Security audit reveals impressive number of vulnerable or unauthorized web servers on the network

Sep 5, 2008 12:35 GMT

The Treasury Inspector General for Tax Administration (TIGTA) audited the network security of the Internal Revenue Service (IRS) as part of its mandatory annual review. In doing so, it found 2,093 vulnerable internal web servers on the network and 1,811 web servers that were not authorized to access the network.

According to the TIGTA report, of the 2,093 insecure web servers found, 540 suffered from at least one high-risk vulnerability, 1,101 had at least one moderate-risk vulnerability, and 2,092 presented at least one low-risk vulnerability. As examples of the high-risk vulnerabilities, the report cites 62 servers that were affected at the time of the scan by password-related vulnerabilities and 130 servers that had a buffer overflow flaw. It further explains that, by exploiting them, “unauthorized users could access the web servers to alter the servers’ contents, copy data, install malicious programs for fraudulent purposes, or attack other computers on the network.”

Another serious issue was the 1,811 rogue web servers found. The document specifies that the IRS “requires that business units register all internal web sites and web servers,” noting, however, that no one has been responsible for the web registration program (meant to register the web servers on the network) since September 2006. This could mean that some of those web servers have legitimate business purposes but were simply never registered. Even so, the Enterprise Operations organization could justify the purpose of only 661 of these servers.

This still leaves 1,150 servers that could have non-business purposes. The report notes that many could be unintentional and result from poor administration: “An unintentional web server might exist when a system administrator inadvertently misconfigures a computer to perform as a web server or is unaware that web server capabilities are installed by default.” In fact, another scan revealed that 54 were laptop or desktop computers and, upon randomly checking 19 of them, it was confirmed that they were legitimate computers that were unintentionally running a web service.

According to IRS procedures, unregistered web servers should not be able to access the network. However, since no one had responsibility over the web registration program, this restriction was not enforced. The problem with such computers having network access is that they are not monitored for security updates, and could be hacked from the outside and then used to launch attacks on the internal network.
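The control described above amounts to a reconciliation: anything on the network that answers HTTP must appear in the web registration program, and whatever does not is either a rogue server or an unintentional one (a workstation with a web service enabled). The following is an added example, not code from the report or the IRS, of how a defender would run that reconciliation over scan output. The hostnames, Server headers, asset classes and registry entries are all constructed for the example; the report itself contains no such data.

```python
"""Reconcile discovered HTTP listeners against a web-server registry.

Every internal web server must be registered; a listener that is not in the
registry is either a rogue server or an unintentional one (a workstation that
ships with a web service turned on). All data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    host: str          # hostname reported by the scan (constructed)
    port: int          # TCP port answering HTTP
    server: str        # value of the HTTP "Server" response header
    asset_class: str   # "server" or "workstation", from the asset inventory


# Constructed scan output; hostnames and banners are invented.
SCAN_RESULTS = [
    Listener("app01.example.test", 80, "Apache/2.2.3", "server"),
    Listener("app02.example.test", 443, "Microsoft-IIS/6.0", "server"),
    Listener("lab-box.example.test", 8080, "Apache-Coyote/1.1", "server"),
    Listener("ws-1042.example.test", 80, "Microsoft-IIS/5.1", "workstation"),
    Listener("ws-2231.example.test", 5985, "Microsoft-HTTPAPI/2.0", "workstation"),
]

# Constructed registry: hosts the business units have registered.
REGISTRY = {"app01.example.test", "app02.example.test"}


def product_name(server_header: str) -> str:
    """'Apache/2.2.3' -> 'Apache'; a header without a version is returned as-is."""
    return server_header.split("/", 1)[0]


def reconcile(scan, registry):
    """Sort discovered listeners into three buckets of hostnames:
    registered, unregistered (server-class, needs justification or removal)
    and unintentional (workstation-class, likely a default-on web service)."""
    result = {"registered": set(), "unregistered": set(), "unintentional": set()}
    for listener in scan:
        if listener.host in registry:
            result["registered"].add(listener.host)
        elif listener.asset_class == "workstation":
            result["unintentional"].add(listener.host)
        else:
            result["unregistered"].add(listener.host)
    return result


def software_inventory(scan):
    """Count the distinct web server products seen, one count per listener,
    to track the kind of software sprawl the audit flags."""
    return Counter(product_name(listener.server) for listener in scan)


if __name__ == "__main__":
    buckets = reconcile(SCAN_RESULTS, REGISTRY)
    for name, hosts in buckets.items():
        print(f"{name:13s} {len(hosts):3d}  {sorted(hosts)}")
    print("web server products:", dict(software_inventory(SCAN_RESULTS)))
```

In practice the scan side is a port sweep of the internal address space for HTTP responders and the registry side is an export from the registration program; the asset-class lookup is what separates the "rogue" population from the unintentional workstations that the report found on random inspection.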

The report also expresses concern about the fact that there were 33 different web server software packages running across the whole network. The use of so many different applications for the same purpose increases security risks, maintenance and licensing costs, and raises compatibility issues. Finally, it is noted that all the recommendations the report made, starting with the assignment of responsibility for the web registration program, were accepted by the Chief Information Officer and are expected to be followed.