Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

Security Literacy

Preview

Start a free Courses trial
to watch this video

Sign up for Treehouse

Threat Model

3:24 with Greg Stromire

Learn to create and apply a defensive framework used by security professionals in many industries. This video will explain how it's really just an extension of behaviors you already do.

New Terms:

  • Threat Model -- A conceptual framework to identify assets and risks, possible mitigations, and optimizations.
  • Actors -- The people, agencies, or devices involved in the threat model.
  • Risks -- The vulnerabilities related to exposure or loss of assets.
  • Assets -- The people, resources, or possessions you wish to protect.
  • Mitigations -- The possible strategies for prevention or minimization of risk
  • Breach -- An event where assets were lost or exposed, through failure of mitigations or other protections.

Further Reading:

Intro to Threat Modeling

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

    Related Discussions

    Have questions about this video? Start a discussion with the community and Treehouse staff.

    Sign up

    Now that we've explored how common traffic flows through the Internet and 0:00
    the kinds of information attached to that traffic, 0:03
    we can make some informed decisions about our online activity. 0:06
    One way to establish some secure practices is to create what's called a threat model. 0:10
    This is a defensive framework used by security professionals in many industries. 0:15
    But don't let that intimidate you. 0:20
    It's really just thinking through behaviors and 0:21
    attitudes that you already do on a daily basis. 0:24
    First, let's establish some threat model basics. 0:27
    Creating a thought model is asking yourself a set of questions. 0:31
    Who would be most likely to target me? 0:34
    A repressive government, organized crime, corporations, my ex, my coworkers. 0:36
    How much money, time, and 0:43
    skill do they have to dedicate to target me, an important aspect of this activity. 0:45
    What would they most likely want from me? 0:49
    Money, incriminating information, access to trusted contacts. 0:52
    How much effort am I willing to put into protecting it? 0:57
    Is this worth the effort? 1:00
    What would happen to me if they were successful? 1:01
    It's all about being prepared. 1:05
    Number 1 is about identifying the actors in the model. 1:07
    Number 2 is about identifying the risks in the model. 1:11
    Number 3 is about identifying the assets in the model. 1:15
    Number 4 is about prioritizing your concerns with mitigations. 1:18
    Number 5 is about planning for breach. 1:22
    As I mentioned earlier, most of these really are questions you've 1:25
    already asked yourself in some form or another. 1:28
    This process is just collecting them together for risk analysis. 1:31
    Consider when you leave your home in the morning to go to work or school. 1:36
    Do you lock your door? 1:39
    You've likely decided that the effort to lock the door is worth protecting the risk 1:41
    for a burglary through the door. 1:46
    You've identified the actors as burglar, but the front door provides 1:47
    a vulnerability or risk that your valuable possessions are the assets. 1:52
    You've established the lock as a risk mitigation strategy. 1:57
    And you'll likely have an understanding that you can call the police 2:01
    should you find out that you've been breached and had your things stolen. 2:04
    An important aspect of this is to point out that there is no 2:09
    one mitigation strategy that can protect against all risks. 2:12
    You choose the ones that fit the task best. 2:16
    For example, that lock on the door may keep out a casual burglar, but 2:19
    not a dedicated one that chooses to break a window. 2:24
    So now you add some bars on your windows. 2:27
    Well locks and bars do nothing to protect those same assets against a fire. 2:30
    Of course, the most convenient thing would be to not have to lock your door at all. 2:35
    But as always, it's a trade off between security and convenience. 2:40
    Your online security can gain a lot from the same threat model treatment. 2:45
    And, in fact, you're already doing this as well. 2:49
    The fact that you use a password to protect an account is a mitigation itself. 2:51
    It's also pretty analogous to the door lock. 2:56
    If you use the same key for your door as your dead bolt and 2:59
    back door, you'll have to change every lock even if you lose one key. 3:02
    By viewing your own online activity through the lens of a threat model, 3:07
    you can really identify your own threats and 3:11
    prioritize the effort you want to make to help protect yourself. 3:13
    In the next stages, we'll dive deep into other actors and risks and 3:18
    offer some solid mitigations so you're prepared. 3:21

    You need to sign up for Treehouse in order to download course files.

    Sign up

      You need to sign up for Treehouse in order to set up Workspace

      Sign up