[ISN] IRS needs to tighten security settings: TIGTA

InfoSec News isn at c4i.org
Tue Feb 28 03:04:27 EST 2006


By Mary Mosquera 
GCN Staff

The IRS has not consistently maintained the security settings it 
established and deployed under a common operating environment (COE), 
resulting in a high risk of exploitation for some of its computers, 
according to the Treasury Department's inspector general for tax 

The IRS has adopted a common operating environment for security
configurations on all of its workstations. The common environment lets
IRS control security configuration settings and software on
workstations by using one master COE template, which the IRS installs
on its computers. The IRS has installed the master COE image on 95
percent of its computers, TIGTA said in its report [1] released today.

Agencies must be able to control security settings under the Federal
Information Security Management Act to strengthen the security of
federal systems.

"The COE essentially minimizes the risk of someone compromising
computers on the IRS network," said Michael Phillips, TIGTA's deputy
inspector general for audit, in the report.

Of 102 computers tested, only 41 percent continued to be in
compliance; 59 percent were not or contained at least one high-risk
vulnerability that would allow the computer to be exploited or
rendered unusable. Almost one-half of the compliant computers
contained at least one incorrect setting that could allow employees to
circumvent security controls established by the common operating

Also, at the time of the audit, the COE security settings had not been
installed on more than 4,700 computers. Without them, computers were
missing security patches and at high risk for viruses.

TIGTA recommended that the IRS hold system administrators accountable
for maintaining adequate security settings and periodically check
configurations on a sample of computers to assure that they continue
to comply with the COE. Computers that do not have the common
environment should have it installed, or the computers replaced or
brought manually into compliance with the prescribed security
configurations, TIGTA said in its report.
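The sampling check TIGTA recommends is straightforward to automate: collect each sampled workstation's settings, compare them with the master COE template, and classify each host the way the report does (still in compliance, in compliance but with an incorrect setting, or noncompliant because a high-risk deviation is present). The script below is an added illustration and is not code from the IRS, TIGTA or GCN; the template settings, the severity labels and the five host snapshots are constructed for the example, since the page does not describe the actual contents of the COE template.

```python
"""Baseline-drift check of the kind TIGTA recommends above: compare a sample
of workstation configuration snapshots against the master COE template,
classify each host, and report compliance rates.

This is an added illustration, not code from the IRS, TIGTA or GCN. The
template settings, severities and host snapshots are constructed for the
example; the page does not describe the actual COE template contents.
"""
from dataclasses import dataclass, field

# Constructed master template: setting -> (required value, severity of a
# deviation). "high" means the host can be exploited or rendered unusable
# (the report's noncompliant class); "medium" means a user could circumvent
# a control but the host still counts as compliant with an incorrect setting.
COE_TEMPLATE = {
    "patch_level": ("2006-02", "high"),
    "antivirus_enabled": (True, "high"),
    "guest_account_enabled": (False, "medium"),
    "startup_password": (True, "medium"),
    "local_admins": ({"COE-Admin"}, "medium"),  # exact set of allowed admins
}


@dataclass
class HostResult:
    host: str
    status: str  # "compliant", "compliant-with-deviations" or "noncompliant"
    deviations: list = field(default_factory=list)  # (setting, severity, actual)


def _deviates(required, actual):
    """Set-valued settings must match exactly: an extra local admin and a
    missing required one are both deviations."""
    if isinstance(required, set):
        return (set(actual) if actual is not None else set()) != required
    return actual != required


def check_host(host, snapshot, template=COE_TEMPLATE):
    """Classify one host. A setting absent from the snapshot is a deviation at
    that setting's severity: either the COE image was never applied or the
    value could not be read, and both need a look."""
    deviations = [
        (name, severity, snapshot.get(name))
        for name, (required, severity) in template.items()
        if name not in snapshot or _deviates(required, snapshot[name])
    ]
    if not deviations:
        status = "compliant"
    elif any(sev == "high" for _, sev, _ in deviations):
        status = "noncompliant"
    else:
        status = "compliant-with-deviations"
    return HostResult(host, status, deviations)


def summarize(snapshots, template=COE_TEMPLATE):
    """Return per-host results plus the rates the report quotes: the share of
    hosts still in compliance, the share that are not, and, among the
    compliant ones, the share with at least one incorrect (medium) setting."""
    results = [check_host(h, s, template) for h, s in sorted(snapshots.items())]
    counts = {"compliant": 0, "compliant-with-deviations": 0, "noncompliant": 0}
    for r in results:
        counts[r.status] += 1
    total = len(results)
    in_compliance = counts["compliant"] + counts["compliant-with-deviations"]
    return {
        "results": results,
        "counts": counts,
        "compliant_pct": round(100 * in_compliance / total) if total else 0,
        "noncompliant_pct": round(100 * counts["noncompliant"] / total) if total else 0,
        "compliant_with_incorrect_setting_pct": (
            round(100 * counts["compliant-with-deviations"] / in_compliance)
            if in_compliance else 0
        ),
    }


# Constructed snapshots for five sampled hosts (what an inventory agent or a
# script run by the system administrator would report back).
SAMPLE_SNAPSHOTS = {
    "ws01": {"patch_level": "2006-02", "antivirus_enabled": True,
             "guest_account_enabled": False, "startup_password": True,
             "local_admins": ["COE-Admin"]},
    "ws02": {"patch_level": "2005-11", "antivirus_enabled": True,  # missed patches
             "guest_account_enabled": False, "startup_password": True,
             "local_admins": ["COE-Admin"]},
    "ws03": {"patch_level": "2006-02", "antivirus_enabled": True,
             "guest_account_enabled": False, "startup_password": False,  # control switched off
             "local_admins": ["COE-Admin", "jdoe"]},  # extra local admin
    "ws04": {},  # COE image never installed: nothing to read
    "ws05": {"patch_level": "2006-02", "antivirus_enabled": False,  # AV disabled
             "guest_account_enabled": True, "startup_password": True,
             "local_admins": ["COE-Admin"]},
}

if __name__ == "__main__":
    report = summarize(SAMPLE_SNAPSHOTS)
    for r in report["results"]:
        print(f"{r.host}: {r.status}")
        for name, sev, actual in r.deviations:
            print(f"    [{sev}] {name} = {actual!r}")
    print(f"in compliance: {report['compliant_pct']}%  "
          f"noncompliant: {report['noncompliant_pct']}%  "
          f"compliant hosts with an incorrect setting: "
          f"{report['compliant_with_incorrect_setting_pct']}%")
```

Two design points worth carrying over to a real check: a host that reports nothing is classed by the severity of the settings it is missing rather than skipped, so the 4,700 machines without the COE image would show up as noncompliant instead of disappearing from the sample; and the local administrator list is compared as an exact set, so an extra account is caught even when every required one is present, which is the check the IRS said it would direct administrators to make.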

In addition, the IRS at the time did not own a software license
tracking or metering tool that could identify software use for a
baseline inventory. For example, the IRS spends up to $32 million
annually for Microsoft Office suite products. But the IRS could not
explain how it arrived at the number of licenses needed.

"Without the ability to track software usage and licenses, the IRS may
have unused licenses available that could be redistributed or have
licenses that are not needed," Phillips said.

The IRS has established a combined Modernization and Information
Technology Services organization to prioritize the recommended
corrective actions, which reduces the security risk, IRS CIO Todd
Grams said in a response last month.

"We believe the recommendations in this audit are low-risk control
deficiencies," he said.

Also, as the tax agency has replaced computers and moved from the
Windows NT environment, more computers are running the common
operating environment security control settings.

The IRS will direct system administrators this week to ensure that the
password-protected start-up process is enabled and that the system
administrator accounts are limited to those who need them to carry out
their responsibilities.

The IRS has already targeted noncompliant workstations with
distribution of baseline COE patches and security settings. By June,
IRS will develop a recurring report to identify those computers that
do not meet the current COE version.

By August, the IRS will deploy a software metering tool to gather data
about software usage and related costs. And to improve oversight of
its software licensing, the IRS will implement a software inventory
application by October.

[1] http://www.ustreas.gov/tigta/auditreports/2006reports/200620031fr.pdf
