NordVPN has announced a series of initiatives that it says will significantly improve the security of its infrastructure after an attacker gained access to one of its servers.
The company, known for its widely used virtual private network (VPN) service, confirmed last week that a server it was renting from a data center in Finland was exploited by an attacker via an insecure remote management system left by the data center provider.
According to NordVPN, the server did not contain any user activity logs, usernames or passwords. Nonetheless, the company said that it has enlisted the cybersecurity consulting firm VerSprite to run penetration testing, threat and vulnerability management, compliance management and assessment services on its infrastructure. VerSprite will also work with the company to form an independent cybersecurity advisory committee, which will oversee NordVPN’s security practices.
Additionally, NordVPN said it plans to introduce a bug bounty program to catch potential vulnerabilities. Cybersecurity experts who find and report the vulnerabilities will receive a payout.
NordVPN is also planning a full-scale independent security audit for 2020. The audit will cover the infrastructure hardware, VPN software, backend architecture, backend source code, and internal procedures, the company said. In a move away from third-party server providers, NordVPN is planning to build out a network of wholly owned colocated servers and is currently reviewing its infrastructure to ensure there are no other existing, exploitable vulnerabilities.
NordVPN is also planning to upgrade its more than 5,100 servers to RAM servers. The move will create a centrally controlled network where nothing is stored locally, including the operating system, and ensure that if a server is seized by an attacker, they’ll find blank hardware with no data or configuration files on it.
“Every part of NordVPN will become faster, stronger, and more secure, from our infrastructure and code to our teams and our partners,” said NordVPN’s head of PR Laura Tyrell.