Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Connected Government
- Consolidating Mission-critical Systems
- Constituent Servicing
- Continuous Monitoring: Tools and Techniques for Trustworthy Government IT
- The Data Privacy Imperative: Safeguarding Sensitive Data
- Eliminating the Pitfalls: Steps to Virtualization in Government
- Federal Executive Forum
- Federal Tech Talk
- Government Cloud Brokerage: Who, What, When, Where, Why?
- Government Mobility
- Mission-critical Apps in the Cloud
- Mobile Device Management
- The Modern Federal Threat Landscape
- The Path from Legacy Systems
- Understanding the Intersection of Customer Service and Security in the Cloud
Shows & Panels
Monday - Friday, 6-9 a.m.
Hosts Tom Temin and Emily Kopp bring you the latest news affecting the federal community each weekday morning, featuring interviews with top government executives and contractors. Listen live from 6 to 9 a.m. or download archived interviews on our daily show blogs.
Delayed software updates leave IRS computers prone to hackers, auditors say
Thursday - 11/1/2012, 8:10pm EDT
Because hackers often exploit glitches in existing software to gain access to systems, software manufacturers frequently release patches, or fixes, for these bugs once they've been discovered.
Large organizations, such as the IRS, employ a process called patch management to stay on top of when software needs to be updated and to install the patches.
While it sounds mundane, leaving software unpatched is one of the main avenues through which hackers access normally protected systems.
"Any significant delays in patching software with critical vulnerabilities provides ample opportunity for persistent attackers to gain control over the vulnerable computers and get access to the sensitive data they may contain, including taxpayer data," the TIGTA report stated.
However, IRS has long struggled to effectively implement a patch-management process, auditors wrote.
While IRS has made strides recently in automating software updates and staying cognizant of when patches are needed, shortcomings still plague those efforts, TIGTA said. For example, IRS has not yet completed an accurate inventory of its IT equipment and thus can't determine whether all systems have been patched.
The auditors recommended IRS complete its inventory of IT assets. More broadly, the IG called for "enterprise-level oversight and leadership," to enforce policies for ensuring software patches are implemented.
IRS agreed with most of the recommendations. It said it planned to update its patch management policy to be clearer about installation standards and deadlines. The revised policy also puts the cybersecurity division in charge of ensuring agencywide compliance.
The report, dated Sept. 25, was first publicly released Thursday.