Threat Model
3:24 with Greg Stromire
Learn to create and apply a defensive framework used by security professionals in many industries. This video will explain how it's really just an extension of behaviors you already do.
- Threat Model -- A conceptual framework to identify assets and risks, possible mitigations, and optimizations.
- Actors -- The people, agencies, or devices involved in the threat model.
- Risks -- The vulnerabilities related to exposure or loss of assets.
- Assets -- The people, resources, or possessions you wish to protect.
- Mitigations -- The possible strategies for prevention or minimization of risk.
- Breach -- An event where assets were lost or exposed, through failure of mitigations or other protections.
0:00 Now that we've explored how common traffic flows through the Internet and the kinds of information attached to that traffic, we can make some informed decisions about our online activity. One way to establish some secure practices is to create what's called a threat model. This is a defensive framework used by security professionals in many industries. But don't let that intimidate you. It's really just thinking through behaviors and attitudes that you already do on a daily basis.

0:27 First, let's establish some threat model basics. Creating a threat model is asking yourself a set of questions. Who would be most likely to target me? A repressive government, organized crime, corporations, my ex, my coworkers. How much money, time, and skill do they have to dedicate to target me, an important aspect of this activity. What would they most likely want from me? Money, incriminating information, access to trusted contacts. How much effort am I willing to put into protecting it? Is this worth the effort? What would happen to me if they were successful? It's all about being prepared.

1:07 Number 1 is about identifying the actors in the model. Number 2 is about identifying the risks in the model. Number 3 is about identifying the assets in the model. Number 4 is about prioritizing your concerns with mitigations. Number 5 is about planning for breach.

1:25 As I mentioned earlier, most of these really are questions you've already asked yourself in some form or another. This process is just collecting them together for risk analysis.

1:36 Consider when you leave your home in the morning to go to work or school. Do you lock your door? You've likely decided that the effort to lock the door is worth protecting the risk for a burglary through the door. You've identified the actors as burglar, but the front door provides a vulnerability or risk that your valuable possessions are the assets. You've established the lock as a risk mitigation strategy. And you'll likely have an understanding that you can call the police should you find out that you've been breached and had your things stolen.

2:09 An important aspect of this is to point out that there is no one mitigation strategy that can protect against all risks. You choose the ones that fit the task best. For example, that lock on the door may keep out a casual burglar, but not a dedicated one that chooses to break a window. So now you add some bars on your windows. Well, locks and bars do nothing to protect those same assets against a fire. Of course, the most convenient thing would be to not have to lock your door at all. But as always, it's a trade-off between security and convenience.

2:45 Your online security can gain a lot from the same threat model treatment. And, in fact, you're already doing this as well. The fact that you use a password to protect an account is a mitigation itself. It's also pretty analogous to the door lock. If you use the same key for your door as your dead bolt and back door, you'll have to change every lock even if you lose one key.

3:07 By viewing your own online activity through the lens of a threat model, you can really identify your own threats and prioritize the effort you want to make to help protect yourself. In the next stages, we'll dive deep into other actors and risks and offer some solid mitigations so you're prepared.