http://www.fcw.com/article103417-08-03-07-Web
By Mary Mosquera
August 3, 2007
IRS employees do not follow the most basic computer security practices
to protect their passwords, leaving taxpayer data at risk of identity
theft, according to the Treasury Inspector General for Tax
Administration.
In a test sample, nearly 60 percent of 102 IRS employees were duped into
handing over their access information, the IG said in a report released
today.
TIGTA auditors used social-engineering methods to test how well employees
complied with password security requirements. Posing as help-desk
representatives, they called IRS line employees, managers and contractors
and asked for their help in correcting a computer problem. They requested
that each employee provide a user name and temporarily change his or her
password to one the TIGTA caller suggested.
TIGTA test callers convinced 61 of the 102 employees to comply with the
requests. Only eight of the 102 employees in the sample contacted the
appropriate offices to report or validate the test calls, the report
said. The sample employees were from across IRS’ business units and
geographic regions.
“We conclude employees either do not fully understand security
requirements for password protection or do not place a sufficiently high
priority on protecting taxpayer data in their day-to-day work,” said
Michael Phillips, TIGTA’s deputy inspector general for audit.
TIGTA had conducted similar tests in 2001 and 2004; in the 2004 test, only
35 percent of the employee sample gave up their log-in information. Since
then, IRS has worked to raise employees' awareness of password protection
requirements and to warn them that hackers exploit the human element,
looking for ways to convince employees to share their access information.
Employees later told TIGTA that the scenario sounded legitimate and
believable. They also did not think changing their password was the same
as disclosing their passwords. In some cases, they had experienced past
computer problems.
“When employees are susceptible to social-engineering attempts, the IRS
is at risk of providing unauthorized persons access to computer
resources and taxpayer data,” he said. When these attempts are not
reported, IRS cannot investigate incidents and take action to minimize
the effects of a security breach.
Because agencies are now able to block more attacks at the network
perimeter, hackers have turned to alternative methods, such as social
engineering, to gain access to an organization's network.
TIGTA recommended that IRS continue security awareness training and
activities, remind employees to report incidents, conduct internal
social-engineering tests periodically and coordinate with business units
on the need to discipline employees for security violations resulting
from negligence and carelessness.
The IRS continues to emphasize computer security practices to its
personnel, including awareness of social engineering, said Daniel Galik,
chief of IRS mission assurance and security services, in a response
letter dated June 28.
IRS will survey employees to assess their knowledge of hacker methods.
The agency will use the results to tailor future efforts to remind
employees of those types of attempts. The agency also will conduct at
least one internal social-engineering test during the 2008 fiscal year,
incorporating lessons learned from the TIGTA survey.