Slashdot Mirror


IRS Doesn't Check Cyberaudit Logs

An anonymous reader writes "The US Internal Revenue Service's IT staff hasn't routinely checked its cybersecurity audit logs, according to a report released this week by the agency's inspector general's office. The report is not exactly flattering for the IRS. The report, with large chunks redacted, recommends the IRS allow independent review of audit logs and establish procedures to save audit logs. It also recommended that the IRS regularly test its Internet gateways for compliance with standard security configurations."

16 of 78 comments

  1. Or better yet by IceCreamGuy · · Score: 2, Funny

    Why don't we test their Internet gateways? Right now! Let's go, crowd, everybody start hammering their GWs! Hooray, we're helping!

    1. Re:Or better yet by morgan_greywolf · · Score: 2, Funny

      No, thanks. You don't want to know what the IRS can do to get you back. You really, really don't want to know...

  2. Are you surprised? by Spazztastic · · Score: 2, Interesting

    I'm not surprised. With how awful the UK has been with keeping a hold on our data, why should the US be any better at it? Just because we're not leaving it on subway cars or recycling computers without shredding the hard drives doesn't mean there isn't a fault somewhere else.

    --
    Posts not to be taken literally. Almost everything is sarcasm.
  3. irs.portforward.com by martin_henry · · Score: 3, Insightful

    [Comment Redacted]

    --
    www.purevolume.com/martyd
  4. Why redacted? by fprintf · · Score: 4, Insightful

    I cannot understand what needs to be so secret about anything in the IRS that any portion of a report would need to be redacted. I do understand that there might be investigations into white collar crime, but if the summary is correct and "large portions are redacted", what are they worried about us finding out? This is not the FBI or CIA here, it is the IRS, the US government agency charged with collecting taxes.

    Once again I think we have a serious issue with power and openness in our government. It has gotten so way out of control it seems ridiculous!

    --
    This post brought to you by your friendly neighborhood MBA.
    1. Re:Why redacted? by fprintf · · Score: 5, Insightful

      Never mind. I just figured it out... social security numbers and private information. Once again, that little problem of social security numbers raises its ugly head. If it was just used for social security taxes, and nothing else, we'd be fine. But now it is used for all kinds of financial transactions; any organization has to guard those 9 numbers better than Fort Knox guards its gold.

      --
      This post brought to you by your friendly neighborhood MBA.
  5. Re:It wasn't a mistake ... by cthulu_mt · · Score: 4, Funny

    It's okay as long as they keep the records for seven years.

    --
    Virginia is for lovers. EVE is for griefers.
  6. Yet another case for some sort of tax revamping... by Notquitecajun · · Score: 2, Insightful

    I'm not the biggest "flat tax" proponent, mostly supporting it just to enact some sort of simplification to the tax system... but issues like the IRS audit logs point yet again to the bloated American tax system - imagine what we could do with the economy when we don't have to add all the salaries of accountants and tax people, which add little to no value to a product (if not negative) through a simplification of the tax process. It's one of those self-propagating systems - the more laws we have on taxation, the more that companies have to spend to try and get around them.

  7. Not just a problem for IRS by ACK!! · · Score: 3, Insightful

    I would bet money a lot of government and I know for a fact a lot of private organizations do NOT audit their general security logs in a timely and in an effective fashion. Of course, it's scarier when it's the government considering the host of private info they have on us. But keep in mind how many credit card companies have been compromised and how much info they have on us. The problem is of course much bigger than one organization.

    --
    ACK /ak/ interj. 2. [from the comic strip "Bloom County"] An exclamation of surprised disgust, esp. i
    1. Re:Not just a problem for IRS by pyro_peter_911 · · Score: 2, Funny

      I would bet money a lot of government and I know for a fact a lot of private organizations do NOT audit their general security logs in a timely and in an effective fashion.

      Don't forget to file your form 1099 after you win that bet.

      Peter

    2. Re:Not just a problem for IRS by IceCreamGuy · · Score: 3, Informative

      Alright, so let's start a discussion here; what do you guys do to audit your security logs?

      I'm really not sure if I do enough. I have the FW logs all forwarded to both its own DB as well as Splunk. I then analyze the FW logs with Sawmill, but only when something comes up, and about once a month I'll kinda just poke around for anything abnormal. Where I really do most of the work is in Splunk though. I have alerts set up for Router and FW access, too many failed logon attempts from the DCs, excessive errors and all that, and about once a week I go in and just browse the logs (through Splunk). Is this enough? What do you guys do? I'm just a one-man team here and I really just implemented these procedures myself without any real policy outline in place.

  8. Read the whole report by BenEnglishAtHome · · Score: 5, Informative

    It's linked from the story. It's short and, like all such reports, it has a pro forma organization that makes it easy to read. The synopsis tends to have the spin (and that's what got the attention of PC World and the Slashdot folks) but the actual findings are also clearly stated so that you can draw your own conclusions.

    The inspectors made three findings.

    1. "Intrusion detection systems were deployed effectively."

    2. "Access controls over firewall and router system administrator accounts are operating effectively"

    3. "Management of firewall and router audit logs needs to be improved."

    Under # 3, they found one high-risk error, the only high-risk error in the report. That finding was "Audit logs were not independently reviewed".

    The IRS agreed with all findings and promised to fix things.

    My personal opinion? I think a report that says, to paraphrase, "All your stuff works fine. However, you aren't regularly running it all past someone not in the normal administrative chain; that failure is a serious error" is certainly something to be taken seriously but it's unlikely to be a career-killer for anyone. I've seen far, far worse reports on many different subjects from many different agencies. The IRS, however, is really big and touches everyone so a finding that procedures are suboptimal is far more newsworthy than some of the truly horrific crap that passes for security practice at other agencies. I certainly feel no ill will towards those who are publishing this stuff. When you work for the IRS, you get used to seeing bad news (mostly exaggerated bad news) almost exclusively. Such is life.

  9. Re:I don't either... by Anonymous Coward · · Score: 5, Funny

    Have you stopped to think that perhaps automated tools don't always work as expected?

    Frist Post!!1!

  10. You're kidding, right? by BenEnglishAtHome · · Score: 2, Insightful

    You don't really think the "Slashdot effect" would seriously impact the IRS, do you?

    Every April, the IRS web presence gets hammered in ways most people can't imagine. It stays available. That speaks volumes about the ability of Treasury to handle traffic.

  11. No, it didn't by BenEnglishAtHome · · Score: 4, Informative

    Read the report. Quoting from page 7: "Unnecessary services were enabled on routers (moderate risk)"

    Whatever was enabled was judged by the report authors to be of only moderate risk. The paragraph that provides specifics is redacted but that paragraph is quite short. It's clear to me that this wasn't an error on the scale of "They left all the defaults untouched." Rather, the inspectors found a service or two that someone overlooked when configuring a router. It's an error and it needs to be corrected but it was judged to be of only moderate risk, not high risk.

  12. Nonsensical claim. by Spazmania · · Score: 2, Interesting

    Nobody with a brain audits the security logs. The worms pound away at a rate of dozens per minute and the unsuccessful hack attempts are not far behind. If you were going to be able to detect a successful breach via the logs, you'd have prevented it at the firewall in the first place. The ratio between taxpayer-paid manpower to improved security would be exceptionally low.

    Truth is, the logs are only valuable forensically. After detecting a breach or suspected breach, the logs can tell you more about what actually happened and how far it spread.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.