[ISN] IRS employees fall for faux password scam

From: InfoSec News (alerts@private)
Date: Thu Aug 09 2007 - 00:07:35 PDT


http://www.fcw.com/article103417-08-03-07-Web

By Mary Mosquera
August 3, 2007

IRS employees do not follow the most basic computer security practices 
to protect their passwords, leaving taxpayer data at risk of identity 
theft, according to the Treasury Inspector General for Tax 
Administration.

In a test sample, nearly 60 percent of 102 IRS employees were duped into 
handing over their access information, the IG said in a report released 
today.

TIGTA auditors used social-engineering methods to survey the degree of 
compliance with data security. Posing as help-desk representatives, they 
called IRS line employees, including managers and contractors, and asked 
for their assistance to correct a computer problem. They requested that 
the employee provide a user name and temporarily change his or her 
password to one TIGTA callers suggested.

TIGTA test callers convinced 61 of the 102 employees to comply with the 
requests. Only eight of the 102 employees in the sample contacted the 
appropriate offices to report or validate the test calls, the report 
said. The sample employees were from across IRS’ business units and 
geographic regions.

“We conclude employees either do not fully understand security 
requirements for password protection or do not place a sufficiently high 
priority on protecting taxpayer data in their day-to-day work,” said 
Michael Phillips, TIGTA’s deputy inspector general for audit.

TIGTA had conducted similar tests in 2001 and 2004; in the 2004 test, 
only 35 percent of the employee sample handed over their log-in 
information. Since then, IRS has acted to raise employees' awareness of 
password protection requirements and to warn them about hackers who 
exploit the human element to convince employees to share their 
information.

Employees later told TIGTA that the scenario sounded legitimate and 
believable. They also did not think changing their password was the same 
as disclosing their passwords. In some cases, they had experienced past 
computer problems.

“When employees are susceptible to social-engineering attempts, the IRS 
is at risk of providing unauthorized persons access to computer 
resources and taxpayer data,” he said. When these attempts are not 
reported, IRS cannot investigate incidents and take action to minimize 
the effects of a security breach.

Hackers have turned to alternative methods to gain access to an 
organization’s network since agencies are able to block more attacks at 
the network perimeters.

TIGTA recommended that IRS continue security awareness training and 
activities, remind employees to report incidents, conduct internal 
social-engineering tests periodically and coordinate with business units 
about the need to discipline employees for security violations resulting 
from negligence and carelessness.

The IRS continues to emphasize computer security practices to its 
personnel, including awareness of social engineering, said Daniel Galik, 
chief of IRS mission assurance and security services, in a response 
letter dated June 28.

IRS will survey employees to assess their knowledge of hacker methods. 
The agency will use the results to tailor future efforts to remind 
employees of those types of attempts. The agency also will conduct at 
least one internal social-engineering test during the 2008 fiscal year, 
incorporating lessons learned from the TIGTA survey.


