Study: IRS security vulnerable to social engineering
Hey, baby, I'm the taxman -- and I can be hacked by random phone callers
IDG News Service - The Internal Revenue Service computer network is vulnerable to social-engineering hacks, with 60% of employees changing their computer passwords when requested by phone callers posing as help desk workers, according to a government auditor.
The IRS employees fell for the ruse even though the Treasury Inspector General for Tax Administration Office has run similar tests with IRS employees two other times since August 2001.
Sixty-one of 102 IRS employees and contractors contacted in March and April agreed to change their passwords to ones requested by callers from TIGTA, posing as IRS help-desk workers.
In the last test, only eight of the 102 employees contacted IRS authorities about the social-engineering attempt.
Seventy-one percent of employees fell for a similar trick in August 2001, but only 35% fell for it in December 2004. TIGTA called the recent results "alarming" in a report (PDF format) released Friday.
While IRS officials have said there's never been a successful outside attempt to breach agency computers and steal taxpayer data, the social-engineering vulnerabilities raise concerns, the report said.
"This is especially disturbing because the IRS has taken many steps to raise employee awareness of the importance of protecting their computers and passwords," Treasury Inspector General J. Russell George said in a statement. "All the sophisticated encryption and other security mechanisms available will not protect the sensitive taxpayer data on IRS computers until employees get the message loud and clear that they must, at a minimum, protect their passwords."
Asked why they changed their passwords, 21 of the IRS workers said the scenario the caller presented sounded legitimate. Ten employees said they believed that changing their passwords is not the same as disclosing their passwords, which they know is against the rules. Eight employees know the rules but changed their passwords anyway, according to the TIGTA report.
Of the 41 who refused to change their password, 20 said training, e-mail advisories or meetings reinforced the need to protect their passwords, and 17 said they didn't believe the scenario or couldn't verify the caller.
Asked why the numbers of disclosures increased from 2004, TIGTA spokeswoman Bonnie Heald said she didn't know. "That's a good question to ask IRS," she said. "IRS has tried to work really hard to raise security awareness."
An IRS spokesman said he didn't think the agency would comment on the report.
TIGTA made recommendations to the IRS, including continued security awareness training and internal social-engineering tests. The agency has agreed with the recommendations, the TIGTA report said.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!