL injection, or other common software security flaws. But applications carrying this class of vulnerabilities would not pass the PCI Data Security Standard, says Chris Wysopal, CTO of Veracode. "Some of this wouldn't be allowed for processing credit-card data [under PCI], and here we are with someone's full financial picture in this system," Wysopal says. "This is much more sensitive data."
If known vulnerabilities existed in a mainframe storing credit card information, it wouldn't pass PCI, he says, and transmitting data in the clear, as these systems do, wouldn't pass either.
One bright spot in the report is that the IRS has established policies and procedures for security and privacy in its software, Wysopal says. The downside is that the agency didn't follow those rules in the design and implementation of CADE and AMS, according to the report.
The IRS will address TIGTA's recommendations for remedying the security vulnerabilities and weaknesses, and the Inspector General will conduct a follow-up review.