The New Oil

Threat Modeling

In order to know what tools on this site are right for you, you should understand “threat modeling.” The term “threat model” is just a fancy way to say “what are you hiding and who are you hiding it from?” For example:

  • A journalist may want to protect their sources from harm or retaliation. Their threat model will include ways to avoid location tracking, to encrypt or otherwise protect the uncensored information they receive from their source, and to protect any other information that might reveal who their source is or allow others to trace them to their source.
  • A member of law enforcement may want to protect their home location to avoid putting their families in danger from vengeful criminals. Their threat model will include ways to keep their home address off the public record, such as data removal services and legal protections to keep their home address off the public voter record and home ownership records.
  • An activist in a repressive country may want to hide their activities from the government to protect themselves and their loved ones. Their threat model will include ways to communicate securely and privately, as well as ways to connect to the internet anonymously.
  • Many people are worried about identity theft and loss of financial resources through their bank account. Some of their defense strategies could include using a password manager, two-factor authentication, and freezing their credit.

While threat modeling can be applied to a wide variety of situations (as shown above), on this site I focus specifically on threat modeling for your personal data. The Electronic Frontier Foundation defines data as “any kind of information, typically stored in a digital form. Data can include documents, images, keys, programs, messages, and other digital information or files.” While there are “best practices” that apply to almost everyone, if not everyone, there’s really no one-size-fits-all threat model. Some people need more security or privacy, and some need less. Most people want to find a healthy balance between protection and convenience.

The threat model that I focus on in this site is defense against common, non-targeted attacks. For a real-world example, consider the infamous serial killer Richard Chase, who stalked the Sacramento area in 1977 and 1978. One of the reasons he was so difficult to catch was that he didn’t have a pattern. After he was caught he stated that he would simply cruise around neighborhoods until he spotted a house he felt compelled to try. If the doors and windows were locked, he would move on and try a different house rather than force his way in. My goal with this site is to teach you how to “digitally lock your doors and windows” to protect yourself against the Richard Chases of the digital world. In other words, make yourself harder to hack than the next person so that attackers looking for an easy payday give up and move on to someone else.

What’s your threat model? You can’t know how to properly defend yourself against attacks if you don’t know what attacks you are likely to face. While I teach the basics here, some readers may need to continue their education beyond this site, and all readers will have to examine the numerous tools and techniques I share here to figure out which are best for them. You can’t do any of that without defining your threat model. So how do you determine your threat model?

  1. What do I want to protect? These are typically known as assets, and they come in both physical and non-physical forms. A physical asset would be something like a laptop, phone, or file cabinet - a place that holds the data you wish to protect. A non-physical asset would be something like a bank account, email account, or cloud storage backup account. You need to identify all your assets. Another term worth introducing at this stage is “attack surface.” This is a fancy term for all the possible points of failure where you might be compromised. Every app you download, every account you create, every file you store expands your attack surface and presents another chance for compromise to occur. Minimalism is your best friend when it comes to privacy and security, particularly with your assets: the fewer assets you have, the smaller your attack surface. Just something to keep in mind. (Note: an individual route by which an attacker could reach one of your assets is known as an “attack vector.” Attack vectors combine to create an attack surface, like drops of water combine to create a puddle, lake, or ocean.)
  2. Who do I want to protect it from? “Bad guys” is not a good answer to this question because it is too vague. Different types of bad guys have different resources and motivations. For example, a typical cybercriminal is unlikely to target you specifically (see Understanding Data Breaches). A potential employer or doxxer, on the other hand, is targeting you specifically and may have different resources to work with. Try to be specific when identifying the “who” of your threat model, and know that it can vary from asset to asset.
  3. How bad are the consequences if I fail? To use the examples from #2: the cybercriminal is trying to steal all your money and maybe even open fake accounts in your name that you will then be responsible for. Your prospective employer is simply trying to decide if they want to hire you. Both are consequences, and both are serious, but they require different levels and methods of defense. There’s nothing wrong with going above and beyond the bare minimum of defense, but make sure that you know what’s actually necessary and don’t ruin your relationships or mental health because you went too far. It’s all about balance.
  4. How likely is it that I will need to protect it? This ties into both #2 and #3. For example: a person who shops online frequently and with many different retailers will almost certainly have their card details stolen at some point. Their need to protect their card details, funds, and credit rating is extremely high because the number of chances for something to go wrong - their attack surface - is extremely high.
  5. How much trouble am I willing to go through to try to prevent potential consequences? This is the “cost/benefit analysis.” Some security and privacy strategies involve much more work and may not be right for you if you don’t enjoy the challenge, lack the technical skill to do it right, or the information isn’t sensitive. Always remember: nothing is unhackable. Trying to protect all your data against everything all the time is impossible and exhausting. Instead, the goal should be to find a balance where you protect against or mitigate the most likely and most harmful threats as much as possible without negatively impacting yourself or those around you.
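The five questions above are really a small risk register: score each threat by impact (Q3) and likelihood (Q4), then spend a limited effort budget (Q5) where it removes the most risk. The following is an added illustration, not code from The New Oil; the assets, adversaries, scores and effort values are made up, and the 1-to-5 scales and the greedy “best risk reduction per unit of effort” rule are my own simplifications.

```python
"""Toy threat-model register: score threats (Q1-Q4), then spend a limited effort
budget on the mitigations that remove the most risk per unit of effort (Q5).
Added illustration; the scores, assets and mitigations below are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    asset: str        # Q1: what do I want to protect?
    adversary: str    # Q2: who do I want to protect it from?
    impact: int       # Q3: how bad if I fail? 1 (nuisance) .. 5 (ruinous)
    likelihood: int   # Q4: how likely? 1 (rare) .. 5 (near-certain)

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Mitigation:
    name: str
    effort: int                          # Q5: hassle, 1 (trivial) .. 5 (major project)
    covers: Tuple[Tuple[str, str], ...]  # (asset, adversary) pairs it helps with
    cut: int = 2                         # likelihood points removed per covered threat


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest inherent risk first: the 'what do I worry about most' list."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def residual_risk(threat: Threat, applied: List[Mitigation]) -> int:
    """Risk left after applied mitigations lower the threat's likelihood (floor of 1)."""
    likelihood = threat.likelihood
    for m in applied:
        if (threat.asset, threat.adversary) in m.covers:
            likelihood = max(1, likelihood - m.cut)
    return threat.impact * likelihood


def total_risk(threats: List[Threat], applied: List[Mitigation]) -> int:
    return sum(residual_risk(t, applied) for t in threats)


def choose_mitigations(threats, mitigations, budget):
    """Greedy cost/benefit: keep adding the mitigation with the best risk reduction
    per unit of effort that still fits the budget; stop when nothing fits or helps."""
    applied, remaining, spent = [], list(mitigations), 0
    while True:
        before = total_risk(threats, applied)
        best, best_gain = None, 0.0
        for m in remaining:
            if spent + m.effort > budget:
                continue
            gain = (before - total_risk(threats, applied + [m])) / m.effort
            if gain > best_gain:
                best, best_gain = m, gain
        if best is None:
            return applied, spent
        applied.append(best)
        remaining.remove(best)
        spent += best.effort


# Constructed sample register for an "average person" threat model.
THREATS = [
    Threat("bank account", "opportunistic cybercriminal", impact=5, likelihood=4),
    Threat("email account", "opportunistic cybercriminal", impact=5, likelihood=4),
    Threat("credit file", "identity thief", impact=5, likelihood=3),
    Threat("home address", "doxxer", impact=4, likelihood=2),
    Threat("phone contents", "nosy relative", impact=2, likelihood=3),
]
MITIGATIONS = [
    Mitigation("password manager with unique passwords", effort=2,
               covers=(("bank account", "opportunistic cybercriminal"),
                       ("email account", "opportunistic cybercriminal"))),
    Mitigation("two-factor authentication on bank and email", effort=1,
               covers=(("bank account", "opportunistic cybercriminal"),
                       ("email account", "opportunistic cybercriminal"))),
    Mitigation("credit freeze", effort=1, covers=(("credit file", "identity thief"),)),
    Mitigation("data removal services", effort=4,
               covers=(("home address", "doxxer"),), cut=1),
    Mitigation("phone passcode", effort=1, covers=(("phone contents", "nosy relative"),)),
]

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.risk:2d}  {t.asset} / {t.adversary}")
    chosen, spent = choose_mitigations(THREATS, MITIGATIONS, budget=5)
    print("apply:", [m.name for m in chosen], "| effort spent:", spent)
    print("risk before:", total_risk(THREATS, []), "after:", total_risk(THREATS, chosen))
```

With a budget of 5 the register picks two-factor authentication, a credit freeze, a password manager and a phone passcode, taking total risk from 69 to 25, and leaves the expensive, low-payoff data removal service unselected. That is the balance the questions are driving at: the mitigation that addresses a level-3 “targeted” threat is not wrong, it simply does not earn its effort under this particular threat model.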

If you’re still having trouble defining your threat model, a great post from the now-defunct site Cupwire suggested a four-level template for determining your threat model. Note that this template is not a hard-and-fast rule - there is a lot of nuance and gray area, and you can feel free to drift between levels depending on the situation - but it can be extremely helpful in getting started and visualizing where you land.

  1. Protection from family & friends. This includes things like putting a password on your phone or not loaning out your debit card for use.
  2. Protection from corporations. This includes things like using fake information when signing up for rewards cards and using tracker blockers online. This site covers Levels 1 and 2.
  3. Protection against targeted, non-government attacks. This includes things like hardening your operating system and keeping your address off public records. This site briefly mentions some of these strategies, but does not go into detail.
  4. Protection from federal governments and intelligence agencies. This includes things like complex disinformation campaigns and heavily hardened electronics. This site does not cover this threat model at all.

Another resource you may find helpful is Consumer Reports’ interactive Security Planner, which can help walk you through your own personalized threat model. If you prefer video content, Eric Murphy made an incredible YouTube video I wish I had been clever enough to make that sums up threat modeling perfectly.

It’s important to remember that threat modeling is an ongoing, evolving process. As you go through life and your situation evolves, so, too, will your threat model. Perhaps right now you are young and single. Your threat model may include basic defense against mass surveillance and targeted advertising. As you get older, you may have children. Your threat model would now include protecting your children against predators and other online harms. As you continue to grow in your career, your threat model may include defense against more advanced scams and phishing attempts to swindle you out of your hard-earned savings. Or perhaps you’ll pivot to another career as a journalist, politician, content creator, or other public figure. Again, this comes with a new set of threats, considerations, and protections that may not have been worth the effort before but now are (note: I have created a page specifically for aspiring public figures here). These are just a few examples of how your threat model will continue to change as your life does. Your threat model may also vary considerably across different areas of your life. For example, you may put more emphasis on protecting your email - since it can serve as a single point of failure via password resets, and the messages stored in an inbox reveal a great deal - than on a social media account with few followers. Alternatively, your main device (or “daily driver”) might hold more sensitive data that requires more protection than a tablet you use only to entertain the kids on long road trips. As with everything else on this site, there is no hard-and-fast rule about how often to re-examine your threat model, but I encourage you to regularly reassess and reevaluate it as your life changes, and to remember that different threat models apply to different areas of your life.

What Threat Model Does This Website Address?

This website addresses a “typical” threat model of mass surveillance capitalism for the average person. We assume that you are not being specifically singled out by an advanced attacker such as a nation state, intelligence agency, or abusive partner. We assume that you are not a millionaire, politician, or public figure who is likely to attract special attention (nor do you have dump trucks of cash to simply buy all new devices, homes, cars, and unlimited top-tier subscription services to start over fresh). The threat model we cater to is that you simply want more privacy and security to protect yourself against common scams, excessive data collection, unsophisticated hacking attempts, and unlawful collection of your data by law enforcement without a warrant, and that your resources (both time and money) are limited.

If your threat model is higher, this website can still serve as an excellent starting point and foundation to build upon; however, you should know that there is significantly more you can and should do that isn’t covered here. Because each situation is different - the motivations of your adversary, their resources, your skill and resources, etc. - it would be irresponsible to give broad advice without knowing more.

Defense

While this entire website is designed to arm you with the tools and knowledge you need to defend yourself, there are a handful of specific defense strategies worth drawing attention to.

The first concept is called “security through obscurity.” This is largely frowned upon in the security community, but mostly because many people wrongly rely on it as their only measure of protection. Relying on a password alone, with no two-factor authentication, is a good example. In that case you are depending solely on your password remaining unknown, and even if it’s a strong one you never know whether the company stores it in plaintext or hashes it with an outdated or unsalted algorithm that is quick to crack once the database leaks. A second factor offers a layer of security that is more robust than simply keeping your password hidden. Security through obscurity should never be relied upon as your only method of security.

This leads into defense in depth. You may know this as “redundancy.” Some real-world examples of this could include things like crossing at the crosswalk and looking both ways first, using both your seatbelt and an airbag, or both locking the door and turning on the alarm. Defense in depth is about acknowledging that sometimes defenses fail and having multiple lines of defense in place to compensate for that. However, this concept is still closely tied to your threat model: not all assets warrant the same level of protection, and it’s very easy to quickly add too many layers of defense to the point of diminishing returns, where they cost you time, mental energy, and possibly money while delivering little or no additional security in return (and in some cases actually conflicting with other defensive mechanisms and weakening your posture in the process). I strongly recommend you always practice defense in depth where possible, but remember to keep it reasonable and tailor the level of depth to your threat model.

Security through obscurity is acceptable when used as part of a larger strategy with defense in depth. An example of this would be using data removal services alongside disinformation. While both of these tools are “security through obscurity,” relying on them together provides layers of protection that are superior to relying on only one. Ideally, it is best to pair security through obscurity with other, stronger controls (for example, a hidden site that also requires a login).
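To make the password-plus-second-factor point above concrete, here is what “defense in depth” looks like at the implementation level: a properly salted, slow password hash on one side and a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226) on the other, where the login succeeds only if both pass. This is an added illustration written for this page, not code from The New Oil or from any service it discusses; the user record, the password and the TOTP secret are constructed (the secret is the published RFC 6238 test-vector key, so the codes can be checked against the RFC), and the iteration count is illustrative rather than a recommendation.

```python
"""Password hashing plus a TOTP second factor (RFC 4226 / RFC 6238), stdlib only.
Added illustration, not the site's code; the user record and secret are constructed."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # illustrative; use the currently recommended count in production
TOTP_STEP = 30               # seconds per TOTP counter value


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted, deliberately slow PBKDF2-HMAC-SHA256. A leaked table of these cannot be
    reversed with a precomputed table, unlike plaintext or unsalted fast hashes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time, no early exit on mismatch


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time divided by the step."""
    now = int(time.time()) if now is None else now
    return hotp(secret, now // TOTP_STEP, digits)


def verify_totp(secret: bytes, code: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate small clock skew."""
    now = int(time.time()) if now is None else now
    counter = now // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + k).encode(), code.encode())
               for k in range(-window, window + 1))


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: what a service would store instead of the password."""
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "totp_secret": totp_secret}


def login(user: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """Defense in depth: a stolen or cracked password alone is not enough.
    Both checks always run, so timing does not reveal which factor failed."""
    pw_ok = verify_password(password, user["salt"], user["digest"])
    otp_ok = verify_totp(user["totp_secret"], code, now)
    return pw_ok and otp_ok


# Constructed demo secret: the RFC 6238 test-vector key, so codes can be checked against the RFC.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    user = make_user("correct horse battery staple", RFC_SECRET)
    print(totp(RFC_SECRET, now=59))                                      # 287082 (RFC 6238, 6 digits)
    print(login(user, "correct horse battery staple", "287082", now=59))  # True
    print(login(user, "correct horse battery staple", "000000", now=59))  # False
```

Two details carry the “defense in depth” lesson. First, even if the stored table leaks, the salted PBKDF2 digest forces the attacker to grind through each password individually, and the TOTP secret is a separate piece of information they still need. Second, `login` evaluates both factors before deciding, and the comparisons use `hmac.compare_digest`, so a wrong password and a wrong code take the same path and leak nothing about which one failed.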

Large parts of this page were borrowed from or inspired by EFF’s Surveillance Self Defense Guide.