Threat Modeling, a beginners guide

Threat Modeling, a beginners guide

If you are always worried about your Internet Service Provider, corporations, and the government watching you, or you have been looking to have a fair understanding of security on the internet, maybe it’s time to complete an exercise called threat modeling.

It sounds like something the Pentagon does in a war room, but it’s aterm used by software developers anticipating security issues in theircode. Practically speaking, threat modeling is something everyone should do when considering how to safeguard their data.

Follow the steps below to transform your vague paranoia into a rational game plan and get some peace of mind:

What is threat modeling?

A good threat model is a thorough description of five things:

  1. What you have to protect
  2. Who you want to protect it from
  3. The probability of them getting it
  4. How far you’re willing to go to protect it
  5. What would happen if you failed

1. What you have to protect: The assets

Don’t think of this as asking “What do you have to hide?”. Just try to think of all the types of data you have on your digital devices, where you keep them, and how many copies exist.

Emails, photos, messages, documents: How much of it is in the cloud,and how much is only on local devices? How many of those local devicesconnect to the internet (smartphones, laptops), and how many don’t (hard drives, USB)?

2. Who you want to protect it from: The adversaries

For each asset, think about the consequences of it falling into thewrong hands. For instance, if you’re a journalist, you may have severalpoliticians and/or corporations who would like a look at your contactlist.

Maybe you have certain people whom you wouldn’t want to access yoursocial media profiles. Don’t limit your thinking to just the people with the technical know-how to obtain your assets, because we’ll get to that in the next step.

3. The probability of them getting it: The risk

For each adversary, think of how likely he/she is to gain access toyour data, or even attempt an attack in the first place. This willdepend on their technical skill level, motivation, and intent.

Your neighbor might enjoy some free Wi-Fi now and again, but she might not be devious or motivated enough to try to steal your password. If you work in sales, your competitor has a financial motivation to see your private emails, but are they technically able to hack into your laptop?

Your ISP has access to your browsing history (unless you use Tor and/or a VPN), but are they likely to use it to blackmail you? Maybe you don’t like the idea of ISPs having your data in the first place (we certainly don’t!), but it’s still helpful to be realistic about threat likelihood, mostly just for sanity’s sake.

4. How far you’re willing to go to protect it: The cost

If you’ve read this far, chances are you’re no slouch when it comesto internet privacy. But it’s worth considering how much time (andmoney) you’re willing to spend to protect your assets.

For most people, a subscription to a private, encrypted VPN service is the easiest solution, but there are many additional measures you can take if you’ve evaluated your situation as high-risk.

  • Use end-to-end encryption
  • Encrypt your hard drive
  • Always use strong passwords
  • Turn on two-factor authentication (2FA)
  • Keep software updated

Some tools are free, some cost money, but all will take a little bitof time to set up. Think about cost vs. benefit before you treat it like a strict to-do list.

5. What would happen if you failed: The consequences

Finally, take a look at the worst-case scenario. Everyone has private data, but the implications of compromised data are different foreveryone. Is it financial ruin? Marital destruction? Crippling shame and social exile? All of the above? Or maybe nothing at all?

Privacy is for everyone, regardless of whether you think you have “something to hide.” Just because you’re not doing anything illegal doesn’t mean you should let the government snoop on your online traffic. People behave differently when they know they’re being watched, so think about the consequences to your long-term psychological health as well!

Remember, you can’t stop all the bullets

The internet is as life itself, you can never be entirely out of harm’s way. But hopefully, the simple exercise of threat modeling is enough to put your paranoia in perspective!