According to a report Tuesday from the Government Accountability
\nOffice, sensitive taxpayer data housed at the IRS is critically
\nvulnerable to security threats. The report is a follow up from March
\n2006 where the security problems were initially discovered. The new
\nreport indicates that 70% of the issues discovered in March remain.<\/p>\n
<\/p>\n
The 33 page report details shortcomings including insufficiently
\ncomplex passwords, unnecessary access privileges for employees,
\nunencrypted data on laptops, and absence of logging or tracing on
\nsecurity sensitive data access. \u00a0The IRS responded to the report in
\nthe same manner as last year by acknowledging the problems and
\nassuring the GAO that a plan to tighten measures was in development.<\/p>\n
The GOA’s report is another example of a common security mistake:
\nfunctionality first, security second. \u00a0Retrofitting existing systems
\nto be secure is a flawed and slow \u00a0methodology for gaining security.
\nIt is understandable why it has taken the IRS years to even begin to
\ncorrect the problems, but the systems should not have been put into
\nproduction without a security review PRIOR to implementation. \u00a0Before
\nuser accounts are set up, the appropriate tiers of access rights
\nshould have been established. \u00a0Logging of sensitive data accesses
\nshould have been developed concurrently with the system’s
\nimplementation. \u00a0It’s not as if the data weren’t sensitive and then
\nsuddenly became a security risk: taxpayer data has ALWAYS needed to be
\nsecured. \u00a0Secure systems need to built from the ground up, and its
\ninconceivable that a high profile government agency such as the IRS
\nwould be prone to such a poor implementation.<\/p>\n
The dangerous aspect is, given the publicity of these reports, the
\nvulnerabilities are now available to whoever wants to pursue them.
\nIts as if the GAO has done the cracker’s initial reconnaissance. \u00a0For
\nexample, a crooked corporation interested in finding its way out of
\ntax database will read that the data warehouse systems have no audit
\ntrail and the passwords are stored on the intern’s laptop and may
\nthink to themselves “How about we go talk to that intern…”.
\nFurthermore, they’ve had over a year to scheme without the IRS making
\ncorrectional changes. \u00a0Due to exposure, the risk is increasing.
\nAdditionally, we have no way of knowing if a security violation even
\nhas occurred to date. The software industry already knows this
\nprinciple. You don’t hear Apple saying “we found a way a website may
\nexecute arbitrary code through Safari and it will be repaired on our
\nnext operating system release.” \u00a0That would be security suicide akin
\nto posting a note on your door saying its unlocked and where to find
\nthe jewelry.<\/p>\n
Its imperative that when issues like this come to light, the knowledge
\nof the vulnerabilities is controlled until the risk has been
\nmitigated. \u00a0Lets just hope with a second warning, the IRS makes the
\nappropriate steps to protect our information.<\/p>\n","protected":false},"excerpt":{"rendered":"
According to a report Tuesday from the Government Accountability Office, sensitive taxpayer data housed at the IRS is critically vulnerable to security threats. The report is a follow up from March 2006 where the security problems were initially discovered. The … Continue reading