Threat Modeling

December 24, 2018

I’m sure this topic will be nothing to new to many of my readers here, however it seems only appropriate to start from the beginning, and this is a fundamental topic to keep in mind as you move through life and your information security journey. The term “threat model” is – in the context of privacy and security – just a fancy way to say “what are you hiding and who are you hiding it from?” For example:

A journalist may want to protect their sources from harm or retaliation. Therefore their threat model will include ways to avoid location tracking, encrypt or otherwise protect the uncensored information they receive from their source, and other similar information that might reveal who their sources is or allow others to track them to their sources.
A member of law enforcement may wish to protect their home location in a variety of ways to avoid putting their families in danger from criminals seeking revenge or just general criminals with a grudge against the system.
An activist in a repressive country make take steps to hide their research, gatherings, or other activities so the government can’t track their real identity and use it against them.

We all share some common threat models. For example, we all want to take steps to protect our bank accounts. Other people may have stricter threat models. While there’s basic “best practices” that do apply to almost (if not) everyone, there’s really no one-size-fits-all solution for everyone. Some people need more protection. Most people want to find a healthy balance between protection and ease of use. That’s why this site exists.

The example I like to use is infamous serial killer Richard Chase. Chase stalked the Los Angeles area between 1977 and 1978. One of the reasons he was so difficult to catch was because he didn’t have a pattern. He said on record after he was caught that he would just cruise around neighborhoods until he spotted a house he felt compelled to try. But here’s what made Chase odd: if the doors and windows were locked, he would go on his way and try a different house. He didn’t force his way in.

We should all be trying to defend ourselves from the Richard Chase’s of the digital world. Many people argue that security is inconvenient. It is. It’s much more convenient to use your daughter’s name and birth year for every single account instead of a randomly-generated password that you don't reuse anywhere. It’s very convenient to stay logged in or not use Two-Factor Authentication. My own VPN drives me crazy sometimes. But it’s also inconvenient to have to unlock my door and open it up whenever I come home, but the amount of security I get from not leaving my door wide open at all times and using a simple $2 key more than pays for itself. The same principle applies with information security. Even little things like strong password practices and 2FA can provide a measure of security that outweighs the inconvenience, and it only takes a few weeks or even days for it to become second nature.

What’s your threat model? That’s a question only you can answer. Maybe you just need to lock your front door, so to speak. Maybe you need to hire a security guard. Maybe you need to move to an underground bunker. Everybody is different and everybody’s threat model is different. Some people may find the benefits of Facebook worthwhile and keep their account despite knowing the aggressive surveillance the company performs. Other people may decide they don’t want any social media whatsoever anywhere. These are personal questions. When crafting a threat model, remember those two opening questions: what am I trying protect and from who? Once you narrow that down, the “how” is usually just a couple web searches away. Even a simple Google search like “how can I protect my bank account from hackers” is a pretty solid starting point that will give you some basic ideas.

In the coming articles I will be posting in the future, I’ll be diving into all kinds of threat models and tools and practices. We’ll talk about secure messaging, VPNs, disinformation tools, and more. I’ll compare different services, the pros and cons of each, and what to consider when using these services. I’ll talk about best practices (like the aforementioned “not reusing passwords” thing). Feel free to reach out with any questions I should cover, products you’re curious about, or any of that. Thanks for reading and good luck!

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.