NordVPN enlists ethical hackers, launches bug bounty programme

Breached consumer VPN supplier details steps it is taking to shore up its cyber security posture after an unknown actor gained access to one of its servers

Consumer virtual private network (VPN) supplier NordVPN has engaged the services of security consultancy VerSprite to form an independent security advisory committee and help it conduct ongoing penetration testing, threat management and compliance audit, and will review several other aspects of its cyber security posture, following the exposure of a 2018 breach of its systems.

Although the breach was relatively minor – affecting one server out of thousands held in a third-party datacentre – and has resulted in no user data being compromised to date, NordVPN had previously stressed that it intended to take substantial remedial action to restore user trust in its widely used service.

“We are planning to use not only our own knowledge, but to also take advice from the best cyber security experts and implement the best cyber security practices there are,” said Laura Tyrell, head of public relations at NordVPN.

“This is the first of many steps we are going to take to bring the security of our service to a whole new level.

“The changes we’ve outlined will make you significantly safer every time you use our service. Every part of NordVPN will become faster, stronger and more secure – from our infrastructure and code to our teams and our partners. That’s our promise – we owe it to you.”

The company’s engagement with VerSprite will see teams of ethical hackers work alongside NordVPN’s own internal penetration testing teams to probe its infrastructure for additional weaknesses, centring on penetration testing, intrusion handling and source code analysis.

In the next few weeks, it will also launch a bug bounty programme, paying out cash prizes to external cyber security experts for spotting potential vulnerabilities and reporting them back.

Beginning in 2020, the firm will also conduct a full-scale independent third-party security audit, covering its infrastructure hardware, VPN software, back-end architecture and source code, and internal procedures.

NordVPN will also overhaul its physical IT infrastructure. It is currently conducting an infrastructure review to make sure that any other exploitable vulnerabilities in its server systems left by third parties are secured, and then it will move to a colocation model, whereby it will own its own hardware sitting within third-party datacentres outright, rather than leasing it.

At the same time, it said, it will redouble its commitment to ensuring that its exclusively owned datacentres maintain the highest security standards.

NordVPN will also harden its server infrastructure – it currently has about 5,100 servers in harness – by converting them to RAM-only servers, enabling it to create a centrally controlled network where nothing is stored locally, but rather in a secured central infrastructure.

This means that should one of these servers be compromised, attackers will find nothing more than an empty piece of hardware with no data or configuration files present, said NordVPN.
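The property described above, that a compromised server holds no data or configuration on local storage, is something an operator can verify rather than assume. The following audit is an added example and is not NordVPN's or VerSprite's tooling: it parses a Linux `/proc/mounts` table (the sample table is constructed for illustration), treats in-memory and kernel pseudo-filesystems as volatile, and reports every mount where written data would survive a reboot. Overlay mounts are classified by where their writable upper layer lives, since an overlay whose `upperdir` sits on tmpfs is itself volatile. All function names are this example's own.

```python
# Added example: a defender's audit of a Linux mount table for writable
# persistent filesystems, the property a RAM-only server must not have.
# The mount table below is constructed for illustration; it is not from
# NordVPN, and the function names are this example's own.
from dataclasses import dataclass, field

# Filesystem types that live in memory or are kernel pseudo-filesystems:
# nothing written there survives a reboot.
VOLATILE_FSTYPES = {
    "rootfs", "tmpfs", "ramfs", "devtmpfs", "proc", "sysfs", "devpts",
    "cgroup", "cgroup2", "mqueue", "debugfs", "securityfs", "bpf",
    "tracefs", "configfs", "hugetlbfs", "fusectl", "binfmt_misc",
}


@dataclass
class Mount:
    source: str
    target: str
    fstype: str
    options: list[str] = field(default_factory=list)


def _unescape(s: str) -> str:
    """/proc/mounts octal-escapes space, tab, newline and backslash."""
    return (s.replace("\\040", " ").replace("\\011", "\t")
             .replace("\\012", "\n").replace("\\134", "\\"))


def parse_mounts(text: str) -> list[Mount]:
    """Parse /proc/mounts-style lines: source target fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        mounts.append(Mount(_unescape(parts[0]), _unescape(parts[1]),
                            parts[2], parts[3].split(",")))
    return mounts


def _owning_mount(path: str, mounts: list[Mount]):
    """Return the mount whose target is the longest prefix of path."""
    best = None
    for m in mounts:
        if path == m.target or path.startswith(m.target.rstrip("/") + "/"):
            if best is None or len(m.target) > len(best.target):
                best = m
    return best


def classify(mount: Mount, mounts: list[Mount]) -> str:
    """Return 'volatile', 'persistent-ro' or 'persistent-rw' for one mount."""
    if mount.fstype in VOLATILE_FSTYPES:
        return "volatile"
    if mount.fstype == "overlay":
        # An overlay is only as persistent as its upper (writable) layer.
        upper = next((o[len("upperdir="):] for o in mount.options
                      if o.startswith("upperdir=")), None)
        if upper is None:
            return "persistent-ro"  # no upperdir: read-only overlay
        owner = _owning_mount(upper, mounts)
        if owner is not None and owner.fstype in VOLATILE_FSTYPES:
            return "volatile"
        return "persistent-rw"
    return "persistent-ro" if "ro" in mount.options else "persistent-rw"


def audit(text: str) -> list[tuple[str, str]]:
    """Return (target, fstype) for every mount where local data could persist."""
    mounts = parse_mounts(text)
    return sorted((m.target, m.fstype) for m in mounts
                  if classify(m, mounts) == "persistent-rw")


# Constructed sample: a mostly RAM-only host that still has one writable disk.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
none / tmpfs rw,relatime,size=8G 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=16G,nr_inodes=4M,mode=755 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sda1 /boot vfat ro,relatime 0 0
/dev/sda2 /var/lib/app ext4 rw,relatime 0 0
overlay /srv/app overlay rw,lowerdir=/opt/ro,upperdir=/run/upper,workdir=/run/work 0 0
"""

if __name__ == "__main__":
    for target, fstype in audit(SAMPLE_MOUNTS):
        print(f"writable persistent mount: {target} ({fstype})")
```

On a live host, pass the contents of `/proc/mounts` to `audit()` instead of the constructed sample; a clean RAM-only build returns an empty list. The check covers local storage only: configuration and keys still exist in memory while the server runs, and any swap device would also need to be absent or encrypted, so the mount audit complements rather than replaces the central-infrastructure controls the article describes.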
