Electronic Authentication Process Controls Have Been Improved, but Have Not Yet Been Fully Implemented


TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Electronic Authentication Process Controls Have Been Improved, but Have Not Yet Been Fully Implemented

February 5, 2018

Reference Number: 2018-20-007

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Redaction Legend: 2 = Law Enforcement Techniques/Procedures and Guidelines for Law Enforcement Investigations or Prosecutions.

Phone Number / 202-622-6500
E-mail Address / [email protected]
Website / http://www.treasury.gov/tigta

To report fraud, waste, or abuse, call our toll-free hotline at: 1-800-366-4484
By Web: www.treasury.gov/tigta/
Or Write: Treasury Inspector General for Tax Administration, P.O. Box 589, Ben Franklin Station, Washington, D.C. 20044-0589
Information you provide is confidential and you may remain anonymous.

HIGHLIGHTS

ELECTRONIC AUTHENTICATION PROCESS CONTROLS HAVE BEEN IMPROVED, BUT HAVE NOT YET BEEN FULLY IMPLEMENTED

Highlights

Final Report issued on February 5, 2018

Highlights of Reference Number: 2018-20-007 to the Internal Revenue Service Chief Information Officer.

IMPACT ON TAXPAYERS

As part of its Future State initiative, the IRS continues to enhance its existing online applications and self-help tools by increasing the amount of tax information and services available to taxpayers on IRS.gov. These online applications may process and store Personally Identifiable Information and tax return data for millions of taxpayers. Because this information is considered extremely valuable, the IRS has become a target of cyber criminals and identity thieves. Proper electronic authentication controls are needed to prevent identity thieves from succeeding at impersonating taxpayers and gaining improper access to tax records.

WHY TIGTA DID THE AUDIT

This audit was initiated to evaluate whether the IRS has properly implemented secure electronic authentication in accordance with Federal standards for public access to IRS online systems and effectively resolved identified control weaknesses.

WHAT TIGTA FOUND

The IRS has made progress in improving its electronic authentication controls. It deployed a more rigorous electronic authentication process that provides two-factor authentication via a security code sent to text-enabled mobile phones. It completed or updated electronic authentication risk assessments for 28 of its online applications to determine appropriate levels of authentication assurance, and enhanced its network monitoring and audit log analysis capabilities.

However, the network monitoring tools that the IRS purchased to improve prevention and detection of automated attacks were not fully implemented due to issues related to resources, incompatibility, and higher priorities. In addition, controls to prevent a user from improperly creating fraudulent profiles were not fully implemented. Further, the IRS is not fulfilling requirements for monitoring audit logs for suspicious activity due to inadequate processes for generating and reviewing audit log reports as well as not ensuring reports are useful for investigating and responding to suspicious activities.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the IRS Chief Information Officer: 1) prepare a plan of action and milestones to ensure that remaining issues preventing full implementation of the two network monitoring tools are addressed; 2) establish a process to adequately test and subsequently monitor enhancements made to application controls until it can be confirmed that the controls are effective; 3) ensure that electronic authentication audit logs capture adequate data to allow for tracking and analysis of user activity; and 4) ensure that IRS policy is met in regards to audit log report generation and review, and that reports are useful for investigation and response to suspicious activities.

The IRS agreed with our recommendations. The IRS plans to develop a plan of action and milestones to ensure that remaining issues preventing full implementation of the two network monitoring tools are addressed; ensure that the amount of time in the eAuthentication Test Plan is expanded so anomalies are captured and resolved; modify the eAuthentication audit log process to capture adequate data for all user transactions; and continue implementing the capability to generate reports from the eAuthentication audit logs, which will enable on-demand audit review, analysis, and after-the-fact investigations.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

February 5, 2018

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM: Michael E. McKenney, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Electronic Authentication Process Controls Have Been Improved, but Have Not Yet Been Fully Implemented (Audit # 201720004)

This report presents the results of our review to evaluate whether the Internal Revenue Service (IRS) has properly implemented secure electronic authentication in accordance with Federal standards for public access to IRS online systems and effectively resolved identified control weaknesses. This audit is included in the Treasury Inspector General for Tax Administration's Fiscal Year 2018 Annual Audit Plan and addresses the major management challenge of Security Over Taxpayer Data and Protection of IRS Resources.

Management's complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Danny R. Verneuille, Assistant Inspector General for Audit (Security and Information Technology Services).

Table of Contents

Background ... Page 1

Results of Review ... Page 5

Progress Has Been Made in Improving Electronic Authentication Controls for Secure Access ... Page 5

Network Monitoring Tools Purchased to Improve the Prevention and Detection of Automated Attacks Were Not Fully Implemented ... Page 7

Recommendation 1: ... Page 8

Electronic Authentication Control Enhancements to Improve the Prevention of Improper Profile Creation and Unauthorized Access to Tax Data Were Not Fully Effective ... Page 9

Recommendations 2 and 3: ... Page 11

Requirements for Monitoring Audit Logs for Suspicious Activity Were Not Being Fulfilled ... Page 11

Recommendation 4: ... Page 14

Appendices

Appendix I – Detailed Objective, Scope, and Methodology ... Page 15

Appendix II – Major Contributors to This Report ... Page 17

Appendix III – Report Distribution List ... Page 18

Appendix IV – List of Online Applications With Reassessed Electronic Authentication Risk Assessments ... Page 19

Appendix V – Management's Response to the Draft Report ... Page 23

Abbreviations

eRA   Electronic Authentication Risk Assessment
ID    Identification
IRS   Internal Revenue Service
NIST  National Institute of Standards and Technology
PIN   Personal Identification Number
TIGTA Treasury Inspector General for Tax Administration
TIN   Taxpayer Identification Number
UUID  Universally Unique UserID

Background

As part of its Future State initiative, the Internal Revenue Service (IRS) continues to enhance its existing online applications and self-help tools by increasing the amount of tax information and services available to taxpayers on IRS.gov. These online applications may process and store Personally Identifiable Information and tax return data for millions of taxpayers. Because this information is considered extremely valuable, the IRS has become a target of cyber criminals and identity thieves. As cybersecurity threats against the Federal Government continue to grow, protecting the confidentiality of taxpayer information continues to be a top concern for the IRS.

The purpose of electronic authentication is to prevent unauthorized access to tax information and fraudulent transactions.

Electronic authentication is the process of establishing confidence in user identities (i.e., the person is who they say they are) that are electronically accessing an information system. In January 2014, the IRS deployed an electronic authentication solution (hereafter referred to as eAuthentication) as its enterprise identity management and authentication infrastructure to authenticate the identity of public users when they request access to an online application. The IRS designed eAuthentication to provide various levels of assurance when confirming the identity of the person requesting access (i.e., identity proofing) depending on the sensitivity of the data being shared. Its purpose is to prevent taxpayer impersonations and account takeovers by identity thieves.

Three of the IRS's online applications, Get Transcript,[1] Identity Protection Personal Identification Number (PIN),[2] and Online Payment Agreements, authenticated users through eAuthentication. Two of these applications, Get Transcript and Identity Protection PIN, were compromised during Fiscal Years 2015 and 2016. In addition, the Electronic Filing PIN tool on IRS.gov was also compromised.[3]

• Get Transcript Breach – In May 2015, the IRS discovered that criminals had launched a coordinated attack on its eAuthentication portal and used taxpayer personal identification information obtained from sources outside the IRS to impersonate legitimate taxpayers and gain unauthorized access to tax information in the Get Transcript application. The

[1] The Get Transcript online application provides the ability to view, print, or download an individual's tax record using eAuthentication.
[2] An Identity Protection PIN is a six-digit number assigned to taxpayers who have been victims of identity theft and fraudulent tax refunds. The Identity Protection PIN helps the IRS verify the taxpayer's identity when filing tax returns.
[3] The Electronic Filing PIN tool, at the time of the compromise, did not authenticate users through eAuthentication.
Page 1

Treasury Inspector General for Tax Administration's (TIGTA) review of the audit logs estimated there were a total of 724,000 potential unauthorized accesses to taxpayer accounts through the Get Transcript application. The IRS identified that approximately 252,400 potentially fraudulent tax returns were filed related to this incident. The IRS stated that it stopped approximately $1.55 billion in refunds on 189,400 of these returns; however, the IRS did not stop $490 million in refunds from being issued on the remaining 63,000 returns. A subsequent TIGTA audit report[4] presented an analysis of the IRS's eAuthentication audit logs that found criminals were using automated attacks to authenticate and obtain copies of tax returns as early as July 2014.

• Identity Protection PIN Breach – In January 2016, TIGTA issued two e-mail alerts to the IRS, stating concerns regarding the fraudulent use of the Identity Protection PIN application and recommending that the IRS take it offline until a stronger level of authentication was implemented. The IRS had also noted instances in which taxpayers tried to electronically file their tax return with an Identity Protection PIN only to find out that identity thieves had already filed a fraudulent tax return. On March 7, 2016, two months after the e-mail alerts, the IRS took the Identity Protection PIN application offline. A subsequent TIGTA audit report[5] presented an analysis of Tax Year 2015 tax returns that were filed with an Identity Protection PIN obtained from the online application. That report identified that, of the 100,463 tax returns filed with an Identity Protection PIN, 23,991 (24 percent) of them with refunds claimed totaling $26 million were potentially fraudulent.

• Electronic Filing PIN Breach – In January 2016, an orchestrated bot[6] attack exploited the IRS Electronic Filing PIN tool on IRS.gov. The Electronic Filing PIN tool is an application that was created to provide taxpayers with a special PIN number that would allow them to electronically file a Federal tax return. Using personal data and Social Security Numbers obtained from sources outside of the IRS, identity thieves used malware[7] to generate Electronic Filing PINs. The IRS discovered the automated attack during the testing of a new tool purchased to detect automated attack activity following the Get Transcript incident. The IRS estimates the exploitation resulted in the issuance of over 100,000 Electronic Filing PINs that were used to file tax returns claiming over $100 million in

[4] TIGTA, Ref. No. 2016-20-082, Improvements Are Needed to Strengthen Electronic Authentication Process Controls (Sept. 2016).
[5] TIGTA, Ref. No. 2017-40-026, Inconsistent Processes and Procedures Result in Many Victims of Identity Theft Not Receiving Identity Protection Personal Identification Numbers (Mar. 2017).
[6] A software application that runs automated tasks over the Internet, that may be used for beneficial purposes or for attacks.
[7] A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the computer's data, applications, or operating system.
Page 2

fraudulent refunds. As a result of this exploitation, the IRS announced on June 23, 2016, that it had disabled the Electronic Filing PIN tool.

Subsequent to the Get Transcript incident, TIGTA reported[8] that the authentication methods used for the IRS's online applications did not comply with the National Institute of Standards and Technology (NIST) requirements. The electronic authentication processes used to authenticate users of the Get Transcript and Identity Protection PIN applications provided only single-factor[9] authentication despite the NIST standards requiring multifactor[10] authentication for higher risk applications. In addition, the single-factor process used by the IRS to authenticate users did not meet NIST standards for single-factor authentication. As a result, unscrupulous individuals gained unauthorized access to tax account information. Further, TIGTA reported that the IRS's network monitoring tools were not sufficient to detect automated attacks and that the eAuthentication audit logs were not being adequately monitored to detect fraudulent activity. ***************************************2************************************** ***************************************2************************************** **************2**************. The IRS also acknowledged that it lacked the ability to detect and prevent automated attacks and to adequately monitor system access anomalies.

To correct these deficiencies, the IRS planned numerous corrective actions, including:

• Improving security protections at the IRS.gov portal.
• Strengthening authentication requirements.
• Building cyber analytics capabilities.
• Enhancing monitoring to include Get Transcript and protected applications.
• Revisiting electronic authentication risk assessments (eRA)[11] and the overall eRA process.
• Bringing in outside expertise to assess capabilities and test deployment readiness.

This review was performed in the IRS Information Technology organization at the New Carrollton Federal Building in Lanham, Maryland, in the Offices of Cybersecurity and Applications Development; at Accenture's office in Hyattsville, Maryland; and with information obtained from the Office of Online Services, Identity Assurance Office during the period of

[8] TIGTA, Ref. No. 2016-40-007, Improved Tax Return Filing and Tax Account Access Authentication Processes and Procedures Are Needed (Nov. 2015).
[9] A characteristic of an authentication system or a token that uses one of the three authentication factors to achieve authentication – something you know, something you have, or something you are.
[10] A characteristic of an authentication system or a token that uses two or more authentication factors to achieve authentication.
[11] The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact.
Page 3

November 2016 through July 2017. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
Page 4

Results of Review

Progress Has Been Made in Improving Electronic Authentication Controls for Secure Access

The IRS has taken a number of steps to provide for more secure authentication and improve network monitoring controls and audit log analysis. Following the discovery of unauthorized access to the Get Transcript application in May 2015, the IRS redesigned its electronic authentication process to provide multifactor remote authentication techniques for its online applications that contain sensitive information. In addition, the IRS completed or, where necessary, updated or reassessed its online applications to determine the appropriate level of assurance at which to authenticate its users. The IRS enhanced its network monitoring controls at the IRS.gov portal that were needed to help identify and block malicious activity. *******2****** ***************************************2************************************** ***************************************2************************************** ***********2***********.

The IRS deployed a more rigorous electronic authentication process

In June 2016, the IRS deployed a more rigorous electronic authentication process that provides identity and authentication services at the NIST Special Publication 800-63-2, Electronic Authentication Guidelines, assurance levels (Levels 1 through 3).[12] In particular, the IRS improved its authentication processes to achieve compliance with the NIST Level 3 standard. The NIST Level 3 assurance level requires two-factor authentication to create a user profile. Two-factor authentication requires additional credentials beyond username and password for gaining access to the application. The IRS's new Level 3 authentication involves verification using financial information and having a text-enabled mobile phone associated with the profile. Users must receive a security code text to complete the identity validation process and when returning to access their profiles. The security code is sent to the mobile phone of record (something the user possesses) to verify account access authorization. Users without a text-enabled phone are issued a mailed activation code to the address of record. Upon receipt, the users can complete the identity validation process.

The IRS calls its new means to authenticate and authorize online users "Secure Access eAuthentication," which it describes as a rigorous identity verification process that helps protect

[12] While this report was being drafted, the NIST released the final version of NIST Special Publication 800-63-3, Digital Identity Guidelines, in June 2017. The new guidance replaced NIST Special Publication 800-63-2. During the course of our review, the IRS indicated it would work to ensure it is compliant with the new guidance once issued. We plan to review the IRS's implementation of the new guidance in a subsequent audit.
Page 5

taxpayer data and IRS systems from automated cyberattacks. Before accessing certain IRS online self-help tools, users must first register through Secure Access eAuthentication and authenticate their identities. Thereafter, each time registered users return to the tool, they must enter both their credentials (username and password) plus a security code sent via mobile phone text. This enhanced eAuthentication solution is currently used for five online applications[13] at the appropriate level of assurance to authenticate users.

The IRS completed or reassessed the electronic authentication risk assessments for its online applications

The IRS wants its online applications to use the appropriate level of assurance to conduct identity proofing that is required to protect the sensitivity of the data being shared with the taxpayer. To determine the appropriate level of authentication assurance required by the NIST (Levels 1 through 3), the IRS implemented an eRA process, in accordance with the Office of Management and Budget's Memorandum 04-04, E-Authentication Guidance for Federal Agencies, and NIST Special Publication 800-63-2 guidance, that it completes for each new online application or when there is a change made to an application. The IRS indicated that it will renew all eRAs annually to ensure that the identified assurance level remains consistent with the application's online risk profile and any applicable policies. The IRS Cybersecurity organization has responsibility for the eRA process and tracks the initial completion and annual renewals of the eRAs. The IRS has recently completed or updated eRAs for 28 of its online applications.[14] For example, the IRS raised the risk assessment level of the Get Transcript online application from moderate to high to more accurately reflect the risk demonstrated during the previous unauthorized accesses.

The IRS enhanced its network monitoring and audit log analysis capabilities

The IRS enhanced its network monitoring controls at the IRS.gov portal that were needed to help identify and block malicious activity. This involved implementing various applications to provide enhanced analysis and monitoring capabilities. In addition, the IRS enhanced its capabilities to aggregate and correlate system audit logs across different systems. The IRS is able to stream the eAuthentication log data to its Cybersecurity Data Warehouse and hired a contractor to analyze anomalous log activity as part of its Cyber Fraud Analytics group. The scope of the work performed by the contractor includes using advanced analytic techniques to prevent and detect fraudulent activity in IRS online applications. The contractor has been tasked with conducting complex analytics on large transactional data sets to identify anomalous patterns in activity and building and refining predictive models to

[13] The five online applications which use eAuthentication at an appropriate level of authentication assurance are Get Transcript, Identity Protection PIN, Online Payment Agreement Individual Master File, Online Account – View Payment Status and History, and Taxpayer Digital Communications.
[14] See Appendix IV for a list of the 28 online applications.
Page 6

classify or identify anomalous transactions. The total contract cost from April 2017 to April 2018 is $6.7 million.

The Cyber Fraud Analytics group developed a tool that searches the log data for suspicious activities and potentially fraudulent behavior. *******************2******************** ***************************************2*************[15], *************************2************************. Using this tool, the Cyber Fraud Analytics group identified fraudulent activity in which fraudsters used data stolen improperly from sources outside of the IRS to successfully perpetrate a small number of targeted attacks.

While the IRS took action to enhance controls and security, more work is needed to fully implement the security improvements the IRS indicated were completed since the Get Transcript breach in May 2015. Specifically, additional work is needed in the following areas:

• Fully implement network monitoring tools to improve prevention and detection of automated attacks on online applications.
• Ensure that eAuthentication controls are in place to effectively improve the prevention of improper profile creation and unauthorized access to tax data.
• Ensure that eAuthentication audit log review, analysis, and reporting processes provide useful information to support investigation and response to suspicious activities.

Network Monitoring Tools Purchased to Improve the Prevention and Detection of Automated Attacks Were Not Fully Implemented

IRS policy[16] states that automated tools shall be employed to support near real-time analysis of events in support of attack detection, that IRS information systems shall continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions, and that the systems should alert appropriate IRS personnel when indications of compromise or potential compromise occur.

TIGTA previously reported[17] that the IRS's network monitoring tools were not sufficient to detect automated attacks. In its response to the recommendation for this finding, the IRS stated it had completed this action, as "reflected by the acquisition of specified security centric contractor services and technology tools managed by the IRS Integrated Enterprise Portal contractor." The IRS has made progress towards implementing network monitoring controls, and the enhanced network monitoring controls that are currently in place provide a significant improvement in the

[15] A nine-digit number assigned to taxpayers for identification purposes. Depending upon the nature of the taxpayer, the TIN is an Employer Identification Number, a Social Security Number, or an Individual Taxpayer Identification Number.
[16] Internal Revenue Manual 10.8.1, Information Technology (IT) Security, Policy and Guidance (July 2015).
[17] TIGTA, Ref. No. 2016-20-082, Improvements Are Needed to Strengthen Electronic Authentication Process Controls (Sept. 2016).
Page 7

IRS's ability to detect and prevent attacks compared to its prior posture. The IRS has implemented the enhanced controls it planned related to network traffic, such as network activity rate controls, increased detection via perimeter controls, and filtering of suspicious Internet Protocol addresses. However, the IRS has not fully completed implementation of other controls specific to analyzing network activity in real-time and identifying automated attacks. ***************************************2***************************.

• *********************************2*****************************,[18] *********************************2********************************,[19] ******************2*******,[20] *************.
• *********************************2************************************** *********************************2************************************** ******************2******************.

***************************************2************************************** ***************************************2************************************** ***************************************2************************************** ************************2*************************.

While the IRS is receiving weekly status reports from the contractor implementing these security improvements, a more formalized process for identifying needed tasks, establishing milestones, and detailing required resources would be beneficial. For example, creating a plan of action and milestones, which includes these items, would ensure proper tracking and management visibility of the remaining issues that need to be addressed. Thus, a plan of action and milestones would allow management to determine and direct the resources needed to address the issues timely. If automated attacks are not prevented, more taxpayer records could be compromised and revenue lost to identity theft refund fraud.

Recommendation

Recommendation 1: The Chief Information Officer should prepare a plan of action and milestones to ensure that remaining issues preventing full implementation of the two network monitoring tools are addressed.

[18] Identifies online activities or requests that are potentially bot-like and collects additional information that is used to validate false positives or legitimate scripting users, but no action is taken.
[19] The security tools are intended to provide protection for many other applications besides eAuthentication. For example, see applications listed in Appendix IV.
[20] Executes automated mitigation action when an online activity or request is identified as bot-like, such as redirecting it to an application error page or other nonsensitive page that does not collect data.
Page 8

Management's Response: The IRS agreed with this recommendation. The IRS will develop a plan of action and milestones to ensure that remaining issues preventing full implementation of the two network monitoring tools are addressed.

Electronic Authentication Control Enhancements to Improve the Prevention of Improper Profile Creation and Unauthorized Access to Tax Data Were Not Fully Effective

IRS policy[21] states the IRS information systems shall uniquely identify and authenticate non-IRS users, and that electronic authentication shall be used in accordance with Office of Management and Budget's Memorandum 04-04 and the E-Government Act of 2002,[22] Section 208.

Following the Get Transcript breach, the IRS took actions to correct the control deficiencies within eAuthentication that allowed the previous fraudulent activities related to creating user profiles and accessing tax records. For example, the IRS indicated by June 7, 2016, it had completed a number of eAuthentication improvements to implement stronger authentication, including preventing a fraudulent user from creating new profiles using TINs that already had previously established eAuthentication profiles. This ability previously allowed cyber criminals to gain access to the tax data of multiple taxpayers. However, not all control enhancements were fully effective. While the IRS stated that it had completed implementation of these controls, our ***************************************2************************************** ***************************************2*********************************.

Controls did not always prevent improper creation of profiles

The IRS stated that it implemented a control enhancement in July 2015 to enforce a one TIN to **********************2***********************,[23] ***************************************2************************************** ***************************************2************************************** ***************************************2************************************** ***************************************2************************************** ***************************************2************************************** ***************************************2************************************** ***************************************2***********************. We reported this information to the IRS on March 28, 2017. The IRS officials responded that they were aware of the deficiency, and subsequently indicated that they had corrected it on May 14, 2017. However, we are concerned about the IRS's ability to test and monitor enhanced

[21] Internal Revenue Manual 10.8.1, Information Technology (IT) Security, Policy and Guidance (July 2015).
[22] Public Law 107-347, 44 U.S.C. Chapter 36.
[23] *************** ******************** *************** **2*************************** *** ******** **********************2****************.
Page 9

16 Electronic Authentication Process Controls Have Been Implemented Improved, but Have Not Yet Been Fully application controls based on the amount of time it took to discover and correct this deficiency. ***************************************2************************************** ***************************************2************************************** However, it took almost two years for the IRS to discover and address the deficiency in the contr ol’s effectiveness. While the IRS indicated it had completed actions to correct this deficiency , it did not adequately ntrol s were fully effective at preventing test or monitor the audit logs to determine whether the co the unauthorized activities. Audit log limitations could have contributed to difficulties in ensuring controls were effective , we believe limitations with Based on our review and analysis of the eAuthentication audit logs ntributed to the the log data may have co control s we re effective. IRS’s difficulty in ensuring y data, but much of it is combined into one field such ke The eAuthentication audit log s contain that , would require extra time and effort to extract the key , to make it usable for analysis elements. T IGTA had to perform this work of extracting key elements prior to running the tests that determine d that IRS’s enhanced control s were not fully effective, and it took a significant amount of time and resources . ***************************************2************************************** ***************************************2************************************** ***************************************2************************************** ***************************************2************************************** ***************************************2************************************** ***************************************2************************************** **2**. 
***************************************2************************************** ***************************************2************************************** *************2***************. W ithout adequate and readily usable audit logs or other means to s ufficiently test and monitor control s, the IRS may not discover control deficiencies in a timely manner. If controls are not effective in stopping unauthorized activities, more taxpayer records could be compromised and revenue lost to identity theft refund fraud. Page 10
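The extraction-then-test work the report describes (splitting a combined log field into usable elements, then checking whether a TIN ended up with more than one profile) is shown here as an added example. It is not code from the report or from the IRS: the log format, field names, sample records, the masking helper and the per-source limit are all constructed assumptions, because the real eAuthentication log layout and the redacted control parameters are not public.

```python
"""Added example (not from the TIGTA report or IRS code): extract key
elements from an audit log whose detail field combines them, then test the
"one profile per TIN" control over the extracted records.

The log format below is constructed for illustration. The real eAuthentication
log layout, field names and the redacted control parameters are not public.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: timestamp|event|detail. The detail field packs TIN,
# profile id, source IP and outcome into one string, which is the usability
# problem the report describes. Addresses are documentation ranges.
SAMPLE_LOG = """\
2017-03-01T10:00:01Z|PROFILE_CREATE|tin=123456789;profile=P-1001;ip=203.0.113.5;status=OK
2017-03-01T10:02:13Z|LOGIN|tin=123456789;profile=P-1001;ip=203.0.113.5;status=OK
2017-03-02T11:15:40Z|PROFILE_CREATE|tin=123456789;profile=P-1042;ip=198.51.100.9;status=OK
2017-03-02T11:16:02Z|PROFILE_CREATE|tin=987654321;profile=P-1043;ip=198.51.100.9;status=OK
2017-03-02T11:16:30Z|PROFILE_CREATE|tin=555443333;profile=P-1044;ip=198.51.100.9;status=OK
2017-03-02T11:17:05Z|PROFILE_CREATE|tin=555443333;profile=P-1045;ip=198.51.100.9;status=DENIED
2017-03-03T09:00:00Z|PROFILE_CREATE|tin=111223333;profile=P-1050;ip=192.0.2.77;status=OK
"""

# Assumed layout of the combined detail field; anchored with fullmatch so
# a trailing or reordered element cannot slip through unparsed.
DETAIL_RE = re.compile(r"tin=(?P<tin>\d{9});profile=(?P<profile>[A-Z0-9-]+);"
                       r"ip=(?P<ip>[0-9.]+);status=(?P<status>[A-Z]+)")


@dataclass(frozen=True)
class AuditRecord:
    ts: datetime
    event: str
    tin: str
    profile: str
    ip: str
    status: str


def parse_log(text):
    """Split each line into separate fields. Raise on lines that do not match
    so that a silently unparsed record cannot hide a control failure."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ts, event, detail = line.split("|", 2)
        m = DETAIL_RE.fullmatch(detail)
        if m is None:
            raise ValueError(f"line {lineno}: unparseable detail field: {detail!r}")
        records.append(AuditRecord(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                   event, **m.groupdict()))
    return records


def mask_tin(tin):
    """Keep only the last four digits so findings can be shared safely."""
    return "***-**-" + tin[-4:]


def tins_with_multiple_profiles(records):
    """Control test: a TIN must own at most one successfully created profile.
    Returns {masked_tin: sorted profile ids} for every violation. A DENIED
    creation attempt is the control working and is not counted."""
    profiles = defaultdict(set)
    for r in records:
        if r.event == "PROFILE_CREATE" and r.status == "OK":
            profiles[r.tin].add(r.profile)
    return {mask_tin(t): sorted(p) for t, p in profiles.items() if len(p) > 1}


def sources_creating_many_profiles(records, limit=2):
    """Secondary check: one source address creating profiles for more than
    `limit` distinct TINs in a day is the multi-taxpayer pattern the report
    attributes to the earlier fraud. `limit` is an assumed value."""
    per_day = defaultdict(set)
    for r in records:
        if r.event == "PROFILE_CREATE":
            per_day[(r.ip, r.ts.date())].add(r.tin)
    return {ip: len(t) for (ip, _), t in per_day.items() if len(t) > limit}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("TINs with more than one profile:", tins_with_multiple_profiles(recs))
    print("Sources over the per-day limit:", sources_creating_many_profiles(recs))
```

The parser raises on any line it cannot split rather than skipping it, because a control test run over silently dropped records reports a clean result for exactly the traffic an attacker has malformed. In the constructed sample the third line shows the control failing (a second profile created for a TIN that already had one), while the DENIED line shows it working; a log that already carried these elements in separate fields would make the same test a one-line query instead of a parsing project.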

Recommendations

The Chief Information Officer should:

Recommendation 2: Establish a process to adequately test and subsequently monitor enhancements made to application controls until it can be confirmed that the controls are effective.

Management's Response: The IRS agreed with this recommendation. While the IRS has processes in place to confirm that all corrections to application controls are tested and verified in lower environments, the IRS will ensure the amount of time in the eAuthentication Test Plan is expanded to ensure that any anomalies are captured and resolved.

Recommendation 3: Ensure that the eAuthentication audit log captures *****2****** in a separate field for all user transactions to allow for tracking and analysis of user activity.

Management's Response: The IRS agreed with this recommendation. Information Technology staff will modify the eAuthentication audit log process to capture ***2*** **2** in a separate field for all user transactions. This modification will be assessed and prioritized along with all other eAuthentication work in the product backlog.

Requirements for Monitoring Audit Logs for Suspicious Activity Were Not Being Fulfilled

NIST Special Publication 800-53 (Revision 4),24 audit requirement 6 (control AU-6), states that organizations need to regularly review and analyze audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, report findings to appropriate officials, and take necessary actions. IRS policy25 states that the IRS shall employ automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. IRS information systems shall also provide the ability to summarize and report voluminous audit log information in a more meaningful format, together with an audit report generation capability that supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of incidents.

24 NIST Special Publication 800-53 (Revision 4), Security and Privacy Controls for Federal Information Systems and Organizations (Apr. 2013).
25 Internal Revenue Manual 10.8.1, Information Technology (IT) Security, Policy and Guidance (July 2015).

In addition, IRS policy requires that auditable events be reviewed and updated at a minimum of every two years.26 NIST guidance27 also describes the need for periodically reassessing which events are captured. Specifically, it states, "Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient." Further, IRS policy28 describes the Security Specialist's role to include reviewing all types of audit logs and observing system activity at least weekly. In addition, the Cybersecurity Operations Standard Operating Procedures roles and responsibilities include reviewing audit logs and observing system activity to detect potential security incidents.

TIGTA previously reported29 that the Security Operations organization was not monitoring or analyzing system audit logs for eAuthentication in compliance with IRS policy or the eAuthentication Audit Plan. ****************2************************************** ***************************************2************************************** ***************2******************. These occurrences over the specified thresholds should then be reviewed to determine if action is necessary based on the underlying data. We reported that, if the IRS had been adequately monitoring the audit trails, the automated attacks and improper accesses could have been identified and stopped much sooner. During this review, Security Operations organization management informed us that, in order to meet IRS policy and eAuthentication Audit Plan requirements, it has utilized contractor and IRS resources to process the audit log data and generate the unusual activity reports specified in the eAuthentication Audit Plan.

The unusual activity reports were not reviewed

Although the Security Operations organization generated and e-mailed reports of exceeded thresholds to the application owner and indicated that a response was required, the application owner did not review the reports or provide a response. The Security Operations organization did not follow up on why a response was not provided, indicating to us that the report generation and review process was still being developed. Our review of the unusual activity reports that were generated through the contractor identified that key data were still left combined into one field and, therefore, these reports were not readily useful for review, analysis, or after-the-fact investigations of user activity. This lack of usefulness may have contributed to the application owner's failure to review them.

26 Internal Revenue Manual 10.8.1, Information Technology (IT) Security, Policy and Guidance (July 2015).
27 NIST Special Publication 800-53 (Revision 4), Security and Privacy Controls for Federal Information Systems and Organizations (Apr. 2013).
28 Internal Revenue Manual 10.8.2, Information Technology (IT) Security, IT Security Roles and Responsibilities (Sept. 2016).
29 TIGTA, Ref. No. 2016-20-082, Improvements Are Needed to Strengthen Electronic Authentication Process Controls (Sept. 2016).

In June 2017, the application owner assigned staff to begin reviewing the reports e-mailed by the Security Operations organization. However, a reviewer indicated that instructions were needed on what to do with the suspicious activity once identified. **************2*************** ***************************************2************************************** ***************************************2*********************.

The lack of a capability to generate reports from the eAuthentication audit logs that readily support on-demand audit review, analysis, and after-the-fact investigations of incidents reduces the IRS's ability to discover and address malicious activity and to determine the effectiveness of eAuthentication controls in a timely manner. In addition, not reviewing the unusual activity reports, or not conducting adequate and timely follow-up on the identified suspicious activities, could lead to taxpayer records being compromised.

Criteria to generate certain reports were not reviewed or updated

As mentioned previously, IRS policy requires auditable events to be reviewed and updated at a minimum of every two years. However, the IRS could not demonstrate that this was done in the case of certain auditable events in the eAuthentication Audit Plan, as required. It is the responsibility of various parties, including the Security Operations organization, eAuthentication's owner, and the program management office, among others, to meet and review this information. Failure to do so could result in criteria becoming obsolete, which would limit the effectiveness of the reports being generated.

Our analysis of approximately two months of daily unusual activity reports showed that some specific threshold amounts were not exceeded at all, or were exceeded only by very minor amounts, while others were exceeded by very large amounts. This discrepancy indicates that the individual thresholds may be either too high or too low, and therefore need to be reviewed to ensure their usefulness. The usefulness of the generated reports is in question given the potentially outdated thresholds and the lack of a readily available means to review the underlying data. ***************************************2************************************** ***************************************2****************. The IRS indicated that it had implemented new controls to block excessive attempts in Calendar Year 2014 and further strengthened them in Calendar Year 2016. However, instances of excessive activity still appear on the unusual activity reports. This could indicate that some controls are not working as intended, or that event thresholds are inappropriate and outdated. This further reinforces the need to review the unusual activity reports and ensure that the thresholds that trigger report generation are appropriate and kept up to date.

Without periodically reassessing which events are captured and keeping the event thresholds that trigger report generation current, the reports being produced may lose their usefulness. If the reports being produced have limited usefulness, the IRS will not be able to effectively investigate and respond to suspicious activities.
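A threshold review of the kind this passage calls for, shown as an added example that is not from the report or from the IRS's eAuthentication Audit Plan: it classifies each event threshold by how the observed daily peaks relate to it (never exceeded, exceeded by a trivial margin, dwarfed by observed counts, or reasonably calibrated) and proposes a recalibrated value. The event names, thresholds, daily peak counts, and the ratio and percentile parameters are all constructed assumptions.

```python
"""Added example (not from the TIGTA report or IRS tooling): review the
thresholds behind daily "unusual activity" reports against what those
reports actually observed, and flag thresholds that never fire, fire by a
trivial margin, or are dwarfed by observed counts.

Event names, thresholds and daily counts are constructed for illustration;
the eAuthentication Audit Plan's real events and thresholds are not public.
"""
import statistics

# Constructed: threshold per event from a hypothetical audit plan.
THRESHOLDS = {
    "failed_logins_per_ip_per_hour": 50,
    "profile_creates_per_ip_per_day": 5,
    "transcript_requests_per_profile_per_day": 3,
    "password_resets_per_tin_per_day": 10,
}

# Constructed: peak daily value of each metric over ten report days.
DAILY_PEAKS = {
    "failed_logins_per_ip_per_hour": [40, 55, 48, 70, 52, 45, 60, 38, 49, 58],
    "profile_creates_per_ip_per_day": [6, 5, 6, 6, 5, 6, 6, 6, 5, 6],
    "transcript_requests_per_profile_per_day": [3, 2, 180, 250, 3, 2, 2, 410, 3, 2],
    "password_resets_per_tin_per_day": [1, 0, 2, 1, 0, 3, 1, 1, 0, 2],
}


def classify(threshold, peaks, near=1.25, far=10.0):
    """Bucket a threshold by how the observed peaks relate to it.
    `near` and `far` are assumed ratios, not values from any audit plan."""
    exceed = [p for p in peaks if p > threshold]
    if not exceed:
        return "never_exceeded"          # threshold too high, or event gone quiet
    if max(exceed) / threshold >= far:
        return "far_exceeded"            # control not holding, or threshold stale
    if all(p / threshold <= near for p in exceed):
        return "marginal"                # fires every day by a hair: noise
    return "calibrated"


def suggest_threshold(peaks, quantile=0.95, headroom=1.5):
    """Assumed recalibration heuristic: a little above the 95th percentile of
    observed peaks, so routine days stay under it. The reviewer still has to
    confirm the sample is not itself dominated by attack days; if it is, the
    suggestion inherits the attack volume and must not be adopted as is."""
    ranked = statistics.quantiles(peaks, n=100, method="inclusive")
    return max(1, round(ranked[int(quantile * 100) - 1] * headroom))


def review(thresholds, daily_peaks):
    """Return {event: (status, threshold, max_peak, suggested_threshold)}."""
    out = {}
    for event, threshold in thresholds.items():
        peaks = daily_peaks[event]
        out[event] = (classify(threshold, peaks), threshold, max(peaks),
                      suggest_threshold(peaks))
    return out


def needs_attention(report):
    """Events whose threshold should go back to the audit-plan owners."""
    return sorted(e for e, (status, *_) in report.items() if status != "calibrated")


if __name__ == "__main__":
    for event, (status, thr, peak, suggestion) in review(THRESHOLDS, DAILY_PEAKS).items():
        print(f"{event:42} {status:15} threshold={thr:<4} max={peak:<4} suggest={suggestion}")
```

In the constructed data the transcript-request threshold is the case the passage describes: the control that was supposed to block excessive attempts evidently did not stop the 180 to 410 requests per profile on three days, and the percentile-based suggestion (507) is itself contaminated by those days. That is why the review has to separate "threshold is stale" from "control is not working" before any threshold is changed, and why the underlying per-day data has to be reachable from the report rather than buried in a combined field.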

Recommendation

Recommendation 4: The Chief Information Officer should ensure that IRS policy is met in regards to audit log report generation and review, that actionable events and threshold triggers are kept current, and that reports are useful for investigation and response to suspicious activities.

Management's Response: The IRS agreed with this recommendation. Cybersecurity staff will continue to implement the capability to generate reports from the eAuthentication audit logs, which enables on-demand audit review, analysis, and after-the-fact investigations. Additionally, Cybersecurity staff will continue to implement the process changes to ensure that actionable events, threshold triggers, and reports are kept current.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to evaluate whether the IRS has properly implemented secure electronic authentication in accordance with Federal standards for public access to IRS online systems and effectively resolved identified control weaknesses. To accomplish our objective, we:

I. Determined whether the IRS has implemented secure authentication for remote access to IRS information in compliance with Federal standards.
   A. Determined the IRS's progress in implementing NIST-compliant eAuthentication for its online tools and applications IRS-wide.
   B. Determined whether the IRS is using adequate risk assessment procedures that result in the proper identity and authentication assurance levels for its online tools and applications.

II. Determined whether the IRS has effectively strengthened its network monitoring controls to ensure quick detection of malicious activity and fraudulent transactions occurring over the network.
   A. Evaluated the IRS's deployment of infrastructure (i.e., the Cyber Analytics initiative) to enhance network monitoring and analytic capabilities, along with the new group of employees who can analyze large volumes of data across the IRS and track end-to-end access and usage of online applications.
   B. Evaluated the IRS's enhancements at the Integrated Enterprise Portal level related to network monitoring.

III. Determined whether the IRS has effectively strengthened controls in the Secure Access eAuthentication to correct weaknesses that allowed the previous fraudulent activity and unauthorized accesses.
   A. Determined whether the IRS has established appropriate monitoring parameters in the eAuthentication Audit Plan and has implemented regular review and analysis of the audit records.
   B. Determined whether the IRS has corrected code deficiencies within the Secure Access eAuthentication that allowed previous fraudulent activity and unauthorized access.

IV. Determined whether the IRS has effectively implemented corrective actions for recommendations (contained in TIGTA, Ref. No. 2016-20-082, Improvements Are Needed to Strengthen Electronic Authentication Process Controls (Sept. 2016)) to improve controls for preventing unauthorized access to IRS online data sources.

Internal controls methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined that the following internal controls were relevant to our audit objective: Internal Revenue Manual 10.8.1, Information Technology (IT) Security, Policy and Guidance (July 2015), and other IRS procedures related to network monitoring, authentication and authorization controls, and audit log analysis and review. We evaluated these controls by interviewing IRS management and staff, reviewing relevant NIST and IRS documentation, and reviewing relevant supporting documentation and application audit logs.

Appendix II

Major Contributors to This Report

Danny R. Verneuille, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director
Jody Kitazono, Audit Manager
Midori Ohno, Lead Auditor
Steven Stephens, Senior Auditor
Linda Cieslak, Information Technology Specialist
Alberto Garza, Manager, Applied Research and Technology

Appendix III

Report Distribution List

Commissioner
Office of the Commissioner – Attn: Chief of Staff
Deputy Commissioner for Operations Support
Deputy Commissioner for Services and Enforcement
Deputy Chief Information Officer for Operations
Associate Chief Information Officer, Applications Development
Associate Chief Information Officer, Cybersecurity
Associate Chief Information Officer, Enterprise Operations
Director, Enterprise Technology Implementation
Director, Office of Online Services
Director, Office of Audit Coordination

Appendix IV

List of Online Applications With Reassessed Electronic Authentication Risk Assessments

Online application: description

1. Affordable Care Act Information Returns: Allows insurance companies, self-insured, large businesses, and businesses that provide health insurance to their employees to electronically file information returns.

2. Certified Professional Employer Organizations: Supports Certified Professional Employer Organizations and 501(c)4 exempt organizations in data collection, identity verification, payment, application processing, and communication related to each registration process.

3. Continuing Education Provider Registration and Tracking System: Tracks continuing education hours earned by tax return preparers.

4. ePostcard: Used for online submission of IRS Form 990-N, Electronic Notice (e-Postcard) for Tax-Exempt Organizations Not Required to File Form 990 or Form 990EZ, for annual filings for small tax-exempt organizations reporting $50,000 or less.

5. eServices e-File: Allows a third party to apply online to become an electronic filer and allows internal users to input paper applications.

6. eServices Secure Object Repository Transcript Delivery System: Allows users to request transcripts through the Transcript Delivery System that are delivered to the user's individual secure object repository mailbox.

7. eServices External Services Authorization Management: Allows tax filers of Affordable Care Act related tax forms to register for and receive a transmission control code to be used as an authorization identifier for the submissions of tax filer data.

8. eServices Secure Object Repository TIN Matching: Allows matching of TINs against IRS records for eServices users, with results delivered to the user's individual secure object repository mailbox.

9. Excise Files Information Retrieval System – Excise Summary Terminal Activity Reporting System: Provides an online process for fuel terminal operators and carriers to file information returns.

10. Federal Student Aid – Datashare: Provides an online means for applicants to retrieve individual Federal tax return information from the IRS while on the Department of Education's website completing the Free Application for Federal Student Aid form.

11. Filing Information Returns Electronically: Used by external trading partners to transmit tax documents to report certain types of payments made as part of their trade or business.

12. First Time Home Buyer Credit Account Lookup: Allows users to look up the balance of the First-Time Homebuyer Credit, the amount paid back to date, the total amount of the credit received, and the annual installment repayment amount.

13. Foreign Accounts Tax Compliance Act: Provides an online means for financial institutions to submit registration data and agreement forms in order to engage in withholding and reporting activities under the Foreign Accounts Tax Compliance Act.

14. Get Transcript: Allows taxpayers to view and download their tax return information online.

15. IDVerify: Allows taxpayers who have received a letter from the IRS indicating it has stopped their return due to indications of identity theft a means to verify their identities.

16. Identity Protection PIN: Enables at-risk taxpayers the opportunity to obtain an Identity Protection PIN online, which is a six-digit number assigned to taxpayers that have been victims of identity theft and which allows their tax returns to be processed without delay.

17. Integrated Customer Communications Environment – Modernized Internet Employer Identification Number: Assists taxpayers, businesses, and their representatives to complete the application for an Employer Identification Number using an interactive system, which asks questions tailored to the type of entity the taxpayer is establishing.

18. IRS Direct Pay: Provides a means to make an electronic payment directly to the IRS from a checking or savings account with an electronic confirmation.

19. Modernized e-File Internet Filing Application Production Transmitter View: Provides a means to electronically file corporate, exempt organization, individual, partnership, and excise tax returns through the Internet.

20. Online Account – Payment Status/History: Allows an online capability to display taxpayer payment information.

21. Online Payment Agreement – Business Master File and Power of Attorney: Allows a qualified taxpayer or authorized representative (Power of Attorney) to apply for or modify a previously established installment agreement if the business is unable to pay the liability on time.

22. Online Payment Agreement – Individual Master File: Allows an individual taxpayer the opportunity to apply for or modify a current installment agreement if the individual is unable to pay the liability on time.

23. Order a Transcript (via postal mail): An interactive web application on IRS.gov for transcript requests that mirrors the telephone applications and sends transcripts to taxpayers via U.S. mail based on the address of record on the Master File.1

24. Political Organization Filing and Disclosure and Action 527 Political Committee: Enables political organizations to register and submit forms online.

25. Tax Professional Preparer/Tax Identification Number: Provides online registration and renewal, user fee collection, and issuance of unique identifying numbers for all paid tax preparers.

26. Taxpayer Digital Communications – Small Business and Self-Employed: Enables taxpayers to communicate with IRS employees on small business and self-employment issues over the Internet through several communication channels: secure messaging, text chat, voice chat, video meetings, and co-browsing.

27. Where's My Amended Return: Provides automated access to the processing status of taxpayers' Form 1040X, Amended U.S. Individual Income Tax Return, for the current year and up to three prior years.

28. Where's My Refund: Provides automated access to the processing status of tax refunds for taxpayers who filed a Form 1040, U.S. Individual Income Tax Return, and are eligible to receive a refund.

1 The IRS database that stores various types of taxpayer account information. This database includes individual, business, and employee plans and exempt organizations data.

Appendix V

Management's Response to the Draft Report

Attachment

Draft Audit Report - Electronic Authentication Process Controls Have Been Improved, but Have Not Yet Been Fully Implemented (Audit# 201720004) (e-trak # 2018-97621)

RECOMMENDATION 1: The Chief Information Officer should prepare a plan of action and milestones to ensure that remaining issues preventing full implementation of the two network monitoring tools are addressed.

CORRECTIVE ACTION: The IRS agrees with this recommendation. The IRS will develop a Plan of Action and Milestones (POAM) to ensure that remaining issues preventing full implementation of the two network monitoring tools are addressed.

IMPLEMENTATION DATE: March 15, 2018

RESPONSIBLE OFFICIAL(S): Associate Chief Information Officer, Applications Development

CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION 2: The Chief Information Officer should establish a process to adequately test and subsequently monitor corrections made to application controls until it can be confirmed that the corrections were effective.

CORRECTIVE ACTION: The IRS agrees with this recommendation. While the IRS has processes in place to confirm that all corrections to application controls are tested and verified in lower environments, the IRS will ensure the amount of time in the eAuthentication Test Plan is expanded to ensure any anomalies are captured and resolved.

IMPLEMENTATION DATE: March 15, 2018

RESPONSIBLE OFFICIAL(S): Associate Chief Information Officer, Applications Development

CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION 3: The Chief Information Officer should ensure that the eAuthentication audit log captures ****************2***************** in a separate field for all user transactions to allow for tracking and analysis of user activity.

CORRECTIVE ACTION: The IRS agrees with this recommendation. Information Technology will modify the eAuthentication audit log process to capture *******2******* in a separate field for all user transactions. This modification will be assessed and prioritized along with all other eAuthentication work in the product backlog.

IMPLEMENTATION DATE: March 15, 2018

RESPONSIBLE OFFICIAL(S): Associate Chief Information Officer, Applications Development

CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.

RECOMMENDATION 4: The Chief Information Officer should ensure that IRS policy is met in regards to audit log report generation and review, that actionable events and threshold triggers are kept current, and reports are useful for investigation and response to suspicious activities.

CORRECTIVE ACTION: The IRS agrees with this recommendation. Cybersecurity will continue to implement the capability to generate reports from the eAuthentication audit logs, which enables on-demand audit review, analysis, and after-the-fact investigations. Additionally, Cybersecurity will continue to implement process changes to ensure that actionable events, threshold triggers and reports are kept current.

IMPLEMENTATION DATE: October 15, 2018

RESPONSIBLE OFFICIAL(S): Associate Chief Information Officer, Cybersecurity

CORRECTIVE ACTION MONITORING PLAN: We enter accepted Corrective Actions into the Joint Audit Management Enterprise System (JAMES) and monitor them on a monthly basis until completion.
