Lance Bellers - Fotolia

Tip

Imran Awan case shows lax security controls for IT staff

Investigations into the conduct of the IT staff of the House of Representatives raised alarms. Kevin McDonald explains what we can learn from the case of Imran Awan.

Those who operate with high-level system access, such as IT administrators, possess immense and potentially devastating control. With even partial domain or local administrator access, a tech-savvy individual can observe every action performed on a system. They can add programs designed to spy on users, damage systems or data, redirect data flows and communications, or fully reproduce every bit of data contained on the systems they control. They can pretend to be a user and take action as if they are that user.

I have been involved in investigations where data was deleted, information was exfiltrated, money was stolen and clients were locked out of their own systems, and even extorted by staffers with information they gained from systems access. This means that the utmost care must be taken in selecting these technology professionals, determining their access and monitoring their behaviors.

In particular, sensitive systems in government, defense and finance should be accessed and supported only by those with impeccable work history, experience, knowledge and character. If issues or questions arise about their conduct, they should have their access immediately revoked until an investigation can be completed. There is no room for leniency or error until the concerns are alleviated.

This brings me to the Imran Awan case. Awan spent more than a decade with deep access and substantial control over the computers of dozens of members of Congress.

Awan started his Capitol Hill work in 2004, providing IT support for Rep. Robert Wexler (D-Fla). In 2005, Awan began working for Debbie Wasserman Schultz (D-Fla). His two brothers, Jamal Awan and Abid Awan, also started working with the House of Representatives later that year. Awan's wife, Hina Alvi, joined the Capitol Hill payroll in 2007 as a member of the House IT staff.

Over the next decade, the Awan family's access grew to more than two dozen members of congress and scores of staffers. The Imran Awan case has revealed serious cracks in how Congress addresses red flags associated with its House IT staff.

Allegations of improper conduct

The Imran Awan case dates back to 2016, when investigators in the Office of the Inspector General (IG) began investigating Imran, Jamal and Abid Awam and Hina Alvi. The Washington Post reported IG investigators were watching the Awans for months and grew concerned when they found the employees may have been accessing congressional servers without authorization, and that they "could be reading and/or removing information." The alleged misconduct, along with additional alleged illegal activities Imran has been accused of committing, led to the removal of the Awan family's network access on Feb. 2, 2017.

While Imran Awan and his family members had their systems access revoked and most members of Congress fired the group last March, Wasserman Schultz kept Imran Awan on as a consultant. Awan remained on the payroll in the employ of Wasserman Schultz until the day after Awan was arrested by the FBI and U.S. Capitol Police at Washington Dulles International Airport on July 24, 2017, as he was about to leave the county to Lahore, Pakistan.

According to a federal affidavit and criminal complaint in the Imran Awan case, the flight was scheduled after Awan transferred nearly $283,000 to Faisalabad, Pakistan earlier that year. Bank records show that $165,000 of the funds transferred was obtained through an alleged fraudulent home loan for Awan's Alexandria, Va., property that was funded on Jan. 12, 2017. The loan was obtained through the Congressional Federal Credit Union. According to the same federal affidavit, the home equity line of credit loan was for Awan's rental home, which was reported to be his primary residence, which, if true, is against the law.

Imran Awan was charged with bank fraud, conspiracy to commit bank fraud, engaging in unlawful monetary transactions and making false statements. Currently, he has not been charged with any crimes related to his conduct as a member of the House IT staff.

However, according to Politico, a second investigation by U.S. Capitol Police into the Awans, as well as another IT staff member named Rao Abbas, found that the group had allegedly stolen computer equipment from House members' offices. This alleged theft is believed to involve hundreds of thousands of dollars in equipment, though no arrests or charges have been filed yet against the other members of the group.

Imran Awan, meanwhile, pleaded not guilty to fraud and conspiracy, and he was released from jail on monitored release with a temporary curfew and a GPS monitor.

Potential risks posed by IT staff

It's unclear how much access the Awans had to various user accounts within Congress. Many IT staff members are, unfortunately, provided unfettered access to user account passwords, and they can even request and maintain copies of passwords for those they support on a regular basis.

This is a huge violation of basic security practices and -- in many cases -- the law, but it happens every day. It happens because IT staff often, for whatever reasons, want access to systems they do not need or are too inexperienced to handle. At times, it may be for an impatient executive or user who simply says, "Just do it and let me know when it is done."

I have been involved in many internal investigations for clients where we found IT staff reading emails of company executives, peers and even love interests. We have caught IT staff abusing privileged access to look at confidential business plans, payroll and HR documents, and even intimate images kept in personal folders on phones and laptops. If, for any reason, temporary access is needed, it should never be done unattended, and passwords should be reset immediately when questions arise.

One should never share their password with anyone, and I would even say especially with IT staff. If IT needs your password to see your experience with a particular issue, then it should be done in your presence, and you should enter the password without them observing it being entered.

Sharing your password completely destroys accountability for the actions taken by a user account. It makes criminal prosecution and even employment actions very difficult, if not impossible. It can also cause problems with government records or business records if there is no way to accurately verify who accessed or modified them.

Use of multifactor authentication can help with protecting user accounts, although this may not prevent access, especially if email is used for the other factor and IT has access to the email server as an administrator.

Lessons learned from the Imran Awan case

Despite an ongoing investigation into potential misconduct, these members of the House IT staff were allowed to continue working as administrators for nearly a year. Additionally, Imran Awan was allowed to continue working as an IT admin for several months with restricted network access despite obvious red flags.

The Foundation for Accountability and Civic Trust, a conservative watchdog group, filed an ethics complaint against Wasserman Schultz.

"It appears that Wasserman Schultz permitted an employee to remain on the House payroll in violation of ethics rules," Executive Director Matthew Whitaker wrote in a letter to Congress. "After Awan was barred from accessing the House computer system, Wasserman Schultz continued to pay Awan with taxpayers' funds for IT consulting -- a position that he could not reasonably perform."

Regardless of whether Awan is found guilty, the response from members of Congress should be concerning. When challenged about why she allowed a person under criminal investigation to continue to access the building -- where computers are stored and used -- to assist with IT issues, Wasserman Schultz defended her actions by telling reporters that IT admins could assist with issues without having network access, and that IT support included other elements besides the network, such as phones, printers and software.

There should be a top-down investigation into the hiring, monitoring and termination practices of Congressional members' IT staff, and new protocols need to be instituted.

Let's break it down from an IT security perspective. First, Wasserman Schultz implies that allowing someone under criminal investigation to remain in proximity to sensitive computers and the network equipment connected to it is no big deal. Second, she goes on to say that, basically, phones, printers, the website and software are nothing to worry about, despite the fact that malware placed on any of the above can lead to systems' access. Even without gaining system access, key loggers and other data capture malware can, in fact, steal copies of everything a House member or staffer is doing.

In addition, these devices can be used as jump points by threat actors looking to move laterally. Network connectivity from phones, printers and software can also potentially enable a threat actor to gain direct access depending on the network's configuration. Phone software can be installed that captures calls, emails, texts and other information.

The lack of concern and perspective on the potential risks posed by Imran Awan is alarming.

Conclusion

It's unclear what will come of the Imran Awan case. Even if it does not rise to the level of espionage, it should be a massive wakeup call about who is being allowed to access congressional IT systems and other sensitive government computers.

There should be a top-down investigation into the hiring, monitoring and termination practices of Congressional members' IT staff, and new protocols need to be instituted. All access to sensitive systems should be monitored, and records of employee and contractor activity must be checked on a regular basis.

When potential illicit activity is found, account lockout and suspension with pay should be immediate. If nothing is found, staff members can be allowed to continue working. If misconduct or illegal activity is found, then an account lockout can prevent further damage or destruction of evidence.

This case is an example of negligence trumping security and, worse yet, common sense. Awan's alleged activities and the way many handled themselves, from the hiring to the response in the wake of the investigation, should concern us all.

Dig Deeper on Security operations and management

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close