Following a reported incident in which an attacker exploited an insecure remote management system at a third-party data center in Finland where NordVPN was renting a server, NordVPN promised five major security updates by the end of October 2019 and has been working on them since. The measures are meant to raise its security to the next level and to assure the public and its users that nothing like it will happen again.
The updates are forward-looking. Some of the steps were already part of NordVPN’s practice, and after the reported breach the company wants to strengthen them; others are new and are intended to earn the trust of the public, the cybersecurity community, and end-users.
1. Partnership with VerSprite
NordVPN is taking action to enhance its security. One of the first steps is a long-term partnership with VerSprite, an operational risk management and security advisory firm.
The partnership covers penetration testing, threat and vulnerability management, compliance management, and assessment services. VerSprite will also help form an independent cybersecurity advisory committee of selected experts to oversee NordVPN’s security practices.
Penetration testers play an essential part in NordVPN’s security efforts: their task is to probe the infrastructure for weaknesses so that vulnerabilities can be fixed before an attacker finds them. That is the reason for the partnership with VerSprite. The agreement will focus on intrusion handling, comprehensive penetration testing, and source code analysis.
NordVPN is also in talks with other established cybersecurity firms to work out improved, cost-effective security practices and better business outcomes.
2. Bug Bounty Program
NordVPN is introducing a bug bounty program in 2020. It will reward security researchers who find potential vulnerabilities and report them to the developers for fixing. The researchers get a well-earned payout, and NordVPN end-users get a service that is scoured for bugs by thousands of people rather than by a single in-house team.
With the program NordVPN expands the scale of its penetration testing to the entire security community. The company already employs in-house penetration testers, enterprising white-hat hackers working to make NordVPN one of the most secure VPNs in the world, but there are only a few of them. The program opens the door to security professionals around the world, who are authorized to probe the company’s systems for flaws, large or small, and are paid for what they find. Anything that could affect the service NordVPN provides qualifies for a reward. It also gives grey- or black-hat hackers who come across a critical flaw a legitimate, easy payday for reporting it instead of exploiting it. In this way the bug bounty program supports the quality and security of the company’s service.
3. Infrastructure Security Audit
For 2020 NordVPN has scheduled a full-scale independent security audit by a third party, covering its software, infrastructure hardware, backend architecture, internal procedures, and backend source code. The vendor will be announced once chosen.
An independent audit is not a first for NordVPN. The company is following the practice of leading VPN providers, who have their servers audited so that users have independent reassurance, rather than only the provider’s word, that the servers are secure.
An earlier audit by one of the Big Four accounting firms found that NordVPN does not store subscribers’ IP addresses and keeps no log of their internet activity. As with any such audit, that is a finding about the logging policy and its implementation as they stood at the time of the review.
4. Vendor Security Assessment and Higher Security Standards
NordVPN is assessing the data centers it uses against the higher security standards the company now has to meet. It plans to build a network of colocated servers that are owned exclusively by NordVPN while still housed in a third-party data center; owning the hardware puts the servers’ management under NordVPN’s control rather than the provider’s, which is the kind of gap an insecure remote management system left in the Finland incident. NordVPN is now completing its infrastructure review so that it can remove any exploitable weaknesses left by third-party service providers, and it is committed to ensuring that the data centers hosting its own servers comply with the highest security standards.
5. Diskless Servers
NordVPN is converting its entire infrastructure, currently over 5100 servers, to RAM-only (diskless) servers. Part of the fleet has already been converted, and the work will continue until 100% of the servers are diskless. A diskless server is more secure than a traditional one in one specific way: RAM loses its contents when power is cut, so a server that is removed from its rack or powered down becomes an empty box of no use to an attacker. This protects against seizure or theft of the hardware; it does not by itself stop an attacker who gains remote access to a running server, which is why the vendor assessment and audits above matter as well.
The conversion creates a centrally controlled network in which nothing is stored locally, not even the operating system: each server loads the OS and its configuration from NordVPN’s central infrastructure at boot and holds them only in memory. Anyone who seizes a server gets a piece of hardware with no data or configuration files on it.
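One way to verify the property described above on a Linux host, as an added example that is not NordVPN’s code or tooling: the script below reads the text of /proc/mounts and /proc/swaps and flags any mount or swap area backed by a local block device or carrying an on-disk filesystem. Both sample tables are constructed for this example; the diskless sample assumes an overlay root over a squashfs image held on tmpfs, which is one common diskless layout and not necessarily NordVPN’s.

```python
"""Check a Linux host's mount and swap tables for local persistent storage.

A diskless server boots its operating system and configuration over the
network into RAM, so nothing should be mounted from a local disk and no
swap should live on one. The check below applies that rule to the text of
/proc/mounts and /proc/swaps. The sample tables are constructed for this
example; they are not captured from any real server.
"""
import re
import sys

# Filesystem types that only make sense on persistent media.
DISK_FS = {"ext2", "ext3", "ext4", "xfs", "btrfs", "f2fs", "jfs",
           "vfat", "exfat", "ntfs", "reiserfs"}

# Block devices whose contents live in RAM. Any other /dev/ node that is
# mounted as a filesystem or used as swap is treated as a persistent disk.
RAM_BLOCK = re.compile(r"^/dev/(ram|loop|zram)\d+$")


def _unescape(field):
    """Decode the \\ooo octal escapes /proc uses for spaces and tabs in paths."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Yield (source, mountpoint, fstype, options) tuples from /proc/mounts text."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        source, mountpoint, fstype, options = (_unescape(p) for p in parts[:4])
        yield source, mountpoint, fstype, options.split(",")


def persistent_mounts(mounts_text):
    """Return (source, mountpoint, fstype, writable) for every mount that is
    backed by a local persistent block device or uses an on-disk filesystem."""
    findings = []
    for source, mountpoint, fstype, options in parse_mounts(mounts_text):
        on_block_device = source.startswith("/dev/") and not RAM_BLOCK.match(source)
        if on_block_device or fstype in DISK_FS:
            findings.append((source, mountpoint, fstype, "rw" in options))
    return findings


def disk_swap(swaps_text):
    """Return (path, type) for every swap area in /proc/swaps that is not RAM-backed."""
    findings = []
    for line in swaps_text.splitlines()[1:]:   # first line is the column header
        parts = line.split()
        if len(parts) < 2:
            continue
        path = _unescape(parts[0])
        if not RAM_BLOCK.match(path):
            findings.append((path, parts[1]))
    return findings


def is_diskless(mounts_text, swaps_text):
    """True when neither table shows local persistent storage in use."""
    return not persistent_mounts(mounts_text) and not disk_swap(swaps_text)


# Constructed sample: overlay root over a squashfs image held on tmpfs,
# configuration fetched from a central server, zram swap only.
DISKLESS_MOUNTS = r"""
overlay / overlay rw,relatime,lowerdir=/run/rootfs,upperdir=/run/upper,workdir=/run/work 0 0
/dev/loop0 /run/rootfs squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=8k,nr_inodes=2048,mode=755 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
10.0.0.5:/config /etc/vpn nfs4 ro,relatime,vers=4.2 0 0
"""
DISKLESS_SWAPS = "Filename\tType\tSize\tUsed\tPriority\n/dev/zram0 partition 1048572 0 100\n"

# Constructed sample: a traditional host with disk partitions, an LVM volume,
# a bind mount whose path contains a space, and disk-backed swap.
DISK_MOUNTS = r"""
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /boot ext4 rw,relatime 0 0
/dev/mapper/vg0-var /var xfs rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sda1 /srv/my\040data ext4 ro,relatime 0 0
"""
DISK_SWAPS = "Filename\tType\tSize\tUsed\tPriority\n/dev/sda3 partition 2097148 0 -2\n"


def report(mounts_text, swaps_text):
    """Print the findings and return the verdict for the caller."""
    for src, mp, fs, writable in persistent_mounts(mounts_text):
        print(f"persistent mount: {src} on {mp} ({fs}, {'rw' if writable else 'ro'})")
    for path, kind in disk_swap(swaps_text):
        print(f"disk-backed swap: {path} ({kind})")
    verdict = is_diskless(mounts_text, swaps_text)
    print("verdict:", "diskless" if verdict else "local persistent storage present")
    return verdict


if __name__ == "__main__":
    print("-- constructed diskless host --")
    report(DISKLESS_MOUNTS, DISKLESS_SWAPS)
    print("-- constructed traditional host --")
    report(DISK_MOUNTS, DISK_SWAPS)
    if "--live" in sys.argv[1:]:
        # Check the machine this runs on (Linux only).
        with open("/proc/mounts") as m, open("/proc/swaps") as s:
            report(m.read(), s.read())
```

Run it with `--live` on a Linux host to check the actual machine. Two limits are worth knowing: loop, ram and zram devices are treated as volatile, so confirm with `losetup --list` that no loop device is set up over a raw disk partition; and the check only shows that nothing persists locally, not that the boot image and configuration were fetched over an authenticated channel, which is where a diskless fleet moves its trust.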
Recently, one of those 5100 servers was accessed by an unauthorized third party: a malicious actor gained access to a single server in Finland because of a mistake by the data center provider. NordVPN was not initially aware of the incident, but says it is confident that no customer data was accessed or affected. The service as a whole was not compromised, the code was not touched, the VPN tunnel was not breached, and the NordVPN apps were unaffected.
NordVPN is a founding member of the VPN Trust Initiative (VTI), a coalition of leading VPN providers that speaks with one voice on US internet and cybersecurity policy. The VTI aims to bring about change by reaching out to legislators, technologists, and end-users. It seeks to self-regulate the industry and change the trajectory of VPNs through advocacy and through the creation and validation of policies that strengthen trust and transparency while mitigating risk for end-users.