IRS Granted Tens of Thousands of Devices Network Access Without Proper Authentication


Most devices accessing the Internal Revenue Service’s internal network using wireless connections and virtual private networks weren’t authenticated, according to an audit. 

The Internal Revenue Service failed to authenticate tens of thousands of devices connecting to the agency’s internal network through wireless connections or virtual private networks during a recent audit.

The Treasury Department Inspector General's audit described cracks in the authentication process used for accessing the internal IRS network. None of the devices used to make 26,237 network connections via virtual private networks were authenticated. Another 92% of devices using a wireless connection also were not authenticated, while 3% were authenticated with a password rather than the preferred certificate method. 

These figures come from a sample activity log covering one day of authentication using the Identity Services Engine. Over 104,000 network accesses were made via wired connections, the vast majority of which were verified using certificate-based authentication. But more than 31,000 non-wired accesses were made on devices lacking certificate authentication. 

“Without properly authenticating all devices, the IRS does not have adequate controls to ensure that only authorized devices are allowed access to its internal network and taxpayer data may be at risk,” the report reads. 

The inspector general recommends IRS implement certificate-based authentication across all devices regardless of connection type, develop a plan to reduce the number of devices authenticated with a less-secure protocol and ensure the Unified Access project is following the predetermined development methodology appropriately.

The agency concurred with each point. According to a July 16 memorandum from IRS acting Chief Information Officer Nancy Sieger, which was attached to the audit, IRS implementation will begin as early as February 2021. 

Work on certifying devices using wireless connections is already underway. That is the piece of the puzzle set for implementation in February. But in order to implement certificate-based authentication for devices connecting over a VPN, IRS needs funding. The memo posits IRS will be able to ensure VPN device authentication by February 2022 should it receive the needed funds. 

The other two recommendations indicate IRS should develop a plan to phase out devices that use a less secure authentication protocol, called Media Access Control Authentication Bypass, as well as course correct the Unified Access project to adhere to the appropriate development methodologies. 
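The audit's numbers were produced by tallying one day of Identity Services Engine activity by connection type and authentication method, and the phase-out recommendation hinges on knowing which devices still rely on MAC Authentication Bypass. The script below is an added example, not part of the audit or any IRS tooling: it shows how a defender would compute that same breakdown from an access log and list the devices that never presented a certificate. The log format (`conn=`, `device=`, `method=`, `result=` fields) and the method names are constructed for illustration and do not reproduce Cisco ISE's real export format.

```python
"""Tally device-authentication strength from network-access log lines.

Added example (not from the audit or the IRS). The line format and the
sample lines are constructed; a real ISE export has different field names.
"""
import re
from collections import Counter, defaultdict

# Method name recorded per session -> strength class (assumed method labels).
CERT_METHODS = {"EAP-TLS"}                       # certificate-based, the preferred method
PASSWORD_METHODS = {"PEAP-MSCHAPv2", "EAP-TTLS-PAP"}
BYPASS_METHODS = {"MAB"}                         # MAC Authentication Bypass: no credential

# Constructed sample: one day of access events, one per line, plus a junk line.
SAMPLE_LOG = """\
2020-07-01T08:00:01Z conn=wired device=00:11:22:33:44:01 method=EAP-TLS result=pass
2020-07-01T08:00:05Z conn=wired device=00:11:22:33:44:02 method=EAP-TLS result=pass
2020-07-01T08:00:09Z conn=wireless device=00:11:22:33:44:03 method=MAB result=pass
2020-07-01T08:00:12Z conn=wireless device=00:11:22:33:44:04 method=PEAP-MSCHAPv2 result=pass
2020-07-01T08:00:15Z conn=wireless device=00:11:22:33:44:05 method=EAP-TLS result=pass
2020-07-01T08:00:20Z conn=vpn device=00:11:22:33:44:06 method=none result=pass
2020-07-01T08:00:22Z conn=vpn device=00:11:22:33:44:07 method=none result=pass
2020-07-01T08:00:30Z conn=wired device=00:11:22:33:44:08 method=MAB result=pass
2020-07-01T08:00:31Z this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"conn=(?P<conn>\w+) device=(?P<device>\S+) method=(?P<method>\S+) result=(?P<result>\w+)"
)


def classify(method):
    """Map a recorded method to certificate / password / mab / unauthenticated."""
    if method in CERT_METHODS:
        return "certificate"
    if method in PASSWORD_METHODS:
        return "password"
    if method in BYPASS_METHODS:
        return "mab"
    return "unauthenticated"


def parse_log(text):
    """Return one session dict per well-formed line; malformed lines are dropped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sessions.append({"conn": m["conn"], "device": m["device"],
                         "strength": classify(m["method"])})
    return sessions


def summarize(sessions):
    """Per connection type: counts by strength and the share lacking certificate auth."""
    by_conn = defaultdict(Counter)
    for s in sessions:
        by_conn[s["conn"]][s["strength"]] += 1
    report = {}
    for conn, counts in by_conn.items():
        total = sum(counts.values())
        non_cert = total - counts["certificate"]
        report[conn] = {"total": total, "counts": dict(counts),
                        "non_cert_pct": round(100 * non_cert / total, 1)}
    return report


def weak_devices(sessions):
    """Devices seen on at least one non-certificate session: the phase-out candidates."""
    return sorted({s["device"] for s in sessions if s["strength"] != "certificate"})


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    for conn, row in sorted(summarize(sessions).items()):
        print(f"{conn:9s} total={row['total']:3d} non-certificate={row['non_cert_pct']:5.1f}% {row['counts']}")
    print("devices to migrate to certificate auth:", weak_devices(sessions))
```

Counting "non-certificate" rather than "failed" is the point: every line in the sample has `result=pass`, which is exactly the condition the audit describes, where a connection succeeds but the device was never strongly identified. Run against a real export, the `weak_devices` list is the inventory the phase-out plan needs.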

The UA project is an IT security initiative that protects the network, assets and taxpayer data, according to the memo. The audit found development of the project isn’t following the Enterprise Life Cycle methodology. The ELC standard defines a software development path for commercial off-the-shelf solutions. 

“We are committed to implementing the corrective actions that will strengthen device authentication and completing all Enterprise Life Cycle required artifacts,” Sieger wrote in the memo.