Cozy Internet Corner

Introduction

I like my privacy, and I think you should too. I don't like to feel like a victim to large corporations or law enforcement who collect lots and lots and lots of data about almost everyone who exists. I am also in several communities that help people to achieve online privacy. This has mainly been for one reason so far: fear.

To be fair to myself, there are indeed legitimate reasons to fear data collection. These reasons include things like:

  1. If people are scared of surveillance, then they are probably less likely to research controversial issues for fear of being branded as an activist by the government. This leads to less education on important topics that will affect our future
  2. Cars are nowadays often made to track people for the purpose of evaluating someone's rate for insurance. In the event of a data breach, this data could easily be used by an ex or another bad actor to show up at your location and confront you
  3. Even many western governments engage in anti-movement behavior. This again causes people to be scared to advocate for change in their governments, undermining the democratic process

For more examples, visit The New Oil.

Most people probably don't like these things, but they probably also don't understand their significance.

Unfortunately, fear is not all that good a reason to do things, because it is not rational. I was afraid of the potential of identity theft, losing my data to ransomware, losing the money in my bank account, the government knowing all of my habits and using it against me, someone getting their hands on my phone and getting the data off, etc. Because of these fears, I looked for solutions, I installed GrapheneOS, I deleted the accounts I didn't need, I didn't create some accounts I probably did need, I used email aliases, etc.

Although most of these actions were useful, some were not, and worse, I was living in fear of things I didn't need to be. I thought that everything was a threat and I wanted to protect myself from all of it.

I had heard the term threat modeling thrown around before, I had heard it was important, but I didn't really believe it. I thought, "I am doing just fine without one, why should I make one?"

Eventually, after several years, I have just now finally made one. It has highlighted for me what things I do that really are useful (password managers, MFA, etc.), what things I do that it wouldn't be the end of the world if I couldn't fully implement (email aliases, fingerprint resistant browsers, etc.), and what things I have ignored that really would significantly enhance my safety (security keys). And I guess I was right, I was doing just fine without one, but what if I could have been doing good with one?

Overall, the biggest thing that threat modeling has already noticeably increased is my confidence. I feel more protected because I have actually done the thinking, and I feel less scared because there aren't these big nebulous concepts out there that I am trying to protect against. The concepts are now contained and feel manageable.

How Can You Do This Too?

I was listening to a podcast while writing this post, and it pointed something out I had not thought of: Maybe the fear was an essential learning step required for threat modeling. What I mean is that in order to threat model you need to assess the likelihood and severity of different threats, and the effectiveness of solutions. For me, this knowledge did indeed come from the fear stage of researching all possible threats and protections.

I guess you don't have to try everything, but you do indeed need to do some research and thinking before you even start. You need to read articles on potential threats, join online communities, try out different solutions, and be open to the possible results. I have placed some suggestions of potential resources, as well as a link to the podcast, at the end.

You can probably do yours differently, and I am not an experienced threat modeler, so you may well have a better format, but here is how I did it:

  1. Create a new document
  2. Put a heading called "Assets," and list all of the things that you have that someone could steal or use to hurt you in some way. These can be nebulous concepts too, like if you try to keep your different social media profiles separate. It's okay if it's incomplete. You will think of more stuff as you go through the rest
  3. Create a new heading "Threats," and list all of the ways people could use these things to hurt you
  4. Now create a heading called "Defenses." This part will be a little more complex. Write things you could do that you think would protect you. Then, find an asset this would protect, and what method of attack it would protect against. Rate this pair by how severe it is (how likely it is to happen, how well the defense protects against it, how bad it would be if it happened, etc.). You can put things you already do on here as well to analyze their validity
  5. Finally, go back and look over your defenses. If there are things with lots of high numbers, you should probably implement those defenses. If there are things with only a few low numbers, they might not be worth it

Simplified Example

In this example we see that a password manager and a credit freeze scored highly, due to the large impacts of insecure passwords, the protection of your bank account by a strong password stored in a password manager, and the large impact of identity theft. In contrast, email aliases didn't do so well. They protect against surveillance and spam, but those aren't the end of the world.

Here, I would totally get a password manager, and freeze my credit, and maybe still try out email aliases if I felt like it, but it would also be fine to not.

It's worth noting that this can change though, so you should still do it for yourself. What if you needed to give out your email to lots of people for job searching, without people being able to compare notes on you, or risking them not being careful with your address and opening you up to harassment? Then maybe email aliases would rank more highly.

Assets

  1. Passwords
  2. Money in bank
  3. Personally identifiable information
  4. Email address

Threats

  1. Credential stuffing
  2. Spam
  3. Surveillance
  4. Monetary theft

Defenses

  1. Password manager (Passwords->Credential stuffing: 7/10, Money in bank->Monetary theft: 8/10)
  2. Credit freeze (PII->Identity theft: 8/10)
  3. Email aliases (Email address->Surveillance: 4/10, Email address->Spam: 2/10)
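
The procedure above, run over this simplified example, as an added example that is not part of the original post: a short Python script that parses the three headings, reports any asset or threat named in a rated pair but missing from the lists, and orders the defenses the way step 5 suggests. The function names and the `high=7` cut-off for a "high number" are assumptions made for the illustration.

```python
import re

# The simplified example from the post, transcribed as text (labelled input).
MODEL = """\
Assets
1. Passwords
2. Money in bank
3. Personally identifiable information
4. Email address
Threats
1. Credential stuffing
2. Spam
3. Surveillance
4. Monetary theft
Defenses
1. Password manager (Passwords->Credential stuffing: 7/10, Money in bank->Monetary theft: 8/10)
2. Credit freeze (PII->Identity theft: 8/10)
3. Email aliases (Email address->Surveillance: 4/10, Email address->Spam: 2/10)
"""
PAIR = re.compile(r"\s*(.+?)\s*->\s*(.+?)\s*:\s*(\d+)\s*/\s*10\s*")

def parse_model(text):
    """Split the document into its three headings; expand each defense into rated pairs."""
    model, section = {"Assets": [], "Threats": [], "Defenses": {}}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        item = re.sub(r"^\d+\.\s*", "", line)  # drop the list number
        if line in model:
            section = line
        elif section == "Defenses":
            name, _, rest = item.partition("(")
            pairs = [PAIR.fullmatch(p) for p in rest.rstrip(")").split(",")]
            model[section][name.strip()] = [(m[1], m[2], int(m[3])) for m in pairs if m]
        elif section:
            model[section].append(item)
    return model

def unlisted(model):
    """Names used in a rated pair but missing from Assets/Threats (exact match only)."""
    pairs = [p for ps in model["Defenses"].values() for p in ps]
    return sorted({a for a, _, _ in pairs if a not in model["Assets"]} |
                  {t for _, t, _ in pairs if t not in model["Threats"]})

def rank(model, high=7):
    """Step 5: order by count of high ratings, then best rating. high=7 is an assumed cut-off."""
    rows = [(name, sum(s >= high for _, _, s in ps), max(s for _, _, s in ps))
            for name, ps in model["Defenses"].items() if ps]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)

if __name__ == "__main__":
    print(rank(parse_model(MODEL)), unlisted(parse_model(MODEL)))
```

On the example it orders the defenses password manager, credit freeze, email aliases, and lists `Identity theft` and `PII` as names to go back and add under the headings, since matching is by exact name.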

Resources

Firewalls Don't Stop Dragons

The New Oil

Privacy Guides

Techlore

Podcast

Do You Know A Better Way?

If you think you know a better template for threat modeling, or you think I got something else wrong, please let me know by using the link below to send me an email. Happy threat modeling!

Reply to this post by email ↪