Pentests, audits, and RAM-only servers part of lockdown plan
And so, in full damage limitation mode, the private networking biz has outlined steps it is taking to improve its defenses. Steps, we note, that should have been in place to begin with, but hey, hindsight is 20-20.
The VPN provider says it will undertake five separate projects, each aimed at hardening its network and its application code. The plan calls for a number of collaborations with outside researchers and companies.
“We are planning to use not only our own knowledge, but to also take advice from the best cybersecurity experts and implement the best cybersecurity practices there are,” NordVPN head flack Laura Tyrell said of the campaign. “And this is the first of many steps we are going to take in order to bring the security of our service to a whole new level.”
But enough with the lip service, here is what they actually plan to do.
First off, NordVPN says it will subject itself to regular independent security audits. Though it is yet to say who will conduct that assessment, NordVPN promises a third party will be called in to examine everything from the client software to the backend source code and the hardware and architecture used for the servers and network.
Additionally, the VPN biz says it will be calling in hackers-for-hire VerSprite to conduct a series of penetration tests alongside NordVPN’s own internal red team. In addition to hammering on NordVPN’s source code and intrusion prevention system, VerSprite will help form an independent advisory committee for security.
Flaw finders will be pleased to know that NordVPN is looking to launch its own bug bounty program. Set to launch over the “next few weeks,” the program would pay researchers who find and report security holes in NordVPN’s stuff to the biz. Hopefully a few weeks will be enough time to set the program up properly, as experts say a poorly run bug bounty program is worse than none at all.
On the hardware side, NordVPN says it plans to take control of all of its servers and improve their design, following a hole discovered in one of its rented systems in Finland. Specifically, the VPN service will transition to co-located servers that it owns and manages.
While NordVPN says it is still in the process of reviewing its infrastructure to catch and eliminate any exploitable vulnerabilities introduced by third-party vendors and developers, one of the measures it already plans to take is to switch entirely to diskless, RAM-only servers.
This would allow NordVPN to store the server images centrally and push them out to the nodes without the need to store any information, sensitive or otherwise, at rest on the machines. Those machines would then periodically be restarted or otherwise updated to use fresh images.
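The diskless design described above is only as good as the guarantee that nothing writable on a node is backed by a disk. As an added example (this is not NordVPN's code or configuration), here is a POSIX shell check that reads a /proc/mounts-format table and flags every writable mount that is neither memory-backed nor a kernel pseudo-filesystem, so a read-only squashfs of the pushed image passes while a stray ext4 partition under /var/log does not. The two mount tables at the bottom are constructed samples, not captures from any real host.

```shell
#!/bin/sh
# Added example, not NordVPN's code: audit a mount table for writable persistent
# storage. On a RAM-only node every writable filesystem should be memory-backed
# (tmpfs, ramfs, overlay over tmpfs) or a kernel pseudo-filesystem; the pushed
# image may be mounted read-only. Anything else writable is state at rest.

# check_ramonly_mounts [FILE]
# Reads /proc/mounts-format lines (device mountpoint fstype options dump pass),
# defaulting to the live /proc/mounts; "-" reads stdin. Prints each offending
# mount and returns 1 if any were found, 0 if the table is clean.
check_ramonly_mounts() {
    awk '
        BEGIN {
            # Memory-backed or pseudo-filesystems, plus squashfs, which is
            # read-only by construction. None of these can hold state at rest.
            list = "tmpfs ramfs devtmpfs overlay squashfs proc sysfs cgroup cgroup2"
            list = list " devpts mqueue debugfs securityfs pstore bpf tracefs configfs"
            list = list " hugetlbfs efivarfs fusectl autofs nsfs"
            split(list, t, " ")
            for (i in t) benign[t[i]] = 1
            bad = 0
        }
        NF >= 4 {
            dev = $1; mnt = $2; type = $3; opts = "," $4 ","
            if (type in benign) next
            if (opts ~ /,ro,/) next      # read-only mount of the pushed image
            printf "WRITABLE PERSISTENT: %s on %s (%s, %s)\n", dev, mnt, type, $4
            bad = 1
        }
        END { exit bad }
    ' "${1:-/proc/mounts}"
}

# Constructed sample mount tables (not from any real NordVPN host).
RAMONLY_MOUNTS='tmpfs / tmpfs rw,relatime,size=8388608k 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=4096k,mode=755 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/loop0 /opt/image squashfs ro,relatime 0 0'

# The same host with two mounts that would keep data on disk across a reboot.
LEAKY_MOUNTS="$RAMONLY_MOUNTS
/dev/sda1 /var/log ext4 rw,relatime 0 0
/dev/sdb1 /var/lib/state xfs rw,relatime 0 0"

# Demo on the constructed tables; on a real node just run: check_ramonly_mounts
for name in RAMONLY_MOUNTS LEAKY_MOUNTS; do
    eval "table=\$$name"
    if printf '%s\n' "$table" | check_ramonly_mounts -; then
        echo "$name: clean, no writable persistent storage"
    else
        echo "$name: FAIL, state at rest found"
    fi
done
```

Run against the live table from a boot-time unit or a monitoring agent and alert on a non-zero exit. A clean mount table is necessary but not sufficient: swap on a local disk, raw writes to an unmounted block device, or an overlay whose upper directory sits on a mount outside the table being checked would all still leave data at rest, and a box that boots from a centrally pushed image can still be re-imaged or inspected by whoever controls its remote management interface, which is the access path the Finland server fell to.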
NordVPN hopes both moves will eliminate the situation that caused the recent security breach: a compromised server in a third-party datacenter that NordVPN was using to route subscribers’ connections.
That server, hosted in a Finnish datacenter operated by Creanova, was infiltrated back in 2018 via a remote management account that would have allowed miscreants on the other side of the internet to see some of the traffic passing through the exit node. Creanova said NordVPN knew the remote management system was installed and failed to lock it down; NordVPN claimed it had no idea this God-mode-level access was present on the box. ®