It’s never the data breach -- it’s always the cover-up
The felony charges levied against Uber's former CSO paint him as actively masterminding and executing a plan to cover up a major data breach. This serves as a reminder that CSOs and CISOs must consider how decisions made in the moment can be interpreted, construed, or proven to be criminal after the fact.
The obstruction of justice and misprision of a felony charges levied against Joseph Sullivan, former Uber chief security officer (CSO), sent shock waves through the cybersecurity community. CSOs and chief information security officers (CISOs) rightfully wondered what these charges mean in terms of their own culpability for decisions made on the job.
CSOs and CISOs handle sensitive data, make difficult decisions, and consider their responsibility to the company and its shareholders when making those decisions. Legal, regulatory, and privacy issues also feature heavily in these decisions.
The narrative in the charging documents (Note: This is not yet a criminal indictment) issued by the FBI against Uber's former CSO (Sullivan) paints him as actively masterminding and executing a plan to cover up a major data breach, obstruct federal regulators, and conceal activity from senior executives.
According to the charging document, Sullivan, former Uber CEO Travis Kalanick, and others took the following steps after learning of the 2016 data breach:
- They confirmed the data was real.
- Sullivan modified an existing bug bounty program to pay a ransom to keep the hackers from exposing the data breach publicly.
- The bounty amount paid was 10 times higher than the maximum of the existing bug bounty program, and the breach type and records were also not covered by the existing bug bounty program.
- Sullivan required that the hackers sign a non-disclosure agreement (NDA), another change to the existing bounty program.
- Sullivan did not mention the 2016 hack to the FTC.
- Sullivan did not fully explain the data breach to the new Uber CEO in 2017.
Note that Sullivan is not charged for the first four. Instead, these are being used as supporting evidence for the charges of obstruction of justice and misprision of a felony.