BreachExchange mailing list archives

Who should get the blame in IRS breach?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 2 Jun 2015 20:33:11 -0600

http://www.computerworld.com/article/2929857/data-privacy/who-should-get-the-blame-in-irs-breach.html

If cybercrime is visualized as a river, its headwaters may be in a doctor's
office in places such as South Florida. It's here where a cellphone
photograph of a medical form filled out by a patient can be sold for a
minimum of $10.

With that information, fraudsters add other data streams from publicly
accessible databases, social media sites and other sources, such as stolen
credit records. It's this now-river of data that was used to attack an
Internal Revenue Service application called Get Transcript and access the
records of more than 100,000 taxpayers.

The U.S. Senate Finance Committee will hold a hearing today on this breach.
The IRS will put some of the blame on lawmakers, at least indirectly. The
agency has suffered big budget cuts, including to its cybersecurity
program, and has lost some key IT personnel.

But does IRS budget-cutting, from $12.15 billion in 2010 to $10.9 billion
this year, fully explain the breach?

If the IRS is asked to explain its security processes, it will describe "a
multi-step process to check identities" for its Get Transcript program. The
first part involves submitting personal information about the taxpayer,
including Social Security number, date of birth, tax filing status and
street address. There are also "out-of-wallet" questions, questions "based
on information that only the taxpayer should know, such as the amount of
their car payment or other personal information," said the IRS.

But one former IRS IT manager, who didn't want his name used, said that IRS
cybersecurity officials "would have preferred to implement a more dynamic
and aggressive security framework that would have stopped the fraudsters
from being able to get in using the information they stole from the third
party." IRS senior leadership favored, instead, an approach to keep the
process simpler to encourage use, this manager claimed.

A more complex authentication system would have involved a multi-factor
authentication approach - "biometrics, dynamic questions using non-public
information rather than static or simple out-of-wallet questioning," said
this former IRS manager.

But there's no easy approach here. Even if the government were to implement
some form of biometrics, it would face potential problems.

The estimated pay rates for cellphone photographs of medical records come
from Yair Levy, a professor of information systems and cybersecurity at
Nova Southeastern University in Fort Lauderdale, Fla. The theft of medical
records is a major contributor to breaches, and he believes that a
multi-factor authentication process will be needed that includes biometrics.

But Levy says it will be difficult for the government to win acceptance of
biometrics. In his research he sees that people, especially in the U.S.,
"have this mental resistance to biometrics - they see it as giving a copy
of themselves to the government." About 75% will refuse to give the
government biometric data "no matter what," he said.

One system that the IRS did put in that can be effective is making a
six-digit PIN available to taxpayers, but Levy said a lot of people are not
aware of it.

Nevertheless, attackers have been able to get the data to answer out-of-wallet
questions from publicly accessible records, as well as through the theft of
credit records.

"Out-of-wallet challenge response questions, or KBA (knowledge based
authentication) would not have offered much of a defense for those who were
exploiting the IRS Get Transcript functionality," says John Zurawski, vice
president at Authentify, a supplier of authentication services.

Zurawski believes that authentication processes that link phone numbers to
people, similar to what online services such as Google now offer, could
thwart many attempts to breach records.
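The contrast Zurawski draws, as an added example that is not code from the article, the IRS or Authentify: a toy Get Transcript-style login that first checks the identity fields and static out-of-wallet answers the article lists, then a code generated on a device enrolled to the taxpayer. TOTP (RFC 6238) is used here as a stand-in for the phone-linked verification he describes, which is an assumption; the taxpayer record and the attacker's dossier are constructed, and the TOTP secret is the RFC test key so the codes are reproducible.

```python
# Added illustration (not IRS, Computerworld or Authentify code): static KBA
# versus a possession factor.  TOTP stands in for phone-linked verification
# (assumption); all records below are constructed.
import hashlib
import hmac
import struct


def _norm(value):
    """Canonicalise an answer so case/whitespace differences do not matter."""
    return str(value).strip().lower().encode()


# Constructed taxpayer record as the verifier would hold it (fictional values).
# "kba" holds the out-of-wallet answers; "totp_secret" is the key enrolled on
# the taxpayer's own device (the RFC 6238 test secret, for reproducibility).
TAXPAYER = {
    "ssn": "123-45-6789",
    "dob": "1980-04-12",
    "filing_status": "single",
    "street": "12 Elm Street",
    "kba": {"car_payment": "412", "mortgage_lender": "Example Bank"},
    "totp_secret": b"12345678901234567890",
}

# Constructed attacker dossier, assembled the way the article describes: a
# photographed medical form (SSN, DOB, address) merged with stolen credit
# records (car loan, mortgage).  Everything the KBA step asks for is in it;
# the only thing missing is the secret that never left the enrolled device.
ATTACKER_DOSSIER = {
    "ssn": "123-45-6789",
    "dob": "1980-04-12",
    "filing_status": "Single",
    "street": "12 elm street",
    "kba": {"car_payment": "412", "mortgage_lender": "example bank"},
}


def kba_check(record, submitted):
    """Static KBA: accept if identity fields and every out-of-wallet answer match.

    The comparison is constant-time, but that is beside the point: the
    'secret' answers are on file with lenders and credit bureaus, so anyone
    holding stolen credit data passes this step exactly as the taxpayer would.
    """
    fields = ["ssn", "dob", "filing_status", "street"]
    ok = all(hmac.compare_digest(_norm(record[f]), _norm(submitted.get(f, "")))
             for f in fields)
    for question, answer in record["kba"].items():
        given = submitted.get("kba", {}).get(question, "")
        ok &= hmac.compare_digest(_norm(answer), _norm(given))
    return ok


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time `at`."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at, step=30, window=1):
    """Accept the current code or one step either side to tolerate clock skew."""
    counter = int(at) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), str(code))
               for d in range(-window, window + 1) if counter + d >= 0)


def get_transcript_login(record, submitted, code, at):
    """Two-step login: static KBA, then a code from the enrolled device.

    Returns (granted, reason) so a caller can log which step rejected.
    """
    if not kba_check(record, submitted):
        return False, "identity/KBA mismatch"
    if not verify_totp(record["totp_secret"], code, at):
        return False, "second factor failed"
    return True, "ok"


if __name__ == "__main__":
    now = 59  # fixed clock so the output matches the RFC 6238 test vector
    print("KBA alone, attacker dossier:", kba_check(TAXPAYER, ATTACKER_DOSSIER))
    print("attacker, guessed code:", get_transcript_login(TAXPAYER, ATTACKER_DOSSIER, "000000", now))
    print("taxpayer, device code:", get_transcript_login(TAXPAYER, TAXPAYER, totp(TAXPAYER["totp_secret"], now), now))
```

The KBA step cannot tell the taxpayer from the dossier because its answers are the same data the article says is photographed, sold and stolen; only the possession factor, whose key is generated at enrollment and never appears in any public or credit record, separates the two. A real deployment would also rate-limit attempts and alert on repeated KBA failures, which this illustration omits.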

IRS funding for cybersecurity has fallen from $187 million in 2011 to $149
million in 2015 -- a drop of more than 20%, said Matthew Leas, an IRS
spokesman, in a response to a query from Computerworld.

The biggest cut happened in 2011. Funding fell off a cliff that year and
declined to $129 million in 2012, and then rose. (This 2011 budget data was
not immediately available when Computerworld first reported on the staffing
decline and budget. The available data shows an increase from 2012 to 2014.)

"Complicating this situation even further are staffing issues, both in
cybersecurity as well as leadership and executive positions across the
agency," said Leas, in a statement.

In addition to a smaller workforce, the IRS "lost several key leaders in
the information technology and analytics areas due to the loss of
streamlined critical pay authority late last year," said Leas, in a
statement.

The critical pay authority allowed the IRS to appoint or retain people with
a high level of expertise for up to four years at salary rates above normal
government levels. But no one could be paid higher than the vice president,
who earns $233,000.

IT appointments accounted for most of the positions filled under this
program. The "private-sector expertise had been crucial to introducing new
leadership to supplement in-house expertise," according to a report late last
year by the Treasury Dept.'s Inspector General.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
