Was the IRS breach unstoppable?

As Congress looks to place blame for the recent IRS hack, the Irari Rules make it simple.

Another hack, another claim of inevitability. It is frustrating to read about the IRS breach and see it declared sophisticated. The following quote, from the IRS commissioner to CNN, is just outright infuriating:

"It was an attack the agency wasn't well suited to combat," IRS Commissioner Koskinen said. "We're dealing with criminals with a lot of money and using expensive equipment and hiring a lot of smart people."

There are two elements of that statement that we can't argue with: The perpetrators are criminals, and they have a lot of money -- now. It's been reported that $50 million was stolen. That's a lot of money, and the people who stole it are criminals by definition. But did they have a lot of money, expensive equipment and smart people when they committed the crime? That part is not clear.

As Congress looks into this matter, it should consider how self-serving such statements as Koskinen's are. These are the facts: The criminals managed to obtain detailed personal information for over 100,000 taxpayers and used the information to authenticate themselves, as those taxpayers, to the "Get Transcript" application. That allowed them to collect more information and then submit fraudulent tax returns with refunds totaling $50 million.

So this is a clear-cut example of an authentication hack, in which a criminal finds a way to authenticate himself as someone else by finding answers to common security questions such as "What is your mother's maiden name?" Such information resides in the public domain and can be gleaned by such non-sophisticated techniques as looking up a Facebook profile or engaging in a little light social engineering.

None of this takes a lot of money, technology or intelligence. The IRS hackers, now reported to be located in Russia, could have used cheap PCs, and they don't need to be overly smart. All they need is knowledge that an application exists and the ability to deduce what information is required to access information in it.

According to Koskinen, the Get Transcript application asks for authentication information that only the authorized person has. Well, clearly that statement is wrong. The criminals had that information for more than 100,000 taxpayers, and the expectation should be that a person's grandmother's first name and even their Social Security number can be gleaned from social media or public records, or purchased off the dark web. Authentication questions used by the Get Transcript application were about loan payments, addresses, etc., which are available on credit reports and can be purchased online, both legally and illegally, even assuming they haven't been compromised by the hundreds of large-scale identity theft incidents or other means.

As for Koskinen's plea that the IRS is up against a lot of fiendishly clever criminals with loads of money, you'd think that the IRS has no resources of its own. Per recent reports, the IRS has 363 people specifically focused on information security, and a budget of $141.5 million. Is Koskinen saying that those 363 people are stupid or unskilled?

In fact, the IRS has relatively strong information security practices in place, and this attack was entirely preventable. But the IRS implemented an authentication scheme that relied on information that is far more readily available than it assumed. So the question is: could or should stronger authentication have been in place?

As we wrote in our article about applying the Irari Rules to risk-based security programs, it is reasonable to forgo a control if the cost is greater than the benefit. There has to be a balance of ease of use and potential loss. In this case, the Irari Rule implying there should be effective misuse and abuse detection in place was violated.
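What "effective misuse and abuse detection" can look like for an application such as Get Transcript, as an added example that is not part of the original column and not code from any IRS system: a small Python detector run over constructed authentication log lines. The log format, field names, thresholds and the sample addresses are all assumptions made for this example. The point it illustrates is that even when every individual knowledge-based answer set is "correct", the pattern of one source authenticating as many different taxpayers in minutes, or failing a large fraction of its attempts, is visible to a detector that looks at the source rather than at each login in isolation.

```python
"""Velocity- and failure-ratio-based abuse detection over authentication events.

Added example (not from the article or the IRS): flags a source address that
authenticates as many *different* identities in a short window, and a source
whose knowledge-based-authentication (KBA) failure fraction is high across
many attempts. Both are signatures of KBA abuse regardless of how correct
each individual answer set was.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines; the field layout and addresses are
# assumptions for this example, not the IRS application's real log format.
SAMPLE_LOG = """\
2015-05-15T10:00:05Z src=198.51.100.4 taxpayer=tp-1001 kba=success
2015-05-15T10:00:41Z src=198.51.100.4 taxpayer=tp-1002 kba=fail
2015-05-15T10:01:12Z src=198.51.100.4 taxpayer=tp-1003 kba=success
2015-05-15T10:01:55Z src=198.51.100.4 taxpayer=tp-1004 kba=success
2015-05-15T10:02:30Z src=198.51.100.4 taxpayer=tp-1005 kba=fail
2015-05-15T10:03:02Z src=198.51.100.4 taxpayer=tp-1006 kba=success
2015-05-15T10:05:00Z src=203.0.113.9 taxpayer=tp-2001 kba=success
2015-05-15T11:30:00Z src=203.0.113.9 taxpayer=tp-2001 kba=success
2015-05-15T12:00:00Z src=192.0.2.77 taxpayer=tp-3001 kba=fail
2015-05-15T12:00:20Z src=192.0.2.77 taxpayer=tp-3001 kba=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) taxpayer=(?P<tp>\S+) kba=(?P<result>success|fail)$"
)


def parse_events(text):
    """Return a time-sorted list of (timestamp, src, taxpayer, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["tp"], m["result"] == "success"))
    return sorted(events)


def find_identity_velocity(events, window=timedelta(minutes=10), max_identities=3):
    """Flag sources that successfully authenticate as more than
    max_identities distinct taxpayers inside any sliding window of `window`.
    Returns {src: largest number of distinct identities seen in one window}."""
    by_src = defaultdict(list)
    for ts, src, tp, ok in events:
        if ok:
            by_src[src].append((ts, tp))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # advance the window start until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {tp for _, tp in hits[start:end + 1]}
            if len(distinct) > max_identities:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def find_failure_ratio(events, min_attempts=5, max_fail_ratio=0.3):
    """Flag sources whose KBA failure fraction is high across many attempts;
    a legitimate taxpayer rarely fails their own questions repeatedly.
    Returns {src: failure fraction rounded to two places}."""
    attempts = defaultdict(lambda: [0, 0])  # src -> [total, failures]
    for _, src, _, ok in events:
        attempts[src][0] += 1
        if not ok:
            attempts[src][1] += 1
    return {
        src: round(fails / total, 2)
        for src, (total, fails) in attempts.items()
        if total >= min_attempts and fails / total > max_fail_ratio
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("identity velocity alerts:", find_identity_velocity(evs))
    print("failure ratio alerts:", find_failure_ratio(evs))
```

On the constructed sample only the first source is flagged by both rules: it reaches four distinct taxpayers within ten minutes and fails a third of its attempts, while the taxpayer who retries their own questions once and the one who returns later in the day are left alone. Thresholds of this kind are tuned against the application's own baseline rather than copied from this example.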

The IRS does not necessarily need more money, better computers or smarter people. It needs a more comprehensive and honest examination of its authentication and detection processes, as well as the risk related to the systems in question. Evaluating risk is a key element. It is not feasible to create a system that stops all possible attacks, since the IRS has a responsibility to make data readily available to the appropriate people, and because it has to work with a budget that is decreasing.

We wrote the Irari Rules to stop people from doing exactly what Koskinen has done: portraying an organization as a victim of a sophisticated attacker instead of acknowledging an inadequate security program and figuring out how to improve it.

Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. Ira and Araceli Treu Gomes can be contacted through Ira's Web site, securementem.com.
