As much as we’d like to be 100% protected from hackers 100% of the time, the truth is that there are no foolproof security measures. That doesn’t mean you shouldn’t layer your security to make it harder for hackers to gain access. The recent NordVPN security incident was a wake-up call for the company to bolster its security measures, and that’s what it is doing.
The recent security incident involved a third-party data center in Finland, and while it didn’t impact the number of users initially reported, NordVPN is still addressing the situation. According to the company, the hacker accessed only one server, and the data center owner was responsible for the mistakes that caused the incident.
NordVPN has partnered with cybersecurity consulting firm VerSprite. The partnership will include threat and vulnerability management, penetration testing, compliance management, and assessment services. VerSprite will also help to form an independent cybersecurity advisory committee, which will consist of selected experts and oversee NordVPN’s security practices.
“We are planning to use not only our own knowledge but to also take advice from the best cybersecurity experts and implement the best cybersecurity practices there are,” says Laura Tyrell, Head of Public Relations at NordVPN. “And this is the first of many steps we are going to take in order to bring the security of our service to a whole new level.”
The company outlined how it is addressing this security incident and what it is doing to reduce the possibility of future incidents. Here are the company’s five points:
- Partnership with the top cybersecurity consulting firm VerSprite: Penetration testers are a key part of NordVPN’s security efforts. Their job is to prod the infrastructure for weaknesses and mitigate the vulnerabilities. That’s why NordVPN is engaging in a long-term strategic partnership with VerSprite, a leading cybersecurity consulting firm. VerSprite will work with NordVPN’s in-house team of penetration testers to challenge the infrastructure and ensure the security of customers. The main tasks covered in the new agreement include comprehensive penetration testing, intrusion handling, and source code analysis. VerSprite will also help to form an independent cybersecurity advisory committee.
- Bug bounty program: Over the next few weeks, NordVPN is going to introduce a bug bounty program. Bug bounties reward cybersecurity experts for catching potential vulnerabilities and reporting them to the developers so they can be fixed. Bounty hunters will get a well-earned payout, and NordVPN users will get a service they know is scoured for bugs by thousands of people every day to make it as secure as possible.
- Infrastructure security audit: NordVPN is planning to complete a full-scale third-party independent security audit in 2020. The audit will cover the infrastructure hardware, VPN software, backend architecture, backend source code, and internal procedures. The chosen vendor for the security audit will be announced in the future.
- Vendor security assessment and higher security standards: NordVPN is planning to build a network of collocated servers. While still located in a data center, collocated servers are wholly owned by NordVPN. NordVPN is currently finishing its infrastructure review so that it can eliminate any exploitable vulnerabilities left by third-party server providers. NordVPN is committed to ensuring that its exclusively owned data centers maintain the highest security standards.
- Diskless servers: NordVPN is planning to upgrade its entire infrastructure (currently featuring over 5100 servers) to RAM servers. This will allow the company to create a centrally controlled network where nothing is stored locally, not even an operating system. Everything the servers need to run will be provided by NordVPN’s secure central infrastructure. If anyone seizes one of these servers, they’ll find an empty piece of hardware with no data or configuration files on it.
“The changes we’ve outlined will make you significantly safer every time you use our service. Every part of NordVPN will become faster, stronger, and more secure – from our infrastructure and code to our teams and our partners,” says Laura Tyrell. “That’s our promise – we owe it to you.”