IRS Doesn't Check Cyberaudit Logs
An anonymous reader writes "The US Internal Revenue Service's IT staff hasn't routinely checked its cybersecurity audit logs, according to a report released this week by the agency's inspector general's office. The report is not exactly flattering for the IRS. The report, with large chunks redacted, recommends the IRS allow independent review of audit logs and establish procedures to save audit logs. It also recommended that the IRS regularly test its Internet gateways for compliance with standard security configurations."
Read the whole report (Score:5, Informative)
It's linked from the story. [treas.gov] It's short and, like all such reports, it has a pro forma organization that makes it easy to read. The synopsis tends to have the spin (and that's what got the attention of PC World and the Slashdot folks) but the actual findings are also clearly stated so that you can draw your own conclusions.
The inspectors made three findings.
1. "Intrusion detection systems were deployed effectively."
2. "Access controls over firewall and router system administrator accounts are operating effectively"
3. "Management of firewall and router audit logs needs to be improved."
Under # 3, they found one high-risk error, the only high-risk error in the report. That finding was "Audit logs were not independently reviewed".
The IRS agreed with all findings and promised to fix things.
My personal opinion? I think a report that says, to paraphrase, "All your stuff works fine. However, you aren't regularly running it all past someone not in the normal administrative chain; that failure is a serious error" is certainly something to be taken seriously but it's unlikely to be a career-killer for anyone. I've seen far, far worse reports on many different subjects from many different agencies. The IRS, however, is really big and touches everyone so a finding that procedures are suboptimal is far more newsworthy than some of the truly horrific crap that passes for security practice at other agencies. I certainly feel no ill will towards those who are publishing this stuff. When you work for the IRS, you get used to seeing bad news (mostly exaggerated bad news) almost exclusively. Such is life.
Re:Not just a problem for IRS (Score:4, Informative)
I'm really not sure if I do enough. I have the FW logs all forwarded to both its own DB as well as Splunk. I then analyze the FW logs with Sawmill, but only when something comes up, and about once a month I'll kinda just poke around for anything abnormal. Where I really do most of the work is in Splunk though. I have alerts set up for Router and FW access, too many failed logon attempts from the DCs, excessive errors and all that, and about once a week I go in and just browse the logs (through Splunk). Is this enough? What do you guys do? I'm just a one-man team here and I really just implemented these procedures myself without any real policy outline in place.
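As an added illustration of the kind of checks the poster describes (this is not code from the post, from Splunk or from Sawmill), here is a small Python script that applies two of them to constructed syslog-style sample lines: a failed-logon threshold per source address, and a list of every successful admin login to the firewall and router (hostnames fw01 and rtr01 are assumed). The output is the sort of summary someone outside the admin chain could review against expected activity, which is what the report faulted the IRS for not doing.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from the thread): a domain controller
# reporting failed logons, plus successful SSH logins on three hosts.
SAMPLE_LOGS = """\
Mar 03 10:01:02 dc01 winlogon: Failed logon for user jdoe from 203.0.113.7
Mar 03 10:01:05 dc01 winlogon: Failed logon for user jdoe from 203.0.113.7
Mar 03 10:01:09 dc01 winlogon: Failed logon for user jdoe from 203.0.113.7
Mar 03 10:01:12 dc01 winlogon: Failed logon for user root from 203.0.113.7
Mar 03 10:01:15 dc01 winlogon: Failed logon for user admin from 203.0.113.7
Mar 03 10:01:20 dc01 winlogon: Failed logon for user guest from 203.0.113.7
Mar 03 10:03:15 dc01 winlogon: Failed logon for user asmith from 198.51.100.4
Mar 03 10:04:00 fw01 sshd[2201]: Accepted publickey for netadmin from 192.0.2.10
Mar 03 10:05:00 rtr01 sshd[17]: Accepted password for admin from 198.51.100.4
Mar 03 10:06:00 app01 sshd[90]: Accepted publickey for deploy from 192.0.2.10
"""

# Generic "timestamp host prog[pid]: message" shape; lines that do not match are skipped.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                       r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed logon for user (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")

NETWORK_DEVICES = {"fw01", "rtr01"}  # assumed hostnames of the firewall and router

def parse(lines):
    """Yield (host, message) for each well-formed line."""
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            yield m.group("host"), m.group("msg")

def failed_logon_sources(lines, threshold=5):
    """Return {source_ip: count} for sources with at least `threshold` failed logons."""
    counts = Counter()
    for _host, msg in parse(lines):
        m = FAILED_RE.search(msg)
        if m:
            counts[m.group("src")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

def network_device_admin_logins(lines, devices=NETWORK_DEVICES):
    """Return (host, user, method, source_ip) for each successful login to a firewall/router."""
    hits = []
    for host, msg in parse(lines):
        m = ACCEPTED_RE.search(msg)
        if m and host in devices:
            hits.append((host, m.group("user"), m.group("method"), m.group("src")))
    return hits
```

Run the two functions over a day's forwarded lines and hand the result to whoever does the independent review; the threshold and device list are the knobs to tune for your environment.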
No, it didn't (Score:5, Informative)
Read the report. Quoting from page 7: "Unnecessary services were enabled on routers (moderate risk)"
Whatever was enabled was judged by the report authors to be of only moderate risk. The paragraph that provides specifics is redacted but that paragraph is quite short. It's clear to me that this wasn't an error on the scale of "They left all the defaults untouched." Rather, the inspectors found a service or two that someone overlooked when configuring a router. It's an error and it needs to be corrected but it was judged to be of only moderate risk, not high risk.