Slashdot Mirror


User: gpet

gpet's activity in the archive.


Comments · 1

  1. Re:Social Engineering on IRS Freely Gives Out Employee User Name/Password Info · · Score: 1

    The important question (which I'm sure the IG ignored b/c they are useless) is: what does a username/password combo get you? If it gets you that person's email and no or negligible abilities to escalate your privileges, create tax credits, modify roles, etc., then the system designers did their job right. If trying to do those things gets you detected, then the security folks also did their jobs right. I have no idea what the systems are like at IRS, but if they are like most of the Federal government... The problem is that the typical IG prescription to this is ever more intrusive training, testing, and related things that just make people crazy. Whereas the right question is: has the system been designed to be resilient to the loss of one or more credentials? Google doesn't care if my gmail password gets keylogged. Likewise, where I work, the loss of my credential would give an attacker such a tenuously poor foothold that it's almost not even worth talking about. Computer systems are supposed to be resilient, not *fool*proof.