Thousands of IRS computers could be prone to cyber intruders because officials aren’t updating software in a timely manner, according to a report from the Treasury Inspector General for Tax Administration.
Because hackers often exploit glitches in existing software to gain access to systems, software manufacturers frequently release patches, or fixes, for these bugs once they’ve been discovered.
Large organizations, such as the IRS, employ a process called patch management to stay on top of when software needs to be updated and to install the patches.
While it sounds mundane, leaving software unpatched is one of the main avenues through which hackers access normally protected systems.
“Any significant delays in patching software with critical vulnerabilities provides ample opportunity for persistent attackers to gain control over the vulnerable computers and get access to the sensitive data they may contain, including taxpayer data,” the TIGTA report stated.
However, IRS has long struggled to effectively implement a patch-management process, auditors wrote.
While IRS has made strides recently in automating software updates and staying cognizant of when patches are needed, shortcomings still plague those efforts, TIGTA said. For example, IRS has not yet completed an accurate inventory of its IT equipment and thus can’t determine whether all systems have been patched.
The auditors recommended IRS complete its inventory of IT assets. More broadly, the IG called for “enterprise-level oversight and leadership,” to enforce policies for ensuring software patches are implemented.
IRS agreed with most of the recommendations. It said it planned to update its patch management policy to be clearer about installation standards and deadlines. The revised policy also puts the cybersecurity division in charge of ensuring agencywide compliance.
The report, dated Sept. 25, was first publicly released Thursday.