A company has several internal-only, web-based applications on the internal network. Remote employees are allowed to connect to the internal corporate network with a company-supplied VPN client. During a project to upgrade the internal application, contractors were hired to work on a database server and were given copies of the VPN client so they could work remotely. A week later, a security analyst discovered an internal web-server had been compromised by malware that originated from one of the contractor’s laptops.

Which of the following changes should be made to BEST counter the threat presented in this scenario? (choose one and why)

1. Create a restricted network segment for contractors and set up a jump box for the contractors to use to access internal resources.
2. Deploy a web application firewall in the DMZ to stop Internet-based attacks on the webserver.
3. Deploy an application layer firewall with network access control lists at the perimeter, and then create alerts for suspicious Layer 7 traffic.
4. Require the contractors to bring their laptops on site when accessing the internal network instead of using the VPN from a remote location.
5. Implement NAC to check for updated anti-malware signatures and location-based rules for PCs connecting to the internal network.