IRS easily baited, vulnerable to social engineering-based attacks

Major security problems persist at the Internal Revenue Service after a new …

A recent study (PDF) conducted by TIGTA (Treasury Inspector General for Tax Administration) has determined that the IRS remains vulnerable to attacks that utilize principles of social engineering. According to the report, TIGTA placed 102 calls to IRS employees posing as computer helpdesk representatives. Each employee was asked for assistance in correcting a computer problem and requested to change his or her password to one suggested by the fake representative.

In 61 of 102 cases, the TIGTA caller was able to convince an IRS employee to change his or her password as requested. Furthermore, only eight of the 102 IRS employees called actually reported the attempt to the audit team, the Treasury Inspector General for Tax Administration Office of Investigations, or the IRS computer security organization. These results indicate an ongoing problem for the IRS: in 2001, 71 percent of employees were willing to reveal password data. While this number fell to only 35 percent in 2004, that sharp decline appears to have all but reversed itself.

It's interesting to note that this isn't simply an example of a government agency being slow to react to a new, emerging threat. As the TIGTA report notes, "The IRS has adequate password policies and procedures ... The IRS has posted these requirements and password security policies on its internal web site. The web site also has a document that describes social engineering and provides examples of social engineering attempts, specifically mentioning the use of telephone calls to conduct this type of attack."

Of the employees who provided their password information, 21 did so because the situation sounded legitimate and believable, 10 believed changing a password was not the same as disclosing it, eight knew the rules but changed their password anyway, seven were having or had previously had computer trouble, and four had not been trained regarding password protection. Eleven employees provided no reason for why they went along with the scenario.

Of those who did not change or reveal their passwords, 20 had been trained not to do so, 17 did not believe the scenario or could not verify the caller's identity, and four did not cite a reason. These results indicate that security and password protection education has been at least partially effective, but they clearly highlight a need for additional training.

The TIGTA report recommends continued education efforts specifically focusing on social engineering, encourages the IRS to conduct periodic tests of its own employees to screen for those who are susceptible to social engineering-based attacks, and calls for coordination with business units to emphasize the need to discipline employees for security violations. The IRS agreed with all report recommendations and is in the process of implementing them.

Although the IRS's access to taxpayer data makes it a potentially high-profile target for hackers, the organization's susceptibility to social engineering attacks is anything but unique. The very nature of such attacks makes it impossible for any antivirus or other software package to defend against them, and user education is the only available option. The TIGTA report may have focused specifically on one government organization, but its recommendations are pertinent for any business or government branch with access to sensitive, password-protected data.