Friday, June 15, 2012

Dear Bloggers,
I ran across an article last week that put the use of the McCumber Cube in a different light with respect to protecting and defending a network while keeping a security goal in mind. It’s convenient and coincidental since we just ran across the McCumber Cube last week. While it’s still fresh in our minds I think this is an excellent topic for this week’s blog!
Sean Price is the author of our article and by his credits is seemingly a pretty savvy guy in the world of Information Security. Here is his view of the McCumber Cube:
He has a different view of the McCumber Cube and how it can be expanded to cover network information security.
 Instead of picking one of 27 cells for instance transmission + integrity + technology or storage + confidentiality + people to address information security programs, Mr. Price introduces the proposed extension to the McCumber Cube: start with an attack or threat to the system, determine the information state (green section), identify the countermeasures (orange section), to reach a security goal (blue section).
This proposed extension is represented graphically here:
This may sound confusing at first but I think a couple of examples with help to clarify this process. Take for example network confidentiality. The process would look like this: Sniffer (the attack method) + Transmission (the information state) + Encryption/Key Management/Training (Countermeasures) -> to reach the security goal of Confidentiality. Another fun graphic to describe this particular example is:

Notice how the Countermeasures section includes all three pieces of Technology, Policy, and People. This is how Mr. Price has incorporated the extension into the McCumber Cube. It’s just a different way of looking at information security.  Are you ready for another example? Let’s go!!
Let’s take a look at network information integrity with ARP Spoofing as the attack, Transmission as the information state, Port Scanning/Periodic Scans/Investigators as the countermeasures with a security goal of Integrity.
Graphically that would look like this:

Our last example covers the availability of the network. The attack is Denial of Service, the information state is Transmission, the countermeasures are Intrusion Detection/Monitoring/Incident Response with a security goal of Availability which looks like this:

Using this extension model by Mr. Price helps to focus on a specific threat, the countermeasures for that threat and because of this will more accurately define the risk assessment for an environment. Just by taking a different look at the McCumber Cube, an IT environment has the ability to better prepare themselves to prevent and tackle threats that come their way.
That's all for now, happy blogging!
Price, S. (2008). Extending the McCumber Cube to Model Network Defense. ISSA Journal. September 2008, 14-18.