A new audit has revealed that the Internal Revenue Service (IRS) did not properly authenticate tens of thousands of devices that accessed the organization’s internal network. Those connections were wireless or made through a Virtual Private Network (VPN).
The audit was carried out by the Inspector General for the Treasury Department. It found that the overwhelming majority (92 percent) of wireless connections were not properly vetted, and another 3 percent were only verified with a password instead of a more secure form of certification. The numbers were even worse for Virtual Private Networks, with none of the 26,237 VPN connections getting the appropriate clearance.
As the report points out, each incident represents a potentially critical security gap, especially given the sensitive nature of the information on the IRS database.
“Without properly authenticating all devices, the IRS does not have adequate controls to ensure that only authorized devices are allowed access to its internal network and taxpayer data may be at risk,” reads the report.
The numbers were pulled from one day of activity on the agency’s Identity Services Engine, which recorded more than 104,000 wired connections and more than 31,000 wireless ones. According to the audit, the majority of the wired connections were verified with certificate-based authentication.
To address the problem, the Inspector General advised the IRS to implement certificate-based authentication for all devices and connections, and to phase out legacy devices that rely on the weaker Media Access Control Authentication Bypass (MAB) system. It also warned that the agency needs to modify its Unified Access project to adhere to Enterprise Life Cycle methodology.
For its part, the IRS accepted the Inspector General’s recommendations, and indicated that it will be ready to certify wireless connections in February. However, the agency will need more funding to protect VPNs. It will not be able to ensure VPN security until February of 22, and that is assuming the IRS receives adequate financial support.
The report highlights some of the security issues that have emerged as remote activity has increased during the COVID-19 pandemic. The market for identity verification technology is expected to skyrocket in the next few years, largely because organizations like the IRS will need to take extra precautions to make remote connections as safe as those in the office.