Government employees fail security test, reveal passwords to "technicians"

60 percent of tested IRS employees failed to protect their passwords from government tiger teams, says a July 20 government report.

The audit was conducted by the Treasury Inspector General for Tax Administration (TIGTA) between March and April of 2007. The report (PDF) sampled 102 IRS employees, including managers and a contractor, on a single day within the audit timeframe. Social engineers from the TIGTA contacted the IRS employees via telephone, posing as helpdesk personnel.

61 of the 102 sampled IRS employees complied with the TIGTA callers’ requests — which violates IRS internal security policy — by providing their username and changing their password to one suggested by the caller.

Previous audits, conducted in 2001 and 2004, revealed vastly different results. In 2001, TIGTA callers were able to coax passwords out of 71 percent of sampled employees, while the audit in 2004 saw that number drop to 35 percent.

In an effort to understand the numbers, TIGTA auditors contacted all the sampled employees for a follow-up on why they did or did not comply with the TIGTA callers’ requests. Among those who broke policy, the most popular reasons cited were: the employee believed the request sounded legitimate (33 percent); the employee did not believe that changing their password was the same as revealing it, which they knew was against the rules (16 percent); or most alarmingly, the employee was aware of the rules but broke them anyway (13 percent).

The IRS employs close to 100,000 people, says the report, and the sample size was purposefully small because auditors needed to complete their tests before word of the exercise spread around IRS offices.

“Due to the sample size, we were unable to project our results throughout the IRS. However, we believe our sample was sufficient to demonstrate that IRS employees continue to be susceptible to social engineering attempts and that employees do not provide sufficient emphasis to the security of taxpayer data in their day-to-day activities,” states the report.

Despite frequent intrusion attempts, the report emphasizes that the IRS’ computer systems remain uncompromised by outside threats. However, given that IRS employees so easily revealed their passwords, that record could easily be broken, putting millions of taxpayer records stored in more than 1500 databases at risk.

In a reply attached to the end of the report, IRS Mission Assurance and Security Services Chief Danel Galik writes, “the [IRS] takes its security posture very seriously and we recognize the risks associated with exposing sensitive data unnecessarily ... we continue to reemphasize computer security practices, including social engineering, to IRS personnel.”

Copyright 2017 DailyTech LLC.