Study: IRS security vulnerable to social engineering
Hey, baby, I'm the taxman -- and I can be hacked by random phone callers
IDG News Service - The Internal Revenue Service computer network is vulnerable to social-engineering hacks, with 60% of employees changing their computer passwords when requested by phone callers posing as help desk workers, according to a government auditor.
The IRS employees fell for the ruse even though the Treasury Inspector General for Tax Administration Office has run similar tests with IRS employees two other times since August 2001.
Sixty-one of 102 IRS employees and contractors contacted in March and April agreed to change their passwords to ones requested by callers from TIGTA, posing as IRS help-desk workers.
In the last test, only eight of the 102 employees contacted IRS authorities about the social-engineering attempt.
Seventy-one percent of employees fell for a similar trick in August 2001, but only 35% fell for it in December 2004. TIGTA called the recent results "alarming" in a report (PDF format) released Friday.
While IRS officials have said there's never been a successful outside attempt to breach agency computers and steal taxpayer data, the social-engineering vulnerabilities raise concerns, the report said.
"This is especially disturbing because the IRS has taken many steps to raise employee awareness of the importance of protecting their computers and passwords," Treasury Inspector General J. Russell George said in a statement. "All the sophisticated encryption and other security mechanisms available will not protect the sensitive taxpayer data on IRS computers until employees get the message loud and clear that they must, at a minimum, protect their passwords."
Asked why they changed their passwords, 21 of the IRS workers said the scenario the caller presented sounded legitimate. Ten employees said they believed that changing their passwords is not the same as disclosing their passwords, which they know is against the rules. Eight employees know the rules but changed their passwords anyway, according to the TIGTA report.
Of the 41 who refused to change their password, 20 said training, e-mail advisories or meetings reinforced the need to protect their passwords, and 17 said they didn't believe the scenario or couldn't verify the caller.
Asked why the numbers of disclosures increased from 2004, TIGTA spokeswoman Bonnie Heald said she didn't know. "That's a good question to ask IRS," she said. "IRS has tried to work really hard to raise security awareness."
An IRS spokesman said he didn't think the agency would comment on the report.
TIGTA made recommendations to the IRS, including continued security awareness training and internal social-engineering tests. The agency has agreed with the recommendations, the TIGTA report said.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts