Auditors cite security problems with IRS wireless networks

Inspections in 10 cities turn up at least one unauthorized network.

The Internal Revenue Service has jeopardized sensitive taxpayer information by failing to lock down its wireless networks, according to an audit report released Tuesday.

The report from the Treasury Inspector General for Tax Administration cited weaknesses similar to those described in a 2003 assessment.

In that report, auditors found unauthorized wireless devices directly connected to an IRS-wide network. They recommended that the agency issue policies and procedures for the use of wireless technology and scan for unauthorized networks and devices.

But an inspection of 20 IRS buildings in 10 cities in 2006 found at least one unauthorized wireless network and strong indications of three others, according to the report. While the unauthorized network was not directly connected to the agencywide network, anyone with a wireless detection tool could pick up the signal and gain access to a computer connected to it, auditors found.

In addition, an improperly configured agency computer connected to the wireless network could give a hacker access to the agencywide network, the report stated.

According to the IG, the IRS is trying with limited success "to detect unauthorized access points on an ad hoc basis." As of May 2006, the agency had scanned less than 6 percent of all locations and had concentrated its efforts in the Washington and Baltimore regions.

"We believe this scanning is of limited value, considering wireless access points can be set up easily anywhere in the nation and can place the confidentiality of the data at risk," the report stated.

The agency has one authorized wireless network -- the Enterprise Logistics Information Technology network -- in Bloomington, Ill. This network receives, stores and distributes IRS publications; agency officials consider it a low security risk.

But a penetration test conducted by the IRS' Computer Security Incident Response Center found that one wireless access point to that network had an improper security configuration and that security devices were not in place to detect attacks, the auditors said.

While the IRS fixed the problems, its Enterprise Networks Division has yet to install the necessary software to monitor the configurations of the other wireless devices connected to the network, according to the report.

The IRS agreed with the audit recommendations, which included using tools to scan the entire agency network for unapproved wireless devices and giving employees periodic advice on the risks of using wireless networks.