Basic IT security amiss at IRS

IG report finds software patch management is lacking at IRS -- a problem experts say is all too common in large organizations.

EmeSec CEO Maria Horton says basic security can be challenging for large organizations such as the IRS.

One federal agency is in the hot seat after an audit found that it had failed to take rudimentary steps to protect its 100,000 computers, but some experts say even the most basic IT security can present challenges for a sizable organization.

A new report from the Treasury Inspector General for Tax Administration (TIGTA) states that the Internal Revenue Service has failed to take an enterprisewide approach to installing and monitoring software patches to mitigate the security risks associated with known vulnerabilities. Specifically, IRS officials had not implemented key patch management policies and procedures or completed an inventory of the agency's IT assets, an essential element of a patch management strategy.

The report found two main reasons why patches were not always installed: The automated approach used to install patches on Windows-based systems at times lacked valid connections to the systems requiring patching, and administrators believed manually patching numerous systems would be a labor-intensive process.

“I think it's shocking that something as basic as an enterprisewide patch management policy is not being done at the IRS,” said Jeffrey Carr, founder and CEO of IT security firm Taia Global. “That's one of the most basic cybersecurity housekeeping tasks that any responsible organization should do.”

Carr, who wrote “Inside Cyber Warfare: Mapping the Cyber Underworld,” said the IRS case demonstrates that the federal government “is incapable of protecting its own networks, let alone privately owned critical infrastructure.”

“Perhaps rather than trying to pass cybersecurity legislation that will accomplish next to nothing, Congress and the president should focus on putting their own house in order,” Carr said.

However, another expert said even a basic practice like patch management can be a laborious, challenging process for multiple reasons.

“The first challenge is that it is hard for organizations, particularly larger ones, to identify all the systems that need patching,” said Irving Lachow, director of the Program on U.S. National Security in the Information Age at the Center for a New American Security. “It seems like a very fundamental thing for an organization to know what systems they have on the network, but it’s actually very difficult to keep track because it’s a very dynamic process.”

Part of the problem is that the network’s boundaries have become porous. New devices are constantly being added to the network, Lachow said, and old devices are not always removed in a timely manner.

Furthermore, agencies often have to test patches before implementing them to ensure that they do not cause conflicts with other systems — a process that could take weeks or even months depending on the number of systems in need of testing, Lachow said.

“The longer you go with that testing process, the more positive you are that you’re not going to cause harm,” he said. “But the interval between when the patch was needed to the time it’s rolled out is a time of vulnerability.”

At an agency like the IRS, individual divisions have a mix of mainframe, Windows and Unix computers, which requires a tie-in across the agency to coordinate the patch management process, said Maria Horton, founder and CEO of IT security firm EmeSec.

“But as the report pointed out, it’s not just about patch management but the overall process of how can a large agency get funding and implementation in place,” she said. “I’m not saying there is a single point of failure. I think it’s complicated and complex to run all of that across the organization.”

TIGTA said the IRS should improve its patch installation and monitoring processes to ensure that patches are applied in a timely fashion and institute agencywide adoption of its standardized patch management program, among other recommendations.

However, even if the IRS achieved 100 percent compliance with its patch management policy, patch management should not be the agency’s only approach to cybersecurity, said Horton, who formerly served as CIO at the National Naval Medical Center.

“Patch management itself is not the only way people are being scammed, socialized or broken into so it’s not the only silver bullet,” she said.