Question / Problem
We are looking to hire a freelance professional to help us with important initiatives. The freelancer will need to connect to our network via a VPN using their own personal laptop. In order to ensure the security of our systems prior to granting access, what are some critical cybersecurity protocols that need to be implemented?
We have implemented all necessary measures, including signing a Non-Disclosure Agreement (NDA). Is it necessary to conduct any security pre-assessments with the freelancer? Are there any other further ideas or suggestions you would like to offer?
Answer / Solution
Deploy the following measures:
- Privileged Access Management (PAM)
- Multifactor Authentication (MFA)
- Principle of Least Privilege (PoLP)
- Network segmentation: Segment your network to ensure that third-party access is limited to a specific portion of your network, thereby protecting sensitive systems and data from unauthorized access.
- A Virtual Private Network (VPN) provides an additional layer of security to ensure secure transmission of sensitive data between your network and a third party by encrypting all data sent. This provides an added layer of security for confidential information.
- Security Information and Event Management (SIEM) for log and event management: It is recommended to engage a third party to monitor and log all access to your network in order to detect any potential unauthorized or suspicious activity and take the necessary corrective measures.
- Risk Assessment
- Third-party Access Policy Management
- Sign a contract agreement: This Agreement is intended to define the scope, payment terms, and other relevant details related to the access and use of the network and services. All parties should consider and agree to the terms and conditions outlined herein prior to signing.
Additional reference: NIST > Privileged Account Management for the Financial Services Sector
Notice: To maintain an adequate understanding of risk, the organization must deploy and maintain a comprehensive risk analysis function.
I have compiled a list of questions for which I seek responses from freelance individuals. Furthermore, I will include a clause in the agreement that any misleading or inaccurate information provided in response to any of these questions will constitute a breach of the Non-Disclosure Agreement (NDA).
- Is your device for remote access official or personal?
- Have you installed an antivirus/antimalware program on your device?
- What antivirus/antimalware program do you have installed?
- Is the automatic update feature enabled for your antivirus/antimalware software and when was the last update?
- Is real-time scanning enabled for your antivirus/antimalware software, and does it scan all elements for potential threats? Has your device recently undergone a virus scan?
- Does your antivirus/antimalware software offer protection against malicious websites and phishing attempts?
- Have there been any security incidents or virus/malware infections on your device in the past two months?
- What operating system is installed on your device?
- Have all the latest operating system updates and patches been installed?
- Are there any potentially risky software applications installed on your device that could pose a security threat if granted remote access?
- Have you installed the necessary remote software on your device, such as TeamViewer, AnyDesk, or LogMeIn?
- What web browser do you use and is it up to date with the latest security patches?
- Is your device’s hard disk encrypted for sensitive data protection?
- Are you using any third-party VPN software for anonymity or privacy?
- Do you have multi-factor authentication on your email?
- Can you provide information on your work session access times and location (public, home, office, etc.) to align with the agreed schedule?
Ensure that a comprehensive VPN Audit Program is in place, incorporating the following components:
- Confirm a list of employees and/or contractors with VPN access exists.
- Confirm that their access is authorized and in line with their roles.
- Confirm that their access is reviewed in line with VPN / user access policies.
- Obtain a sample of recent user departures/moves and confirm that VPN privileges for these users have been deactivated or modified in line with their new roles or employment status.
- Confirm that no nonhuman users (e.g., bots) are connecting to the VPN.
- Confirm that a list of vendors with VPN access is maintained.
- Confirm that business owners manage vendors with VPN access and that appropriate business owners have authorized that vendor access.
- Confirm opening hours for VPNs. Confirm that out-of-hours access has been authorized.
- Confirm that vendors notify the enterprise when their employees leave.
- Confirm that vendor access is reviewed in line with VPN / user access policies.
- Obtain a sample of recent user departures/changes in position responsibilities and confirm that VPN privileges for these users have been deactivated or modified in line with their new employment statuses.
- Determine whether specific vendor access policies need inclusion for segmentation to restrict access to what the vendor needs.
- Confirm that the VPN generates logs containing information that establishes the identity of any individual or process associated with the event.
- Confirm that the VPN generates logs containing information to establish where the events occurred.
- Confirm that the VPN is configured to protect audit information from unauthorized deletion or accidental loss.
- Confirm that the VPN provides centralized management and configuration of content to be captured in log records.
- Confirm that the VPN is configured to perform an enterprise-defined action if the audit reveals unauthorized activity.
- Examine logs to determine whether they contain information about the success or failure of client connection attempts or other events.
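The last few audit items (identity and location in each log record, out-of-hours access, non-human accounts, and the success or failure of client connection attempts) can be checked mechanically once the VPN logs are exported. The script below is an added example, not part of the original answer: it parses a constructed sample of VPN log lines (the line format, the authorized-user list, the opening hours and the service-account prefixes are all assumptions for illustration) and reports the findings an auditor would want to follow up on.

```python
"""Audit constructed VPN connection log lines against the checks listed above.

Added example; the log format and the policy values are assumptions, not a
real VPN product's output.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log (not real data). Assumed format per line:
# "<ISO timestamp> user=<name> src=<ip> result=<success|failure>"
SAMPLE_LOG = """\
2024-05-06T09:12:03 user=alice src=203.0.113.10 result=success
2024-05-06T09:15:44 user=svc-backup src=198.51.100.7 result=success
2024-05-06T23:41:09 user=bob src=203.0.113.22 result=success
2024-05-06T10:02:11 user=carol src=192.0.2.9 result=failure
2024-05-06T10:02:15 user=carol src=192.0.2.9 result=failure
2024-05-06T10:02:20 user=carol src=192.0.2.9 result=failure
2024-05-06T11:30:00 user=dave src=203.0.113.5 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Assumed policy inputs (hypothetical values for the example)
AUTHORIZED_USERS = {"alice", "bob", "carol", "dave"}   # the maintained access list
OPENING_HOURS = (time(8, 0), time(18, 0))              # VPN "opening hours"
NONHUMAN_PREFIXES = ("svc-", "bot-")                   # naming convention for non-human accounts
FAILURE_THRESHOLD = 3                                  # repeated failures worth reviewing


@dataclass
class VpnEvent:
    ts: datetime   # when the event occurred
    user: str      # identity associated with the event
    src: str       # where the event came from
    result: str    # success or failure of the connection attempt


def parse_log(text):
    """Turn raw log text into VpnEvent records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(VpnEvent(datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]))
    return events


def outcome_counts(events):
    """Per-user counts of successful and failed connection attempts."""
    counts = {}
    for e in events:
        counts.setdefault(e.user, {"success": 0, "failure": 0})[e.result] += 1
    return counts


def audit(events, authorized=AUTHORIZED_USERS, hours=OPENING_HOURS):
    """Return (finding_type, user) tuples for events that breach the assumed policy."""
    findings = []
    for e in events:
        if e.user not in authorized:
            findings.append(("unauthorized_user", e.user))
        if e.user.startswith(NONHUMAN_PREFIXES):
            findings.append(("nonhuman_account", e.user))
        if e.result == "success" and not (hours[0] <= e.ts.time() <= hours[1]):
            findings.append(("out_of_hours", e.user))
    for user, c in outcome_counts(events).items():
        if c["failure"] >= FAILURE_THRESHOLD:
            findings.append(("repeated_failures", user))
    return findings


if __name__ == "__main__":
    for kind, user in audit(parse_log(SAMPLE_LOG)):
        print(f"{kind:20s} {user}")
```

Each finding maps to one of the audit items above: an account outside the maintained list, a non-human account connecting, a successful login outside opening hours that should have been pre-authorized, and a run of failed attempts that the enterprise-defined response should pick up. Running it against a real export only requires replacing the regular expression with the product's actual log format.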
To maximize security, deploy multi-factor authentication across all systems and devices. All employees and any third-party users of our network must create unique and complex passwords on all devices that access the company’s network: 10-12 characters, of which:
- 1-2 are CAPITAL letters
- 1-2 are numbers
- Include special characters also (!'#$%')
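Where the password rules above are enforced on a self-service portal or a VPN account provisioning script, a small checker keeps the policy consistent across systems. The function below is an added example, not from the original answer: it implements the rules exactly as written (length 10-12, one or two capital letters, one or two digits, at least one of the listed special characters) and returns every violated rule rather than a bare yes/no, so the user is told what to fix.

```python
"""Password rule checker for the policy stated above (added example).

The special-character set is the one shown in the answer; extending it to
all punctuation is a one-line change.
"""

SPECIAL_CHARS = set("!'#$%")


def check_password(pw, min_len=10, max_len=12):
    """Return a list of violated rules; an empty list means the password passes."""
    problems = []
    if not (min_len <= len(pw) <= max_len):
        problems.append(f"length {len(pw)} is not between {min_len} and {max_len}")

    uppers = sum(1 for c in pw if c.isupper())
    digits = sum(1 for c in pw if c.isdigit())
    specials = sum(1 for c in pw if c in SPECIAL_CHARS)

    # Rules as stated: 1-2 capitals, 1-2 numbers, special characters included
    if not 1 <= uppers <= 2:
        problems.append(f"{uppers} capital letters; policy requires 1-2")
    if not 1 <= digits <= 2:
        problems.append(f"{digits} numbers; policy requires 1-2")
    if specials == 0:
        problems.append("no special character from " + "".join(sorted(SPECIAL_CHARS)))
    return problems


def password_ok(pw):
    """Convenience wrapper for callers that only need a boolean."""
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ("Secur3!pass", "password", "ABCDEF1!xyz1"):
        print(candidate, check_password(candidate) or "OK")
```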