GAO Blasts IRS Over Information Security Weaknesses

GAO Issues Scathing Report on IRS's Security Posture, Says It Failed to Meet a Majority of Security Recommendations

The Government Accountability Office (GAO) has blasted the Internal Revenue Service (IRS) for failing to implement stronger security measures after a succession of dismal reports on the subject. In a report issued to the Secretary of the Treasury last week, the GAO said that the IRS had met just 15 percent of the 105 previously reported recommendations where information security is concerned.

Taking a blunt approach, the GAO said that the IRS “lacks reasonable assurance as to the accuracy of financial information or the adequate protection of sensitive taxpayer information.”

The GAO said that while the IRS is trying, “the agency made limited progress in correcting information security weaknesses” identified in previous audits. In all, the IRS addressed approximately 15 percent of the 105 open recommendations that were previously reported.

“IRS informed us that it had addressed 29 of the 105 previously reported information systems security–related recommendations we made. However, we determined that 13 (about 45 percent) of the 29 recommendations had not yet been fully resolved. This was due in part to the fact that while 6 of the 29 recommendations related to multiple systems, IRS had not yet implemented corrective actions for all of the affected systems,” the report said.

On the positive side, the IRS has implemented cross-functional working groups, staffed with people who know the IRS's internal systems, to address areas considered at risk. These working groups took steps to address problems with encrypted data transfers for its Integrated Financial System (IFS), for example, limiting the chance that sensitive information can be captured in transit.

Yet, despite the movement forward, there is plenty of room to grow, according to the GAO’s report. While IFS implemented encryption, sensitive data is still transferred unencrypted. Also, certain database security controls were not yet in place for systems such as IFS and the Electronic Federal Payment Posting System (EFPPS).

In addition, access control weaknesses persist, and database software maintenance has not yet been performed, the GAO said. According to the watchdog, the agency’s strategy to address these weaknesses is to replace the existing system. However, implementation of the replacement system has been repeatedly delayed and is not expected until the third quarter of fiscal year 2012. Further, several physical security–related issues remain unresolved, including issues concerning management validation of access to restricted areas, proximity cards allowing inappropriate access, and unlocked cabinets containing network devices.

But there’s more. “The agency uses automated tools to test compliance with IRS’s security policies for its three major computing environments: Windows, UNIX, and mainframes,” the report added.

“However, the UNIX tool does not test whether appropriate security patches have been applied, and the mainframe tool only tests compliance with a limited subset of the agency’s policies. Thus, results from IRS’s use of these tools do not provide management the information necessary to allow it to arrive at appropriate conclusions about the security status of these systems.”

Host-based intrusion detection systems deployed to monitor financial applications were configured to spot attack patterns associated with network security incidents, but were not configured to flag attacks on the specific financial applications themselves.

IRS IT Security Problems, GAO Says

Other security issues, according to the GAO, include:

• A key application used for processing tax payment information has a system design that lets its users alter the configuration controlling logon, allowing them to circumvent the application’s controls; in addition, insecurely configured supporting software exposed the application to unauthorized users.

• Servers supporting important financial management applications were not patched in a timely manner.

• A major system used to facilitate user access to IFS relied upon operating system software that was no longer supported by its vendor and was not receiving security updates, leaving these servers and systems exposed to known vulnerabilities.

• A system used to process tax accounts had database and server weaknesses similar to weaknesses identified in previous audits for other systems that exposed the system and data to unauthorized access.

• Unit Security Representatives, who perform important security duties for the IRS’s Integrated Data Retrieval System, completed neither the required initial training before assuming their responsibilities nor the required annual refresher training at the IRS locations visited by GAO officials.

“Until IRS takes additional steps to implement more-comprehensive testing and effective validation processes and to implement effective corrective actions to address the identified vulnerabilities, its facilities, computing resources, and information will remain vulnerable to inappropriate use, modification, or disclosure, and agency management will have limited assurance of the integrity and reliability of its financial and taxpayer information,” the GAO concluded.

“Considered collectively, the unresolved deficiencies from prior audits, combined with less-than-fully effective compensating and mitigating controls and the additional control deficiencies identified in fiscal year 2011, impair IRS’s ability to ensure that its financial and taxpayer information is secure from internal threats...”

The GAO said that it plans to issue a separate report to the IRS on the information security control deficiencies identified during fiscal year 2011 and the status of actions to address previous recommendations. It also said it would issue a limited distribution report to the IRS that addresses details omitted from this most recent report due to the sensitivity of the information.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.