TREASURY INSPECTOR GENERAL FOR TAX
ADMINISTRATION
EMPLOYEES CONTINUE TO BE SUSCEPTIBLE
TO SOCIAL ENGINEERING ATTEMPTS THAT COULD BE USED BY HACKERS
Issued on July 20, 2007
Highlights
Highlights of
Report Number: 2007-20-107 to the
Internal Revenue Service Chief,
IMPACT ON TAXPAYERS
The Internal Revenue Service (IRS) has nearly 100,000
employees and contractors who have access to tax return information processed
on approximately 240 computer systems and over 1,500 databases. Using social engineering tactics, TIGTA
determined IRS employees, including managers, are not complying with the
rudimentary computer security practices of protecting their passwords. As a result, the IRS is at risk of providing
unauthorized persons access to taxpayer data that could be used for identity
theft and other fraudulent schemes.
WHY TIGTA DID THE AUDIT
This
audit was initiated as part of our statutory requirements to annually review
the adequacy and security of IRS technology. The overall objective of this review was to
evaluate the susceptibility of IRS employees to social engineering attempts
that could be used by hackers to gain access to IRS systems.
WHAT
TIGTA FOUND
IRS employees continue to struggle with complying with
the basic security requirements of protecting their passwords and reporting
possible security incidents. TIGTA made
102 telephone calls to IRS employees, including managers and a contractor, and
posed as a helpdesk representative seeking assistance to correct a network
problem. Under this scenario, TIGTA
asked the employee to provide his or her username and temporarily change his or
her password to one TIGTA suggested. TIGTA
was able to convince 61 (60 percent) of the 102 employees to comply with the
request. Some of the notable reasons
given were that the employee thought the scenario sounded legitimate and
believable, did not think changing his or her password was the same as
disclosing the password, or had experienced past computer problems.
TIGTA had
conducted similar social engineering test telephone calls in August 2001 and
December 2004, which yielded 71 percent and 35 percent noncompliance rates,
respectively. In response to the two
audits, the IRS took corrective actions to raise awareness over password
protection requirements and social engineering attempts. However, the correction actions have not been
effective. Based on the results of this
audit, TIGTA concluded employees either do not fully understand security
requirements or do not place a sufficiently high priority on protecting
taxpayer data in their day-to-day work.
In addition,
only 8 of the 102 employees contacted the TIGTA Office of Investigations or the
IRS computer security organization to validate whether the test was an official
TIGTA audit.
WHAT TIGTA RECOMMENDED
TIGTA
recommended the Chief, Mission Assurance and Security Services, continue
security awareness activities to remind employees of the potential for social
engineering attempts and the need to report these incidents to the IRS computer
security organization, conduct internal social engineering tests on a periodic
basis to increase employees’ security awareness and the need to protect
usernames and passwords, and coordinate with business units to emphasize the
need to discipline employees for security violations resulting from negligence
or carelessness.
In
their response to the report, IRS officials stated the Mission Assurance and
Security Services organization plans to continue to deliver social engineering
messages and use results from a social engineering survey to remind employees
of the potential for social engineering attempts and the need to report these
incidents to the
READ THE
FULL REPORT
To view the report,
including the scope, methodology, and full IRS response, go to:
http://www.treas.gov/tigta/auditreports/2007reports/200720107fr.html.
Email
Address: Bonnie.Heald@tigta.treas.gov
Phone Number: 202-927-7037
Web Site:
http://www.tigta.gov