The Treasury Inspector General for Tax Administration (TIGTA) told the Internal Revenue Service (IRS) that it needs to do a better job of verifying wireless device identity, although it also said that, based on the audit results, the IRS was employing effective strategies and protocols to authenticate network user identities.
The IRS’s Unified Access Project aims to implement a solution to address the agency’s unrestricted internal network access vulnerability. The project uses Cisco Identity Services Engine software to manage wired, wireless, and virtual private network (VPN) access connections to the internal network.
In its audit, TIGTA reviewed a judgmental sample of one day’s activity from the audit log to determine if the Identity Services Engine authentication was effective.
“For 104,910 successful network accesses through a wired connection, 95 percent of the users and 97 percent of the devices were authenticated using certificates, and five percent of the users and three percent of the devices were authenticated using passwords,” the audit stated. “For 4,999 successful network accesses through wireless connection, 100 percent of the users were authenticated using certificates on personal identity verification cards.”
The story was different for devices using wireless connections: 92 percent were not authenticated, five percent were authenticated with certificates, and three percent were authenticated with passwords. Additionally, zero devices connecting to the internal network through a VPN were authenticated.
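The audit method described above, one day of access events grouped by connection type and authentication method, with a check for connection types that admitted any device without a certificate, as an added example that is not TIGTA's or the IRS's tooling. The event records are a constructed simplification (connection type, user method, device method), not Cisco ISE's actual log schema.

```python
"""Summarise one day of network-access events by connection type and
authentication method, then flag connection types with device-auth gaps."""
from collections import Counter, defaultdict

# Constructed sample events: (connection type, user auth method, device auth method).
# "none" means the device was admitted without being authenticated at all.
SAMPLE_EVENTS = [
    ("wired", "certificate", "certificate"),
    ("wired", "certificate", "certificate"),
    ("wired", "password", "certificate"),
    ("wired", "certificate", "password"),
    ("wireless", "certificate", "none"),
    ("wireless", "certificate", "none"),
    ("wireless", "certificate", "certificate"),
    ("wireless", "certificate", "password"),
    ("vpn", "certificate", "none"),
    ("vpn", "password", "none"),
]

METHODS = ("certificate", "password", "none")

def summarize(events):
    """Return {conn_type: {"total": n, "users": {method: pct}, "devices": {method: pct}}}."""
    by_type = defaultdict(lambda: {"users": Counter(), "devices": Counter(), "total": 0})
    for conn, user_method, device_method in events:
        entry = by_type[conn]
        entry["total"] += 1
        entry["users"][user_method] += 1
        entry["devices"][device_method] += 1
    result = {}
    for conn, entry in by_type.items():
        n = entry["total"]
        result[conn] = {
            "total": n,
            # Percentages are rounded to whole numbers, as in the audit's figures.
            "users": {m: round(100 * entry["users"][m] / n) for m in METHODS},
            "devices": {m: round(100 * entry["devices"][m] / n) for m in METHODS},
        }
    return result

def find_device_auth_gaps(summary, required=("wireless", "vpn")):
    """Connection types (default: the two TIGTA flagged) where fewer than 100
    percent of devices were authenticated with certificates."""
    return sorted(c for c in required
                  if c in summary and summary[c]["devices"]["certificate"] < 100)

if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for conn, stats in sorted(report.items()):
        print(conn, stats)
    print("device-auth gaps:", find_device_auth_gaps(report))
```

On the constructed sample the check reports both wireless and VPN, mirroring the audit's finding that those two paths lacked certificate-based device authentication.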
“TIGTA recommended that the [CIO] implement certificate-based authentication for devices wirelessly connecting or connecting through a virtual private network, coordinate with the business units to develop a comprehensive plan with milestones to reduce the number of devices that currently authenticate using a less secure protocol, and complete the Enterprise Life Cycle methodology artifacts,” the audit said.
IRS agreed with all of those recommendations.