Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

Preview

Start a free Courses trial
to watch this video

Sign up for Treehouse

Threat Model

3:24 with Greg Stromire

Learn to create and apply a defensive framework used by security professionals in many industries. This video will explain how it's really just an extension of behaviors you already do.

New Terms:

  • Threat Model -- A conceptual framework to identify assets and risks, possible mitigations, and optimizations.
  • Actors -- The people, agencies, or devices involved in the threat model.
  • Risks -- The vulnerabilities related to exposure or loss of assets.
  • Assets -- The people, resources, or possessions you wish to protect.
  • Mitigations -- The possible strategies for prevention or minimization of risk
  • Breach -- An event where assets were lost or exposed, through failure of mitigations or other protections.

Further Reading:

Intro to Threat Modeling

Now that we've explored how common traffic flows through the Internet and 0:00
the kinds of information attached to that traffic, 0:03
we can make some informed decisions about our online activity. 0:06
One way to establish some secure practices is to create what's called a threat model. 0:10
This is a defensive framework used by security professionals in many industries. 0:15
But don't let that intimidate you. 0:20
It's really just thinking through behaviors and 0:21
attitudes that you already do on a daily basis. 0:24
First, let's establish some threat model basics. 0:27
Creating a thought model is asking yourself a set of questions. 0:31
Who would be most likely to target me? 0:34
A repressive government, organized crime, corporations, my ex, my coworkers. 0:36
How much money, time, and 0:43
skill do they have to dedicate to target me, an important aspect of this activity. 0:45
What would they most likely want from me? 0:49
Money, incriminating information, access to trusted contacts. 0:52
How much effort am I willing to put into protecting it? 0:57
Is this worth the effort? 1:00
What would happen to me if they were successful? 1:01
It's all about being prepared. 1:05
Number 1 is about identifying the actors in the model. 1:07
Number 2 is about identifying the risks in the model. 1:11
Number 3 is about identifying the assets in the model. 1:15
Number 4 is about prioritizing your concerns with mitigations. 1:18
Number 5 is about planning for breach. 1:22
As I mentioned earlier, most of these really are questions you've 1:25
already asked yourself in some form or another. 1:28
This process is just collecting them together for risk analysis. 1:31
Consider when you leave your home in the morning to go to work or school. 1:36
Do you lock your door? 1:39
You've likely decided that the effort to lock the door is worth protecting the risk 1:41
for a burglary through the door. 1:46
You've identified the actors as burglar, but the front door provides 1:47
a vulnerability or risk that your valuable possessions are the assets. 1:52
You've established the lock as a risk mitigation strategy. 1:57
And you'll likely have an understanding that you can call the police 2:01
should you find out that you've been breached and had your things stolen. 2:04
An important aspect of this is to point out that there is no 2:09
one mitigation strategy that can protect against all risks. 2:12
You choose the ones that fit the task best. 2:16
For example, that lock on the door may keep out a casual burglar, but 2:19
not a dedicated one that chooses to break a window. 2:24
So now you add some bars on your windows. 2:27
Well locks and bars do nothing to protect those same assets against a fire. 2:30
Of course, the most convenient thing would be to not have to lock your door at all. 2:35
But as always, it's a trade off between security and convenience. 2:40
Your online security can gain a lot from the same threat model treatment. 2:45
And, in fact, you're already doing this as well. 2:49
The fact that you use a password to protect an account is a mitigation itself. 2:51
It's also pretty analogous to the door lock. 2:56
If you use the same key for your door as your dead bolt and 2:59
back door, you'll have to change every lock even if you lose one key. 3:02
By viewing your own online activity through the lens of a threat model, 3:07
you can really identify your own threats and 3:11
prioritize the effort you want to make to help protect yourself. 3:13
In the next stages, we'll dive deep into other actors and risks and 3:18
offer some solid mitigations so you're prepared. 3:21

You need to sign up for Treehouse in order to download course files.

Sign up