Malware Incidents on the Rise at IRS

Inspector General: 11 % of Servers Not Scanned Regularly Eric Chabrow (GovInfoSecurity) • March 19, 2009 Malware infecting Internal Revenue Service computers increased by 45 percent last year to 961 incidents, according to a Treasury Department inspector general's report.

Though IRS automatically scans workstations weekly for malware, only 89 percent of the agency's servers are scanned each week. The others were either scanned less often or not at all, the IG said. "The introduction of malware on servers is particularly risky because many users access them, making the spread of the malware to other computer systems more likely," wrote Michael Phillips, Treasury deputy inspector general for audit.

It's not that the IRS isn't taking steps to thwart malware. In fact, Phillips noted, the agency had adequately implemented many of the enhanced controls outlined in a December 2007 Treasury memorandum to block known malicious sites and prohibit administrator accounts from receiving e-mail from accounts outside of the department. The IRS is also adequately preventing access to online e-mail accounts outside of the Department for all user accounts, in compliance with its own policy.

Still, the IG said, the IRS hasn't fully enforced a department memorandum that prohibits administrators from using their administrator accounts to access the Internet unless authorized in writing by the agency's CIO or designee. The IG identified 63 administrator accounts that had accessed Internet websites 820 times in just a single week without the CIO authorization.

The IG recommended the IRS chief information office:

Schedule automatic scans of antivirus software on servers.

Regularly remind administrators not to use their administrator accounts to access the Internet, and monitor Internet activity to determine whether administrators comply with this control.

Notify employees and their managers when their activity results in a successful malicious code incident, particularly when the activity is a violation of IRS policy.

Update IRS security awareness training to include the use of portable and removable media among the common ways in which users can introduce malicious code to the network and their potential effects.

In responding to the IG audit, IRS management agreed to institute weekly automated antivirus scans of servers, as well as monitor for unauthorized administrator Internet access and use the security awareness training course required by Treasury that address the proper use of portable and removable devices.