GOA says “The IRS security still sucks”
According to a report Tuesday from the Government Accountability
Office, sensitive taxpayer data housed at the IRS is critically
vulnerable to security threats. The report is a follow up from March
2006 where the security problems were initially discovered. The new
report indicates that 70% of the issues discovered in March remain.
The 33 page report details shortcomings including insufficiently
complex passwords, unnecessary access privileges for employees,
unencrypted data on laptops, and absence of logging or tracing on
security sensitive data access. The IRS responded to the report in
the same manner as last year by acknowledging the problems and
assuring the GAO that a plan to tighten measures was in development.
The GOA’s report is another example of a common security mistake:
functionality first, security second. Retrofitting existing systems
to be secure is a flawed and slow methodology for gaining security.
It is understandable why it has taken the IRS years to even begin to
correct the problems, but the systems should not have been put into
production without a security review PRIOR to implementation. Before
user accounts are set up, the appropriate tiers of access rights
should have been established. Logging of sensitive data accesses
should have been developed concurrently with the system’s
implementation. It’s not as if the data weren’t sensitive and then
suddenly became a security risk: taxpayer data has ALWAYS needed to be
secured. Secure systems need to built from the ground up, and its
inconceivable that a high profile government agency such as the IRS
would be prone to such a poor implementation.
The dangerous aspect is, given the publicity of these reports, the
vulnerabilities are now available to whoever wants to pursue them.
Its as if the GAO has done the cracker’s initial reconnaissance. For
example, a crooked corporation interested in finding its way out of
tax database will read that the data warehouse systems have no audit
trail and the passwords are stored on the intern’s laptop and may
think to themselves “How about we go talk to that intern…”.
Furthermore, they’ve had over a year to scheme without the IRS making
correctional changes. Due to exposure, the risk is increasing.
Additionally, we have no way of knowing if a security violation even
has occurred to date. The software industry already knows this
principle. You don’t hear Apple saying “we found a way a website may
execute arbitrary code through Safari and it will be repaired on our
next operating system release.” That would be security suicide akin
to posting a note on your door saying its unlocked and where to find
the jewelry.
Its imperative that when issues like this come to light, the knowledge
of the vulnerabilities is controlled until the risk has been
mitigated. Lets just hope with a second warning, the IRS makes the
appropriate steps to protect our information.