Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Connected Government: How to Build and Procure Network Services for the Future
- Continuing Diagnostics and Mitigation: Discussion of Progress and Next Steps
- Federal Executive Forum
- Federal Tech Talk
- The Intersection: Where Technology Meets Transformation
- Maximizing ROI Through Data Center Consolidation
- Moving to the Cloud. What's the best approach for me
- Navigating Tough Choices in Government Cloud Computing
- The New Generation of Database
- Satellite Communications: Acquiring SATCOM in Tight Times
- Transformative Technology: Desktop Virtualization in Government
- Value of Health IT
Shows & Panels
Monday - Friday, 6-9 a.m.
Hosts Tom Temin and Emily Kopp bring you the latest news affecting the federal community each weekday morning, featuring interviews with top government executives and contractors. Listen live from 6 to 9 a.m. or download archived interviews below.
Delayed software updates leave IRS computers prone to hackers, auditors say
Thursday - 11/1/2012, 8:10pm EDT
Because hackers often exploit glitches in existing software to gain access to systems, software manufacturers frequently release patches, or fixes, for these bugs once they've been discovered.
Large organizations, such as the IRS, employ a process called patch management to stay on top of when software needs to be updated and to install the patches.
While it sounds mundane, leaving software unpatched is one of the main avenues through which hackers access normally protected systems.
"Any significant delays in patching software with critical vulnerabilities provides ample opportunity for persistent attackers to gain control over the vulnerable computers and get access to the sensitive data they may contain, including taxpayer data," the TIGTA report stated.
However, IRS has long struggled to effectively implement a patch-management process, auditors wrote.
While IRS has made strides recently in automating software updates and staying cognizant of when patches are needed, shortcomings still plague those efforts, TIGTA said. For example, IRS has not yet completed an accurate inventory of its IT equipment and thus can't determine whether all systems have been patched.
The auditors recommended IRS complete its inventory of IT assets. More broadly, the IG called for "enterprise-level oversight and leadership," to enforce policies for ensuring software patches are implemented.
IRS agreed with most of the recommendations. It said it planned to update its patch management policy to be clearer about installation standards and deadlines. The revised policy also puts the cybersecurity division in charge of ensuring agencywide compliance.
The report, dated Sept. 25, was first publicly released Thursday.