September 5, 2008 -- (WEB HOST INDUSTRY REVIEW) -- The US Internal Revenue Service network has had thousands of unauthorized and insecure internal web servers connected to it, according to a report from the Treasury Inspector General for Tax Administration.
According to the independent report released Thursday, 1,811 internal web servers on the IRS network had not been approved to connect to the network, and 2,093 internal web servers connected to the network carried at least a risk of security vulnerability. The internal audit was conducted to determine whether the IRS is adequately controlling and securing its web servers.
According to the report, the unauthorized and insecure web servers "placed both the computers and the entire IRS network at risk of unauthorized accesses to taxpayer and personally identifiable information."
However, while still posing a risk, not all of the unauthorized web servers were set up with malicious intent: the Enterprise Operations organization recorded that 661, or 36 percent, of the 1,811 web servers had a legitimate business purpose for being connected.
The authors of the report made recommendations to the IRS Chief Information Officer. The CIO, they said, should enforce procedures to block unauthorized web servers from the IRS network and impose an annual scan of web servers to identify unauthorized web servers. The unauthorized web servers should be immediately disconnected from the IRS network and web server owners should be required to re-validate the need for the servers annually and immediately notify the Chief Information Officer when decommissioning any server.
The CIO reportedly agreed with the recommendations and is taking steps to implement them.