[ISN] IG: IRS employees abusing e-mail privileges

From: InfoSec News (alerts@private)
Date: Thu Aug 10 2006 - 22:51:44 PDT


By Matthew Weigelt
Aug. 10, 2006

A recent audit found inappropriate e-mail, including pornography, on 
more than half of Internal Revenue Service employees' computers, 
according to a report from the Treasury Inspector General for Tax 
Administration. The audit also uncovered security holes in many of the 
agency's e-mail servers.

The IG reviewed 96 IRS employees' electronic mailboxes and found that 
71 had messages violating the agency's personal use policy, according 
to the July 31 report [1]. The inspectors found chain letters, jokes, 
offensive content and sexually explicit content. The report said 74 
percent of employees have such prohibited e-mail messages on their 

Such content is often used to lure people into opening e-mail messages 
that contain viruses and other malicious software.

The risk of computer viruses had earlier prompted the IRS to issue a 
personal-use policy for e-mail. The agency also gave employees 
awareness training on the policy's importance.

"While these efforts established a good foundation for e-mail 
security, employees are not following the IRS' personal e-mail use 
policy," the IG's report states.

The IG recommended monitoring e-mail message content, which could lead 
to more employees being disciplined for abusing their privileges. 
Systems administrators should be held accountable for ensuring that 
only authorized computers are allowed to perform as e-mail servers, 
the report recommends.

Moreover, the IRS' chief information officer should make sure that 
technology employees follow existing procedures for installing 
security updates and patches on all e-mail servers.

The IRS maintains 228 authorized e-mail servers. The IG's office 
evaluated security on 28 servers and found 687 vulnerabilities.

"People can exploit security vulnerabilities to shut down the servers 
and disrupt e-mail service or to use the servers to access or attack 
other computers in the network, which could disrupt other critical 
operations in the IRS," the report states.

The report also recommends that the IRS cut down on the number of 
e-mail servers. The audit found an additional 4,913 IP addresses 
linked to devices that had been configured to operate as unauthorized 
e-mail servers. Messages entering through such servers skirt the 
security screening that identifies malicious software.

[1] http://www.ustreas.gov/tigta/auditreports/2006reports/200620110fr.pdf
