TIGTA: IRS Can Do More To Beef Up Security

Chris Gaetano
Published Date:
Oct 21, 2016

The Treasury Inspector General for Tax Administration said that the IRS has made good improvement in securing its systems from attack, but still found flaws in its processes and procedures that serve as possible avenues for further exploits. The IRS has struggled over the years with cybersecurity incidents that lead to unlawful actors accessing confidential taxpayer information, one of the more infamous being the Get Transcript incident. Get Transcript is a tool that allows people to access their tax information online. However last year the IRS discovered that fraudsters were using the tool to gain unauthorized access to personal information, affecting as many as 724,000 taxpayers. 

The IRS took a number of steps in response to the incident, including the development of a new initiative to detect malicious activity and fraudulent transactions, implementing new security protocols and network controls, and improving its authentication system. Despite this, TIGTA said that there are still a number of areas where the IRS could improve. It said that the IRS should clarify the responsibilities of its own responsibilities as well as that of contractors in preventing automated attacks, noting that poor communication between the service and its contractor for detecting attacks was one of the factors in the Get Transcript incident. It also recommended that the IRS establish a process to monitor the results and effectiveness of controls to prevent and detect automated attacks. 

It also recommended that managers of security operations follow Internal Revenue Manual procedures, in particular that eAuthentication audit logs are properly monitored, nothing that the Security Operations organization was not monitoring or analyzing system audit logs in compliance with IRS policy. Along similar lines, TIGTA faulted the IRS for not correlating audit log information across different repositories, which led it to recommend the development of automated mechanisms that can integrate audit review, analysis and reporting processes and to correlate audit records across different parts of the system to gain organization-wide situational awareness. 

Further, it recommended making sure that security specialists have the proper tools and training, saying they lacked the means to actually monitor and analyze all the data that would be required. 

TIGTA also recommended compiling periodic summary data of eAuthentication volume and unusual activity trigger event transactions so as to be able to compare data over time and identify trends and outliers. Finally, it suggested that the eAuthentication audit trail include an EventID that indicates which target application the user intended to access after authenticating. 

The IRS agreed with the TIGTA's recommendations. 

Click here to see more of the latest news from the NYSSCPA.