Whether you're a seasoned security professional or complete novice, it's important to protect your personal information online. But how paranoid should you really be? Well, it depends on your personal threat model. Often small adjustments in your behavior can have a drastic impact on your security posture.

Recently, I was invited to speak at DSS ITSEC 2016 where I discussed how you can create your own personal threat model to identify and quantify your weaknesses so you can come up with the appropriate defenses for protecting yourself online. Here's a summary of that presentation and how you can begin creating your own personal threat model.

What information do you want to protect?

Protecting your online information can take a lot of effort and there will always be a trade-off between usability and security/privacy. In order to protect your information online, you'll first need to identify what assets you are trying to protect and what the likelihood is of a threat being realized. Some of these assets might be your personal information, location, pictures, conversations in emails and texts, social media, banking information, etc. Once you know what you're trying to protect, you can move on to what measures you can take to help mitigate or decrease the risk associated with these threats.

What are the potential threats associated with these assets?

Now that you know what information you want to protect, ask yourself, "How will I protect that information from a potential cybersecurity threat?" Think about how an attacker might target each of those assets and start by making a list. Some examples might be:

  • Personal Information: An attacker could obtain information on you through public, searchable resources found online. They can also look into your social media profiles and the profiles of your contacts to see what information you or others share publicly.
  • Financial Information: Anywhere you use your credit/debit cards (especially online) could be an opportunity for your information to be compromised. Any retail account that uses/stores your financial information could be compromised and abused if a weak password is used.
  • Location: An attacker could use knowledge of your location to target you directly by knowing when to rob you or when you will be away. Attackers in foreign countries could use social media to target tourists.
  • Personal Communications: From business conversations to what you're eating for dinner, personal text messages and emails can provide an attacker a large amount of information about you. Most often, an attacker will obtain your information when you download insecure apps on your phone or from malware installed on your device.
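The presentation describes identifying and quantifying your weaknesses; the following is an added example (not code from the talk or its author) of how a personal threat model can be written down and scored. It assumes a simple 1-to-5 likelihood and impact scale, a risk of likelihood times impact, and a made-up table of how much each mitigation lowers one of those factors; the four scenarios are constructed from the asset categories above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed scales for this example: 1 = rare/negligible, 5 = almost certain/severe.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Threat:
    asset: str
    scenario: str
    likelihood: int
    impact: int
    controls: List[str] = field(default_factory=list)  # mitigations already in place


# Hypothetical effect of each control, as (likelihood points removed, impact points removed).
CONTROL_EFFECT: Dict[str, Tuple[int, int]] = {
    "strong unique password + manager": (2, 0),
    "two-factor authentication": (2, 0),
    "full-disk encryption": (0, 3),
    "post travel photos after returning": (2, 0),
    "only install apps from the official store": (1, 0),
    "keep devices patched": (1, 0),
}


def inherent_risk(t: Threat) -> int:
    """Risk before any mitigation: likelihood x impact."""
    return t.likelihood * t.impact


def residual_risk(t: Threat) -> int:
    """Risk after applying the threat's controls; each factor never drops below 1."""
    dl = sum(CONTROL_EFFECT[c][0] for c in t.controls)
    di = sum(CONTROL_EFFECT[c][1] for c in t.controls)
    return max(1, t.likelihood - dl) * max(1, t.impact - di)


def prioritize(threats: List[Threat]) -> List[Tuple[str, int, int]]:
    """Return (scenario, inherent, residual) rows, highest residual risk first."""
    rows = [(t.scenario, inherent_risk(t), residual_risk(t)) for t in threats]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


def unmitigated(threats: List[Threat]) -> List[str]:
    """Scenarios with no control at all: the gaps to close first."""
    return [t.scenario for t in threats if not t.controls]


# Constructed sample model built from the four asset categories above.
SAMPLE_MODEL = [
    Threat("Financial information", "retail account with a reused password is taken over",
           LIKELIHOOD["likely"], IMPACT["major"], ["strong unique password + manager"]),
    Threat("Personal communications", "malware from a sideloaded app reads texts and email",
           LIKELIHOOD["possible"], IMPACT["major"], []),
    Threat("Location", "travel photos posted live reveal an empty home",
           LIKELIHOOD["possible"], IMPACT["major"], ["post travel photos after returning"]),
    Threat("Personal information", "public profile data used to answer password-reset questions",
           LIKELIHOOD["likely"], IMPACT["moderate"], ["two-factor authentication"]),
]

if __name__ == "__main__":
    for scenario, inherent, residual in prioritize(SAMPLE_MODEL):
        print(f"{residual:2d} (was {inherent:2d})  {scenario}")
    print("no control yet:", unmitigated(SAMPLE_MODEL))
```

Running it shows why scoring matters: the malware scenario starts with a lower inherent risk than the financial one, but because nothing mitigates it, it ends up at the top of the residual list, which is the weakness to address next.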

How can you protect these assets from the associated threats?

Knowing how an attacker might be able to obtain data will allow you to better understand what needs to happen in order to secure your assets from getting hacked. Some ways you can do this include:

  • Lock and encrypt all your devices: You should password-protect your devices (phone and laptop), but also encrypt your data so that anyone without the decryption key can't read it. This also helps if your device ever gets lost or stolen.
  • Lock down your social media accounts: Regularly review the security and privacy settings for all the social media accounts you use. Many social media websites offer additional security and privacy capabilities like login notifications and two-factor authentication; use them where possible. Wait until you get home to post pictures of travel on social media.
  • Use strong passwords: A secure password will make it more difficult for an attacker to hack into your account. You should also make use of a password manager to keep these passwords secure. Never share your password with others.
  • Use two-factor authentication: Whenever available, 2FA gives you the added benefit of an extra layer of security when logging into accounts. Many banking, retail, and social media websites offer this feature, as do email providers like Gmail (see which websites support 2FA here). That means even if an attacker has your password, they'll still have to bypass the one-time 6-digit security code needed to log in.
  • Stay on top of it: Make sure your devices are always up to date. Often, these updates include security patches that could stop an exploit. You should also enforce security upon yourself at all times. Don't connect to untrusted WiFi networks and always monitor your accounts for suspicious activity.

If you're interested in learning more about creating your own personal threat model, you can watch the full video replay of the presentation below and view the slides from the presentation on SlideShare.



I have also put together the Essential Guide to Online Security, a comprehensive guide to understanding and implementing best practices for staying safe online.