Heard of Imran Awan? Just another IT consultant serving the U.S. Congress, until recently. Awan is a Pakistani IT specialist who was hired, along with family members, by certain U.S. Congress representatives over a period of several years. Awan, his family, and his team members earned several million dollars, some of it for IT personnel who did not even show up for work. In July 2017, Awan was arrested by the FBI and Capitol Police at Washington Dulles International Airport for bank fraud while attempting to leave the U.S. for Pakistan. He allegedly was involved in a series of questionable financial transactions and was implicated in the misuse of sensitive data, including personal emails and possibly classified information. In early 2017, Awan and members of his IT team had been identified as suspects in a criminal investigation by the U.S. House of Representatives security services and the FBI. The suspicion concerned serious and potentially illegal violations of the House IT network. By July, Awan had been fired by all of the U.S. Congress members who had previously hired him and his family members. SMBs should take this incident as a “lesson learned” in performing proper due diligence before hiring an IT company that will be given access to sensitive data. Proper due diligence helps mitigate the financial, operational, and reputational risks associated with an unscrupulous IT vendor.
Getting into some of the details, Awan and his family worked for more than two dozen members of the U.S. House of Representatives for several years. These representatives included some members of the data-sensitive House Intelligence and Foreign Affairs committees. According to various press reports, Awan and two brothers working part-time for the House earned approximately $4 million over a period of eight years. When Awan was identified as a suspect in February 2017, he and his family members were blocked from access to the House IT network. Later, pretending to be his wife, Awan wired $283,000 to Pakistan. Following the transfer, his wife left the country with over $12,000 in cash, and Awan attempted to flee the U.S. from Dulles airport to Pakistan. During the criminal investigation, a laptop computer and other stolen IT equipment that Awan had hidden were found in the Rayburn House Office Building, occupied by the U.S. House of Representatives. Also, prior to his arrest, the FBI seized smashed computer hard drives at his home. Alleged crimes committed by Awan include illegal financial transactions, insurance fraud, no-show jobs, home loan violations, and others.
The FBI’s apparent interests included theft of government computers, possible exploitation of sensitive information stored on the House computer network, espionage, and bank fraud.
Hiring IT Providers Mandates Due Diligence
Too often, small and medium-sized businesses (SMBs) evaluating third-party IT companies do not give proper weight to the number of years in business, integrity, trustworthiness, and client references. Many times, SMBs establish a common list of IT tasks to be performed by potential vendors, then compare prices as the primary differentiator. In the case of Imran Awan, after learning of potential criminal activity, U.S. Congress representatives questioned the background checks done on Awan and his IT team. It appears preventive background checks and security measures were inadequate. Naturally, SMBs should avoid being in the similar position of questioning their due diligence only after an IT exposure or breach is discovered.
Screening should start with checking out a vendor’s website, including office location(s), phone number(s), management team, and staff. It is important to understand how long the IT vendor under consideration has been in business and types of clients the company has supported. Also, backgrounds of their people and management team should be understood and evaluated. Employees of IT firms should have received background checks including U.S. employment eligibility and criminal records. A distinction to understand is how many of the IT firm’s employees are full-time regular employees versus part-time or contracted workers.
Naturally, the financial health of the IT company should be determined. This ties back to the question of how long the company has been in business. The ratio of full-time employees to part-time and contracted staff can also be an indicator of financial condition.
Partnerships, associations, and other affiliations are indicators of an IT vendor’s industry standing. Certifications with these entities can also help to verify the credibility of the IT company.
With respect to IT and data security infrastructure and processes, IT providers should comply with applicable industry standards and regulatory requirements. Examples include the Center for Internet Security (CIS) Critical Security Controls, the National Institute of Standards and Technology (NIST) cybersecurity standards, and the Health Insurance Portability and Accountability Act (HIPAA) rules.
Center for Internet Security (CIS)
The “Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense” is a publication of best-practice guidelines for computer security. This publication was initially developed by the SANS Institute, a global cooperative research and education organization that facilitates collaboration among security practitioners across the entire information security industry. SANS (SysAdmin, Audit, Network, and Security) provides training designed to help IT personnel defend against the most dangerous security threats. Ownership of the publication was eventually transferred from SANS to CIS in 2015. The CIS guidelines consist of 20 critical security controls (CSC), which are actions organizations should take to block or mitigate known attacks. The controls are based mostly on automated processes that provide actionable recommendations for cyber security.
The following are just a few of the topics covered in the CIS publication:
- Email and Web Browser Protections
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Vulnerability Assessment and Remediation
- Administrative Privileges
- Malware (Malicious Software) Defenses
- Data Recovery
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Security Skills Assessment and Appropriate Training to Fill Gaps
- Application Software Security
- Incident Response and Management
- Penetration Tests
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce, is one of the nation’s oldest physical science laboratories. NIST’s cybersecurity program supports its overall mission to promote U.S. innovation and industrial competitiveness. Its cybersecurity standards and best practices address interoperability, usability, and privacy. NIST’s cybersecurity programs are designed to enable practical, innovative security technologies and methodologies. A few of the topics addressed by NIST include:
- Configuration & vulnerability management
- Cybersecurity education & workforce development
- Identity & access management
- Risk management
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is U.S. legislation that provides data privacy and security provisions for safeguarding medical information. Under this act, the U.S. Department of Health & Human Services publicizes standards for the electronic exchange, privacy and security of health information.
The standards mandate that healthcare providers take proactive steps towards becoming HIPAA compliant. Covered entities (physician practices, clinics, and hospitals) must update their HIPAA policies, procedures, forms, and notices of privacy practices, and implement other changes required by the legislation. The healthcare providers and their Business Associates (including IT providers) must manage Protected Health Information (PHI) and comply with the federal HIPAA Privacy and Security regulations or face substantial penalties. Part of due diligence for healthcare covered entities is to ensure that any hired IT companies are compliant with HIPAA guidelines and rulings.
In summary, the U.S. Congress’s hiring and retention of Imran Awan, with apparently inadequate initial screening and ongoing due diligence, should be taken as a “lesson learned” for SMBs. Key to evaluating a potential new IT provider is speaking with multiple customers of the firm to help determine its credibility and ability to deliver on its promises. Knowing the trustworthiness and security practices of your IT provider is critical to managing and protecting your company’s data, finances, operations, and reputation.