Bummer! This is just a preview. You need to be signed in with a Basic account to view the entire video.
Start a free Basic trial
to watch this video
Learn to create and apply a defensive framework used by security professionals in many industries. This video will explain how it's really just an extension of behaviors you already do.
New Terms:
- Threat Model -- A conceptual framework to identify assets and risks, possible mitigations, and optimizations.
- Actors -- The people, agencies, or devices involved in the threat model.
- Risks -- The vulnerabilities related to exposure or loss of assets.
- Assets -- The people, resources, or possessions you wish to protect.
- Mitigations -- The possible strategies for prevention or minimization of risk
- Breach -- An event where assets were lost or exposed, through failure of mitigations or other protections.
Further Reading:
-
0:00
Now that we've explored how common traffic flows through the Internet and
-
0:03
the kinds of information attached to that traffic,
-
0:06
we can make some informed decisions about our online activity.
-
0:10
One way to establish some secure practices is to create what's called a threat model.
-
0:15
This is a defensive framework used by security professionals in many industries.
-
0:20
But don't let that intimidate you.
-
0:21
It's really just thinking through behaviors and
-
0:24
attitudes that you already do on a daily basis.
-
0:27
First, let's establish some threat model basics.
-
0:31
Creating a thought model is asking yourself a set of questions.
-
0:34
Who would be most likely to target me?
-
0:36
A repressive government, organized crime, corporations, my ex, my coworkers.
-
0:43
How much money, time, and
-
0:45
skill do they have to dedicate to target me, an important aspect of this activity.
-
0:49
What would they most likely want from me?
-
0:52
Money, incriminating information, access to trusted contacts.
-
0:57
How much effort am I willing to put into protecting it?
-
1:00
Is this worth the effort?
-
1:01
What would happen to me if they were successful?
-
1:05
It's all about being prepared.
-
1:07
Number 1 is about identifying the actors in the model.
-
1:11
Number 2 is about identifying the risks in the model.
-
1:15
Number 3 is about identifying the assets in the model.
-
1:18
Number 4 is about prioritizing your concerns with mitigations.
-
1:22
Number 5 is about planning for breach.
-
1:25
As I mentioned earlier, most of these really are questions you've
-
1:28
already asked yourself in some form or another.
-
1:31
This process is just collecting them together for risk analysis.
-
1:36
Consider when you leave your home in the morning to go to work or school.
-
1:39
Do you lock your door?
-
1:41
You've likely decided that the effort to lock the door is worth protecting the risk
-
1:46
for a burglary through the door.
-
1:47
You've identified the actors as burglar, but the front door provides
-
1:52
a vulnerability or risk that your valuable possessions are the assets.
-
1:57
You've established the lock as a risk mitigation strategy.
-
2:01
And you'll likely have an understanding that you can call the police
-
2:04
should you find out that you've been breached and had your things stolen.
-
2:09
An important aspect of this is to point out that there is no
-
2:12
one mitigation strategy that can protect against all risks.
-
2:16
You choose the ones that fit the task best.
-
2:19
For example, that lock on the door may keep out a casual burglar, but
-
2:24
not a dedicated one that chooses to break a window.
-
2:27
So now you add some bars on your windows.
-
2:30
Well locks and bars do nothing to protect those same assets against a fire.
-
2:35
Of course, the most convenient thing would be to not have to lock your door at all.
-
2:40
But as always, it's a trade off between security and convenience.
-
2:45
Your online security can gain a lot from the same threat model treatment.
-
2:49
And, in fact, you're already doing this as well.
-
2:51
The fact that you use a password to protect an account is a mitigation itself.
-
2:56
It's also pretty analogous to the door lock.
-
2:59
If you use the same key for your door as your dead bolt and
-
3:02
back door, you'll have to change every lock even if you lose one key.
-
3:07
By viewing your own online activity through the lens of a threat model,
-
3:11
you can really identify your own threats and
-
3:13
prioritize the effort you want to make to help protect yourself.
-
3:18
In the next stages, we'll dive deep into other actors and risks and
-
3:21
offer some solid mitigations so you're prepared.
You need to sign up for Treehouse in order to download course files.
Sign up