Friday, May 4, 2018

Reducing Privacy and Security Risks With Threat Modeling


Reducing privacy and security risks starts with knowing what the threats really are. An excellent article on personal threat modeling appeared in Ars Technica (July 8, 2017).

"Who you are, what you are doing, and where you are doing it are all major factors in determining what threats you face. Where you work, your social and political activities, your notoriety, social connections, travel, and other factors all play into your threat model, too. Such characteristics introduce different sets of potential risks to your security and privacy, and these traits could attract different sorts of potential adversaries. Of course, some activities invite risk in and of themselves based on the kind of information being exposed. In the world of threat modeling, these are often referred to as "assets" - the important pieces of information you want to use in an activity but simultaneously want to protect. Pieces of information that could be used to expose your assets are just as essential to protect as the assets themselves. Personal biographical and background data might be used for social engineering against you, your friends, or a service provider. Keys, passwords, and PIN codes should also be considered as valuable as the things that they provide access to."

Creating Your Own Personal Threat Model
 
To create your own personal threat model, ask yourself the following questions:

* What are the assets you care most about protecting? (emails, images, video, your location, identity, financial information, etc.)

* Who are the different user groups you interact with? (friends, family, employer, random person on the train)

* What are the systems where your data is stored? (websites you frequent, devices, and services)

* How do all of these things interact? (It usually helps to draw a picture)

* What are the rules you want to maintain? (Who can see your pictures? How much can your employer know about you?)

* What are the top threats that I am worried about? (Hackers? Government intrusion?)

* What steps can I take to best protect against the top threats?
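The questions above can be written down as data and checked mechanically. The following Python sketch is an added example, not taken from this post or from the Ars Technica article: it records assets, systems, audiences, interactions and rules, then follows the interactions to list every place where an asset can end up visible to a group the rules do not allow. All asset, system and group names are constructed for illustration.

```python
from collections import deque

# Constructed sample model; every name here is illustrative.
ASSETS = {  # asset -> system where it is stored
    "vacation_photos": "photo_app",
    "home_location": "phone",
    "bank_login": "password_manager",
}
AUDIENCE = {  # system -> user groups able to see what it holds
    "phone": {"me"},
    "photo_app": {"me", "friends", "family"},
    "social_site": {"me", "friends", "family", "employer", "strangers"},
    "password_manager": {"me"},
}
FLOWS = {  # how systems interact: data in the key can move to the listed systems
    "phone": ["photo_app"],        # assumption: backups carry location metadata
    "photo_app": ["social_site"],  # assumption: automatic sharing is enabled
}
RULES = {  # asset -> groups that are allowed to see it
    "vacation_photos": {"me", "friends", "family"},
    "home_location": {"me", "family"},
    "bank_login": {"me"},
}

def reachable(start, flows):
    """Every system an asset stored in `start` can reach by following flows."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in flows.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def violations(assets, audience, flows, rules):
    """List (asset, system, group) where a group outside the rule can see the asset."""
    found = []
    for asset, home in sorted(assets.items()):
        for system in sorted(reachable(home, flows)):
            for who in sorted(audience.get(system, set()) - rules[asset]):
                found.append((asset, system, who))
    return found

if __name__ == "__main__":
    for asset, system, who in violations(ASSETS, AUDIENCE, FLOWS, RULES):
        print(f"{asset}: visible to {who} via {system}")
```

Removing or restricting a flow and re-running the check shows which protective step removes the most exposure.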

