Guest Post: A new approach to threat modeling
I have a guest post from Ben Elijah, author of The Productivity Habits. He writes at Ink and Ben, and you can also find out more about him by listening to Systematic Episode 155, where he was a gracious guest.
Now I’ll turn it over to Ben and let him talk about security of the tools we use every day.
The Snowden leaks made me question the trustworthiness of the systems and services we all rely on. Oh, of course there is the usual retort of the authoritarian; “if you’ve got nothing to hide you’ve got nothing to fear”, though I rather think that those who argue this point ought to defecate in the street and tattoo their passwords on their foreheads.
The thing is, my brain sucks. I find it difficult to hold pieces of information in my mind for long periods of time. A long time ago I decided that I wasn’t going to accept these limitations. Methods like Getting Things Done helped enormously, as well as the ideas which found their way into The Productivity Habits. Task lists, note-taking apps, knowledge managers, collaboration services; gimme gimme gimme!
I’ve learned to rely on services and infrastructure which we now know are under pervasive surveillance. Working with information outside my head is as important to the way I live my life as any habit or belief. I’m sure almost all of the services I might use have good intentions, but unless I encrypt my data, properly, before it leaves my computer with a key that only I have, I can safely assume that I’m sharing it with the NSA and GCHQ. I believe that privacy is essential for creativity, and consequently, so are privacy-respecting tools. I cannot use untrustworthy tools to make things. Mass surveillance has motivated me to find alternatives.
The Hedgehog Mode
I’m not going to give you a litany of surveillance countermeasures; there are fantastic resources online which offer practical advice and useful recommendations. Each individual will have different needs and priorities. Someone who doesn’t feel as deeply about surveillance as I do would probably worry less than I do about, for example, using commercial cloud services.
When I talk about information security people often go into what I call the “hedgehog mode”: curl up into a ball, frightened by everything; feeling under threat from all sides because they don’t know where the threat is coming from. Sometimes they end up locking themselves down so much that they can no longer work effectively. We should avoid that. It’s better to rationally assess your security needs and identify the specific threats that you need to counter.
In the world of corporate IT, a sensible security person will conduct a procedure to identify vulnerabilities in their systems, and the threats that could exploit them. This will help them to decide where to put their resources. This procedure is called “threat modelling”. It’s just as useful for individuals. I’ve developed a simple method for personal threat modelling which will help you to understand the particular threats you face based on the way that you work, and the risks associated with them. Then, you can build a workflow that keeps you safe and productive.
Let’s start with a scenario I hope you’ll be able to relate to. A writer, interested in hot political issues, who travels across borders fairly frequently, with good technical skills, and common sense enough to back up their data correctly.
Data Flow Diagram
First, we need to understand the way our writer works, then list all the security threats they face. We’ll be using a Data Flow Diagram. DFDs are rather like the network topology maps you might have seen if you’ve ever wired up the computers in an office. A DFD shows us where we interact with data, the zones where we can and can’t trust it, and the boundaries between those zones.
There are lots of ways to create a DFD. My approach starts with the various jobs that comprise a workflow, and the situations in which they are performed.
In my research for The Productivity Habits I created a concept called The Context Triangle. This helps us to analyse the way we work, defining working situations or contexts as discrete combinations of space, time and thought. These are then related to the dependencies of a task - availability, attention, creativity.
It’s a bit like performing a Fast Fourier Transform on your calendar.
List out the various tasks you’ve performed over the last week or two. You will have been in a number of different working situations. You can do different kinds of work in each situation. For example, your local cafe is good for conversations, taking notes, reading; maybe less good for editing a thesis. Why? An environment with a lot of sensory stimulation (background chatter, decor on the walls, strong espresso) might lend itself to open, playful creativity. It’s likely that you can zone out from this noise, which allows for deep attention. And everything you need for those tasks, your notebooks and pens, is probably on your person. Whereas in an office, with distractions you’ll probably have to deal with, you can probably offer rather less attention.
Create a table listing tasks that comprise your workflow. It’s helpful to break it down to the verb associated with the job you’re performing, and the information tool you’re working with. Then add the situation which you’ve deduced from the Context Triangle.
Finally, we need to understand where each task belongs in the workflow. We can put any information task into one of three categories: Capture, Compile, or Review+Share. This workflow loop can be helpful when choosing your tools and analysing your workflow.
| Verb | Job | Object | Situation (Attention, Creativity, Availability) | Workflow |
| --- | --- | --- | --- | --- |
| Speak | Conversations | Voice | Sh, Op, Float | 1.1 Capture |
| Write | Notes | Notebook | Sh, Op, Float | 1.2 Capture |
| Capture | Tasks | Smartphone | Sh, Cl, Float | 1.3 Capture |
| Write | Draft | Notebook | Dp, Op, Float | 1.4 Capture |
| Process | Tasks | Computer | Sh, Cl, Fixed | 2.1 Compile |
| Retrieve | Research | Computer | Sh, Cl, Fixed | 2.2 Compile |
| Organise | Research | Computer | Dp, Cl, Fixed | 2.3 Compile |
| Type | Draft | Computer | Dp, Cl, Fixed | 2.4 Compile |
| Edit | Draft | Tablet | Dp, Op, Float | 2.5 Compile |
| Process | | Smartphone | Sh, Cl, Float | 3.1 Review+Share |
| Review | PDFs | Smartphone | Sh, Cl, Float | 3.2 Review+Share |
| Commit | Git | Computer | Sh, Cl, Fixed | 3.3 Review+Share |
The decimals in Workflow allow us to precisely tune the order of the table. When we sort the table by Workflow, notice how the situations tend to cluster together. This forms the basis of our data flow diagram:
Threats tend to occur at the boundaries of situations. For example, you might trust the privacy of the information you write in a journal which you hide under a pillow, a situation that you trust. That trust is violated when someone removes the pillow and reads the journal without your permission. You might trust the security of the contactless credit cards which you keep in your pocket, up until the moment you get mugged in the street. With this in mind, we list the threats that occur at the boundary of each situation:
I know, I know. Corporate suck. But this is the most revealing part of the process. Place each unique threat in a table which compares impact and probability:
| | Low Probability | Medium Probability | High Probability | Very High Probability |
| --- | --- | --- | --- | --- |
| Very High Impact | Evil maid | Targeted surveillance | Confiscation | Malware |
| High Impact | Intentional leak | Mugging | Loss/theft | Mass surveillance |
| Medium Impact | Packet sniffing | Compromised website | Device failure | |
| Low Impact | Eavesdropping | Accidental leak | Lost password | Shoulder surfer |
This table allows us to create an ordered list of threats, from most risky to least:
- Mass surveillance
- Targeted surveillance
- Device failure
- Compromised website
- Shoulder surfers
- Lost passwords
- Evil maid
- Intentional leak
- Packet sniffing
- Accidental leak
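The task table and the risk matrix above as a small Python helper (an added example, not Ben’s own tooling): it sorts the steps by their Workflow code, reports the situation boundaries where threats should be listed, and ranks the threats in the matrix. The post gives no scoring formula; the product of impact rank and probability rank is an assumption here, so the order it produces is one reading of the matrix and will not match the hand-ordered list exactly.

```python
# Added example, not code from the post. Scoring (impact rank times
# probability rank) is an assumption; the post does not define one.

LEVELS = ["Low", "Medium", "High", "Very High"]  # rank = index + 1

# Workflow code -> Context Triangle situation (attention, creativity,
# availability), copied from the post's task table.
SITUATIONS = {
    "1.1": ("Sh", "Op", "Float"), "1.2": ("Sh", "Op", "Float"),
    "1.3": ("Sh", "Cl", "Float"), "1.4": ("Dp", "Op", "Float"),
    "2.1": ("Sh", "Cl", "Fixed"), "2.2": ("Sh", "Cl", "Fixed"),
    "2.3": ("Dp", "Cl", "Fixed"), "2.4": ("Dp", "Cl", "Fixed"),
    "2.5": ("Dp", "Op", "Float"), "3.1": ("Sh", "Cl", "Float"),
    "3.2": ("Sh", "Cl", "Float"), "3.3": ("Sh", "Cl", "Fixed"),
}

# Risk matrix rows from the post: impact -> threats listed from Low to
# Very High probability (the Medium Impact row has only three entries).
MATRIX = {
    "Very High": ["Evil maid", "Targeted surveillance", "Confiscation", "Malware"],
    "High": ["Intentional leak", "Mugging", "Loss/theft", "Mass surveillance"],
    "Medium": ["Packet sniffing", "Compromised website", "Device failure"],
    "Low": ["Eavesdropping", "Accidental leak", "Lost password", "Shoulder surfer"],
}

def workflow_order(tasks):
    """Sort Workflow codes numerically ('2.5' before '3.1', '1.10' after '1.9')."""
    return sorted(tasks, key=lambda code: tuple(int(p) for p in code.split(".")))

def situation_boundaries(tasks):
    """Consecutive workflow steps whose situation differs: the transitions
    where the post says threats should be listed."""
    order = workflow_order(tasks)
    return [(a, b) for a, b in zip(order, order[1:]) if tasks[a] != tasks[b]]

def risk_scores(matrix=MATRIX):
    """Assumed scoring: impact rank times probability rank (1..16), where a
    threat's column position in its row gives its probability rank."""
    scores = {}
    for impact, row in matrix.items():
        for column, threat in enumerate(row):
            scores[threat] = (LEVELS.index(impact) + 1) * (column + 1)
    return scores

def ranked_threats(matrix=MATRIX):
    """Most to least risky; ties broken alphabetically so output is stable."""
    scores = risk_scores(matrix)
    return sorted(scores, key=lambda threat: (-scores[threat], threat))
```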
This is a reasonable assessment of the various risks faced by our writer in this scenario. As an aside, it also works well for planning your backup strategy. In our case it makes sense to put more energy into mitigating the threat of malware, confiscation and mass surveillance than the threat of paranoid rubbernecking in a cafe or accidental leaks. Consequently, our writer might want to regularly update their software, use a security-focused operating system like Qubes OS, and ensure that all data is strongly encrypted and removed from their devices before they cross a border. They might also plan to avoid using insecure commercial cloud services for communication, switching to open source encrypted protocols such as Signal instead.
I’m certain that I’ve missed threats in this scenario. You could also argue that some threats are riskier than shown here. Individual workflow and privacy needs are unique, so the risk of each threat will differ from person to person. Nor should you expect this process to highlight every conceivable risk that you’ll face. It’s also worth mentioning that a single countermeasure can account for many different risks. For example, by using a good password manager you mitigate the threats of lost passwords and compromised websites, and you make it easier to encrypt data at rest.
You should also consider that each countermeasure is going to add friction. Imagine a scale with security at one extreme and convenience at the other. There is a fundamental conflict between them. This means that security is hard to attain for users who need maximum convenience. You will have to choose a compromise that you’re comfortable with. New technologies and threats are emerging constantly, and those threats never get less effective. In my opinion, your knowledge of those threats is the best protection from them. I hope that the method outlined in this post will help you to apply that knowledge.
Ben Elijah writes about the relationship between information and thought. He is the author of The Productivity Habits, occasionally blogs at inkandben.com/blog, and tweets @inkandben.