Learning About the McCumber Cube

Victor Ohachor

This is the first article in this series. In this series, I will document everything I learn as I go through the basics of cybersecurity. I hope it benefits you as much as it has benefited me.

[Diagram: the McCumber Cube]

Introduction

The goal of this model was to provide a structured methodology for information security that remains valid as technology evolves, so that information security would no longer be regarded as merely an art.

It was created in 1991 by John McCumber. Like many professionals who develop a methodology or introduce a concept, he later wrote a book about it, "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," first published in 2004.

The Concept

In geometry, a cube is a solid shape. Solid shapes are three-dimensional. Following this idea, this security model has three dimensions:

  1. The foundational principles for securing information systems.

  2. The protection of information in each of its possible states.

  3. The security measures used to protect data.

Let's briefly explore each of these dimensions.

The Foundational Principles for Securing Information

💡 You can refer back to the diagram above whenever a new dimension is introduced.

This dimension focuses on the desired goals: the CIA triad.

💡 If the term "desired goals" is unclear, it refers to the model's overall objectives: not only to establish secure information systems within an organization, but also to account for every factor needed for that effort to succeed.

The CIA triad is an information security model widely used to guide organizations in their efforts and policies to secure their data.

CIA stands for Confidentiality, Integrity, and Availability. These are the core principles for any cybersecurity team when securing information systems or an organization's data.

Confidentiality

This refers to a set of rules that prevents sensitive information from being disclosed to unauthorized people, resources, and processes. An example of this is ensuring that new employees sign NDA documents to prevent them from sharing the company's secrets.

Integrity

This ensures that system information or processes are protected from unauthorized or accidental changes. An example of this is using checksums to verify that a file has not been altered during transmission.
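The checksum example above is easy to demonstrate in code. The following Python snippet is an added illustration, not code from the original article: it computes a SHA-256 checksum for a constructed sample payload, verifies a received copy against the published value, and also shows a keyed HMAC tag, which detects deliberate modification as well as accidental corruption because it cannot be recomputed without the shared key. The payload bytes and the key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample payload standing in for a file received over a network.
ORIGINAL = b"quarterly-report-v3: revenue=1200000; expenses=950000\n"

# Constructed shared secret for the keyed variant (in practice, managed as a secret).
SHARED_KEY = b"example-integrity-key"


def sha256_checksum(data: bytes) -> str:
    """Hex SHA-256 digest of data: the 'checksum' published alongside a file."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected_hex: str) -> bool:
    """True if the recomputed SHA-256 matches the published one.

    A bare checksum detects accidental corruption in transit; compare_digest
    performs the comparison in constant time.
    """
    return hmac.compare_digest(sha256_checksum(data), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed integrity tag (HMAC-SHA256) over data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, expected_hex: str) -> bool:
    """True if data carries a valid tag under key; a wrong key or altered data fails."""
    return hmac.compare_digest(hmac_tag(key, data), expected_hex)


if __name__ == "__main__":
    published = sha256_checksum(ORIGINAL)
    print("intact copy verifies:", verify_checksum(ORIGINAL, published))

    # Simulated transmission error: a single digit changed.
    corrupted = ORIGINAL.replace(b"1200000", b"1200001")
    print("corrupted copy verifies:", verify_checksum(corrupted, published))

    tag = hmac_tag(SHARED_KEY, ORIGINAL)
    print("keyed tag verifies:", verify_hmac(SHARED_KEY, ORIGINAL, tag))
    print("keyed tag with wrong key:", verify_hmac(b"other-key", ORIGINAL, tag))
```

The checksum alone is what the article describes; the HMAC variant is the form to use when the value must also hold up against intentional tampering rather than only transmission errors.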

Availability

This means that authorized individuals should be able to access systems or data whenever and wherever needed, while those who do not meet these criteria should not. This is where redundancy shines. Implementing redundant systems and backup power supplies can ensure that critical services remain accessible even during hardware failures or power outages.

💡 Remember this article following the subsea cable disruption on 14th March 2024?

The Protection of Information in Each of its Possible States

💡 Information states are the focus here.

There are three states of information (data flow) according to the model. They include:

Data in Process

This refers to data that is being used to perform an operation, such as updating a database record. In the McCumber Cube model this state is called Processing *(see diagram above)*.

Data at Rest

This refers to data that is stored in memory or on a physical medium such as a hard drive, SSD, or any other storage device. This state of data is not actively moving through the networks or being processed by the information systems. This is known as Storage *(see diagram above)*.

Data in Transit

This refers to data actively moving between information systems, such as across the Internet or through a private network. This state of data is particularly vulnerable to interception and unauthorized access because it is being transmitted over potentially insecure channels. This is known as Transmission *(see diagram above)*.

The Security Measures Used to Protect Data

💡 The focus here is on data safeguards.

These measures fall into three categories:

  1. Awareness, training, and education, also known as human factors. Organizations should implement measures to ensure users are aware of potential security threats and know how to respond. Humans are often the weakest link in information security.

    With effective social engineering, an unsuspecting user can become the breach in a highly secure system.

  2. Technology refers to the software and hardware solutions designed to protect information systems, such as antivirus programs, firewalls, and intrusion detection systems.

  3. Policy and practices encompass the administrative controls that establish the framework for an organization's implementation of information assurance. These include best practice guidelines, standard operating procedures, and compliance requirements.

    By setting clear policies and practices, organizations can ensure consistent and effective security measures, align with regulatory standards, and provide a structured approach to managing and protecting information assets.

Conclusion

The McCumber Cube provides a comprehensive framework for understanding and implementing information security. By considering the foundational principles of the CIA triad, the various states of data, and the necessary security measures, organizations can develop robust strategies to protect their information assets.


Written by

Victor Ohachor

I am a software engineer with nearly two years of professional experience. I specialize as a backend engineer but also work in full-stack capabilities. I use JavaScript/TypeScript, Python, and PHP to solve real-world problems every day.