In: Computer Science
The Internal Revenue Service (IRS) annually processes more than 222 million tax returns. The returns are then converted into electronic records. The information contained in these records is protected by law and considered sensitive. Maintaining this type of information could make the IRS a target for computer hackers—individuals who attempt to gain unauthorized access to computers or computer networks.
The IRS has made significant efforts to secure the perimeters of its computer network from external cyberthreats. Because hackers cannot gain direct access to the IRS through these Internet gateways, they are likely to seek other methods. One such method is social engineering, which is the process of gaining information from people, often through deception, for the purpose of finding out about an organization’s computer resources. One of the most common tactics is to convince an organization’s employees to reveal their passwords.
In August 2001, with the assistance of a contractor, the IRS conducted social engineering tests on IRS employees. The IRS team placed calls to 100 IRS employees, asking them to change their passwords to what the team suggested. Of those employees called, 71 were willing to accommodate the team’s request.
The employees gave the following reasons for why they were willing to accommodate the request:
a. Were any of these reasons valid?
b. What could the IRS do to mitigate the vulnerability?
a. Not all of the above reasons are valid.
The first reason, that employees were not aware of social engineering tactics or of the security requirement to protect their passwords, shows that these employees either did not appreciate the seriousness of their role or were ill-informed and insufficiently trained about threats to security.
The second reason, that employees helped because they thought the call came from the IT help desk, also reflects impulsive action, as no IT help desk of an organization calls its employees about their passwords. Even if there were a discrepancy, the employees should first have informed their employers so that their access to the system could be isolated before any password change was made, so that no one could misuse the credentials.
The third reason may seem genuine, but even in the case of a network problem or failure, a precautionary step should be taken to separate the individual's account from the whole network before any changes to the password are made.
The fourth reason shows that these employees were aware of the threat and were suspicious, but their decision to ultimately give up the password shows that they were negligent of the protocols, or that there was a genuine absence of any superior authority from which consultation or authorization could be obtained when such a discrepancy occurred.
The fifth reason is a valid one, as it shows that when in doubt the employees approached their superior authority, who approved them to give out their password. This shows that the employee was aware and that the problem lies with the higher authority. It may even be a case of espionage or fraud at a higher level.
b. There are a few steps that can be taken by the IRS to mitigate the vulnerabilities.
1. Release a proper set of guidelines about security and protocols for performing authentication changes.
2. Perform a training session for all employees regarding such frauds.
3. Provide a specific set of procedures to follow before the change of password.
4. Provide an air-gapped system.
5. Use multiple levels of authorization before access credential changes.
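Steps 1, 3 and 5 above amount to a credential-change policy that can be enforced mechanically rather than left to each employee's judgement on the phone. The following Python model is an added example, not part of the original question or answer: it encodes a hypothetical IRS-style policy in which a password change is accepted only when the employee initiates it through a self-service channel, chooses the new password themselves, has an open help-desk ticket in their own name, and two distinct approvers have signed off. The ticket table, employee and approver identifiers are constructed sample data. The example shows that the August 2001 test call (a caller asking the employee to set a password the caller suggests) fails every check, while a properly routed request passes and is written to an audit log.

```python
"""Model of a credential-change policy with multi-level authorization.

Added illustration, not the IRS's or any vendor's actual procedure.
All identifiers below (ticket ids, employee ids, approver ids) are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed help-desk ticket table: ticket id -> employee who opened it.
VALID_TICKETS: Dict[str, str] = {"T-1001": "e123"}

# Policy parameter (assumption): two independent approvals are required.
REQUIRED_APPROVALS = 2

# Audit trail of every decision, so unusual bursts of requests can be reviewed.
AUDIT_LOG: List[dict] = []


@dataclass
class ChangeRequest:
    employee_id: str
    channel: str                 # "self_service" (employee at the portal) or "phone"
    ticket_id: Optional[str]     # help-desk ticket the employee opened, if any
    approvals: List[str]         # ids of approvers who signed off
    password_chosen_by: str      # "employee" or "caller"


def evaluate(req: ChangeRequest) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons_for_rejection) for a password-change request."""
    reasons: List[str] = []

    # Guideline: the employee changes the password themselves; nobody is
    # asked to act on a caller's instruction (addresses reasons 2 and 3).
    if req.channel != "self_service":
        reasons.append("change must be made by the employee via self-service, not on a caller's request")

    # Guideline: the new secret is never supplied by a third party.
    if req.password_chosen_by != "employee":
        reasons.append("new password must be chosen by the employee, not supplied by a caller")

    # Procedure: a ticket opened by this employee must exist before any change.
    if req.ticket_id is None or VALID_TICKETS.get(req.ticket_id) != req.employee_id:
        reasons.append("no help-desk ticket opened by this employee matches the request")

    # Multi-level authorization: distinct approvers, so one person (or one
    # person repeated) cannot wave a change through (addresses reason 4/5).
    if len(set(req.approvals)) < REQUIRED_APPROVALS:
        reasons.append(f"fewer than {REQUIRED_APPROVALS} distinct approvals recorded")

    return (not reasons, reasons)


def process(req: ChangeRequest) -> bool:
    """Evaluate a request and record the outcome in the audit log."""
    accepted, reasons = evaluate(req)
    AUDIT_LOG.append({
        "employee_id": req.employee_id,
        "channel": req.channel,
        "accepted": accepted,
        "reasons": reasons,
    })
    return accepted


# Constructed sample requests.
# 1) The social engineering test call: a caller phones and suggests a password.
PHONE_REQUEST = ChangeRequest("e123", "phone", None, ["caller"], "caller")
# 2) A correctly routed change: self-service, own ticket, two distinct approvers.
PROPER_REQUEST = ChangeRequest("e123", "self_service", "T-1001", ["mgr-7", "sec-2"], "employee")
# 3) Same as 2 but one approver counted twice: still rejected.
DUPLICATE_APPROVER_REQUEST = ChangeRequest("e123", "self_service", "T-1001", ["mgr-7", "mgr-7"], "employee")


if __name__ == "__main__":
    for name, req in [("phone call", PHONE_REQUEST),
                      ("proper request", PROPER_REQUEST),
                      ("duplicate approver", DUPLICATE_APPROVER_REQUEST)]:
        ok = process(req)
        print(f"{name}: {'ACCEPTED' if ok else 'REJECTED'} {AUDIT_LOG[-1]['reasons']}")
```

The phone request is rejected on all four checks, which is the point of layering them: even an employee who believes the caller is the help desk cannot comply, because the portal is the only place a change can be made and it will not accept a password chosen by someone else. The duplicate-approver case shows why the policy counts distinct approvers rather than signatures.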