Teach Cyber: Unit 4 Lesson 3


Computers

9th - 12th Grade

Created by Kimberly A Van Horn

18 Slides • 6 Questions

This document is licensed with a Creative Commons Attribution 4.0 International License

Unit 4

Lesson 3

Data, Software, Hardware and Network Security

Lesson 3 – Data - Principles

Learning Outcomes

Upon completion of this lesson, students will be able to:

U4.L3.1: Analyze existing data security concerns and assess methods to overcome those concerns (focus on the data states).

U4.L3.2: Describe the requirements for protecting data at rest (storage), in transit (networks), and in processing.

Data and the McCumber Cube

McCumber Cube: Illustrates design aspects for securing data in every level of abstraction

• Security Goals (we saw the CIA principles in Lesson 2)
• Information States (we will see data in each state in this lesson)
• Countermeasures (we will talk about security controls in Lesson 4)

Figure: The McCumber Cube

Data at Rest, In Transit, Processing

Watch video Data Sets: Data-at-rest, in transit and in-use

https://www.youtube.com/watch?v=yRxsQP740LM

Data at Rest, In Transit, Processing

At Rest (stored) - data stored on a device, server, cloud, or a backup medium.

• For example, stored private photos and comments on Instagram.

• Instagram could process your data either locally on your phone or on their servers. Instagram could have multiple servers and cloud storage where these photos and comments are stored (anywhere in the world).

• We must ensure that nothing except the Instagram application (no other application, and not the phone/server operating system) is able to see (confidentiality), change (integrity), or delete (availability) our photos while they are stored, whether locally or remotely.

Multiple Choice

At rest data is stored

1. True
2. False

Data at Rest, In Transit, Processing (cont. 1)

In Transit (network) - data traveling across a network.

• For example, uploading private photos and comments on Instagram using your phone over your home Wi-Fi.

• Before it reaches Instagram, the data is crossing multiple network nodes across the country and the globe.

• We must ensure none of these nodes are able to see (confidentiality), change (integrity), or delete (availability) our photos before they reach the Instagram server.

Multiple Choice

In transit data is moving (usually across a network)

1. True
2. False

Data at Rest, In Transit, Processing (cont. 2)

In Processing (In-Use) - data actively processed (used) by an application.

• For example, private photos and comments processed by the Instagram application.

• Instagram could process your data either locally on your phone or on their servers.

• We must ensure that nothing except the Instagram application (no other application, and not the phone/server operating system) is able to see (confidentiality), change (integrity), or delete (availability) our photos while they are processed, whether locally or remotely.

Multiple Choice

Processing Data is in-use data (actively processed)

1. True
2. False

Data Hacks - Compromise of Data at Rest

PlayStation suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts in what is one of the largest to-date Internet security break-ins. The “unauthorized person” obtained people’s names, addresses, emails, birth dates, usernames, passwords, security questions...

77 million user accounts - this is a breach of data at rest: the data was obtained by an unauthorized person, who was able to locate the data and steal it from the PlayStation servers.

Multiple Choice

Which type of data did the PlayStation hack attack?

1. Processing
2. Transit
3. At rest

Data Hacks - Compromise of Data in Transit

Stuxnet infected PCs used for automating and monitoring electromechanical equipment. Stuxnet was sending damage-inducing instructions to the electromechanical equipment. At the same time, Stuxnet sent false feedback to the main controller so anyone monitoring the equipment would have had no indication of a problem...

Damage-inducing instructions and false feedback - this is a compromise of data in transit because Stuxnet was sending the instructions and the feedback over a network.

Multiple Choice

What type of data did the Stuxnet hack attack?

1. Processing
2. Transit
3. At rest

Data Hacks - Compromise of Data in Processing

WannaCry is a ransomware cryptoworm that targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency to provide a secret decryption key.

Encrypting data - this is a compromise of data in processing (use) because it affected data regularly processed by the Microsoft Windows operating system (in addition to data at rest, which also was encrypted by the ransomware).

Multiple Choice

What type of data did the WannaCry hack attack?

1. Processing
2. Transit
3. At rest

Data at Rest per Abstraction Level

Unauthorized access, modification, and disruption of data at rest.

• Bit-level: cloud storage, USB, hard drives, phones, any removable media.
• System-level: operating system files, device configuration files.
• Personal-level: passively stored files containing names, addresses, emails, birth dates, usernames, passwords, security questions, biometrics.

Data in Processing per Abstraction Level

Unauthorized access, modification, and disruption of data in processing.

• Bit-level: processors, memory.
• System-level: firmware, low-level operating system instructions.
• Personal-level: actively used files containing names, addresses, emails, birth dates, usernames, passwords, security questions, biometrics.

Data in Transit per Abstraction Level

Unauthorized access, modification, and disruption of data in transit.

From Unit 3, Lesson 2: use the TCP/IP network stack

• Bit-level: physical layer for the network transmission of data
• System-level: medium access, network, transport layers
• Personal-level: application level

Data States and Security Concerns (cont. 1)

Discuss:

• Is it possible to completely delete our data in cyberspace from every state?
• Can we remove our data from Instagram forever?

Lesson 3 Takeaway

The attacker can attack the CIA of data at any state and at different times, while the defender must defend the CIA of data at every state all the time.
