Monday, March 06, 2006

Report: IRS slips on keeping workers’ computers secure; Systems administrators are being blamed for weak security settings
Report: IRS slips on keeping workers’ computers secure
Systems administrators are being blamed for weak security settings
News Story by Linda Rosencrance

MARCH 02, 2006 (COMPUTERWORLD) - The Internal Revenue Service must do a better job of maintaining the security settings it developed and deployed on employees’ workstations under a common operating environment (COE), according to report by the Treasury inspector general for tax administration (download PDF).

Currently, high-risk vulnerabilities could allow the computers to be compromised, Michael Phillips, deputy inspector general for audit, said in the report.

Although the IRS developed the COE with secure configurations and installed those configurations on employees’ computers, security settings have not been consistently maintained, Phillips said.

“In our sample of 102 computers with the COE installed [out of approximately 100,000], only 42 were sufficiently secure based on the IRS standards,” Phillips said. “The remaining 60 computers complied with less than [90%] of the computer settings prescribed by the IRS or contained at least one high-risk vulnerability that could be exploited to either take control of the computer or render it unusable.”

In addition, 50 of the computers studied had at least one incorrect setting that could allow employees to circumvent security controls and inadvertently introduce vulnerabilities into the agency’s network, according to the report. “In our sample, 11 of the 102 computers contained 21 unauthorized software programs,” Phillips said in the report. “Some of the programs were clearly not authorized for official business, such as card and board games.”

Phillips said the weak security settings could be attributed to systems administrators since they are generally the only people authorized to change security settings on employees’ workstations.

“Maintaining secure settings also includes correcting new vulnerabilities that are identified by software vendors or the computer industry. However, the IRS did not ensure that all new vulnerabilities on employee workstations were being addressed,” according to the report. “We found 29 of the 102 computers in our sample did not have the latest COE update version. COE updates contain the latest available security patches to address new vulnerabilities. When the automated update installation failed, employees were not aware of the failure and did not take actions to install the updates. System administrators also did not follow up to ensure the updates had been installed.”

In addition, the COE image has not been installed on more than 4,700 IRS workstations, meaning those computers don’t have critical security patches and contained high-risk vulnerabilities, including incorrect password length and inadequate virus protection, Phillips said. “These computers are especially susceptible to computer viruses that could render them unusable.”

The report also indicates that the IRS is paying license fees for software that it rarely uses, such as the full version of Adobe Acrobat, which is an advanced software package with features employees are probably either unaware of or rarely use, Phillips said.

“In practice, most IRS employees only need the Adobe Reader, which is free software,” Phillips said. “The IRS paid approximately $2.3 million for 10 fully licensed versions of Adobe Acrobat. The IRS is also under agreement for annual maintenance and support for an additional $2.3 million each year.”

If systems administrators had performed necessary configuration audits, they would have identified software packages that are no longer needed, Phillips said. “At the time of our review, we were not aware of any such software configuration reviews being conducted,” he said.

The IG’s office recommends that the agency’s CIO hold system administrators accountable for maintaining the correct security settings on computers after the COE is deployed. The CIO should also ensure that the systems administrators run the IRS’s configuration-checking program on a sample of workstations on a periodic basis and conduct workstation security reviews. The system administrations should also follow up on workstations where proper updates were not successfully installed, identifying all computers without the agency’s COE image and either install it, replace the computers or manually bring the computers into compliance.

“We also recommended [that the CIO] use available tools to identify possible unauthorized software installed on computers, consider purchasing software metering tools, and assign responsibility for monitoring software with significant license agreement costs,” Phillips said.

In the report, IRS CIO, W. Todd Gramms said he agrees with the findings and most of the recommendations and is committed to securing employees’ workstations.