Cross-posted from: https://lemmy.zip/post/18686329 (the first OPSEC community on Lemmy, feel free to join us)

Guide to Determining Your Threat Model

Creating a solid threat model is an essential step in improving your operations security (OPSEC). It helps you identify potential threats, assess their impact, and prioritize your defenses. Here’s a step-by-step guide to help you develop your own threat model.


1. Define Your Assets

First, list the things you want to protect. These might include:

  • Personal Information: Name, address, phone number, Social Security number, etc.
  • Financial Information: Bank account details, credit card numbers, financial records.
  • Digital Assets: Emails, social media accounts, documents, photos.
  • Physical Assets: Home, devices (computers, smartphones, etc.).

2. Identify Potential Threats

Next, think about who or what could pose a threat to your assets. Possible threats include:

  • Hackers: Individuals or groups looking to steal data or money.
  • Government Agencies: Law enforcement or intelligence agencies conducting surveillance.
  • Corporations: Companies collecting data for marketing or other purposes.
  • Insiders: Employees or contractors who might misuse their access.
  • Physical Threats: Burglars or thieves aiming to physically access your assets.

3. Assess Your Vulnerabilities

Identify weaknesses that these threats could exploit. Consider:

  • Technical Vulnerabilities: Unpatched software, weak passwords, outdated systems.
  • Behavioral Vulnerabilities: Poor security habits, lack of awareness.
  • Physical Vulnerabilities: Insecure physical locations, lack of physical security measures.

4. Determine the Potential Impact

Think about the consequences if your assets were compromised. Ask yourself:

  • How critical is the asset?
  • What would happen if it were accessed, stolen, or damaged?
  • Could compromising this asset lead to further vulnerabilities?

5. Prioritize Your Risks

Based on your assessment, rank your risks by considering:

  • Likelihood: How probable is it that a specific threat will exploit a particular vulnerability?
  • Impact: How severe would the consequences be if the threat succeeded?

6. Develop Mitigation Strategies

Create a plan to address the most critical risks. Strategies might include:

  • Technical Measures:

    • Use strong, unique passwords and enable two-factor authentication.
    • Keep your software and systems up to date with the latest security patches.
    • Use encryption to protect sensitive data.
  • Behavioral Measures:

    • Be cautious with sharing personal information online.
    • Stay informed about common scams and phishing tactics.
    • Regularly review your privacy settings on social media and other platforms.
  • Physical Measures:

    • Secure your devices with locks and use physical security measures for your home or office.
    • Store sensitive documents in a safe place.
    • Be mindful of your surroundings and use privacy screens in public places.

7. Continuously Review and Update

Your threat model isn’t a one-time project. Review and update it regularly as your situation changes or new threats emerge.


Example Threat Model

  1. Assets:

    • Personal Information (e.g., SSN, address)
    • Financial Information (e.g., bank accounts)
    • Digital Assets (e.g., emails, social media)
    • Physical Assets (e.g., laptop, phone)
  2. Threats:

    • Hackers (e.g., phishing attacks)
    • Government Agencies (e.g., surveillance)
    • Corporations (e.g., data collection)
    • Insiders (e.g., disgruntled employees)
    • Physical Threats (e.g., theft)
  3. Vulnerabilities:

    • Weak passwords
    • Outdated software
    • Sharing too much information online
    • Insecure physical locations
  4. Potential Impact:

    • Identity theft
    • Financial loss
    • Loss of privacy
    • Compromise of additional accounts
  5. Prioritize Risks:

    • High Likelihood/High Impact: Weak passwords leading to account compromise.
    • Low Likelihood/High Impact: Government surveillance leading to loss of privacy.
  6. Mitigation Strategies:

    • Use a password manager and enable two-factor authentication.
    • Regularly update all software and devices.
    • Limit the amount of personal information shared online.
    • Use a home security system and lock devices.
  • TranquilTurbulence@lemmy.zip
    link
    fedilink
    arrow-up
    10
    ·
    5 months ago

    A few months ago, I did a similar assessment where I categorized potential threats in the following manner.

    Category 1 - financial impact

    A criminal might gain access to my account, steal my money or make online purchases in my name. The impact is potentially great, but the probability is low. Overall risk is medium. Using good online practices helps mitigate the risk.

    Category 2 - social impact

    I may carelessly share personal information online and coworkers, friends or family may find out something they aren’t supposed to. The impact is medium to high, but the probability is very low. Overall risk is low. Not sharing personal information online helps mitigate the risk. Besides, I don’t even use Facebook, Xitter and other modern online trash. I do share stuff on Lemmy, but I try to keep my personal details out of it. Also, I don’t use my real name here, so a random family members probably aren’t going to stumble upon this account without first putting in some serious snooping effort.

    Category 3 - matters of principle

    Meta, Microsoft, Amazon and all the other large companies are constantly trying to learn as much as possible. The potential harm is low, but the probability is very high. Overall risk is still low. I’m using many techniques to limit the amount of information professional snoopers might get their hands on.

    So, category 1 is obviously the highest priority, and that’s where I put most of my effort. Category 3 is nice to have, but screwing up here isn’t going the be the end of the world. If you want to know more about the actual mitigation methods, don’t be afraid to ask.

  • Jumuta@sh.itjust.works
    link
    fedilink
    arrow-up
    7
    ·
    5 months ago

    the problem with threat models is that it changes over time, and your current info that’s being saved on the internet will be subject to that future more advanced threat model

    • Borna Punda@lemmy.zipOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      5 months ago

      It is unfortunately impossible to defend against time. What works today might not work tomorrow, but that doesn’t mean you should give up because it might get compromised at some point in time. Establishing a clear threat model helps push that point in time farther away.

  • Album@lemmy.ca
    link
    fedilink
    arrow-up
    4
    ·
    5 months ago

    Threat modeling is cool and all but does nothing to assess whether or not you’re managing your risks effectively. But it will help you to understand your risks and what to focus on.

    • edric@lemm.ee
      link
      fedilink
      arrow-up
      4
      ·
      5 months ago

      You can maybe add a residual risk section as a way to assess what level of risk remains after implementing a control.

      • Album@lemmy.ca
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        Yeah honestly I might go really light on some of these topics in the model like just defining them and then doing like an RCSA afterwards.

  • Autonomous User@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    5 months ago

    Return on investment (time/effort) is often more useful.

    E.g, Getting friends on Signal/SimpleX: low effort, very high reward.

    Fighting Windows on every “upgrade”: high effort, very low reward (still infected with Windows, anti-libre software).

    • Melody Fwygon
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      Solution: Backup all data, Blank the disk and install an appropriate Linux Distro.

      It’s not hard; and if you need Windows for something, you should run that in a virtual machine.

  • Elias Griffin@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    5 months ago

    Quadhelion Engineering Corrected Mitigation Strategies:

    • Never use an electronic password manager, use index cards and an art quality graphite pencil instead
    • The loss, hack, crack, or malfunction of a MFA device can be absolutely devastating. Use with caution and sync three of them, 1 of them kept in a firesafe at all times
    • Never regurlarly update all software and devices, choose your updates and choose your timing depending on your environment and posture instead
    • Never be reliant upon an electronic home security system and lock devices (if they get that far, major damage has occured), use a Rottwieller, Great Dane, Mastiff, German Shepard, or Akita (never Pitbulls or Dobermans) alongside yourself with non-lethal weapons until lethal force is used upon you, instead

    You asked and the Non-lethal (Less-Lethal) Weapons Industry has delivered. Pepper ball guns, Radically Improved Tasers, Electrical Stun Devices, Batons, Kubatons, Pellet Guns, ColdSteel Brooklyn Smasher, Slings, and also you may not think unless you played, Paintball Guns, big nasty bruises at medium range if only wearing a T-Shirt.

    • Borna Punda@lemmy.zipOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      5 months ago

      This is quite extreme. While it could be beneficial for some threat models, this was written as an example for the average Joe. OPSEC is not about having the best possible security as much as it is about having security that satisfies your threat model.

      • Elias Griffin@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        5 months ago

        I just happened upon this thread and security of all types is my specialty so I just wanted to say that nothing here is personal. I’m trying to be helpful giving folks “actual security” as in not “better than putting passwords in plain text files”. Lazy idiots will be lazy idiots with Keepass as well. I can’t tell you how many stories I’ve heard from colleagues that those people aforementioned just put the main Keepass password in a plain text file.

        I upvoted the OP and your reply for bringing TM novelty and awareness.

        I do see what you’re going for, but the mitigations you wrote can be found everywhere on the Internet for over a decade. It’s average commodity information combined with that fact that we are not more secure these days, but less secure in 2024 that ever.

        In the case of password databases, this is de facto less secure than paper and pencil, which is not extreme by any measure and actually takes little effort.

        • Melody Fwygon
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          5 months ago

          While I don’t understand how people could possibly fail to remember ONE PASSWORD; since it is brilliantly easy to remember whole sentences and phrases that resonate with you; I do understand that laziness is profoundly common.

          For this kind of laziness; I do think Password Managers should routinely scan the local disk(s) for documents with strings that can hash into being the ‘master passphrase’. When found; you’re instantly greeted with a requirement to change your password to a new one that isn’t one you used in the past.

          We do need to punish laziness like that in password managers at least. Similarly; OSes need to do this too with their own passwords.

    • Aquila@sh.itjust.works
      link
      fedilink
      arrow-up
      1
      ·
      5 months ago
      • Never use an electronic password manager, use index cards and an art quality graphite pencil instead

      Can you elaborate on this? I thought keeping passwords written down near computer is big security no no?