The McCumber Cube

This material was developed with funding from the National Science Foundation under Grant # DUE 1601612

Introduction
The McCumber Cube is a model framework created by John McCumber in 1991 used to establish and evaluate information security programs. This security model has three dimensions and looks like a Rubik’s cube.
Information Security Properties

The first dimension of the cube identifies the goals of protecting information systems; these are the foundational principles. The three principles are referred to as the CIA Triad.

Confidentiality: Prevents the disclosure of sensitive information to unauthorized people, resources, and processes

Integrity: Protects system information or processes from intentional or accidental modification

Availability: Assures that authorized users can access systems and data when and where needed, and limits access for those that do not meet established conditions
Information States

The second dimension of the cube focuses on protecting data in each of its possible states.

Transmission: Data traveling between information systems (data in transit)

Storage: Data stored in memory or on permanent storage such as a hard drive, solid-state drive, or USB drive (data at rest)

Processing: Data being used in performing an operation such as updating a database record (data in process)
Security Measures

The third dimension of the cube defines the skills and disciplines a cybersecurity professional uses to protect data.

Policy and Procedure: Administrative controls that provide a foundation for how an organization implements information assurance; they include establishing policies, procedures and guidelines that follow good practices

Technology: Software- and hardware-based solutions designed to protect information systems, including VPNs, IDS, and firewalls

Awareness, Training, Education: Measures to ensure that the users of information systems are knowledgeable about potential threats and aware of how to protect information systems
Examples for Each Cell of the Cube

Each cell of the cube combines one security property, one information state and one security measure. The 27 examples below are grouped by security property.

Confidentiality

Confidentiality-Transmission-Policy & Procedures: Steps followed by a small business owner when using mobile point-of-sale services

Confidentiality-Transmission-Technology: A VPN protocol that provides secure communications

Confidentiality-Transmission-Awareness, Training, Education: A company memo making users aware that they must use a VPN from remote locations to access patient records

Confidentiality-Storage-Policy & Procedures: A company memo detailing proper handling of patient data stored on hospital tablets

Confidentiality-Storage-Technology: A USB drive with a fingerprint reader

Confidentiality-Storage-Awareness, Training, Education: An organization's awareness program on implementing hard-drive encryption on all laptops assigned to sales personnel

Confidentiality-Processing-Policy & Procedures: The practice of using user IDs to ensure that only authorized individuals have access to patient data during imaging

Confidentiality-Processing-Technology: Data entry clerks can see customer data only in the field they enter; other fields, such as account balance, are masked

Confidentiality-Processing-Awareness, Training, Education: A sign on the wall in a financial institution stating "No shoulder surfing while customer data is visible on a monitor"

Integrity

Integrity-Transmission-Policy & Procedures: Guidelines that outline data transmission mechanisms ensuring data is not modified during transmission

Integrity-Transmission-Technology: Using a protocol that ensures data is not altered during transmission

Integrity-Transmission-Awareness, Training, Education: A handbook on implementing a protocol that ensures data integrity

Integrity-Storage-Policy & Procedures: Management's directive to assign read-only access to internal files

Integrity-Storage-Technology: A host intrusion detection system that alerts the administrator when a critical file is modified

Integrity-Storage-Awareness, Training, Education: Instructing the engineering staff to use hashing when storing files containing intellectual property

Integrity-Processing-Policy & Procedures: A manager must enter credentials for a large withdrawal at the teller window

Integrity-Processing-Technology: Data validation of social security numbers

Integrity-Processing-Awareness, Training, Education: Training that informs tellers that only one user at a time has read/write privileges when accessing a customer record

Availability

Availability-Transmission-Policy & Procedures: A policy that defines a mandatory access control list for a database server

Availability-Transmission-Technology: A firewall that only allows inbound traffic in response to a request

Availability-Transmission-Awareness, Training, Education: Informing users how to register their approved remote location for remote access to corporate resources

Availability-Storage-Policy & Procedures: Corporate procedures that establish user-access rules for files stored in the cloud

Availability-Storage-Technology: Connection controls that prevent unauthorized users from accessing a SAN

Availability-Storage-Awareness, Training, Education: A handbook detailing when and where users can access data on a cloud storage system

Availability-Processing-Policy & Procedures: Configuration requirements that limit database access to authorized users

Availability-Processing-Technology: A firewall rule that drops sessions that fail to complete the TCP three-way handshake

Availability-Processing-Awareness, Training, Education: An incident response procedure for dealing with a teardrop attack
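The Integrity-Storage-Technology cell (a host system that alerts when a critical file is modified) and the Integrity-Storage-Awareness, Training, Education cell (hashing files at rest) rely on the same mechanism: record a cryptographic digest of each file while it is known to be good, then recompute and compare later. The following Python program is an added illustration written for this page, not part of the NSF module; the file names and contents it monitors are constructed in a temporary directory, and the names build_baseline, check_integrity and alerts are the example's own.

```python
"""File-integrity check (added example, not from the McCumber Cube module):
record SHA-256 digests of critical files, then detect modification or removal."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read in 64 KiB chunks so large files are never loaded whole


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Record the digest of every monitored file: the 'known good' state.
    In practice the baseline itself must be stored read-only or off-host,
    otherwise an attacker who edits a file can also edit its recorded digest."""
    return {str(p): sha256_file(Path(p)) for p in paths}


def check_integrity(baseline: dict) -> dict:
    """Compare each monitored file with its baseline digest.
    Returns {path: "ok" | "modified" | "missing"}."""
    report = {}
    for name, expected in baseline.items():
        p = Path(name)
        if not p.exists():
            report[name] = "missing"
        elif sha256_file(p) != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


def alerts(report: dict) -> list:
    """Paths whose state should be raised to the administrator."""
    return sorted(name for name, state in report.items() if state != "ok")


def demo() -> dict:
    """Constructed scenario: three 'critical' files (hypothetical names and
    contents) are baselined, then one is tampered with and one deleted."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        files = {
            "sshd_config": b"PermitRootLogin no\n",
            "hosts": b"127.0.0.1 localhost\n",
            "passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        }
        for name, body in files.items():
            (base / name).write_bytes(body)
        baseline = build_baseline(base / n for n in files)

        # simulate an unauthorized change and a deletion after baselining
        (base / "sshd_config").write_bytes(b"PermitRootLogin yes\n")
        (base / "passwd").unlink()

        report = check_integrity(baseline)
    # report by file name only, so the temporary directory path is not exposed
    return {Path(k).name: v for k, v in report.items()}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("alerts:", alerts(result))
```

Running the program reports hosts as ok, sshd_config as modified and passwd as missing, and lists the latter two as alerts. The comment in build_baseline captures the practical caveat behind the Policy & Procedures and Awareness cells: a digest only has value if the stored baseline is protected at least as well as the files it describes.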