The Treasury Inspector General for Tax Administration has released an audit report (pdf) and (html), “Unauthorized and Insecure Internal Web Servers Are Connected to the Internal Revenue Service Network.”
In a previous post, I discussed the sorry state of computer security in the federal government. The Treasury Department has received an “F” for the last two years on the annual Computer Security Report Card released by the House Committee on Oversight and Government Reform.
The Inspector General reviewed the state of the IRS network from September 2007 through May 2008 as part of its annual review of “the adequacy and security of IRS technology.” According to the Inspector General, “1,811 internal web servers on the Internal Revenue Service (IRS) network had not been approved to connect to the network, and 2,093 internal web servers connected to the network had at least 1 high-, 1 medium-, or 1 low-risk security vulnerability.”
The Inspector General explained:
Unauthorized servers pose a greater risk because the IRS has no way to ensure that they will be continually configured in accordance with security standards when new vulnerabilities are identified. Malicious hackers or disgruntled employees could exploit the vulnerabilities on these web servers to manipulate data on the server or use the servers as launch points to attack other computers connected to the network.
The Inspector General made several recommendations, and the IRS agreed to make numerous changes to improve its computer security.
The Associate Chief Information Officer, Enterprise Operations, was designated as the responsible official for the web registration program. The IRS plans to identify unauthorized web servers and create a policy and procedure to prohibit them from providing data over the IRS network, and the Computer Security Incident Response Center plans to perform recurring discoveries of enterprise assets and provide an annual report to the web registration business owner to reconcile discovered assets with those currently registered. The IRS plans to disconnect unauthorized web servers and to refer web sites with inappropriate content to the TIGTA Office of Investigations. The Computer Security Incident Response Center plans to perform quarterly security assessment scans to measure compliance with security requirements, and the IRS plans to hold business owners and system administrators responsible for eliminating the vulnerabilities.
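As an added example (not code from the report, TIGTA or the IRS), the script below reconciles a constructed discovery scan against a constructed web registration list and a constructed set of assessment findings, the way the recommended recurring discovery and quarterly scans would feed the reconciliation: it lists unregistered web servers, registrations with no live server behind them, and servers by their worst finding severity. Every host, port, banner and finding is assumed sample data.

```python
from collections import Counter

# Constructed discovery-scan output: host, port, service banner (one per line).
DISCOVERED = """\
10.0.1.10 80 Apache/2.2
10.0.1.10 443 Apache/2.2
10.0.1.22 8080 Tomcat/6.0
10.0.2.5 80 IIS/6.0
10.0.3.7 22 OpenSSH_4.3
"""

# Constructed web registration records: (host, port) approved to serve.
REGISTERED = {("10.0.1.10", 80), ("10.0.1.10", 443), ("10.0.4.9", 80)}

# Constructed assessment findings: (host, port, severity).
FINDINGS = [
    ("10.0.1.10", 443, "medium"),
    ("10.0.2.5", 80, "high"),
    ("10.0.2.5", 80, "low"),
]

WEB_BANNERS = ("Apache", "Tomcat", "IIS", "nginx")  # assumed banner prefixes
RANK = {"low": 1, "medium": 2, "high": 3}


def parse_discovery(text):
    """Return the set of (host, port) whose banner identifies a web server."""
    servers = set()
    for line in text.splitlines():
        host, port, banner = line.split(maxsplit=2)
        if banner.startswith(WEB_BANNERS):
            servers.add((host, int(port)))
    return servers


def reconcile(discovered, registered, findings):
    """Compare discovered web servers with the registry and the scan findings."""
    unauthorized = discovered - registered      # serving without approval
    stale = registered - discovered             # registered but not answering
    worst = {}                                  # (host, port) -> worst severity
    for host, port, sev in findings:
        if RANK[sev] > RANK.get(worst.get((host, port)), 0):
            worst[(host, port)] = sev
    return {
        "unauthorized": sorted(unauthorized),
        "stale_registrations": sorted(stale),
        "vulnerable_by_worst_severity": dict(Counter(worst.values())),
        "unauthorized_and_vulnerable": sorted(unauthorized & set(worst)),
    }
```

The unauthorized-and-vulnerable list is the set the report's disconnect recommendation targets first, since nobody is accountable for patching a server that was never registered.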