Treat Modeling

From Kicksecure

Threat Modeling[edit]

Definition[edit]

Various wiki chapters reference the concept of threat modeling. Statements like "Conduct a personal threat assessment before proceeding" often appear before instructions that install additional software or change specific system configurations. Despite this warning, many users are unfamiliar with the concept or unsure how to conduct a proper assessment in their circumstances. In simple terms, threat modeling refers to: [1] [2]

A threat model is a list of the most probable threats to your security/privacy endeavors. Since it’s impossible to protect yourself against every attack(er), you should focus on the most probable threats. In computer security, a threat is a potential event that could undermine your efforts to stay private and secure. By focusing on the threats that matter to you, this narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.

Threat modeling is a form of risk assessment that models aspects of the attack and defense sides of a particular logical entity, such as a piece of data, an application, a host, a system, or an environment. The fundamental principle underlying threat modeling is that there are always limited resources for security and it is necessary to determine how to use those limited resources effectively.

Threat Model Examples[edit]

Devising a threat model requires a realistic assessment of probable threats (adversaries) and the available mitigations that are feasible to apply. Adversaries will have varying motivations, skill and resources at their disposal. The Electronic Frontier Foundation (EFF) has noted proper security planning necessitates answering five key questions to determine what should be protected, from whom, and the potential consequences of a breach: [3]

  1. What do I want to protect?
  2. Who do I want to protect it from?
  3. How bad are the consequences if I fail?
  4. How likely is it that I will need to protect it?
  5. How much trouble am I willing to go through to try to prevent potential consequences?

To better understand these concepts, consider these questions in further detail below.

Table: Threat Modeling Concepts [1]

Concept Description
What I want to protect In terms of computing and digital security, this refers to protecting "assets" which is a type of information like browsing history, files, messages, emails, personal contacts and so on. To determine your assets, take note of what data is stored and where, who potentially has access to it, and what protections are in place to prevent unwanted access.
Who I am protecting it from Consider who might target you or your information; this is your "adversary". Potential adversaries include: family, friends or ex-partners; employers; business competition; researchers; government entities; malicious hackers; advertisers; corporations; and the IC.
How likely protection is required A proper risk assessment is required. To determine the probability of threats being actualized, consider the capabilities of adversaries and their motivation, for example: [4]
  • Family, friends and ex-partners are likely to be unskilled and unmotivated threats.
  • Advertisers and employers are generally unskilled and motivated threats.
  • Some corporations are skilled, but unmotivated threats (such as a mobile device provider).
  • Security researchers, other corporations (like Google and Facebook), competent hackers and law enforcement are skilled and motivated threats. They also have access to limited global resources.
  • The IC are highly skilled, highly motivated and have significant global resources.
Impact of an adversary breach Skilled adversaries have multiple opportunities to access, exfiltrate, delete or corrupt data, but the motives and tactics will differ depending on the specific adversary. For example, advertisers will remain focused on highly detailed profiling, government may focus on reading private communications of journalists, the IC may seek to establish full monitoring of systems associated with political activists and so on. Consider how harmful a successful breach by an adversary would be -- what they can do with private data -- and the probability of this occurring; the likelihood obviously increases with more skilled adversaries. [5]
Effort exerted on improved security Security is a process and not an end product. Every individual has different priorities, threats, resources, and capabilities. This means the "right" strategy is a balance of personal time, convenience, privacy and cost. Threat models and mitigation strategies will be very different for:
  • A journalist willing to disclose whistleblower secrets, since this requires protection from government entities.
  • A member of the public who is simply seeking to thwart profiling by online advertisers/global technology companies.
  • Managers protecting themselves against potential hackers employed by competitors for the purpose of corporate espionage.

Threat Model Guides[edit]

To better protect yourself against surveillance by adversaries, it is recommended to consult the following EFF "Security Scenarios". Detailed advice is provided for various user groups regarding appropriate resources, tools and tips to mitigate potential threats: [6]

To learn more about the Kicksecure ™ threat model, see here.

  1. 1.0 1.1 https://www.privacyguides.org/basics/threat-modeling/
  2. https://csrc.nist.gov/CSRC/media/Publications/sp/800-154/draft/documents/sp800_154_draft.pdf
  3. https://ssd.eff.org/en/playlist/academic-researcher
  4. This is admittedly a subjective process which is different for every individual. Even though some risks are low, they may be unacceptable to specific people. On the other hand, some people disregard probable threats, because the consequences are assessed as inconsequential.
  5. For example, mobile phone providers can access all phone records, unencrypted communications are vulnerable to hackers on Wi-Fi networks, and government agencies can likely backdoor any Internet-connected device.
  6. https://ssd.eff.org/en/module-categories/security-scenarios