Threat Model Examples

I am trying to get better at threat modeling. Please share personal threat models. The strictness or intensity of your model does not matter.

2 Likes

Threat modelling is important because it can help you actually manage your privacy strategy and take the correct steps to protect your privacy in your own way, without going “full privacy” and blindly hardening your stuff like a persecuted journalist, dying trying to adopt that approach, like what I did in my privacy baby steps. That’s really stressful, so this is what a threat model helps you achieve: identifying your threats so you can take the privacy measures you actually want to implement.

These are the steps I usually personally take to TM:

  1. Identifying my threats.
  2. Reasons why I should protect myself from that threat.
  3. How can I protect myself?
  4. Categorisation and prioritisation of the threat (is this important? does my life depend on protecting this?)
  5. And study/research the threat if applicable, to make better-informed decisions.

An example:

  1. Cool Spyware Inc.
  2. Data sovereignty loss, privacy/security loss, reduce anxiety of feeling spied on, etc…
  3. Avoiding their software, choosing privacy friendly alternatives, etc…
  4. Medium (it is not a threat to my life, but I’ll get anxious if I don’t protect myself from this threat because I’ll feel that I’m being spied on by this threat).
  5. In 2022 they handed users’ data to the government, their database has been hacked multiple times in the past, etc…

Something like that :’p I’m a visual guy, so I like to picture them as mental mindmaps.

Of course this is not a full guide on how to threat model, this is just my personal approach.

And of course, don’t get obsessed if your threat model is not perfect or you feel that’s incomplete. Over time you’ll acquire more knowledge, resources and experience and you’ll know how to threat model and how to privacy better!

2 Likes

If you can share what issues or concerns you’re having with threat modeling for yourself, that would be more helpful because that context and other details can explain the hindrance on your end.

3 Likes

An example would be SIM swap attacks. My threat model is to use my SIM number only for real time comms. This is so that I don’t tie one phone number to every service that requires a phone number. This is something to think about when handing over personal information e.g. name, phone no., e-mail, address, social media, etc.

I assume OP has already browsed these, so just to have them on hand for anyone with a similar curiosity, here are PG’s official knowledge base articles on threat modelling and common threats (to help apply the advice).

I personally find these concrete steps from the threat modelling article helpful in getting specific:

  1. What do I want to protect?

  2. Who do I want to protect it from?

  3. How likely is it that I will need to protect it?

  4. How bad are the consequences if I fail?

  5. How much trouble am I willing to go through to try to prevent potential consequences?

1 Like

I think, for example, someone not living in an oppressive regime but who is concerned about the surveillance-as-a-business-model problem with Google and Meta would do many things to mitigate/minimize as much of the data collection as possible, for example:

  • Actively check the privacy settings of your phone and accounts, and try disabling as much as possible to minimize it (e.g. deleting the advertising ID, which is one example of many)
  • Altogether move away from Google and Meta to privacy-respecting alternatives like Proton, Signal and Mastodon
  • Maybe go further and debloat the phone, or better yet just get a Pixel and use GrapheneOS

I think it is also very important to mention the window of tolerance to associate with your move in regards to that kind of threat model:

1 Like

My threat model is to not expose my data to big tech

My threat model is to limit my exposure of personal data as much as possible

Or something like those is often repeated when people try to threat model, but those aren’t threat models. They are, at best, vague high-level goals.

A basic threat model committed in writing will look something like this:

| Threat | Mitigation(s) |
| --- | --- |
| Credential compromise through database leaks | Use passkeys (preferred) or other MFA wherever possible, and use unique passwords stored in a password manager when password auth is required |
| Identity correlation between sites that should not be able to correlate my identity | Use distinct browser profiles and a VPN |
| Targeted attack by state actor using a zero day | None, risk accepted |

This is a very basic example; you can include other columns for additional relevant details if needed. The point of threat modeling is to formally list your concerns, which allows you to think about how to address each individually, and to track how you plan to respond.

That’s what people mean when they say “depends on your threat model”. They are saying that your question is one for you to decide based on your privacy concerns and what you are willing to do to alleviate them.

In the above example, the “Targeted attack by state actor using a zero day” is an accepted risk, because the hypothetical person writing this threat model has decided that it isn’t worth worrying about enough to go to the lengths needed to do anything about it. Maybe they find the likelihood of it happening to them extremely low. Another person like a journalist might find it to be higher, and in their threat model it will warrant an actual mitigation like using GrapheneOS with all exploit protections enabled to harden against possible attacks.

1 Like
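As an added example (not from any poster in this thread), the five questions quoted earlier and the Threat / Mitigation(s) table above can be combined into a small written register: each threat carries a likelihood and impact score (questions 3 and 4), its mitigations, or an explicit "risk accepted" decision, and a check flags any threat that has neither. The scores and the `Threat`, `validate`, `prioritise` and `render` names are assumptions of this example.

```python
"""Personal threat register: an added example, not code from the thread.

Each entry answers the questions quoted above: how likely (1-3) and how
bad (1-3), plus what I am willing to do about it. A threat with no
mitigation must be marked as accepted risk explicitly, so nothing is
silently ignored. Sample rows follow the three in the post above.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Threat:
    name: str
    likelihood: int  # 1 low .. 3 high ("how likely is it that I will need to protect it?")
    impact: int      # 1 low .. 3 severe ("how bad are the consequences if I fail?")
    mitigations: List[str] = field(default_factory=list)
    accepted: bool = False  # explicit decision to live with the risk

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def validate(register: List[Threat]) -> List[str]:
    """Names of threats with neither a mitigation nor an explicit acceptance."""
    return [t.name for t in register if not t.mitigations and not t.accepted]


def prioritise(register: List[Threat]) -> List[Threat]:
    """Undecided threats first, then highest risk score first."""
    return sorted(register, key=lambda t: (bool(t.mitigations) or t.accepted, -t.risk))


def render(register: List[Threat]) -> str:
    """Render the register as the Threat / Mitigation(s) table used in the post."""
    def cell(t: Threat) -> str:
        if t.mitigations:
            return "; ".join(t.mitigations)
        return "None, risk accepted" if t.accepted else "UNDECIDED"
    rows = [f"{t.name} | {t.risk} | {cell(t)}" for t in prioritise(register)]
    return "\n".join(["Threat | Risk | Mitigation(s)", *rows])


# Constructed sample register based on the three rows in the thread; scores are illustrative.
REGISTER = [
    Threat("Credential compromise through database leaks", 3, 2,
           ["Passkeys or other MFA wherever possible", "unique passwords in a password manager"]),
    Threat("Identity correlation between sites", 2, 2, ["distinct browser profiles", "VPN"]),
    Threat("Targeted attack by state actor using a zero day", 1, 3, accepted=True),
]

if __name__ == "__main__":
    print(render(REGISTER))
    print("undecided:", validate(REGISTER))
```

Adding a row without mitigations or `accepted=True` makes `validate` report it and `prioritise` put it at the top, which is the point of writing the model down rather than keeping it as a vague goal.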