Some "lessons learned" from the whole #NordVPN disaster:

1. Revoke keys when you notice the private key was compromised
2. Use HSMs to prevent private keys from getting compromised
3. Inform your customers about breaches
4. Do proper audit logging of your systems' user accounts
5. Use your own OS images when installing machines
6. Run an IDS to get informed when your production systems act unusually
7. Spend more money on infrastructure security, less on marketing it

#infosec
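Lessons 4 and 6 above (audit logging of user accounts, and an IDS that raises an alert when a production system behaves unusually) can be illustrated with a small log-review rule set. The following is an added example, not code from the original thread, NordVPN or Matrix.org: it runs three detection rules over constructed syslog-style auth lines (account creation, a login from a source address outside a known baseline or by password instead of key, and a privileged command that touches a hypothetical key-material directory). The hostnames, addresses, user names and paths are all made up for the example.

```python
import re

# Constructed sample auth log lines in the usual syslog/sshd/sudo format.
# None of these come from a real system; they exist only to drive the rules.
SAMPLE_LOG = """\
Oct 21 09:12:01 vpn-node-1 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:example
Oct 21 09:15:44 vpn-node-1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart openvpn
Oct 21 23:41:09 vpn-node-1 useradd[3120]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Oct 21 23:42:30 vpn-node-1 sshd[3155]: Accepted password for svc_backup from 203.0.113.77 port 40022 ssh2
Oct 21 23:43:02 vpn-node-1 sudo: svc_backup : TTY=pts/1 ; PWD=/etc/openvpn ; USER=root ; COMMAND=/bin/cat /etc/openvpn/server.key
"""

# Generic syslog prefix: "<timestamp> <host> <process>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSHD_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

# Hypothetical directories holding private keys / certificates on this host.
# Any privileged command referencing them is worth an alert for a human to review.
KEY_MATERIAL_PATHS = ("/etc/openvpn", "/etc/ssl/private", "/etc/letsencrypt/live")


def audit(log_text, known_sources):
    """Run the detection rules over auth log text.

    known_sources: iterable of source IPs that are an accepted baseline
    (e.g. the bastion host). Returns a list of (kind, detail, timestamp)
    alert tuples in log order.
    """
    alerts = []
    seen_sources = set(known_sources)

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line in the format we understand; skip it
        ts, proc, msg = m["ts"], m["proc"], m["msg"]

        # Rule 1 (lesson 4): every account creation is logged and surfaced.
        if proc == "useradd":
            u = USERADD_RE.search(msg)
            if u:
                alerts.append(("ACCOUNT_CREATED", u["user"], ts))

        # Rule 2 (lesson 6): logins from a source never seen before, or by
        # password where key-based auth is the expected method.
        elif proc == "sshd":
            s = SSHD_RE.search(msg)
            if s:
                if s["ip"] not in seen_sources:
                    alerts.append(("LOGIN_NEW_SOURCE", f"{s['user']}@{s['ip']}", ts))
                    seen_sources.add(s["ip"])  # alert once per new source
                if s["method"] == "password":
                    alerts.append(("PASSWORD_LOGIN", s["user"], ts))

        # Rule 3 (lesson 1/6): privileged commands that reach into key material.
        elif proc == "sudo":
            s = SUDO_RE.match(msg)
            if s and any(p in s["cmd"] for p in KEY_MATERIAL_PATHS):
                alerts.append(("KEY_MATERIAL_ACCESS", f"{s['user']}: {s['cmd']}", ts))

    return alerts


if __name__ == "__main__":
    for kind, detail, ts in audit(SAMPLE_LOG, known_sources={"10.0.0.5"}):
        print(f"{ts}  {kind:<20} {detail}")
```

With the baseline `{"10.0.0.5"}` the first two lines (a key-based login from the bastion and a routine service restart) produce nothing, while the later account creation, the password login from an unknown address and the read of the server key each raise an alert. Real deployments would feed these rules from a forwarded log stream or an IDS such as OSSEC/Wazuh rather than a string, but the point of the post stands: the signals were in the logs, someone just has to be watching them.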


@sheogorath this reminds me of the matrix.org hack, where somehow they thought it was a great idea to save their signing key on a live production server connected to the internet.
:)

@blacklight447 To be honest, Matrix.org is easier to justify. I mean they are a development company and they didn't hire lots of Ops people, therefore things went up and down.

But this company? A VPN company? Handling certificates is their bread and butter. And operating the VPN network securely is the main purpose of their company.

Mastodon 🔐 privacytools.io
