[ISN] TIGTA: IRS routers need stronger security

From: InfoSec News (alerts@private)
Date: Wed Apr 09 2008 - 01:10:39 PDT


http://www.fcw.com/online/news/152179-1.html

By Mary Mosquera
FCW.com
April 8, 2008

The IRS did not put in place sufficiently strong access controls for its 
routers and did not monitor security configuration changes in order to 
identify inappropriate use, putting information about taxpayers at risk, 
the Treasury Inspector General for Tax Administration (TIGTA) said in a 
report released April 7.

The IRS sends sensitive taxpayer and administration information across 
its networks, so routers on the networks must have adequate security 
controls to deter and detect unauthorized use.

"A disgruntled employee, contractor or hacker could reconfigure routers 
and switches to disrupt computer operations and steal taxpayer 
information in a number of ways, including diverting information to 
unauthorized systems," said Michael Phillips, TIGTA's deputy inspector 
general for audit.

Of the 374 users that IRS managers authorized to have entry to the 
Terminal Access Controller Access Control System to administer and 
configure routers and switches, 38 percent did not have proper 
authorization, the report said. Of those, 27 employees and contractors 
had accessed the routers and switches to change security configurations, 
TIGTA said. Systems administrators had circumvented a security 
application for the system that requires a login and password by 
establishing 34 unauthorized accounts that appeared to be shared-user 
accounts.

"Any person who knew the passwords to these accounts could change 
configurations without accountability and with little chance of 
detection," Phillips said. During fiscal 2007, 84 percent of the 5.2 
million accesses to the system were through the 34 accounts, and none 
were properly authorized.

IRS' Cybersecurity office, part of the agency's Modernization and 
Information Technology Services organization, did not conduct audit 
trail log reviews, which can reveal potential security events, such as 
hacking attempts, virus or worm infections and attempts to change 
information.

Arthur Gonzalez, IRS chief information officer, said that the agency has 
improved the control and monitoring of routers and switches and would 
implement most of TIGTA's recommendations by July. All 369 access 
control system users now have valid authorizations, and IRS provides the 
minimum level of permission for those users. IRS also has implemented 
configuration management and compliance initiatives to assure their 
appropriate maintenance and configuration, he said.

"Our policy has always been to prohibit shared accounts and to require 
every user to have his or her own user ID and password with 
authorization," Gonzalez said.

In 2009, IRS will deploy a new CiscoWorks infrastructure that will 
reduce from 24 to six the number of service accounts, and likewise 
reduce the number of transactions from 5.2 million.

