Security – Best practices for 3rd party users
Uncategorized
September 29th, 2020
SANS ISC shares best security practices for non-employees, who are often clients, business partners, vendors, etc. The theme is to always “verify before you fully trust”. Additionally, admins must continuously log and monitor security events and implement the best technical defenses for all users.
https://isc.sans.edu/forums/diary/Managing+Remote+Access+for+Partners+Contractors/26614/
Here are some tips to increase the operations security when working with third-parties.
- Know who’s behind the keyboard. Are the third-party employees on the payroll and dedicated to you (read: they know you and your business)? Are they also contractors? Are they located in the same country as yours?
- Unless it’s mandatory, do not keep the remote access open 24×7. All access requests must be approved following a procedure.
- Do not grant full access to your infrastructure. Restrict the third party’s rights to the minimum resources needed to perform its job (least privilege). Keep segmentation in mind. Restrict its access to a jump host that will be used to enforce more security controls.
- Keep logs of who did what, when, why, and from where. Log everything: all connections, all commands.
Example: Detect an unforeseen connection from an unusual location outside business hours.
- Keep an inventory of your partners and the software they have installed. Force them to upgrade it and audit its settings.
- Enable the security settings available in the deployed tools.
Example: Enable MFA, activate client-side certificates, provide security tokens.
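The logging tip above ends with a concrete detection goal: spot a connection from an unusual location outside business hours. The script below, an added example that is not part of the SANS ISC diary or this post, shows how a reviewer could run that check over remote-access logs using the partner inventory the list also recommends. The log line format, the partner inventory (`PARTNERS`), the business-hours window and the sample log lines are all constructed assumptions; it goes slightly beyond the text by also flagging partners missing from the inventory and connections with no approval ticket, matching the "approved following a procedure" tip.

```python
"""Review third-party remote-access logs against a partner inventory.

Added example (not from the SANS ISC diary or the blog post). The log
format, the partner inventory and the business-hours window are all
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List

# Assumed partner inventory: which countries each partner connects from,
# and whether an approval ticket is required for the access window.
PARTNERS: Dict[str, dict] = {
    "acme-support": {"countries": {"BE"}, "needs_ticket": True},
    "globex-dev": {"countries": {"FR", "DE"}, "needs_ticket": True},
}

# Assumed business hours (local time) during which partner access is expected.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday


@dataclass
class AccessEvent:
    ts: datetime
    partner: str
    user: str
    src_ip: str
    country: str
    ticket: str  # "-" when no approval ticket was supplied


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed log line, e.g.
    2020-09-29T14:05:12 partner=acme-support user=jdoe src=203.0.113.5 country=BE ticket=CHG-1234
    """
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AccessEvent(
        ts=datetime.fromisoformat(ts_text),
        partner=kv["partner"],
        user=kv["user"],
        src_ip=kv["src"],
        country=kv["country"],
        ticket=kv.get("ticket", "-"),
    )


def findings_for(ev: AccessEvent) -> List[str]:
    """Return the policy deviations for one event (empty list = clean)."""
    out: List[str] = []
    profile = PARTNERS.get(ev.partner)
    if profile is None:
        return [f"unknown partner '{ev.partner}' (not in inventory)"]
    if ev.country not in profile["countries"]:
        out.append(f"connection from unexpected country {ev.country} ({ev.src_ip})")
    outside_hours = (
        ev.ts.weekday() not in WORKDAYS
        or not (BUSINESS_START <= ev.ts.time() <= BUSINESS_END)
    )
    if outside_hours:
        out.append(f"connection outside business hours at {ev.ts.isoformat()}")
    if profile["needs_ticket"] and ev.ticket == "-":
        out.append("no approval ticket referenced")
    return out


def review(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged log line to its findings; clean lines are omitted."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        findings = findings_for(parse_line(line))
        if findings:
            report[line] = findings
    return report


# Constructed sample log lines (2020-09-29 is a Tuesday, 2020-10-03 a Saturday).
SAMPLE_LOG = [
    "2020-09-29T14:05:12 partner=acme-support user=jdoe src=203.0.113.5 country=BE ticket=CHG-1234",
    "2020-09-29T23:41:03 partner=acme-support user=jdoe src=198.51.100.7 country=US ticket=-",
    "2020-10-03T10:12:45 partner=globex-dev user=asmith src=192.0.2.9 country=DE ticket=CHG-1300",
    "2020-09-29T09:30:00 partner=unlisted-corp user=x src=192.0.2.44 country=FR ticket=-",
]

if __name__ == "__main__":
    for flagged_line, findings in review(SAMPLE_LOG).items():
        print(flagged_line)
        for finding in findings:
            print("   -", finding)
```

Of the four constructed lines, only the first is clean; the second triggers all three checks at once (wrong country, late at night, no ticket), which is exactly the "unforeseen connection" the tip describes. In practice the inventory and the approval-window data would come from the partner register and the change-management system rather than being hard-coded.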