Threat Modeling

I believe that the journey to a more private life begins when a person evaluates why privacy matters to them.  If you are a law enforcement officer, there are a multitude of reasons to reduce the amount of personal information that is available about you online.  Your safety and the safety of your family are at the forefront of this discussion.  During your career you may also become a juicy target for the media, identity thieves, or organized crime.  A victim of domestic violence or stalking may want privacy to escape a life-threatening situation or individual.  The general public may simply want to make themselves more difficult to compromise by thieves seeking to steal their identity for any number of reasons.  Maybe you are just uncomfortable with the fact that anyone with a computer can Google your name and within seconds have your home address, including exterior and sometimes interior photos of your home.

As you think about why privacy matters to you, also consider the price you are willing to pay to secure your digital life.  There is a balancing act between security, safety, and convenience.  There is no one-size-fits-all approach that will be the solution for everyone at all times.  Each person must decide to what level they are willing to go to be more secure and protect themselves.  Edward Snowden, for example, ended up moving to Russia when his need for privacy and security reached a level where he needed to escape the NSA.  I sure hope I never have the need to implement those kinds of extreme measures, but it is fun to learn about how it may be accomplished.

The balancing act, and constant re-evaluation of your privacy and security needs, need to be coupled with an evaluation of who your adversary may be.  Who are you hiding from and what are their capabilities?  Is your threat a hacker, dangerous former lover, or identity thief?  Is your threat a corporation, government, or oppressive regime?  What about data breaches of private information you provided to a trusted company that is now being sold on the dark web?  These are fundamentally important questions because they greatly impact the defenses you apply.  The measures you take to hide your identity from, say, a significant other or general member of the community may not be sufficient to hide from government oversight.  Of course the latter will usually also protect you from the former, but it also often comes with an additional burden to implement.

What we are discussing here is called Threat Modeling.  It is an evaluation of your need to protect yourself versus the capabilities of the threat against you.  In my opinion, many people don’t spend enough time studying threat modeling and I encourage you to take the time to educate yourself.  It is the foundation for what many of your decisions will be based on.  Understanding your threat model will help you focus your time, energy and money in the right areas.  I always err on the side of caution in this regard.  I always aim to protect against a threat model that is higher than what I predict it actually is.  I think this is a good practice to adopt, but only you can decide.

Let’s take a look at some basic definitions that are relevant to many of the topics we explore here.

Privacy – right to keep things to yourself
Security – protection of your personal information
Confidentiality – right to keep things about you from being disclosed to others
Digital Security – the protection of your digital identity, which is the network or Internet equivalent of your physical identity. Digital security includes the tools you use to secure your identity, assets and technology in the online and mobile world.
“Doxing” – the act of publishing someone’s personal information, of which there would be a reasonable expectation of privacy and dubious value to the conversation, in an environment that implies or encourages intimidation or threat.

A great deal has been written on Threat Modeling and I want to provide a few links to further your knowledge of the subject.  Justin Carroll explores the topic at length on his blog and he explains the nuances of this subject in a way that anyone can understand.  I encourage you to take a day and study his information before making decisions about your privacy strategy.  Below are links to Justin’s Threat Modeling pages and also another blog by PeopleForPrivacy on the same topic.