The Government Accountability Office (GOA) realeased a report last week
\nstating vulnerabilities in the security system used by the IRS to protect
\ntaxpayer data. The report showed the IRS has number of security issues
\nin the way that it protect sensitive data.<\/p>\n
Some of the major security issues include: the IRS doesn’t encrypt certain
\ntypes of sensative data, user IDs and passwords can be easily obtained by
\nany user on the network, and they don’t enforce strong password rules for
\nauthenticating users.<\/p>\n
A lack of an agency-wide security program and no annual review of risk
\nassessment are the root of many of these issues. As a result, the IRS is
\nespecially vulnerable to attackers with inside information, wich could expose
\ntaxpayer and financial data.<\/p>\n
The GOA cited several specific security problems. Among those were the
\nfollowing: A contractor-maintained website has exposed usernames and passwords;
\nany authenticated user on the network has access to shared drives containing
\nsensative data like taxpayer informaiton and social sercutity numbers;
\nfinancial information and account data were tranferred from the IRS’s accounting
\nsystem without first being encrypted; inadequately logging various security
\nevents at data centers.<\/p>\n
The IRS is currently trying to improve it’s security system. They have taken
\nseveral steps to do this thus far, including, better controls for authenticating
\nusers, patching critical vulnerabilites quickly, and forming a better plan
\nfor logging critical business processes.<\/p>\n
IRS Commissioner Douglas Shulman responded to GOA report, stating that data
\nsecurity and privacy are of the utmost importance to the IRS, and said that
\nthey would release a detailed corrective action plan stating how they would
\nfix the vulnerabilites discovered.<\/p>\n
This report by the GOA followed the October release by the general for tax
\nadministration that also criticised the IRS’s security controls. That report
\nwas mostly critical of the security vulnerabilities found in new $1 billion
\nsystem called CADE the IRS is rolling out to eventually manage all taxpayer
\naccounts. They were also critical of the $700 million system called AMS that
\nis designed to provide faster access to the taxpayer information stored in
\nthe CADE database. The report cited several weaknesses with access control,
\nsystem access monitoring, and disaster rocovery involving the CADE and AMS
\nsystems, which pose a direct threat to sensative taxpayer data.<\/p>\n
With indentity theft rising each year and more and more security breaches
\noccurring, keeping sensative data is of the utmost importance. The IRS
\ndatabases contains sensative information on almost every American citezen. The
\nIRS’s lack of security measures to protect the information of taxpayers could
\nresult in a large security breach that could affect millions of Americans.
\nWith such a poor security system in place, it is only a matter of time until
\na security breach occurs unless the IRS acts quickly implement an agency-wide
\nsecurity plan to keep sensative information secure.<\/p>\n
The fact that these kinds of vulnerabilties exist in a government system
\nhousing a wealth of sensative data on millions of Americans demonstrates the
\nmuch larger issue today. Too few institutions are concerned with protecting the
\nsensative data within their databases. Security is still an afterthought,
\nsecurity patches are issued and holes are fixed, rather developing a secure
\nsystem from the start. The new CADE and AMS systems the IRS is rolling out
\nis just another demostration of how systems need to be designed with security
\nin mind from the start, and that simply is still not happening.<\/p>\n","protected":false},"excerpt":{"rendered":"
The Government Accountability Office (GOA) realeased a report last week stating vulnerabilities in the security system used by the IRS to protect taxpayer data. The report showed the IRS has number of security issues in the way that it protect … Continue reading