Saturday, September 5, 2015

McCumber Cube to Model Network Defense

Week -1
McCumber Cube and Extended Version.


This week we focused on the McCumber Cube model for Information Security (InfoSec). InfoSec refers to the protection of information and its critical characteristics: confidentiality, integrity, and availability. The McCumber Cube is a three-dimensional view of information characteristics, information location, and security control categories, designed to serve as the main standard of InfoSec with an extended version of the core characteristics: confidentiality, integrity, and availability. The three dimensions of the McCumber Cube model represent information characteristics, information location, and information security. Furthermore, the cube is 3x3x3, with 27 cells, with its subdivisions as shown in Figure 1.

The basic concept of this three-dimensional model is to address how to secure information; to achieve the desired InfoSec goals, each cell must be addressed.

This graphical representation of the security model helps in understanding the most complex issues, provides a deeper understanding of the relationships between the components, and offers a way to model risk management. Each view of the cube represents a different perspective: information characteristics, which addresses three fundamental aspects (processing, storage, and transmission); information location, which addresses technology, people, and policies and practices; and security control, which addresses confidentiality, integrity, and availability. This model gives practitioners a platform for selecting the desired security service and circumstances. For example: integrity, storage, and technology; confidentiality, transmission, and policy and practice; confidentiality, processing, and policy and practice.

According to Sean M. Price in his journal article “Extending the McCumber Cube to Model Network Defense”, to address contemporary security issues practitioners need to view the Cube model in a minimized form for the particular situation and the particular security service. Practitioners need to adopt a risk-based approach and analyze the appropriateness and completeness of the countermeasures to match each attack against the system. Here are some examples presented by Sean M. Price in his article:
Figure 2, Proposed Extension to McCumber Cube (Source: Price, 2008)


Figure 3, Confidentiality Mode Extension (Source: Price, 2008)


Figure 4, Integrity Model Extension (Source: Price, 2008)

Figure 5, Availability Mode extension (Source: Price, 2008)

In the diagrams above, Mr. Price presents the different states with colors: the attack vector in red, the information state in green, countermeasures in orange, and the security goal in blue.

To enforce InfoSec, practitioners need to focus on situation-based issues rather than relying on just one model for practice. The extended version of the Cube presented by Mr. Price helps to clearly understand the situation and the measures that need to be considered to address the threats and issues in our practice. Certainly, there are valid arguments behind this extended McCumber Cube model for addressing security services, countermeasures, and specific attacks. It provides a different perspective for looking at risk management and identifying the respective countermeasures from all dimensions.

Reference:
1.    Michael E. Whitman and Herbert J. Mattord, “Management of Information Security”, Fourth Edition, Cengage Learning.
2.    Sean M. Price, “Extending the McCumber Cube to Model Network Defense”, ISSA Journal, September 2008. Retrieved from: https://cyberactive.bellevue.edu/bbcswebdav/pid-7538926-dt-content-rid-10132349_2/courses/CIS608-T303_2161_1/mccumber%20article.pdf


