Monday, August 06, 2007
IRS Fails Social Engineering Test
A new report by the Treasury Department's Inspector General for Tax Administration (TIGTA) details an audit in which a majority of IRS employees surrendered sensitive information, including computer log-on passwords, to investigators using social engineering techniques.
Employees Continue to Be Susceptible to Social Engineering Attempts That Could Be Used by Hackers (22-page PDF).
We made 102 telephone calls to IRS employees, including managers and a contractor, and posed as computer support helpdesk representatives. Under this scenario, we asked for each employee’s assistance to correct a computer problem and requested that the employee provide his or her username and temporarily change his or her password to one we suggested. We were able to convince 61 (60 percent) of the 102 employees to comply with our requests. As part of the audit, we also evaluated whether employees contacted appropriate offices to report or validate our test calls. Only 8 of the 102 employees in our sample contacted either the audit team, the Treasury Inspector General for Tax Administration Office of Investigations, or the IRS computer security organization to validate our test as being part of an official Treasury Inspector General for Tax Administration audit.
The above conditions were particularly alarming because we had conducted similar social engineering test telephone calls in August 2001 and December 2004. Our 2001 and 2004 test calls yielded 71 percent and 35 percent noncompliance rates, respectively. In response to these two prior audits, the IRS took corrective actions to raise awareness of password protection requirements and social engineering attempts. However, the corrective actions have not been effective. Based on the results of this audit, we conclude employees either do not fully understand security requirements for password protection or do not place a sufficiently high priority on protecting taxpayer data in their day-to-day work. To better understand employee behavior, we asked the employees in our sample why they did not comply with IRS password security requirements. Some of the notable reasons given were that the employee thought the scenario sounded legitimate and believable, did not think changing his or her password was the same as disclosing the password, or had experienced past computer problems.
When employees are susceptible to social engineering attempts, the IRS is at risk of providing unauthorized persons access to computer resources and taxpayer data. In addition, when attempts at social engineering are not reported to appropriate personnel, the IRS cannot investigate incidents and take action to minimize the effect of a security breach. ...
While our calls were part of an official TIGTA audit, hackers could include a reference to a nonexistent TIGTA audit in an attempt to divert attention from their social engineering attempts, particularly if an employee questions the call.