Defense-in-Depth Model of IA Cybersecurity via a McCumber Cube






The McCumber Cube

Above you see a picture of the McCumber Cube – see how it also looks like a Rubik's Cube?  The McCumber cube was created (I believe around 1999) as both a concept and a visual model to depict a comprehensive approach to security, later called “Defense-in-depth”.  The ability to visually see this, in an easy way, makes this model unique and useful for security practitioners.

Rather than use a single dimension or list, or even just a simplified 2-dimensional matrix, McCumber came up with a three-dimensional model that is depicted as a cube. As the Wikipedia article about the McCumber Cube says, it is, “depicted as a three-dimensional Rubik's Cube-like grid.”

As you can see, a picture is worth 1000 words. The McCumber Cube shows us, more or less, a 3-dimensional matrix, or a “3-by-3-by-3” (aka “3x3x3”) model, of all the key things to be considered and examined for developing a comprehensive information security framework, policy and methodology.

Central to this thought process is the assurance of information, or data, also called “Information Assurance” or IA. This is because in the world of cyberspace, as it's been said by many, “it's all about the data”. For example, think about the importance of “Big Data”! Let's look at the McCumber model applicable for IA and data security and other themes.

The 3 x 3 x 3 aspects of the McCumber Model Include:

1. The first dimension of the 3-dimensional McCumber Cube includes what's known as the A-I-C Triad from the discipline of “Information Assurance”, as I discussed in my “Primer on Cyberspace and Cybersecurity”. Please download and/or read it online, as a refresher, for more clarity on what the AIC Triad is all about.

Briefly, the AIC Triad, also called the CIA Triad by some (not my preference, CIA is taken!), stands for “Availability, Integrity and Confidentiality”. These are the three major qualities and components of Information Assurance (IA), which work together to ensure IA. They are also the major security qualities against which all other major security areas of the cube are measured.

2. The second dimension of the 3-dimensional McCumber Cube includes three “states” that all data and information can exist in, within the cyber world. These states include the “at-rest” state of data known as “storage” - either temporary (in random, dynamic or flash memory) or permanent (on the hard drive/disk or other media).

Also, there is the “state” of “processing” – conducted in various areas, by various components, which can also contain data and instructions for execution. Finally there is the “state” of “transmission” or what Information Assurance calls “in transit” as a state for data and information transiting over the wire.

Considering these three “states” of data and information, and what physical/logical/virtual components are involved, we have yet another dimensional overlay of security considerations to assure, and to compare all other things against within the McCumber cube. 

This includes each “state” of data and information against its availability requirements, its integrity requirements and its confidentiality requirements.

             Availability   Integrity   Confidentiality
People       Person 1       Pers 1      Pers 1
Process      Process 1      Proc 1      Proc 1
Technology   Tech 1         Tech 1      Tech 1

Unlike a ship that's built once and done (with only minor upgrades and maintenance thereafter), the world of cyber is constantly re-inventing and changing the game in huge ways, and calls for a more agile approach to its complex and often wicked nature in cybersecurity.

Things such as file hashes, checksums, encryption and other facilitators of protection and assurance are considered within this area and across all others, of the McCumber cube.

3. The third dimension of the 3-dimensional McCumber Cube reveals yet another vista of information security – where the other two dimensions must be used to measure “all major things security” against.

First, there is the “human factors” element of this side of the cube, also called the “people” aspect of security. People are, of course, the most important element of security as people can either make or break security.

Without people and their efforts and ingenuity, we would not have unique security models like the McCumber Cube. Just the same, without people and their tendency to choose convenience over security, as well as the tendency of things to move toward chaos, complexity and insecurity rather than toward security, we would also not need models like the McCumber Cube for security. Such irony.

Next, the third dimension of this McCumber Model includes “policy and practices” or what can perhaps be summarized and combined into what's known as “processes”. These policies and practices, and the related processes, must also consider the other dimensions of the cube, such as information security policy and a governance structure for all areas of security.

Things ranging from policy regarding the way data is handled to policies for router Access Control Lists and database access come into play. Practices include procedures, and all of these form processes that must consider all other aspects of security, the human side, as well as the A-I-C Triad of Information Assurance measured against them and applied to them.

The McCumber Model is a 3 x 3 x 3 Model that Can be Sub-Divided

The McCumber Model shows us an overall structure and picture, but it can and should also be sub-divided into smaller components and combinations. We can do this by looking at it two-dimensionally, as we move around the cube, so-to-speak.

Since two dimensional representations are a bit easier to follow, this is acceptable as long as the integrity of the overall 3-dimensional McCumber model is not lost.

For instance, we can look at each element of A-I-C, one-at-a-time, compared against people, processes and technologies, as a two-dimensional "3 x 3" where it would look like this in a 2-dimensional spreadsheet or table:

We can keep going here, and use process/people/technology 2, 3, 4, etc...so that every A-I-C policy artifact, element, characteristic is measured against every person, process, and technology which exists within an organization. Then, if we added the other dimension of the McCumber model, we could see each of these as related to data at rest, in transit, or in processing mode.

This complex task would result in a highly detailed, complex breakdown that would map out our entire information security in a “work breakdown structure”-like way such as what's found within systems engineering. However, this approach would probably be a bit tedious, so it is not necessarily what the McCumber Model can be limited to.

This highly detailed “work breakdown structure” or WBS-like approach might be feasible for building a ship, but it is probably not feasible for trying to consider “everything under the sun” when it comes to Information Security, considering the dynamic and rapidly changing cyber environment.

This also shows how context is important for the application of any security model. So to focus on what's important, the “big rocks” or our “center of gravity” for example, what we must do instead is pick major themes or areas of focus, to apply the McCumber model to.

This can prove a more effective approach to using the McCumber Model, suitable and agile enough for a highly dynamic, rapidly-changing cyber environment. 
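The theme-based use of the cube described above can be sketched in Python. This is an added example, not part of the original article: it tags a constructed control inventory for one hypothetical theme (a customer database) against the three axes, prints each 3 x 3 slice, and counts the cells with no control. The theme, the way each control is tagged, and all function names are assumptions.

```python
from itertools import product

# Axis labels as the article names them.
GOALS = ("Availability", "Integrity", "Confidentiality")
STATES = ("storage", "processing", "transmission")
MEANS = ("People", "Process", "Technology")

# Constructed inventory for one hypothetical theme ("customer database").
# Each control is tagged with the goals, states and means it addresses.
CONTROLS = [
    ("disk encryption",        {"Confidentiality"}, {"storage"}, {"Technology"}),
    ("file hashes/checksums",  {"Integrity"}, {"storage", "transmission"}, {"Technology"}),
    ("router ACL policy",      {"Confidentiality", "Availability"}, {"transmission"}, {"Process", "Technology"}),
    ("database access policy", {"Confidentiality", "Integrity"}, {"storage", "processing"}, {"Process"}),
    ("data-handling training", {"Confidentiality"}, {"storage", "processing", "transmission"}, {"People"}),
]

def build_cube(controls):
    """Map every (goal, state, means) cell to the controls that touch it."""
    cube = {cell: [] for cell in product(GOALS, STATES, MEANS)}
    for name, goals, states, means in controls:
        for cell in product(goals, states, means):
            cube[cell].append(name)  # KeyError here means a mistyped axis label
    return cube

def slice_2d(cube, state):
    """The 3 x 3 view for one data state: rows are means, columns are goals."""
    return [[len(cube[(g, state, m)]) for g in GOALS] for m in MEANS]

def gaps(cube):
    """Cells with no control at all, i.e. where the theme has no coverage."""
    return sorted(cell for cell, names in cube.items() if not names)

def render(cube, state):
    lines = [f"{state:<12}" + "".join(f"{g:>16}" for g in GOALS)]
    for m, row in zip(MEANS, slice_2d(cube, state)):
        lines.append(f"{m:<12}" + "".join(f"{n:>16}" for n in row))
    return "\n".join(lines)

if __name__ == "__main__":
    cube = build_cube(CONTROLS)
    for s in STATES:
        print(render(cube, s), end="\n\n")
    print(f"{len(gaps(cube))} of {len(cube)} cells uncovered")
```

With this constructed inventory every Availability cell for stored and processed data comes back empty, which is the kind of gap a flat checklist of controls tends to hide.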

