IRS cybersecurity weak
Information security controls at the Internal Revenue Service continue to be weak, according to a Government Accountability Office report released March 19.
As part of its annual review of tax agency financial statements, GAO assessed cybersecurity at the IRS and found it wanting. The GAO acknowledges progress, but finds that 69 percent of previously identified control weaknesses and program deficiencies remain unmitigated--and new problems cropped up.
For example, the IRS stored passwords in clear text, and transmitted them unencrypted over networks. Some routing table messages were also unencrypted.
Passwords were weak. Some servers, including domain controllers, "were configured to accept an authentication protocol that was vulnerable to widely published attacks of obtaining user passwords," the GAO states.
The agency also didn't patch systems in a timely manner, leaving itself open to attacks that capture user IDs and passwords by redirecting user requests.
In addition, while the GAO has tested its systems for weaknesses, the results were not always clearly documented or reviewed. "Several tests were labeled 'pass' based on draft documents or actions that would be completed in the future," the GAO notes.
A root cause for the IRS's security ills, according to the GAO, is that it has yet to implement an agency-wide information security program, as required by the Federal Information Security Management Act.
The tax agency does have an associate chief information officer for cybersecurity heading an office for cybersecurity, but weaknesses--both old and new--continue to impair the agency's "ability to ensure the confidentiality, integrity and availability of financial and taxpayer information," the report states.
For more:
- check out the GAO report, "Information Security: IRS Needs to Continue to Address Significant Weaknesses" (.pdf)