IRS improves cybersecurity, but still vulnerable to malware

Employees introduce risk by failing to comply with security policies, IG reports.

The Internal Revenue Service has improved its protection of computer networks from malicious software attacks, but inconsistent virus scanning of servers and lax enforcement of security policies still put taxpayer data at risk, according to a report the IRS inspector general released on Monday.

The IRS' Computer Security Incident Response Center identified and eliminated a growing number of cyber threats aimed at agency networks, according to a review the IG performed from October 2007 through September 2008. Based on incident data obtained from the center, the IRS responded to 661 malware incidents in calendar year 2007 and to 961 in 2008.

Malware refers to software that runs on a computer or network without the owner's authorization, typically to steal data or to alter applications and operating systems.

The IRS requires system administrators to install antivirus software on all computers running the Windows operating system and to perform antivirus scans at least weekly. When an antivirus update is released, the agency applies it to 96 percent of workstations within two business days and to almost 100 percent within one week, according to the report.

For servers, however, virus scans are not automated and system administrators must start them by hand. The IG found that from May 1 to June 30, 2008, administrators scanned 89 percent of the servers every week and scanned the remaining servers less frequently or not at all.

"The introduction of malware on servers is particularly risky because many users access them, making the spread of the malware to other computer systems more likely," the IG reported.
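The IG's weekly-scan check is the kind of audit an operations team can run itself from the antivirus console's scan history and the server inventory. The script below is an added illustration, not code from the IG report or from the IRS: it takes a constructed scan log (server name, date of a completed scan), splits the May 1 to June 30, 2008 review window into 7-day buckets, and flags every inventoried server that lacks a scan in any bucket. Driving the check from the inventory rather than from the log is the important design choice, because a server that was never scanned produces no log entries at all and a log-only check would silently miss it. The server names, the 89 percent outcome and the log entries are all constructed to match the proportions in the article.

```python
from collections import defaultdict
from datetime import date, timedelta

# Review window from the IG report.
WINDOW_START = date(2008, 5, 1)
WINDOW_END = date(2008, 6, 30)

# Constructed inventory: 16 servers scanned weekly, one scanned sparsely,
# one never scanned at all (it appears only in the inventory, not the log).
INVENTORY = [f"srv-app-{i:02d}" for i in range(1, 17)] + ["srv-print-01", "srv-legacy-01"]


def build_sample_scan_log():
    """Constructed antivirus scan history: (server, date of completed scan)."""
    log = []
    for server in INVENTORY[:16]:
        for k in range(9):  # one scan per week, on day 1, 8, 15, ... of the window
            log.append((server, WINDOW_START + timedelta(days=7 * k + 1)))
    # srv-print-01 was scanned only twice during the window.
    log.append(("srv-print-01", date(2008, 5, 6)))
    log.append(("srv-print-01", date(2008, 6, 20)))
    return log


def week_buckets(start, end):
    """Split [start, end] into consecutive 7-day buckets; the last may be shorter."""
    buckets = []
    day = start
    while day <= end:
        bucket_end = min(day + timedelta(days=6), end)
        buckets.append((day, bucket_end))
        day = bucket_end + timedelta(days=1)
    return buckets


def audit_weekly_scans(inventory, scan_log, start, end):
    """Return {server: [buckets with no scan]}; an empty list means compliant."""
    buckets = week_buckets(start, end)
    scans = defaultdict(set)
    for server, scanned_on in scan_log:
        if start <= scanned_on <= end:
            scans[server].add(scanned_on)
    result = {}
    for server in inventory:  # inventory-driven so never-scanned servers are caught
        dates = scans.get(server, set())
        result[server] = [b for b in buckets if not any(b[0] <= d <= b[1] for d in dates)]
    return result


def compliance_rate(audit):
    """Fraction of inventoried servers that had a scan in every weekly bucket."""
    compliant = sum(1 for missed in audit.values() if not missed)
    return compliant / len(audit)


if __name__ == "__main__":
    audit = audit_weekly_scans(INVENTORY, build_sample_scan_log(), WINDOW_START, WINDOW_END)
    print(f"{compliance_rate(audit):.1%} of servers scanned every week")
    for server, missed in audit.items():
        if missed:
            print(f"  {server}: missed {len(missed)} of {len(week_buckets(WINDOW_START, WINDOW_END))} weeks")
```

Scheduling the scan itself (for example as a recurring task on each Windows server) closes only half of the IG's finding; the audit above is the monitoring half, and it should be run against the console's own scan-completion records rather than against the task scheduler, since a task that fires but whose scan aborts leaves no completion record.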

Most IRS administrators complied with a Treasury Department requirement that prohibits them from using their accounts to receive e-mail from outside the department. But not all administrators complied with another requirement that bars them from using their accounts to access the Internet without written authorization from the chief information officer. During a one-week period in February 2008, the IG identified 63 administrator accounts that successfully accessed Internet Web sites 820 times without prior approval. As a result, the IG reported, "We do not have assurance that accesses by administrator accounts are sufficiently controlled to prevent compromise by malware-infected sites."
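The IG's one-week count of administrator accounts browsing the Internet without CIO authorization can be reproduced from web proxy logs. The example below is an added illustration, not code from the report or from the IRS, and it rests on three assumptions that are stated in the code: administrator accounts are identifiable by a naming convention (here a `-adm` suffix), the set of accounts holding written CIO authorization is available as a list, and hosts under the agency's own domain (here `example.gov`) count as intranet rather than Internet access. The proxy log lines are constructed; their format (timestamp, account, HTTP status, URL) is a simplification of what a real proxy records.

```python
from collections import defaultdict
from urllib.parse import urlsplit

ADMIN_SUFFIX = "-adm"               # assumption: admin accounts follow a naming convention
AUTHORIZED_ADMINS = {"jdoe-adm"}    # constructed: accounts with written CIO authorization
INTERNAL_DOMAIN = "example.gov"     # assumption: hosts under this domain are intranet, not Internet

# Constructed proxy log: timestamp, account, HTTP status returned to the client, URL.
SAMPLE_PROXY_LOG = """\
2008-02-11T09:14:02 jdoe-adm 200 http://update.vendor.example/patch.cab
2008-02-11T09:20:45 asmith-adm 200 http://news.example.com/
2008-02-11T09:21:10 asmith-adm 302 http://news.example.com/login
2008-02-11T10:02:33 bjones 200 http://intranet.example.gov/
2008-02-11T10:05:01 cwu-adm 403 http://files.example.net/tool.exe
2008-02-12T08:41:19 cwu-adm 200 http://files.example.net/
2008-02-12T09:00:00 asmith-adm 200 http://intranet.example.gov/patches
"""


def is_admin_account(account):
    return account.endswith(ADMIN_SUFFIX)


def is_internet_host(host):
    """Treat anything outside the agency domain as the Internet."""
    return not (host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN))


def unauthorized_admin_web_access(log_text):
    """Return {account: number of successful Internet accesses} for admin accounts
    that lack CIO authorization. A 'successful' access is one the proxy let through
    (2xx or 3xx); blocked requests (4xx/5xx) are not counted, matching the IG's
    'successfully accessed' wording."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, account, status, url = line.split(maxsplit=3)
        if not is_admin_account(account) or account in AUTHORIZED_ADMINS:
            continue
        if not (200 <= int(status) < 400):
            continue
        if not is_internet_host(urlsplit(url).hostname or ""):
            continue
        counts[account] += 1
    return dict(counts)


def summarize(counts):
    """(number of offending accounts, total successful accesses) as the IG reported them."""
    return len(counts), sum(counts.values())


if __name__ == "__main__":
    counts = unauthorized_admin_web_access(SAMPLE_PROXY_LOG)
    accounts, accesses = summarize(counts)
    print(f"{accounts} unauthorized admin accounts, {accesses} successful Internet accesses")
    for account, n in sorted(counts.items()):
        print(f"  {account}: {n}")
```

On the sample, `jdoe-adm` is excluded as authorized, `bjones` is not an administrator account, the intranet hit by `asmith-adm` does not count, and the 403 returned to `cwu-adm` was a blocked attempt, so the audit reports two accounts with three successful accesses. A real deployment would usually identify administrator accounts from directory group membership rather than a name suffix, and should also check whether the proxy's own policy could simply deny these accounts outright, which removes the need to audit after the fact.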

All IRS employees receive additional training to discourage behaviors that increase the risk of malware infection, the IG reported, including using removable storage devices, downloading software, and opening attachments or links in e-mails. According to the report, of the 661 malware incidents reported in calendar year 2007, 311 resulted in malicious code being installed and executed on a computer. Of those, 69 percent originated from a user accessing an infected Web site.

The IG recommended that security awareness refresher training, which employees and contractors must complete annually, be updated to include a more thorough list of the actions that have led to malware infections on IRS systems. The IG also suggested notifying employees when they caused a malware incident so they are aware that their actions resulted in an infection.

The IRS agreed with the recommendations to schedule automated antivirus scans on servers, to regularly monitor servers to ensure that weekly antivirus scans are executed and to issue regular reminders on Internet access restrictions for administrators.