re: Effective Communication Security / Beyond 'Use Signal Use Tor' VIEW POST

FULL DISCUSSION
 

Welcome to being a poster here :)

I do like the Grugq comment at the top - threat modelling sounds hard, so when it does get done it becomes the starting point for a lot of advice that then gets cargo culted by the tools brigade.

I would recommend having a go at it though, the Wikipedia page is a pretty decent introduction.

  • Identify who your threat actors are, at work we use the following classifications: Non-criminals ('script kiddies'), Lone criminals / insiders, Organised crime, State sponsored actors. These are IT focussed, yours may differ depending on your domain.
  • Identify assets at risk, this could be data assets, people (you!), systems (eg: emergency services).
  • Consider the motivations and capabilities of each actor towards each asset, estimate the impact (cost) of their successes, prioritise them.
  • Consider the attack vectors towards each asset, I like Bruce Schneier's Attack Trees method. Estimate 'cost' to the attacker and prioritise those routes that impact higher priority assets at lowest cost.

That's it - you have a threat model, now you can look at mitigations to the identified risks through controls against the attack vectors eg: telephone network failure impacting emergency services - provide an alternative communication system.

Typically a threat model for one of our products at work is a one-page document in confluence.

To follow up the Schneier quote about never-ending process: put a threat model review into your development lifecycle, they'll thank you in the end :)

 

Thanks for excellent comment, Phil! In fact I am little ashamed that I did not make this post more comprehensive and holistic, but even some basics are sometimes hard to grasp for ordinary people. Also thanks for notice on threat modelling, yes, one should definitely put a threat model review into the development lifecycle, and think about it at the first place. Maybe (if there'll be enough time), I'll write more comprehensive post later, but I am really not sure if whether it belong here, on forum focused primary on development.

code of conduct - report abuse