Use of Unapproved Wireless Technology Puts Sensitive Data at Risk
Reference Number:† 2003-20-056
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
February 21, 2003
DEPUTY COMMISSIONER FOR MODERNIZATION &
CHIEF INFORMATION OFFICER
FROM:†††† Gordon C. Milbourn III /s/ Gordon C. Milbourn III
†††††††††††††††† Acting Deputy Inspector General for Audit
SUBJECT:†††† Final Audit Report Ė Use of Unapproved Wireless Technology Puts Sensitive Data at Risk (Audit # 200220044)
This report presents the results of our review of the Internal Revenue Serviceís (IRS) use and security of wireless technology.† The overall objective of this review was to determine the effectiveness of the IRSí actions to control and secure the use of wireless technology.
Wireless networks are rapidly gaining popularity in the Federal Government and private sectors because they are inexpensive and provide greater flexibility than wired networks.† With the advantages come security vulnerabilities, particularly with unauthorized disclosure of sensitive data.† Before a wireless network is implemented, the advantages need to be carefully weighed against the vulnerabilities.
The IRS recognized the risks when its limited scanning in the Washington, D.C., area from December 2001 to March 2002 identified three unexpected wireless networks.† Although these wireless applications were shut down, over 6 months passed before the IRS initiated comprehensive efforts to identify other applications and educate all employees about the risks of using wireless technologies.
In summary, our subsequent scanning identified an unauthorized wireless application in one location that was directly connected to the IRS-wide internal network containing sensitive taxpayer information.† Although encryption was used, the encryption key was unchanged for 2 years and could have been compromised.† We were able to capture traffic from this application from a hotel approximately one-quarter mile away from the IRS building.† The IRS advised us that this application had no current business purpose.
At a second location, we had strong indications of another wireless application.† However, we were unable to confirm the existence of the wireless components and configurations of the wireless application because the wireless signal was abruptly terminated when we entered this location and advised the employees in the office of our review.
In addition, we identified the potential for unauthorized disclosure of sensitive data on the approved wireless application supporting the IRSí Continuity of Operation Plan (COOP).† The IRS has authorized the use of wireless devices for executives in the event of an emergency and has configured the supporting network to ensure that all transmissions are encrypted.† However, once electronic mail messages are read on the wireless devices, the messages are stored unencrypted.
We recommended that the Deputy Commissioner for Modernization & Chief Information Officer immediately disconnect all unapproved wireless networks that are connected to the IRS architecture, incorporate policies and procedures for the use of wireless technology into the segment of the Internal Revenue Manual (IRM) addressing Information Technology Security Policies and Guidance, and ensure wireless scanning efforts include critical assets.† Also, we recommended that action be taken to minimize the exposure of unencrypted sensitive data stored on the wireless devices supporting the COOP.
Managementís Response:† The Chief, Security Services, concurred with the findings in this report and has taken actions to address the security vulnerabilities associated with wireless networks.† Specifically, the IRS has terminated all known unapproved wireless networks connected to the internal network, incorporated the topic of wireless technology in the IRM, conducted and will continue to conduct unannounced scans for wireless networks, and taken steps to address unencrypted sensitive data on wireless devices for the COOP.† Managementís complete response to the draft report is included as Appendix IV.
Copies of this report are also being sent to the IRS managers who are affected by the report recommendations.† Please contact me at (202) 622-6510 if you have questions or Gary V. Hinkle, Acting Assistant Inspector General for Audit (Information Systems Programs), at (202) 927-7291.
Wireless networks are rapidly gaining popularity in the Federal Government and private sectors because they are inexpensive (a wireless network can be set up for less than $250).† Wireless networks also provide greater flexibility.† For example, when an office is moved, wires do not need to be restrung through walls.
Wireless technology is based on sending radio-wave transmissions through the air between two points, usually a user laptop computer and a pre-defined access point.† The access point can be connected back to the organizationís network to allow for full functionality and access to all computer resources.
With the advantages associated with wireless networks come significant security risks.† Wireless signals can be intercepted by anyone in close proximity with inexpensive, readily available equipment.† Although encryption is available for wireless traffic, it has proven to be weak.† Anyone can obtain free software from the Internet to break this encryption.† In addition, the existence of a wireless access point represents another avenue into an organizationís network infrastructure.
Recent commercial incidents have also demonstrated some of the vulnerabilities of wireless networks.† For example, one large retailer was using unencrypted wireless to transmit cash register transactions.† These transactions contained customer credit card numbers and other sensitive information.† The transmissions were shut down after someone sitting in the parking lot intercepted the transactions and reported it to the company.
Loosely organized hacker and investigative groups have been scanning metropolitan areas for wireless technology for some time.† Commonly referred to as ďwar driving,Ē this activity has more recently been extended to hackers posting information on buildings housing insecure wireless networks for others to potentially exploit.
Federal Government agencies are aware of the wireless vulnerabilities and have responded accordingly.† For example, the United States Secretary of Defense has placed a moratorium on the installation of telecommunications network infrastructure to support wireless services in the Pentagon area.† The Secret Service has initiated an effort to identify and report insecure wireless activities in the Washington, D.C., metropolitan area.
For the Internal Revenue Service (IRS), the security risks associated with wireless technology mainly involve the improper access to and unauthorized disclosure of sensitive data.† Sensitive financial data for over 130 million taxpayers could be at risk.
The audit was conducted from July through November 2002 in IRS offices located in Washington, D.C.; Oakland, Sacramento, San Francisco, and San Jose, California; Las Vegas, Nevada; Memphis, Tennessee; and Dallas, Texas.† The audit was conducted in accordance with Government Auditing Standards.† Detailed information on our audit objective, scope, and methodology is presented in Appendix I.† Major contributors to the report are listed in Appendix II.
We scanned IRS buildings in eight cities using inexpensive wireless equipment and software freely available on the Internet.† We identified an unapproved wireless application in one location and had strong indications of another wireless application in a second location.
The Information Technology Services organization in one office connected its wireless application to the internal IRS-wide network.† Not only were data on the wireless network exposed in this instance, but sensitive taxpayer data and systems on the entire IRS network were vulnerable.† The IRS advised us that the application had no current business purpose.
We were able to capture traffic from this application from a hotel approximately one-quarter mile away from the IRS building.† Either a hacker or occupants in nearby buildings could have easily captured the IRSí wireless traffic.† The wireless traffic in this case was encrypted.† However, with free software available on the Internet, they could have cracked the encryption key in a short time, obtained passwords, and accessed the IRS network.
Encryption keys should be changed regularly and often to minimize the opportunities for hackers to gather sufficient information to crack the keys.† However, the encryption key for this wireless application had not been changed for 2 years.
At another location, we identified an encrypted wireless signal and were able to isolate the signal to a specific IRS office.† However, we were unable to confirm the existence of the wireless components and configurations of the wireless application.† The wireless signal was abruptly terminated immediately after we arrived in the office and informed employees of our purpose.† We made an unannounced return visit and did not find the wireless application active.
Discussions with numerous IRS managers and employees showed they did not understand or were not aware of the security vulnerabilities associated with wireless technology.† Only the Information Technology Services employees seemed to generally understand the risks with wireless technology and the IRSí position not to deploy it.
Documentation shows that IRS security officials have been aware of the risks associated with wireless technology for over a year.† From November 2001 through March 2002, the IRSí Computer Security Incident Response Center (CSIRC) and Treasury Inspector General for Tax Administrationís System Intrusion Network Attack Response Team (SINART) jointly conducted scans for wireless technology at selected IRS facilities in the Washington, D.C., area.† These scans identified three unexpected applications, which were subsequently shut down.
Because of the potential security vulnerability of wireless applications, the CSIRC and SINART jointly issued a memorandum on March 20, 2002, to the Director of Cyber-Security (now the Director, Mission Assurance) discussing their results.† In addition, they made recommendations to create a more secure communication channel for wireless use or disallow connectivity to the IRSí internal network.† They also suggested that a review of the current IRS policy be conducted for adequate wireless security consideration.
Approximately 6 months after the issuance of the memorandum, the IRSí Technology Security Committee approved the release of a wireless article through publication channels for issuance throughout the IRS.† This article stated that any use of wireless technology needs to be approved by the Office of Security Services, and it prohibited the use of wireless devices without a security certification and accreditation.† The IRS distributed this article by posting it on the Security Services Intranet web site in October 2002 and including it in a November 2002 all employee newsletter, IRS HeadlinesÖ and More.† The IRS has also initiated actions to have one of its contractors conduct wireless scans at various IRS locations during Fiscal Year 2003.
We are encouraged by these activities.† They provide greater awareness of wireless security vulnerabilities and a means to identify unauthorized use.† The IRS is no longer relying on its general security policy and has issued specific guidance regarding the use of wireless technology.† We concur with the approach for developing technology-specific guidance as appropriate and necessary.
The Deputy Commissioner for Modernization & Chief Information Officer (CIO) should:
1. Immediately shut down all known wireless applications connected to the IRS architecture that have not gone through the proper approval process and security evaluations.
Managementís Response:† The IRS shares our concerns with employees connecting wireless devices to the internal network.† All known unapproved wireless applications connected to the IRS architecture have been terminated.
2. Incorporate the policies, procedures, and guidance developed for the use of wireless technology into the Internal Revenue Manual (IRM).
Managementís Response:† IRS policies and procedures covering network connectivity, including wireless network connectivity, are currently reflected in the IRM.
3. Ensure wireless scanning efforts include sufficient geographical coverage to provide representative assessments of unapproved wireless use.
Managementís Response:† The IRS has increased coverage on wireless scanning through an inter-agency agreement with one of its contractors.† In addition, the IRSí CSIRC has augmented its activities to perform random on-going unannounced wireless scans at IRS sites on an enterprise-wide basis.
The IRS has approved the use of wireless technology for its Continuity of Operation Plan (COOP) and CSIRC.† Approximately 300 wireless devices were obtained for executives and other key personnel and are to be used to transmit emergency and computer security communications.† In addition, the employees can remotely access their desktop electronic mail (email) messages using the devices, depending on how the employee sets the rules as to what is forwarded to the device.
The wireless application securely transmits the email messages using a Federal Government-approved encryption method.† The information is encrypted from the internal server to the device.† The IRS also uses strong passwords and screen saver lockout features to help secure the information stored on the devices.
However, once email messages are read on the device, the information is stored unencrypted.† The user guide for the device does not mention this, and users may not be aware that they need to delete the email messages after reading them.† Because these devices are small and portable, they can easily be lost or stolen.† Any unencrypted information would thereby be at risk of disclosure.
4. The Deputy Commissioner for Modernization & CIO should minimize the exposure of sensitive data stored on the wireless devices by completing one of the following actions:
∑ Encrypt all data stored on the wireless devices.
∑ Incorporate restrictive rules on forwarding email messages to the devices.
∑ Advise users to delete sensitive emails after reading them.
Managementís Response:† The IRS will implement Secure/Multipurpose Internet Mail Extensions protocol messaging to wireless messaging devices.† This will provide IRS employees the ability to securely handle all sensitive message traffic to wireless devices, including the storage of encrypted messages on the devices.† In addition, the IRS will implement an aggressive re-education program to ensure that all employees are aware of how to identify and protect sensitive information and to use secure messaging.
The overall objective of this review was to determine the effectiveness of the Internal Revenue Serviceís (IRS) actions to control and secure the use of wireless technology.
I. To assess the current IRS position regarding the use of wireless technology, we:
A. Reviewed the Department of the Treasury, IRS, and other appropriate guidance documents related to establishing the use of wireless technology.
B. Determined IRS managementís responsibilities for wireless technology.
II. To evaluate the security of approved wireless applications, we:
A. Reviewed approval documents, including certifications, schematics, and operating plans.
B. Evaluated the logical security protections, including the use of encryption.
III. To identify any unauthorized use of wireless technology, we:
A. Specifically configured a laptop computer to receive wireless transmissions and scanned for the existence of wireless access points in IRS offices located in Washington, D.C.; Oakland, Sacramento, San Francisco, and San Jose, California; Las Vegas, Nevada; Memphis, Tennessee; and Dallas, Texas.
B. Recorded transmissions and reviewed them to ensure they were IRS-related.
C. Attempted to exploit any wireless applications inter-connected to the IRS architecture.
IV. To determine the level of employee awareness regarding the use of wireless technology and determine actions taken to educate employees, we:
A. Identified any policy or guidance documents and their distribution.
B. Discussed the use of wireless technology with managers and employees at seven of the eight locations visited.
C. Discussed employee training and awareness regarding wireless technology with the Office of the Deputy Commissioner for Modernization & Chief Information Officer, the Business Unit Division Information Officers, and other appropriate entities.
D. Reviewed any employee alerts, messages, etc., pertaining to wireless technology.
Scott E. Wilson, Assistant Inspector General for Audit (Information Systems Programs)
Gary V. Hinkle, Acting Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
Harry Dougherty, Senior Auditor
Louis Lee, Senior Auditor
Larry Reimer, Senior Auditor
William Simmons, Auditor
Acting Commissioner† N:C
Chief, Information Technology Services† M:I
Chief, Security Services† M:S
Director, Mission Assurance† M:S:A
Deputy Director, Computer Security Incident Response Capability† M:S:A:IR
Chief Counsel† CC
National Taxpayer Advocate† TA
Director, Legislative Affairs† CL:LA
Director, Office of Program Evaluation and Risk Analysis† N:ADC:R:O
Office of Management Controls† N:CFO:F:M
Deputy Commissioner for Modernization & Chief Information Officer† M
Chief, Security Services† M:S
The response was removed due to its size.† To see the complete response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.