What is Threat Modeling for Individuals?
Threat modeling is a way of thinking about risk. It is not only about technological solutions, although they do play a role in mitigating or lessening threats. When you think about defense, start by thinking about what you’re defending and how valuable it is.
Let’s start with an example that you might already have in your house: smart speakers (Alexa, Echo or Google). Here are some of the things I thought of while looking at this issue:
What do you want to protect?
My Location
Privacy
Search History
Voice Recordings
Who do I want to protect it from?
Tech Company
Data Brokers
ISP
Hackers
How likely is it that I will need to protect it?
Tech Company
Amazon gets hacked with all your data released
Amazon gets hacked with very little data stolen
Data Brokers
Amazon sells my data to a data broker
Personal information aggregates across the web
ISP
Can snoop the traffic and “listen in”
Hackers
Can listen in on private conversations
Use Alexa to control IoT devices – for instance: “Alexa, open the garage door”
How bad are the consequences if I fail?
Personal and confidential information is released and monetized
Voice is used to train AI for spoofing those I care about
Here is the process that we are illustrating:
Threat modeling for individuals is an ongoing process that is never finished. Things always change and we need to adapt.
Steps to Individual Threat Modeling
What do I want to protect? An “asset” is something you value and want to protect. Emails, contact lists, financial information, instant messages, your location, files, and devices are examples.
List your “assets”: the data that you keep, where it’s kept (which computers, encrypted backups, etc.), who has access to it (is it locked away somewhere?), and what stops others from accessing it.
Who do I want to protect it from? A person or entity that poses a threat to your assets is an “adversary”. Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.
Make a list of your adversaries or those who might want to get a hold of your assets. This list may include individuals, a government agency, or corporations.
Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you’re done security planning.
How likely is it that I will need to protect it? Risk is the likelihood that a particular threat against a particular asset will actually occur. It goes hand-in-hand with capability. Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.
How bad are the consequences if I fail? Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government probably has stronger capabilities. Write down what your adversary might want to do with your private data.
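The four questions above can be kept as a small threat register. The sketch below is an added example, not part of the original post: it applies the questions to the smart speaker scenarios listed earlier. The 1-5 scores, the asset assigned to each scenario, the likelihood × impact product, the threshold and the `keep_catastrophic` rule are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    asset: str       # What do I want to protect?
    adversary: str   # Who do I want to protect it from?
    scenario: str    # What could happen?
    likelihood: int  # How likely is it? 1 (rare) .. 5 (expected); constructed scale
    impact: int      # How bad if I fail? 1 (minor) .. 5 (severe); constructed scale

    def __post_init__(self):
        for field in ("likelihood", "impact"):
            value = getattr(self, field)
            if not 1 <= value <= 5:
                raise ValueError(f"{field} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        # Assumption: likelihood x impact, a common convention the post does not prescribe.
        return self.likelihood * self.impact

# Scenarios from the smart speaker example; asset mapping and numbers are constructed.
REGISTER = [
    Threat("Voice recordings", "Tech company", "breach, all data released", 2, 5),
    Threat("Voice recordings", "Tech company", "breach, very little data stolen", 3, 2),
    Threat("Search history", "Data brokers", "data sold to a data broker", 4, 3),
    Threat("Privacy", "ISP", "traffic snooped in transit", 2, 2),
    Threat("Privacy", "Hackers", "private conversations overheard", 2, 4),
    Threat("Home access", "Hackers", "voice command opens the garage door", 1, 5),
]

def triage(register, threshold=8, keep_catastrophic=True):
    """Return (take_seriously, accept_for_now), each sorted highest risk first.

    keep_catastrophic is an added policy choice: a rare scenario with maximum
    impact stays on the serious list even when its score is below the threshold.
    """
    ranked = sorted(register, key=lambda t: (t.score, t.impact), reverse=True)
    serious = [t for t in ranked
               if t.score >= threshold or (keep_catastrophic and t.impact == 5)]
    accepted = [t for t in ranked if t not in serious]
    return serious, accepted

if __name__ == "__main__":
    serious, accepted = triage(REGISTER)
    for label, group in (("TAKE SERIOUSLY", serious), ("ACCEPT FOR NOW", accepted)):
        print(label)
        for t in group:
            print(f"  {t.score:>2}  {t.adversary:<13} {t.asset:<17} {t.scenario}")
```

Re-score the register whenever something changes (a new device, a new adversary, a breach in the news), since the ranking is only as current as the numbers behind it.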
Some mitigation strategies
Regularly update software and firmware: Keep all systems, devices, and software up to date with the latest security patches and updates. This helps protect against known vulnerabilities that hackers could exploit.
Use strong and unique passwords: Enforce the use of strong passwords that consist of a combination of uppercase and lowercase letters, numbers, and special characters. Avoid using the same password for multiple accounts. Use a password manager to keep track of your usernames, passwords and important information. I suggest Bitwarden or KeePass.
Multi-factor authentication (MFA): Enable MFA wherever possible to add an extra layer of security. This adds an additional step to verify the user’s identity.
Implement firewalls: Firewalls monitor and control network traffic. Implementing a hardware firewall can help identify and block malicious activity.
Secure network connections: Use secure protocols, such as HTTPS, for all network connections. Avoid using unsecured or public Wi-Fi networks, especially when accessing sensitive information.
Encrypt sensitive data: Use encryption to protect sensitive information both during storage and transmission. This ensures that even if data is intercepted, it would be unreadable without the appropriate decryption key.
Perform regular backups: Regularly back up important data to ensure that it can be recovered in case of a security incident. Store backups in a secure location, separate from the primary systems and encrypt them before storing them.
Conduct security awareness training: Educate your family about the importance of security best practices, such as recognizing phishing emails, avoiding suspicious websites, and reporting any security concerns.
Monitor and analyze system logs: Set up and regularly review logs from your systems, networks, and applications. This can help detect any unusual activity or signs of a security breach.
Incident response planning: Develop a comprehensive incident response plan that outlines the steps to be taken in the event of a security incident. This ensures a timely and effective response to mitigate further damage.
Summing it all up
Someone once said that Noah started building the ark before there was even a drop of rain in the sky. Being prepared to protect yourself and your family is important. Thinking about what you have and hold dear, whether it is something that could be monetized against you, something that is personal to you or your family, or just something you don’t want to lose, should be the start of a journey to keep it. There are data breaches on almost a daily basis, and data brokers and companies are selling our information. Data has no borders; you can send it anywhere. Protect yourself by doing a threat model for yourself and your family. Then take action.
Yes, this is a different way of looking at the world and it may seem strange when you start it for the first time, but it will help in many ways. You will narrow down what you have to protect and focus on ways to protect it.