Slashdot Mirror
IRS Doesn't Check Cyberaudit Logs
An anonymous reader writes "The US Internal Revenue Service's IT staff hasn't routinely checked its cybersecurity audit logs, according to a report released this week by the agency's inspector general's office. The report is not exactly flattering for the IRS. The report, with large chunks redacted, recommends the IRS allow independent review of audit logs and establish procedures to save audit logs. It also recommended that the IRS regularly test its Internet gateways for compliance with standard security configurations."
Why don't we test their Internet gateways? Right now! Let's go, crowd, everybody start hammering their GWs! Hooray, we're helping!
I'm not surprised. With how awful the UK has been with keeping a hold on our data, why should the US be any better at it? Just because we're not leaving it on subway cars or recycling computers without shredding the hard drives doesn't mean there isn't a fault somewhere else.
Posts not to be taken literally. Almost everything is sarcasm.
In Soviet Amerika, the IRS doesn't audit itself, it audits YOU!
If you're not compliant, no excuses. If they're not compliant, don't complain comrade - they WILL auduit you!
[Comment Redacted]
www.purevolume.com/martyd
I cannot understand what needs to be so secret about anything in the IRS that any portion of a report would need to be redacted. I do understand that there might be investigations into white collar crime, but if the summary is correct and "large portions are redacted", what are they worried about us finding out? This is not the FBI or CIA here, it is the IRS, the US government agency charged with collecting taxes.
Once again I think we have a serious issue with power and openness in our government. It has gotten so way out of control it seems ridiculous!
This post brought to you by your friendly neighborhood MBA.
Damn that's some hot stuff !!!!
Mcow.
Why would I audit my security logs? I have a shell script running for that.
Often wrong but never in doubt.
I am Jack9.
Everyone knows me.
I'm not the biggest "flat tax" proponent, mostly supporting it just to enact some sort of simplification to the tax system....but issues like the IRS audit logs points yet again to the bloated American tax system - imagine what we could do with the economy when we don't have to add all the salaries of accountants and tax people, which add little to no value to a product (if not negative) through a simplification of the tax process. It's one of those self-propogating systems - the more laws we have on taxation, the more that companies have to spend to try and get around them.
I would bet money a lot of government and I know for a fact a lot of private organizations do NOT audit their general security logs in a timely and in an effective fashion. Of course, its scarier when its the government considering the host of private info they have on us. But keep in mind how many credit card companies have been compromised and how much info they have on us. The problem is of course much bigger than one organization.
ACK
It's linked from the story. It's short and, like all such reports, its has a proforma organization that makes it easy to read. The synopsis tends to have the spin (and that's what got the attention of PC World and the Slashdot folks) but the actual findings are also clearly stated so that you can draw your own conclusions.
The inspectors made three findings.
1. "Intrusion detection systems were deployed effectively."
2. "Access controls over firewall and router system administrator accounts are operating effectively"
3. "Management of firewall and router audit logs needs to be improved."
Under # 3, they found one high-risk error, the only high-risk error in the report. That finding was "Audit logs were not independently reviewed".
The IRS agreed with all findings and promised to fix things.
My personal opinion? I think a report that says, to paraphrase, "All your stuff works fine. However, you aren't regularly running it all past someone not in the normal administrative chain; that failure is a serious error" is certainly something to be taken seriously but it's unlikely to be a career-killer for anyone. I've seen far, far worse reports on many different subjects from amny different agencies. The IRS, however, is really big and touches everyone so a finding that procedures are suboptimal is far more newsworthy than some of the truly horrific crap that passes for security practice at other agencies. I certainly feel no ill will towards those who are publishing this stuff. When you work for the IRS, you get used to seeing bad news (mostly exaggerated bad news) almost exclusively. Such is life.
It would be such revenge to see an audit on the IRS with such scrupulous nature as that in itself, that the IFCC stop all communications from happening with the IRS until they took proper precautions, and were again given the stamp of approval.... although they themselves would not see the irony, everyone ever audited would sure think so!!!
You don't really think the "Slashdot effect" would seriously impact the IRS, do you?
Every April, the IRS web presence gets hammered in ways most people can't imagine. It stays available. That speaks volumes about the ability of Treasury to handle traffic.
another high-risk error they found (and, in my experience, a higher-risk error than having only non-independent review of logs) is that the IRS "had unnecessary services enabled on routers".
Now you can get a chance to audit the IRS for a change!
Read the report. Quoting from page 7: "Unnecessary services were enabled on routers (moderate risk)"
Whatever was enabled was judged by the report authors to be of only moderate risk. The paragraph that provides specifics is redacted but that paragraph is quite short. It's clear to me that this wasn't an error on the scale of "They left all the defaults untouched." Rather, the inspectors found a service or two that someone overlooked when configuring a router. It's an error and it needs to be corrected but it was judged to be of only moderate risk, not high risk.
Further proof that the IRS is outdated and needs to be dissolved...
Colin Dean Go a year without DRM
n/t
ON DELETE CASCADE
You've managed to (fail to) make an obtuse (frankly, opaque) point about the BATFE by conflating political history from nearly 100 years ago with present-day network design. That's really impressive.
Nobody with a brain audits the security logs. The worms pound away at a rate of dozens per minute and the unsuccessful hack attempts are not far behind. If you were going to be able to detect a successful breach via the logs, you'd have prevented it at the firewall in the first place. The ratio between taxpayer-paid manpower to improved security would be exceptionally low.
Truth is, the logs are only valuable forensically. After detecting a breach or suspected breach, the logs can tell you more about what actually happened and how far it spread.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
While I agree that the IRS is a bad plan, you'll care when someone deletes their record of your tax payments, and they freeze your assets pending (a second) payment of your taxes.
Just because you go to flat tax doesn't mean you are going to ease up on the accountant. Institutions that pay NO taxes still have accounting needs that go well beyond the abilities of most people.
At the IRS, we keenly appreciate such irony, especially where audits are concerned. Everyone who works here is audited; it's part of the hiring process. If you're hired right out of college, there's a substantial chance your audit will consist of someone looking at your returns, concluding there's nothing worth looking at, and re-filing them. Thus, some new employees don't even realize they've been audited. But it happens to everyone. When I came aboard, I'd just closed down a Schedule C business with a big loss for the last year of operation. I got the fine-toothed comb treatment.
Everyone at the IRS has empathy for people being audited. That empathy can get a little rusty after years of dealing with bad people. But it's there, nevertheless.
Why is this listed troll? There is still an active contention that the IRS is illegal under the 16th amendment (and there are also several active movements to repeal the 16th amendment).
Disclaimer: The opinions and actions of the US Gov't are in no way representative of those held by this author or its ci
Why should only hedge funds and corporations get the benefit of lax or nonexistent regulation, no enforcement and robber baron capitalism? It's only reasonable and in strict GOP dogmatic compliance that we should get away with everything we can up to and including hacking the IRS to afford ourselves a lower tax bill. And since all taxes are teh evil, I'm sure the Grover Norquists of the world are cheering.
I understand that, but you won't need as many accountants (or, at least, man-hours) for the general populace outside of regular bookkeeping. A simplified, streamlined process means less work.
Because it is a troll.
You forgot to add "by wackjobs, flim-flam men, and the self-deluded."
In all honesty, because I really mean this: Good luck with that. Actually repealing the amendment is the only real, legal way to destroy income taxes and if that's your goal and you can be successful, more power to you. But for the gp to just declare the the IRS is illegal is not just trolling, it's not even smart trolling.
I doubt very much such is the case on a regular basis, you might be the exception to the rule.
The IRS audited my uncle 6 years in a row, everything from his business to personal, he had to hire
a lawyer, because it was harassment. Some noob on the job thought he would eventually find something, but each time nothing was "found out of place". Each year also, they had the balls to ask for the previous years audit info (like they didn't already have it). I am sure you have not had a REAL audit. The one you describe at the start seems pretty flimsy, when you compare having government officials rummaging through your house belongings to try and find stuff that was out of the ordinary.
Each time my uncle delt with it with patience thinking in the end it would pay off, but either red tape, or corporate BS made that he was a target next year. The supposed random selection is not random at all....so this proves. If you consider how much such an investigation costs the tax payers, especially when everything is on the up and up, you wonder who the moron in charge is when these things happen.
I'll care even more when some deletes my records and they decide they owe me back refunds
How long ago was this? And were the people doing the work Revenue Agents, Revenue Officers, or Special Agents?
I don't mean to be arcane, but there's a big difference between a tax audit, even an intrusive one, and the kinds of things that require "rummaging through the house." Rummaging through the house == a lot more than an audit. I can think of only a few things that warrant that sort of treatment.
1. Many, many years ago if you wanted to compromise a tax liability, you had to submit a financial statement that was fully verified. Verification included having a Revenue Officer rummage through the house looking for hidden assets. That practice ended decades ago.
2. The collection of taxes by seizing personal property, including going through your house looking for assets, can happen. It requires a judge to grant an entry order and a pre-existing liability. That sort of thing can happen year after year to delinquents for as long as they remain delinquent. But times have changed. A writ of entry to enter a private home (as opposed to the premises of a business) was always incredibly rare; I haven't heard of one being granted in the last decade.
3. Special Agents can rummage through the house in pursuit of a criminal investigation, pursuant to a search warrant. That's about as far from a simple tax audit as you can imagine.
I don't have enough information to make a judgement, but it certainly sounds like your uncle had more going on than just an audit. If he has any old paperwork, take a look at it. If the noob you refer to had the title of "Revenue Agent" then maybe it was an audit and something was happening that I've never heard of. But if said noob bore the title "Revenue Officer" or "Special Agent," then it wasn't an audit.
News flash, you'll still need accountants, just maybe not as many tax accountants.
You're mistake there is thinking that a simple tax system will catch more money than a complicated one. Why do you think the one we have is so complicated? Because companies pulled crap in the past that was 'within the letter of the law'.
> imagine what we could do with the economy when we don't have to add all the salaries of accountants and tax people,
Accountants and auditing are the punishment companies go through because of past misbehavior. You CAN NOT rely on trust, when you're insisting someone pay you. Ask anyone in Accounts Receivable.
> which add little to no value
Depends on which side you're looking at.
Are you the company? They cost you to hire, they cost you in money you could have hidden. But they reduce the likelihood of getting sued, and every now and then they DO save you money that you would normally have paid in taxes. As well, they can tell YOU where the costs are in your company, so you can reduce your overhead.
Are you a shareholder? They act as an incentive for the company officers to behave, by making it more likely that bad behavior will be discovered.
Are you a government? They save YOU having to start lawsuits. And occasionally save you from having to put people in jail for bad behavior.
I admire the ideal, of a world where you didn't have to bludgeon money out of deadbeats. But it ain't this world. Sorry.
Trust me: if we went to a flat tax, the number of accountants working for the IRS wouldn't drop one bit. Bureaucracies don't work that way. This is explained by The Iron Law of Bureaucracy.
Good, inexpensive web hosting
I'm not talking IRS, I'm talking private sector, particularly those huge departments at big businesses. THOSE accountants would be in for an interesting time job-hunting if we went to a more simplified system and they didn't have much to do because the company would need fewer tax experts in-house and just people to more or less keep the books straight.
The Iron Law applies just as much to business as it does to government. Think not? Look at all those "reserve" auto workers sitting around all day "Just In Case" they're needed because of union regulations. If you don't think it happens, read up on featherbedding.
Good, inexpensive web hosting
Accountants != auto workers. White-collar non-government employees are rarely unionized, and we are seeing a TON of job-cutting lately that more or less stretches across all spectrums. You're almost treating the iron law as an absolute, instead of a general practice in some sectors. If that were the case, we wouldn't be losing so many jobs right now (which, even if we get over about 10%, isn't necessarily a catastrophe).
Yes, I'm treating it as an absolute; in a bureaucracy. And, such things as accounting departments are bureaucracies. They always get bigger, never smaller. If you disagree, provide a counter-example or be ignored.
Good, inexpensive web hosting
There have been almost a half-million jobs lost in the past year or so that more or less prove my point, and they pretty much run the gamut among all industry. Every week we are hearing about layoffs. How does that not prove essentially against what you're talking about?
Because most of those jobs have been blue-collar workers, not accountants, professionals or middle managers, that's why.
Good, inexpensive web hosting