Shows & Panels
- AFCEA Answers
- Ask the CIO
- The Big Data Dilemma
- Carrying On with Continuity of Operations
- Connected Government
- Constituent Servicing
- Continuous Monitoring: Tools and Techniques for Trustworthy Government IT
- The Cyber Imperative
- Cyber Solutions for 2013 and Beyond
- Expert Voices
- Federal Executive Forum
- Federal IT Challenge
- Federal Tech Talk
- Mission-critical Apps in the Cloud
- The Path from Legacy Systems
- The Real Deal on Digital Government
- The Reality of Continuous Monitoring... Is Your Agency Secure?
- Veterans in Private Sector: Making the Transition
Shows & Panels
Delayed software updates leave IRS computers prone to hackers, auditors say
Thursday - 11/1/2012, 8:10pm EDT
Because hackers often exploit glitches in existing software to gain access to systems, software manufacturers frequently release patches, or fixes, for these bugs once they've been discovered.
Large organizations, such as the IRS, employ a process called patch management to stay on top of when software needs to be updated and to install the patches.
While it sounds mundane, leaving software unpatched is one of the main avenues through which hackers access normally protected systems.
"Any significant delays in patching software with critical vulnerabilities provides ample opportunity for persistent attackers to gain control over the vulnerable computers and get access to the sensitive data they may contain, including taxpayer data," the TIGTA report stated.
However, IRS has long struggled to effectively implement a patch-management process, auditors wrote.
While IRS has made strides recently in automating software updates and staying cognizant of when patches are needed, shortcomings still plague those efforts, TIGTA said. For example, IRS has not yet completed an accurate inventory of its IT equipment and thus can't determine whether all systems have been patched.
The auditors recommended IRS complete its inventory of IT assets. More broadly, the IG called for "enterprise-level oversight and leadership," to enforce policies for ensuring software patches are implemented.
IRS agreed with most of the recommendations. It said it planned to update its patch management policy to be clearer about installation standards and deadlines. The revised policy also puts the cybersecurity division in charge of ensuring agencywide compliance.
The report, dated Sept. 25, was first publicly released Thursday.