Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

10/29/2019
10:05 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

NordVPN Lists 5 Measures to Supercharge Its Security

NordVPN signs a strategic partnership with VerSprite, a leading cybersecurity consulting firm.

October 29, 2019. In the aftermath of a security incident involving NordVPN and a third-party data center, the company is taking action to enhance its security. One of the first moves is a long-term strategic partnership with VerSprite — one of the leading cybersecurity consulting firms.

The partnership will include threat and vulnerability management, penetration testing, compliance management and assessment services. VerSprite will also help to form an independent cybersecurity advisory committee, which will consist of selected experts and oversee NordVPN’s security practices.

“We are planning to use not only our own knowledge, but to also take advice from the best cybersecurity experts and implement the best cybersecurity practices there are,” says Laura Tyrell, Head of Public Relations at NordVPN. “And this is the first of many steps we are going to take in order to bring the security of our service to a whole new level.”

According to NordVPN, they are ready to take action in five different fields to become more secure than ever. Here’s the list of the planned measures:

1. Partnership with the top cybersecurity consulting firm VerSprite. Penetration testers are a key part of NordVPN’s security efforts. Their job is to prod the infrastructure for weaknesses and mitigate the vulnerabilities. That’s why NordVPN is engaging in a long-term strategic partnership with VerSprite, a leading cybersecurity consulting firm.

 

VerSprite will work with NordVPN’s in-house team of penetration testers to challenge the infrastructure and ensure the security of customers. The main tasks covered in the new agreement include comprehensive penetration testing, intrusion handling, and source code analysis. VerSprite will also help to form an independent cybersecurity advisory committee.

2. Bug bounty program. Over the next few weeks, NordVPN is going to introduce a bug bounty program. Bug bounties reward cybersecurity experts for catching potential vulnerabilities and reporting to the developers so they can fix them. Bounty hunters will get a well-earned payout, and NordVPN users will get a service they know is scoured for bugs by thousands of people every day to make it as secure as possible.

3. Infrastructure security audit. NordVPN is planning to complete a full-scale third-party independent security audit in 2020. The audit will cover the infrastructure hardware, VPN software, backend architecture, backend source code, and internal procedures. The chosen vendor for the security audit will be announced in the future.

4. Vendor security assessment and higher security standards. NordVPN is planning to build a network of collocated servers. While still located in a data center, collocated servers are wholly owned exclusively by NordVPN. NordVPN is currently finishing its infrastructure review so that they can eliminate any exploitable vulnerabilities left by third-party server providers. NordVPN is committed to ensuring that their exclusively owned data centers maintain the highest security standards.

5. Diskless servers. NordVPN is planning to upgrade their entire infrastructure (currently featuring over 5100 servers) to RAM servers. This will allow to create a centrally controlled network where nothing is stored locally — not even an operating system. Everything the servers need to run will be provided by NordVPN’s secure central infrastructure. If anyone seizes one of these servers, they'll find an empty piece of hardware with no data or configuration files on it.

“The changes we’ve outlined will make you significantly safer every time you use our service. Every part of NordVPN will become faster, stronger, and more secure – from our infrastructure and code to our teams and our partners,” says Laura Tyrell. “That’s our promise – we owe it to you.”

What happened last week

Last week, it was announced that 1 of more than 5000 NordVPN’s servers was accessed by an unauthorized third party. The hacker managed to access this single server located in Finland because of mistakes made by the data center owner, of which NordVPN was not aware.

However, NordVPN is sure that no customer data was affected or accessed by the malicious actor, as the server did not contain any user activity logs, usernames, or passwords. NordVPN’s service as a whole was not hacked, the code was not hacked, the VPN tunnel was not breached, and the NordVPN apps stayed unaffected.

 

ABOUT NORDVPN

 

NordVPN is the world's most advanced VPN service provider, used by over 12 million internet users worldwide. NordVPN provides double VPN encryption, malware blocking, and Onion Over VPN. The product is very user-friendly, offers one of the best prices on the market, has over 5,000 servers in 60 countries worldwide, and is P2P friendly. One of the key features of NordVPN is zero-log policy. For more information: nordvpn.com.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
gs_geek
50%
50%
gs_geek,
User Rank: Apprentice
12/10/2019 | 6:40:02 AM
nord vpn app
Nordvpn mod apk is best for surfing the internet privately. I am using this app for the last 4 months and it is working fine. 
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3656
PUBLISHED: 2019-12-10
JBoss KeyCloak: XSS in login-status-iframe.html
CVE-2013-0293
PUBLISHED: 2019-12-10
oVirt Node: Lock screen accepts F2 to drop to shell causing privilege escalation
CVE-2013-1793
PUBLISHED: 2019-12-10
openstack-utils openstack-db has insecure password creation
CVE-2013-2095
PUBLISHED: 2019-12-10
rubygem-openshift-origin-controller: API can be used to create applications via cartridge_cache.rb URI.prase() to perform command injection
CVE-2019-19698
PUBLISHED: 2019-12-10
marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c.