IRS Granted Tens of Thousands of Devices Network Access Without Proper Authentication

Most devices accessing the Internal Revenue Service’s internal network using wireless connections and virtual private networks weren’t authenticated, according to an audit. The Internal Revenue Service failed to authenticate tens of thousands of devices connecting to the agency’s internal network through wireless connections or virtual private networks during a recent audit. The Inspector General for the Treasury Department audit described cracks in the authentication process used for accessing the internal IRS network. None of the devices used to make 26,237 network connections via virtual private networks were authenticated. Another 92% of devices using a wireless connection also were not authenticated, while 3% were authenticated with a password rather than the preferred certificate method. These measures came from a sample activity log covering one day of authentication using the Identity Services Engine. Over 104,000 network accesses were made via wired connections, the vast majority of which were verified using certificate-based authentication. But more than 31,000 non-wired accesses were made on devices lacking certificate authentication. “Without properly authenticating all devices, the IRS does not have adequate controls to ensure that only authorized devices are allowed access to its internal network and taxpayer data may be at risk,” the report reads.

The inspector general recommends IRS implement certificate-based authentication across all devices regardless of connection type, develop a plan to reduce the number of devices authenticated with a less-secure protocol and ensure Unified Access project is following the predetermined development methodology appropriately. The agency concurred with each point. According to a July 16 memorandum from IRS acting Chief Information Officer Nancy Sieger, which was attached to the audit, IRS implementation will begin as early as February 2021. Work on certifying devices using wireless connections is already underway. That is the piece of the puzzle set for implementation in February. But in order to implement certificate-based authentication for devices connecting over a VPN, IRS needs funding. The memo posits IRS will be able to ensure VPN device authentication by February 2022 should it receive the needed funds.

The other two recommendations indicate IRS should develop a plan to phase out devices that use a less secure authentication protocol, called Media Access Control Authentication Bypass, as well as course correct the Unified Access project to adhere to the appropriate development methodologies. The UA project is an IT security initiative that protects the network, assets and taxpayer data, according to the memo. The audit found development of the project isn’t following the Enterprise Life Cycle methodology. The ELC standard defines a software development path for commercial off-the-shelf solutions. “We are committed to implementing the corrective actions that will strengthen device authentication and completing all Enterprise Life Cycle required artifacts,” Sieger wrote in the memo.

https://www.nextgov.com/cybersecurity/2020/08/irs-granted-tens-thousands-devices-network-access-without-proper-authentication/167784/

First night Democratic convention viewership dips after digital-only debut

An estimated 18.7 million people tuned into the opening night of the 2020 Democratic National Convention, a drop compared to four years ago, according to early Nielsen ratings. The top five broadcast and cable news networks agreed to take the second and final hour of Monday's virtual convention program, the first time either party has tested the format. While the majority of viewers from 10-11:15 p.m. turned on CNN and MSNBC, which carried the full scheduled two hours, an average of 2.1 million people watched via Fox News, Nielsen Media Research found. About 4.7 million of the total audience, including on ABC, CBS, and NBC, were aged 25-54 years, a demographic advertisers covet. Those numbers represent a decline from the 2016 convention. Last cycle, Democrats drew an estimated 26 million via traditional TV on the first night during the same time slot. The initial figures may be revised with data from smaller networks.

The Biden campaign appeared to anticipate a ratings hit on Tuesday morning, citing their online reach during a press briefing. Biden staff also touted the "dynamic experience" they created through a mix of produced content and live speakers. "We really wanted to think about this as a convention across America," Biden spokeswoman Kate Bedingfield told reporters. "We've really thought about how we can reach people on non-traditional platforms and how we can really make this a dynamic experience for the person watching from home who might not otherwise tune in to an hour-plus of convention coverage." Later Tuesday, the team announced the convention notched up 10.2 million views via livestreams. The coronavirus pandemic forced Democrats to scrap their plans for a partially digital convention last week, including hosting reporters and TV crews in the host city of Milwaukee. The development meant last-minute coverage changes in the days leading up to the event.

https://www.washingtonexaminer.com/news/first-night-democratic-convention-viewership-dips-after-digital-only-debut