Another hack, another claim of inevitability. It is frustrating to read about the IRS breach and see it declared sophisticated. The following quote, from the IRS commissioner to CNN, is just outright infuriating:
“It was an attack the agency wasn't well suited to combat, IRS Commissioner Koskinen said. ‘We're dealing with criminals with a lot of money and using expensive equipment and hiring a lot of smart people.’”
There are two elements of that statement that we can’t argue with: The perpetrators are criminals, and they have a lot of money — now. It’s been reported that $50 million was stolen. That’s a lot of money, and the people who stole it are criminals by definition. But did they have a lot of money, expensive equipment and smart people when they committed the crime? That part is not clear.
As Congress looks into this matter, it should consider how self-serving such statements as Koskinen’s are. These are the facts: The criminals managed to obtain detailed personal information for over 100,000 taxpayers and used the information to authenticate themselves, as those taxpayers, to the “Get Transcript” application. That allowed them to collect more information and then submit fraudulent tax returns with refunds totaling $50 million.
So this is a clear-cut example of an authentication hack, in which a criminal finds a way to authenticate himself as someone else by finding answers to common security questions such as “What is your mother’s maiden name?” Such information resides in the public domain and can be gleaned by such non-sophisticated techniques as looking up a Facebook profile or engaging in a little light social engineering.
None of this takes a lot of money, technology or intelligence. The IRS hackers, now reported to be located in Russia, could have used cheap PCs, and they don’t need to be overly smart. All they need is knowledge that an application exists and the ability to deduce what information is required to access information in it.
According to Koskinen, the Get Transcript application asks for authentication information that only the authorized person has. Well, clearly that statement is wrong. The criminals had that information for more than 100,000 taxpayers, and the expectation should be that a person’s grandmother’s first name and even their Social Security number can be gleaned from social media or public records, or purchased off the dark web. Authentication questions used by the Get Transcript application were about loan payments, addresses, etc., which are available on credit reports and can be purchased online, both legally and illegally, even assuming they haven’t been compromised by the hundreds of large-scale identity theft incidents or other means.
As for Koskinen’s plea that the IRS is up against a lot of fiendishly clever criminals with loads of money, you’d think that the IRS has no resources of its own. Per recent reports, the IRS has 363 people specifically focused on information security, and a budget of $141.5 million. Is Koskinen saying that those 363 people are stupid or unskilled?
In fact, the IRS has relatively strong information security practices in place, and this attack was entirely preventable. But the IRS implemented an authentication scheme that used information that is more readily available than it assumed. So the question is, Could or should stronger authentication have been in place?
As we wrote in our article about applying the Irari Rules to risk-based security programs, it is reasonable to forgo a control if the cost is greater than the benefit. There has to be a balance of ease of use and potential loss. In this case, the Irari Rule implying there should be effective misuse and abuse detection in place was violated.
The IRS does not necessarily need more money, better computers or smarter people. It needs a more comprehensive and honest examination of its authentication and detection processes, as well as the risk related to the systems in question. Evaluating risk is a key element. It is not feasible to create a system that stops all possible attacks, since the IRS has a responsibility to make data readily available to the appropriate people, and because it has to work with a budget that is decreasing.
We wrote the Irari Rules to stop people from doing exactly what Koskinen has done: portraying an organization as a victim of a sophisticated attacker instead of acknowledging an inadequate security program and figuring out how to improve it.
Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. Ira and Araceli Treu Gomes can be contacted through Ira's Web site, securementem.com.
This story, "Was the IRS breach unstoppable?" was originally published by Computerworld.