IRS Networks Riddled With Vulnerabilities

A new report from the US Treasury Inspector General for Tax Administration has delivered a damning verdict on the security of internal web servers on the Internal Revenue Service (IRS) network.

The report claims to have identified 2,093 authorized and unauthorized web servers with at least one high, medium or low risk security vulnerability. Of these, 540 servers contained one or more vulnerabilities that were rated as high risk.

Another concern was that 1,811 web servers were identified that had not been included in the web registration database and were, therefore, not authorized to connect to the IRS network. The report’s authors commented: “Unauthorized servers pose a greater risk because the IRS has no way to ensure that they will be continually configured in accordance with security standards and patched when new vulnerabilities are identified. Malicious hackers or disgruntled employees could exploit the vulnerabilities on these web servers to manipulate data on the server or use the servers as a launching point to attack other computers on the network.”

The report was also critical of the fact that the IRS was using 33 different web server software packages. The criticism centered on the view that standardizing on as few products as possible would reduce the security burden, such as monitoring each package for newly disclosed vulnerabilities, and would control the costs of licensing, training, and maintenance.

The report recommended that the IRS:
• Establish official ownership and assign responsibilities for the web registration program
• Enforce IRS procedures to block unauthorized web servers from providing data over the IRS network
• Undertake an annual scan of web servers and comparison to the web registration database to identify unauthorized web servers
• Require web server owners to revalidate the need for the servers annually and immediately notify the Chief Information Officer upon decommission of any web server
• Undertake quarterly network scans of web servers to measure compliance with security requirements, and limit the number of approved web software packages used in the non-modernized environment.
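One way to implement the scan-versus-registration comparison the report recommends, as an added example that is not code from the report or the article. The hostnames, scan findings and registration entries are constructed sample data, and the severity tiers follow the report's high/medium/low rating.

```python
# Added example (not from the TIGTA report or the article): reconcile a web
# server scan against a web registration database to surface unauthorized
# servers, stale registrations, severity counts and package sprawl.
from collections import Counter

# Constructed registration database: hostnames of authorized web servers.
# "legacy.corp.example" is registered but no longer answers on the network.
REGISTERED = {"web01.corp.example", "web02.corp.example",
              "intranet.corp.example", "legacy.corp.example"}

# Constructed scan output: (hostname, web server package, highest finding).
SCAN_RESULTS = [
    ("web01.corp.example", "Apache httpd", "low"),
    ("web02.corp.example", "IIS", "high"),
    ("intranet.corp.example", "Apache httpd", "medium"),
    ("devbox7.corp.example", "Tomcat", "high"),       # not in registration DB
    ("oldtest.corp.example", "Apache httpd", "none"),  # unregistered, clean
]

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def reconcile(scan, registered):
    """Compare scan results with the registration database.

    Returns (unauthorized, stale, severity_counts, package_counts):
      unauthorized    - scanned hosts absent from the registration DB,
                        worst severity first so they are handled first
      stale           - registered hosts the scan did not see (candidates
                        for the decommission notification the report wants)
      severity_counts - servers with at least one finding, per tier
      package_counts  - servers per web server package (product sprawl)
    """
    by_host = {host: (pkg, sev) for host, pkg, sev in scan}
    unauthorized = sorted(
        (h for h in by_host if h not in registered),
        key=lambda h: (-SEVERITY_RANK[by_host[h][1]], h),
    )
    stale = sorted(registered - by_host.keys())
    severity_counts = Counter(sev for _, sev in by_host.values() if sev != "none")
    package_counts = Counter(pkg for pkg, _ in by_host.values())
    return unauthorized, stale, dict(severity_counts), dict(package_counts)


def summary(scan, registered):
    """Headline numbers in the same shape the report uses."""
    unauthorized, stale, sev, pkgs = reconcile(scan, registered)
    return {"vulnerable_servers": sum(sev.values()),
            "high_risk_servers": sev.get("high", 0),
            "unauthorized_servers": len(unauthorized),
            "stale_registrations": len(stale),
            "distinct_packages": len(pkgs)}


if __name__ == "__main__":
    print(summary(SCAN_RESULTS, REGISTERED))
```

In practice the scan list would come from the quarterly network scan and the registration set from the web registration database, and the unauthorized list is the input to the blocking procedure the report calls for.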

© Exaprotect. All Rights Reserved