
Imran Awan case shows lax security controls for IT staff

Investigations into the conduct of the IT staff of the House of Representatives raised alarms. Kevin McDonald explains what we can learn from the case of Imran Awan.

Those who operate with high-level system access, such as IT administrators, possess immense and potentially devastating control. With even partial domain or local administrator access, a tech-savvy individual can observe every action performed on a system. They can add programs designed to spy on users, damage systems or data, redirect data flows and communications, or fully reproduce every bit of data contained on the systems they control. They can pretend to be a user and take action as if they are that user.

I have been involved in investigations where data was deleted, information was exfiltrated, money was stolen and clients were locked out of their own systems, and even extorted by staffers with information they gained from systems access. This means that the utmost care must be taken in selecting these technology professionals, determining their access and monitoring their behaviors.

In particular, sensitive systems in government, defense and finance should be accessed and supported only by those with impeccable work history, experience, knowledge and character. If issues or questions arise about their conduct, they should have their access immediately revoked until an investigation can be completed. There is no room for leniency or error until the concerns are alleviated.

This brings me to the Imran Awan case. Awan spent more than a decade with deep access and substantial control over the computers of dozens of members of Congress.

Awan started his Capitol Hill work in 2004, providing IT support for Rep. Robert Wexler (D-Fla). In 2005, Awan began working for Debbie Wasserman Schultz (D-Fla). His two brothers, Jamal Awan and Abid Awan, also started working with the House of Representatives later that year. Awan's wife, Hina Alvi, joined the Capitol Hill payroll in 2007 as a member of the House IT staff.

Over the next decade, the Awan family's access grew to more than two dozen members of Congress and scores of staffers. The Imran Awan case has revealed serious cracks in how Congress addresses red flags associated with its House IT staff.

Allegations of improper conduct

The Imran Awan case dates back to 2016, when investigators in the Office of the Inspector General (IG) began investigating Imran, Jamal and Abid Awan and Hina Alvi. The Washington Post reported IG investigators were watching the Awans for months and grew concerned when they found the employees may have been accessing congressional servers without authorization, and that they "could be reading and/or removing information." The alleged misconduct, along with additional alleged illegal activities Imran has been accused of committing, led to the removal of the Awan family's network access on Feb. 2, 2017.

While Imran Awan and his family members had their systems access revoked and most members of Congress fired the group last March, Wasserman Schultz kept Imran Awan on as a consultant. Awan remained on the payroll in the employ of Wasserman Schultz until the day after Awan was arrested by the FBI and U.S. Capitol Police at Washington Dulles International Airport on July 24, 2017, as he was about to leave the country for Lahore, Pakistan.

According to a federal affidavit and criminal complaint in the Imran Awan case, the flight was scheduled after Awan transferred nearly $283,000 to Faisalabad, Pakistan earlier that year. Bank records show that $165,000 of the funds transferred was obtained through an alleged fraudulent home loan for Awan's Alexandria, Va., property that was funded on Jan. 12, 2017. The loan was obtained through the Congressional Federal Credit Union. According to the same federal affidavit, the home equity line of credit loan was for Awan's rental home, which had been reported as his primary residence; if true, that misrepresentation is against the law.

Imran Awan was charged with bank fraud, conspiracy to commit bank fraud, engaging in unlawful monetary transactions and making false statements. Currently, he has not been charged with any crimes related to his conduct as a member of the House IT staff.

However, according to Politico, a second investigation by U.S. Capitol Police into the Awans, as well as another IT staff member named Rao Abbas, found that the group had allegedly stolen computer equipment from House members' offices. This alleged theft is believed to involve hundreds of thousands of dollars in equipment, though no arrests or charges have been filed yet against the other members of the group.

Imran Awan, meanwhile, pleaded not guilty to fraud and conspiracy, and he was released from jail on monitored release with a temporary curfew and a GPS monitor.

Potential risks posed by IT staff

It's unclear how much access the Awans had to various user accounts within Congress. Many IT staff members are, unfortunately, provided unfettered access to user account passwords, and they can even request and maintain copies of passwords for those they support on a regular basis.

This is a huge violation of basic security practices and -- in many cases -- the law, but it happens every day. It happens because IT staff often, for whatever reasons, want access to systems they do not need or are too inexperienced to handle. At times, it may be for an impatient executive or user who simply says, "Just do it and let me know when it is done."

I have been involved in many internal investigations for clients where we found IT staff reading emails of company executives, peers and even love interests. We have caught IT staff abusing privileged access to look at confidential business plans, payroll and HR documents, and even intimate images kept in personal folders on phones and laptops. If, for any reason, temporary access is needed, it should never be done unattended, and passwords should be reset immediately when questions arise.

One should never share their password with anyone, and I would even say especially with IT staff. If IT needs your password in order to reproduce an issue you are experiencing, then it should be done in your presence, and you should enter the password yourself without them observing it being entered.

Sharing your password completely destroys accountability for the actions taken by a user account. It makes criminal prosecution and even employment actions very difficult, if not impossible. It can also cause problems with government records or business records if there is no way to accurately verify who accessed or modified them.

Use of multifactor authentication can help with protecting user accounts, although this may not prevent access, especially if email is used for the other factor and IT has access to the email server as an administrator.

Lessons learned from the Imran Awan case

Despite an ongoing investigation into potential misconduct, these members of the House IT staff were allowed to continue working as administrators for nearly a year. Additionally, Imran Awan was allowed to continue working as an IT admin for several months with restricted network access despite obvious red flags.

The Foundation for Accountability and Civic Trust, a conservative watchdog group, filed an ethics complaint against Wasserman Schultz.

"It appears that Wasserman Schultz permitted an employee to remain on the House payroll in violation of ethics rules," Executive Director Matthew Whitaker wrote in a letter to Congress. "After Awan was barred from accessing the House computer system, Wasserman Schultz continued to pay Awan with taxpayers' funds for IT consulting -- a position that he could not reasonably perform."

Regardless of whether Awan is found guilty, the response from members of Congress should be concerning. When challenged about why she allowed a person under criminal investigation to continue to access the building -- where computers are stored and used -- to assist with IT issues, Wasserman Schultz defended her actions by telling reporters that IT admins could assist with issues without having network access, and that IT support included other elements besides the network, such as phones, printers and software.


Let's break it down from an IT security perspective. First, Wasserman Schultz implies that allowing someone under criminal investigation to remain in proximity to sensitive computers and the network equipment connected to them is no big deal. Second, she goes on to say that, basically, phones, printers, the website and software are nothing to worry about, despite the fact that malware placed on any of the above can lead to system access. Even without gaining system access, key loggers and other data capture malware can, in fact, steal copies of everything a House member or staffer is doing.

In addition, these devices can be used as jump points by threat actors looking to move laterally. Network connectivity from phones, printers and software can also potentially enable a threat actor to gain direct access depending on the network's configuration. Phone software can be installed that captures calls, emails, texts and other information.

The lack of concern and perspective on the potential risks posed by Imran Awan is alarming.

Conclusion

It's unclear what will come of the Imran Awan case. Even if it does not rise to the level of espionage, it should be a massive wakeup call about who is being allowed to access congressional IT systems and other sensitive government computers.

There should be a top-down investigation into the hiring, monitoring and termination practices of Congressional members' IT staff, and new protocols need to be instituted. All access to sensitive systems should be monitored, and records of employee and contractor activity must be checked on a regular basis.

When potential illicit activity is found, account lockout and suspension with pay should be immediate. If nothing is found, staff members can be allowed to continue working. If misconduct or illegal activity is found, then an account lockout can prevent further damage or destruction of evidence.
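The two paragraphs above call for privileged activity to be recorded, reviewed regularly and acted on with an immediate lockout when something looks wrong. The following is an added example of what that review can look like in practice; it is not code from the article or from any House IT system. It assumes a hypothetical audit log format (timestamp, actor, action, target, office), a constructed table of which offices each administrator is assigned to support, and a constructed revocation date, and it flags three conditions: an administrator touching an office they do not support, any activity after access was revoked, and a password reset by an administrator followed within minutes by a logon as that user (the impersonation pattern the article warns about, which still needs confirmation with the user before it is treated as misconduct).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): time, actor, action, target, office.
SAMPLE_LOG = """\
2017-01-20T09:12:00 admin.jdoe MAILBOX_READ rep.office12.chief office12
2017-01-20T09:30:00 admin.jdoe PASSWORD_RESET user.office12.aide office12
2017-01-20T09:31:00 user.office12.aide LOGON user.office12.aide office12
2017-01-21T22:05:00 admin.jdoe SERVER_FILE_COPY fileserver.office07 office07
2017-01-22T10:00:00 admin.asmith MAILBOX_READ rep.office07.chief office07
2017-02-03T08:00:00 admin.jdoe MAILBOX_READ rep.office12.chief office12
"""

# Constructed authorization table: which offices each admin account may support.
ASSIGNMENTS = {"admin.jdoe": {"office12"}, "admin.asmith": {"office07", "office09"}}
# Constructed revocation record: activity at or after this time is never legitimate.
REVOKED = {"admin.jdoe": datetime(2017, 2, 2)}


@dataclass(frozen=True)
class Event:
    when: datetime
    actor: str
    action: str
    target: str
    office: str


@dataclass(frozen=True)
class Finding:
    rule: str
    actor: str
    when: datetime
    detail: str


def parse_log(text):
    """Parse the hypothetical space-separated log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, actor, action, target, office = line.split()
        events.append(Event(datetime.fromisoformat(ts), actor, action, target, office))
    return sorted(events, key=lambda e: e.when)


def analyze(events, assignments, revoked, reset_window=timedelta(minutes=10)):
    """Run the three review rules over the events and return the findings in time order."""
    findings = []
    recent_resets = {}  # target account -> (admin who reset it, time of reset)
    for e in events:
        if e.actor in assignments:  # the actor is an IT administrator account
            if e.office not in assignments[e.actor]:
                findings.append(Finding("out_of_scope", e.actor, e.when,
                                        f"{e.action} on {e.target} in {e.office}"))
            cutoff = revoked.get(e.actor)
            if cutoff is not None and e.when >= cutoff:
                findings.append(Finding("after_revocation", e.actor, e.when,
                                        f"{e.action} on {e.target} after access was revoked"))
            if e.action == "PASSWORD_RESET":
                recent_resets[e.target] = (e.actor, e.when)
        elif e.action == "LOGON" and e.target in recent_resets:
            admin, reset_at = recent_resets.pop(e.target)
            gap = e.when - reset_at
            if gap <= reset_window:
                findings.append(Finding("reset_then_logon", admin, e.when,
                                        f"{e.target} logged on {int(gap.total_seconds())}s "
                                        f"after a reset by {admin}; confirm with the user"))
    return findings


def accounts_to_lock(findings, rules=("after_revocation", "out_of_scope")):
    """Accounts whose findings warrant an immediate lockout pending investigation."""
    return {f.actor for f in findings if f.rule in rules}


def run_sample():
    return analyze(parse_log(SAMPLE_LOG), ASSIGNMENTS, REVOKED)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.when:%Y-%m-%d %H:%M} {f.rule:<17} {f.actor:<13} {f.detail}")
    print("lock immediately:", sorted(accounts_to_lock(results)))
```

The reset-then-logon rule is deliberately kept out of the automatic lockout set: a user who asked for a reset and logged straight back in looks identical in the log, so that rule produces a question for the user, while out-of-scope and post-revocation activity have no innocent explanation and lock the account first and ask later.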

This case is an example of negligence trumping security and, worse yet, common sense. Awan's alleged activities and the way many handled themselves, from the hiring to the response in the wake of the investigation, should concern us all.

This was last published in March 2018



What security policies should be implemented for House IT staff?
There are too many to list here. But first, since they are being allowed to access systems that are related to government work, they should be chosen by the congressional staff (as they are now) but based on minimum qualifications. They should then be approved, managed and monitored through the government IT systems and regulations. This case involves so many ridiculous choices being made by the congressional offices, I think falling back to simple common sense best practices for hiring, access control, accountability, and termination would be a great start.  

I mostly agree with MSPGURU, but 'common sense' is really asking too much of people who don't understand the principles of security. When you are qualified for a position, most of your work seems to be common sense to you. The people who perform the interviews need to understand the jobs for which they are hiring and ideally they should be fully qualified to perform those jobs. I know that is asking a lot. But we are talking about non-elected people with minimal supervision having access to our highest levels of Government. Perhaps at that level IT people should be required to pass a Top Secret background investigation before sitting for their final interview before being hired. Ben Franklin was wrong; there are people who can maintain secrets without being dead. Those are the kinds of people we need at that level.

GMcNair. First, thank you for taking the time to leave a thoughtful comment. If we were speaking of an average micro or small business owner, I would totally agree that common sense is relative when it comes to understanding cyber security. I do believe we all have an obligation to understand the basics though. I spend much of my time consulting with executives to help them understand and to find a balance between security, operational efficiency and cost. But this is because they care to ask. We are not talking about that group here. I honestly do not believe the members of Congress involved in this case gave one whit about security. They are not even willing to acknowledge it was an issue now.

The professionals involved in these congressional offices are the same people writing the laws about cyber security, holding hearings investigating issues of hacking and espionage and demanding flawless operations by small business and others when it comes to their cyber security. These are the same people who are responsible for making highly complex and sensitive decisions about our national security laws, the Patriot Act and FISA courts for example. If they don’t see a problem with this whole situation and/or worse yet, did and ignored it, they should all pack their bags and go home because they are dangerous to our nation’s security.

These are the same people who passed laws with massive fines for those in finance and healthcare who have a breach and generally without regard to how much effort they made to protect the information. They expect perfection in the private sector and yet clearly act with willful neglect in their own government cyber operations. The members of Congress who allowed this to go on were perfectly aware of the issues. They knew there was a background requirement but passed on it out of pure disregard and laziness. In one case the Congressman reportedly admitted he didn't even know the person who was cleared to work on the systems and had allowed another person who was not authorized to do work for them. In one particular case (mentioned in the article) they were allowed to continue while the criminal investigation was conducted knowing the potential damage they could do. Even after they were made aware of significant criminal accusations against the group in question, many members made no effort to ensure that they were removed and isolated from doing further damage. They can no longer feign ignorance at that point.

Members evidently did little if anything to be sure that a professional process of lockout occurred so that passwords shared in the past were reset, and that an investigation of every machine they touched (virtually and physically) was conducted, etc. I think the bottom line is that if they are so clueless that they can’t see the issues here, regulations that demand a clear process be followed with criminal penalties for failure to do so are needed.

To your main point, we are not talking about owners of a bakery, dry cleaners or a restaurant that take credit cards here. We are talking about very sensitive systems that should be guarded like they matter. I agree entirely with you that a strict clearance process should be instituted and rechecks should occur on a regular basis. The needs go far beyond that and need to revolve around operating procedures for who can access what, when and how and what is to be done in recording and monitoring every action they take. We cannot have the proverbial Keystone Cops managing our congressional systems.

Thanks again for commenting. I very much enjoy the dialogue and hope solutions come of it. 


I agree. They created a security disaster and everyone walked away with no impact to their careers. This article was the only mention of this I have seen anywhere. Were any of them representing Louisiana? I ask because I live there and would be careful to not vote for them in any future election.

I especially like your suggestion that a "clear process be followed with criminal penalties for failure to do so." Getting them to create that legislation and passing it is the hard part. I suspect most voters are similarly blithe about information security. Maybe some watchdog group could add that to what they monitor and report. I would like to see "science" or "technology" scores for each of them as well. I suspect low scores there would also track with lack of security awareness. Question to Congress: If your work is not worth protecting, then why do we need you in office?

It would be great, or maybe hilarious, if it became a standard topic for debate. Both the Democratic and the Republican party have had outsiders access their systems. Information security should be a concern worthy of their attention.

Since we can't require members of Congress and all who have access to anything there to have any security 'sense,' formalizing the requirements becomes the best we can hope for. Some of those penalties should forbid the offender from ever again holding any public office, working as a lobbyist or in any portion of the financial industry. After the first member of Congress is fired for a security breach, then we'd see if they can become serious about it.

