Report Faults IRS Network Security

The Internal Revenue Service has inadequate security controls over its routers and switches, jeopardizing sensitive taxpayer information, according to a report by the Treasury Department's inspector general.

"Access controls for IRS routers were not adequate, and reviews to monitor security configuration changes were not conducted to identify inappropriate use," said the report by the Treasury Inspector General for Tax Administration. "A disgruntled employee, contractor or hacker could reconfigure routers and switches to disrupt computer operations and steal taxpayer information in a number of ways, including diverting information to unauthorized systems."

The IRS had 374 employee and contractor accounts that could be used to access routers and switches for system administration duties, but 141 of them lacked proper authorization, according to the report. For 86 of the 141, an authorization had been granted at some earlier date but had expired by the time of the review.

TIGTA could find no record that the other 55 employee and contractor accounts had ever been authorized to access the devices. "We are particularly concerned that 27 of the 55 employees and contractors had accessed the routers and switches to change security configurations," said the report.

A security application authenticates users by requiring an account name and password, but system administrators circumvented that control by setting up 34 unauthorized accounts that could be used to change configurations without accountability and with little chance of detection. Compounding the problem, the IRS's cybersecurity office was not reviewing audit trail logs, and only a limited percentage of the audit trails for IRS routers and switches were being reviewed at all.

IRS management agreed with most of TIGTA's recommendations. The IRS plans to test the authentication controls for the router and switch control software, ensure that employee user accounts are locked after 45 calendar days of inactivity and removed after 90 calendar days of inactivity, and ensure that no unauthorized or unnecessary shared accounts exist.
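The controls at issue in the report, an authorization list reconciled against the accounts present on the devices, audit-log review for configuration changes by unauthorized accounts, and the 45-day lock / 90-day removal inactivity rule, are straightforward to automate. The following is an added example written for this article, not code from the IRS or TIGTA; the account names, authorization dates, last-login dates and the key=value log format are all constructed for illustration and do not describe any vendor's actual log format or the IRS's systems.

```python
"""Reconcile router/switch admin accounts against an authorization list,
flag configuration changes made by unauthorized accounts in an audit log,
and apply an inactivity lock/remove policy.

All data below is constructed for illustration. The log lines use a
hypothetical key=value syslog style, not any particular vendor's format."""
from datetime import date, datetime, timezone
import re

# Constructed authorization list: account -> date the authorization expires.
AUTHORIZATIONS = {
    "n.admin": date(2025, 12, 31),
    "c.contractor": date(2024, 1, 15),   # expired before the review date
}

# Constructed list of accounts actually present on the devices.
DEVICE_ACCOUNTS = ["n.admin", "c.contractor", "svc-shared", "j.doe"]

# Constructed last-login dates (in practice, from the authentication server).
LAST_LOGIN = {
    "n.admin": date(2024, 5, 20),
    "c.contractor": date(2024, 3, 6),
    "svc-shared": date(2024, 4, 10),
    "j.doe": date(2024, 1, 2),
}

# Constructed audit log lines in a hypothetical format.
AUDIT_LOG = """\
2024-03-04T09:15:00Z device=rtr-01 user=n.admin event=LOGIN
2024-03-04T09:16:20Z device=rtr-01 user=n.admin event=CONFIG_CHANGE detail="access-list 10 permit any"
2024-03-05T22:41:03Z device=sw-07 user=svc-shared event=CONFIG_CHANGE detail="ip route 0.0.0.0 0.0.0.0 198.51.100.9"
2024-03-06T11:02:45Z device=rtr-02 user=c.contractor event=CONFIG_CHANGE detail="no logging host 192.0.2.5"
2024-03-06T11:03:10Z device=rtr-02 user=j.doe event=LOGIN
""".splitlines()

REVIEW_DATE = date(2024, 6, 1)   # constructed "as of" date for the review

LOG_RE = re.compile(
    r'^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) '
    r'event=(?P<event>\S+)(?: detail="(?P<detail>[^"]*)")?$'
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def classify_accounts(device_accounts, authorizations, as_of):
    """Split device accounts into authorized, expired, and never-authorized."""
    result = {"authorized": [], "expired": [], "never_authorized": []}
    for acct in device_accounts:
        expiry = authorizations.get(acct)
        if expiry is None:
            result["never_authorized"].append(acct)
        elif expiry < as_of:
            result["expired"].append(acct)
        else:
            result["authorized"].append(acct)
    return result


def unauthorized_config_changes(log_lines, authorizations):
    """Return (ts, device, user, detail) for every CONFIG_CHANGE made by an
    account that was not validly authorized on the day of the change."""
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "CONFIG_CHANGE":
            continue
        expiry = authorizations.get(rec["user"])
        if expiry is None or expiry < rec["ts"].date():
            findings.append((rec["ts"], rec["device"], rec["user"], rec["detail"]))
    return findings


def inactivity_actions(last_login, as_of, lock_days=45, remove_days=90):
    """Map each account to 'remove', 'lock', or 'ok' by days since last login."""
    actions = {}
    for acct, last in last_login.items():
        idle = (as_of - last).days
        if idle >= remove_days:
            actions[acct] = "remove"
        elif idle >= lock_days:
            actions[acct] = "lock"
        else:
            actions[acct] = "ok"
    return actions


if __name__ == "__main__":
    print(classify_accounts(DEVICE_ACCOUNTS, AUTHORIZATIONS, REVIEW_DATE))
    for finding in unauthorized_config_changes(AUDIT_LOG, AUTHORIZATIONS):
        print("UNAUTHORIZED CHANGE:", finding)
    print(inactivity_actions(LAST_LOGIN, REVIEW_DATE))
```

On the constructed data the reconciliation reports one expired and two never-authorized accounts, the log review flags the two configuration changes made by those accounts (including the one that removed a logging destination, which is exactly the kind of change an audit-trail review exists to catch), and the inactivity rule marks one account for locking and one for removal. The point of checking authorization against the date of each change, rather than only against the current list, is that an account whose authorization has since lapsed can still have made legitimate changes while it was valid.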
