Confidentiality

| Information State | Safeguard | Example | Pentest Focus |
|---|---|---|---|
Storage | Technology | Encrypt database files and sensitive documents at rest | Check for unencrypted sensitive files, weak encryption |
Storage | Policies | Data classification policy (e.g., public vs confidential) | Test if sensitive data is stored in incorrect locations |
Storage | People | Train staff on secure file handling | Social engineering tests, staff awareness evaluation |
Transmission | Technology | TLS/SSL, VPN for data in transit | Test for weak SSL, MITM, unencrypted channels |
Transmission | Policies | Network access rules (no public Wi-Fi for sensitive data) | Attempt unauthorized network access, bypass VPN rules |
Transmission | People | Train users not to send unencrypted emails | Phishing and awareness testing |
Processing | Technology | Memory encryption, secure enclaves (Intel SGX) | Test memory leaks, dump attacks, and enclave bypass |
Processing | Policies | Access control (least privilege) | Test privilege escalation or unauthorized access |
Processing | People | Awareness of screen privacy, locking devices | Physical access attempts, observation attacks |
Integrity

| Information State | Safeguard | Example | Pentest Focus |
|---|---|---|---|
Storage | Technology | Hashing and digital signatures for stored files | Attempt to tamper with files or bypass integrity checks |
Storage | Policies | Version control, audit trails for changes | Test for unauthorized file modifications or missing logs |
Storage | People | Train staff to validate and handle data correctly | Test adherence to data handling procedures |
Transmission | Technology | Message authentication codes (MAC), checksums | Try replay attacks or tampering of transmitted data |
Transmission | Policies | Secure API contracts and input validation | Test API for injection, parameter tampering |
Transmission | People | Awareness of how to detect tampered files/emails | Simulate phishing or altered communications |
Processing | Technology | Input validation, runtime integrity checks | Attempt SQL injection, code injection, or manipulation |
Processing | Policies | Change management procedures | Check if unauthorized configuration/code changes are possible |
Processing | People | Train developers on secure coding practices | Review code for insecure coding, weak logic handling |
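The Storage/Technology and Transmission/Technology rows of the integrity table name hashing, signatures and MACs, and the pentest focus is tampering and replay. The following Python example is added here (it is not part of the original table) to show what those controls look like in code and how a tester's tamper and replay attempts are detected: files are tagged with HMAC-SHA256, transmitted messages carry a sequence number under the same tag, and the receiver rejects both a modified body and a re-sent message. The key, file content and message payload are constructed for the demonstration; `Receiver`, `demo` and the other names are assumptions of this example, not an API from the page.

```python
# Added example (not from the original table): integrity protection for stored
# files and transmitted messages using HMAC-SHA256, with a monotonic sequence
# number so that a replayed (re-sent) message is rejected even though its tag
# is still valid. Key and sample data below are constructed for the demo.
import hashlib
import hmac
import json

# Constructed demo key; in practice this comes from a KMS or secret store.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def tag_file_bytes(key: bytes, content: bytes) -> str:
    """Return a hex HMAC-SHA256 tag for stored file content (Storage/Technology)."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def verify_file_bytes(key: bytes, content: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself does not leak timing info."""
    return hmac.compare_digest(tag_file_bytes(key, content), tag)


def make_message(key: bytes, seq: int, payload: dict) -> dict:
    """Build a transmitted message: sequence number + payload, tagged together."""
    body = json.dumps({"seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return {"body": body,
            "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


class Receiver:
    """Verifies the tag and rejects any sequence number already seen (replay)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, msg: dict) -> tuple:
        expected = hmac.new(self.key, msg["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return (False, "bad-tag")      # body or tag was altered in transit
        seq = json.loads(msg["body"])["seq"]
        if seq <= self.last_seq:
            return (False, "replay")       # tag valid, but message already seen
        self.last_seq = seq
        return (True, "ok")


def demo() -> dict:
    """Run the tamper and replay checks a pentester would try; report each."""
    results = {}
    # 1. Stored file: flip a value and confirm the stored tag no longer verifies.
    original = b"classification: confidential\nrecord: 42\n"   # constructed
    tag = tag_file_bytes(DEMO_KEY, original)
    tampered = original.replace(b"42", b"43")
    results["file_intact"] = verify_file_bytes(DEMO_KEY, original, tag)
    results["file_tampered_detected"] = not verify_file_bytes(DEMO_KEY, tampered, tag)

    # 2. Transmitted message: change the payload without re-computing the tag.
    rx = Receiver(DEMO_KEY)
    msg = make_message(DEMO_KEY, 1, {"action": "transfer", "amount": 100})
    results["msg_ok"] = rx.accept(msg)
    forged = dict(msg, body=msg["body"].replace("100", "1000"))
    results["msg_forged"] = rx.accept(forged)

    # 3. Replay: resend the already-accepted message unchanged.
    results["msg_replayed"] = rx.accept(msg)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design points matter for the pentest focus in the table: the tag must be compared with `hmac.compare_digest` rather than `==`, and replay protection must come from state the receiver keeps (here a last-seen sequence number), because a valid tag on its own proves only that the sender produced the message at some point, not that it is being delivered for the first time.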
Availability

| Information State | Safeguard | Example | Pentest Focus |
|---|---|---|---|
Storage | Technology | RAID, redundant storage, cloud backups | Simulate disk failures, check backup restoration |
Storage | Policies | Backup and disaster recovery policies | Test recovery process and compliance with policies |
Storage | People | Train staff to restore systems from backups | Evaluate staff response to simulated data loss |
Transmission | Technology | Load balancing, DDoS protection | Stress test or simulate traffic floods safely |
Transmission | Policies | SLAs for uptime and redundancy | Verify compliance with availability policies |
Transmission | People | Network admins trained to mitigate outages | Test incident response to network outages |
Processing | Technology | Failover systems, clustering | Test system failover and continuity mechanisms |
Processing | Policies | Business continuity planning | Evaluate disaster recovery plans and response |
Processing | People | Trained IT staff to handle incidents quickly | Simulate server or service outages and response readiness |
This gives you the full mapping of all 27 practical intersections of the Cybersecurity Cube (three security principles, three information states and three safeguard categories) for a government web application that handles sensitive data.