[ISN] Auditors cite security problems with IRS wireless networks

From: InfoSec News (alerts@private)
Date: Wed Apr 18 2007 - 02:13:14 PDT


http://www.govexec.com/dailyfed/0407/041707p1.htm

By Daniel Pulliam
dpulliam (at) govexec.com
April 17, 2007

The Internal Revenue Service has jeopardized sensitive taxpayer 
information by failing to lock down its wireless networks, according to 
an audit report released Tuesday.

The report from the Treasury Inspector General for Tax Administration 
cited weaknesses similar to those described in a 2003 assessment.

In that report, auditors found unauthorized wireless devices directly 
connected to an IRS-wide network. They recommended that the agency issue 
policies and procedures for the use of wireless technology and scan for 
unauthorized networks and devices.

But an inspection of 20 IRS buildings in 10 cities in 2006 found at 
least one unauthorized wireless network and strong indications of three 
others, according to the report. While the unauthorized network was not 
directly connected to the agencywide network, anyone with a wireless 
detection tool could pick up the signal and gain access to a computer 
connected to it, auditors found.

In addition, an improperly configured agency computer connected to the 
wireless network could give a hacker access to the agencywide network, 
the report stated.

According to the IG, the IRS is trying with limited success "to detect 
unauthorized access points on an ad hoc basis." As of May 2006, the 
agency had scanned less than 6 percent of all locations and had 
concentrated its efforts in the Washington and Baltimore regions.

"We believe this scanning is of limited value, considering wireless 
access points can be set up easily anywhere in the nation and can place 
the confidentiality of the data at risk," the report stated.

The agency has one authorized wireless network -- the Enterprise 
Logistics Information Technology network -- in Bloomington, Ill. This 
network receives, stores and distributes IRS publications; agency 
officials consider it a low security risk.

But a penetration test conducted by the IRS' Computer Security Incident 
Response Center identified that one wireless access point to that 
network had an improper security configuration and that security devices 
were not in place to detect attacks, the auditors said.

While the IRS fixed the problems, its Enterprise Networks Division has 
yet to install the necessary software to monitor the configurations of 
the other wireless devices connected to the network, according to the 
report.

The IRS agreed with the audit recommendations, which included using 
tools to scan the entire agency network for unapproved wireless devices 
and giving employees periodic advice on the risks of using wireless 
networks.

(c) 2007 by National Journal Group Inc. All rights reserved.

