A government audit of the Internal Revenue Service (IRS) has found that over 3,000 of the 7,100 servers run by the IRS are not properly updated, and that this is a common problem within the organization. This is a serious issue: servers that are not updated are not fully protected against the latest or emerging security vulnerabilities, whether those are simple technical flaws that have been uncovered or, more pertinently, weaknesses that a hacker deliberately attacks.
This is not as far-fetched as it may sound. Earlier this year the IRS admitted that millions of taxpayer records had been compromised and that over 200,000 actual records had in fact been stolen. Who stole them is unclear, but Chinese and Russian cybercriminals are considered to be the main suspects. In any event, who wants their personal, financial data in the hands of any unauthorized people to begin with!
Failing to update the IRS server fleet also leads to operational issues, including with the ability to process tax refunds quickly. This operational deficiency also affects how taxpayer inquiries and correspondence are dealt with and answered.
According to the audit, 7,100 servers were found to be in use by the IRS, of which only 4,100 had been upgraded by IRS staff. The real danger lurking behind this stark data is that an undisclosed number of IRS servers are running not on the supported Windows Server 2008 and 2012, but on the 2003 version. Windows Server 2003 ceased to be a supported Microsoft product back in July 2015, which means that there are major holes in IRS IT security.
The impact of unsupported servers is that if a flaw is discovered, cybercriminals can use that hole to gain access to data and steal it. If you are not patching your servers as new threats and bugs are identified and updates are issued to close the holes, you become progressively more exposed to external attack. Attacks come not just from viruses, but also from malware and actual hacking into your systems (and once a hacker has gained access, unless you know they have hacked you, they can simply regain entry again and again).
The problem is compounded by the fact that, while over half of the servers are updated and upgraded, it takes only one server to give an attacker an entry point through which the whole network and the data it contains can be exploited. This is the weak link in a chain: the network is only as strong as the weakest or most insecure point in the infrastructure.
The auditors are pretty explicit as to who is responsible for this disaster waiting to happen: the IRS itself. The audit states clearly, “The IRS had not adequately planned for the Windows server upgrade…and lacked sufficient oversight.” The IRS denies it is behind the 8-ball in this instance, and argues that no taxpayer information has been compromised and that the auditors cannot point to a single instance where its network has been compromised as a result of this failure to upgrade. That is cold comfort to the hundreds of thousands of taxpayers who have already had their information and financial data stolen from the IRS database earlier in 2015.