Welcome to the SecAware blog

I spy with my beady eye ...

18 Apr 2019

NBlog April 18 - another NSA contractor accused of schlurping

Catching up with recent infosec news, I stumbled across a piece about NSA contractor Harold T Martin III, accused of schlurping (pinching and hoarding) some 50 terabytes of secret data.  50 Tb!  Along with Julian Assange, Ed Snowden and Chelsea Manning, the US government appears to be hemorrhaging secrets by the shed-load, despite all the extraordinary security controls designed to prevent and detect it.

I say 'shed-load' advisedly: a typical page of a typical document has about 500 typical words per side i.e. 1,000 words per double-sided sheet needing about 200 kb of rich text data (e.g. a Word document). That's 5 sheets per Mb*. 50 Tb is 50 million Mb or about 250 million sheets. A typical box of printer paper contains 10 reams of 500 sheets i.e. 5,000 sheets per box, enough to print out about 1 Gb of data*. So, printing 50 Tb would take about 50,000 boxes of paper, a stack of about 37x37x37 boxes. That's a shed-load ... a big shed, a small warehouse or industrial unit*.

Modern PC disk drives hold about 1 Tb. It is possible someone might casually stroll out of work carrying 50 hard drives in a box marked "Spares", more likely a high-capacity USB thumb drive or laptop every working day for a month or three.

Alternatively, 50 Tb would take approximately forever to download at 1 Gb per hour on a typical home Internet connection ... but barely a day on a lightning-fast fiber-optic line running flat-out at 1 Gb per second*. Professionals working regularly from home, perhaps offering remote IT support, could conceivably claim the business expense of a fast fiber line ... or invest personally for geek status points.

This is relevant to next month's NoticeBored security awareness topic. IT-enabled workers are technically capable of accessing and storing vast quantities of data wherever they happen to be working, whether on- or off-site. About 20 years ago 'deperimiterization' became a nasty buzzword, referring to the dissolving boundaries around organizations, changing the information risks. Today, it seems as if those boundaries have completely evaporated: inside and outside are virtually indistinguishable.

If our organizations can't quite match the government spooks' budgets and appetites for information security (and even if they can!), where does that leave us? I'll  tell you where - firmly in the Probability Impact Graph's high-risk bright red zone.

* All the figures in this piece are vague approximations. Treat them as rough ball-parks at best ... and please let me know if you spot any errors.

No comments:

Post a Comment