Extension to the McCumber Cube



Following my previous Monday blues ranting article, today is a good Monday – albeit even closer to my exams than the previous week :-P – nevertheless between correcting assignments and fixing my system at home I’ve had my hands full this weekend.

My Epatec3850 ebox is currently a sitting duck as I am still unsure what the problem with it is. Instead I’ve decided to go greener by selling off one of my P4 machines only to get an AsusB202 ebox. Needless to say, I love the box. Consuming only 20W I now feel better that amidst the rising electricity tariffs, I should be consuming less power than a full blown PC (450W). Performance with WinXP is excellent and I even run my Debian box inside VMWare without too much performance loss when using the system for normal PC usage. Only thing I did was beef up the memory to 2Gb. My WRT54G WDS network is also much more stable as I reset all the boxes and flashed back with the standard DDWRT 24vSP1 firmware. Running with WPA2-AES over WDS all my devices happily connect and talk to each other without any drops or losses. (fingers-crossed) all is working in unison.

Back to the security topic of interest: an article written by Sean M. Price in the September ISSA Journal on an extension to the McCumber Cube to model network defense.

Firstly, the McCumber cube was developed by John McCumber as a way to model risk management. It provides the security practitioner with a way to consider risk from different perspectives, employing three different aspects, namely information states, countermeasures and security services. Sean does an excellent job giving examples of how the cube can be used in practice.

Building on the CIA triad, Sean talks about extending it to reduce reliance on inexact estimates and improve risk assessment by focusing on attacks while coming up with explicit countermeasures. So, in addition to the above cube, attacks are added to the equation to achieve the security goals of CIA.

ATTACK + Information State + Countermeasures -> Security Goal

What is cool is that Sean systematically broke down attacks to fit the model in a way that makes more sense. The images below explain the logic behind it, and I truly think it makes sense to associate specific attacks with a selected information state and a particular security service.

The proposed extension now takes the below form

The proposed extension to the McCumber cube takes risk assessment from a different angle. Why not consider specific threats and the estimate of their likelihood, and then identify countermeasures that should be in place to defend against them? A lack of existing countermeasures from a defense-in-depth perspective (which is a vulnerability) equates to more risk for the system.
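The attack-centric gap check described above, as an added example that is not taken from Sean Price's article or from this post. The axis values are the standard McCumber Cube ones; the attack catalogue, likelihoods, deployed countermeasures and the scoring formula (likelihood times the share of missing countermeasure layers) are constructed assumptions.

```python
from dataclasses import dataclass

# Standard McCumber Cube axes.
STATES = {"transmission", "storage", "processing"}
GOALS = {"confidentiality", "integrity", "availability"}
LAYERS = ("technology", "policy", "human")  # countermeasure categories

@dataclass(frozen=True)
class Attack:
    name: str
    state: str         # information state the attack targets
    goal: str          # security goal it threatens
    likelihood: float  # analyst's estimate in 0..1 (constructed values below)

# Constructed sample catalogue: ATTACK + information state -> security goal.
ATTACKS = [
    Attack("sniffing", "transmission", "confidentiality", 0.6),
    Attack("sql injection", "processing", "integrity", 0.8),
    Attack("disk theft", "storage", "confidentiality", 0.2),
]

# Constructed inventory of countermeasures in place, per attack and layer.
DEPLOYED = {
    ("sniffing", "technology"): ["WPA2-AES"],
    ("sniffing", "policy"): ["no open wireless networks"],
    ("sniffing", "human"): ["awareness training"],
    ("sql injection", "policy"): ["code review checklist"],
    ("disk theft", "technology"): ["full disk encryption"],
    ("disk theft", "policy"): ["asset handling procedure"],
}

def gaps(attack, deployed):
    """Countermeasure layers with nothing deployed against this attack."""
    return [layer for layer in LAYERS if not deployed.get((attack.name, layer))]

def assess(attacks, deployed):
    """Rank attacks by likelihood weighted by missing defense-in-depth layers."""
    rows = []
    for a in attacks:
        if a.state not in STATES or a.goal not in GOALS:
            raise ValueError(f"{a.name}: not a valid cube cell")
        missing = gaps(a, deployed)
        score = round(a.likelihood * len(missing) / len(LAYERS), 3)
        rows.append((a.name, a.state, a.goal, missing, score))
    return sorted(rows, key=lambda r: r[4], reverse=True)

if __name__ == "__main__":
    for row in assess(ATTACKS, DEPLOYED):
        print(row)
```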

A model which is closer to a state of reality as opposed to something which relies on estimates is preferable. Often the estimates used in risk assessments have little research or quantitative results to support their assertions.

The result is a better evaluation of system risk and a more discrete identification of countermeasures needed to defend a network against specific types of attacks – and I am all over it… :-)

Posted by Donald Tabone
