Threat Modeling: How Can We Use It for Our Cybersecurity?

Threat modeling is a set of principles, ideas, and tools used by software developers to imagine what their cybersecurity system should look like. Thankfully, as users, we don’t need to spend a semester at MIT to learn the exact coding techniques that come with it but can rather focus on the part that we can use, and which is quite fun, sometimes, maybe, for some people.

Threat modeling has three general steps that are all dealt with in very different ways. The reason why even the biggest companies often struggle with threat modeling is that it requires quite a bit of criminology in the beginning, philosophy in the middle, and engineering in the end. To use these systems we just need a general approach to these things. Most people have neither the time nor the energy to study all three fields in depth, but just knowing where to look will help you use these systems and protect yourself much better than any company might protect their users.

The tools we use are very well known to us. If you are using an updated operating system, a good anti-virus, and a professional VPN provider to mask your IP address, you can make yourself very safe. Premium VPN providers like Le VPN will not only provide you with an anonymous IP address but will give you a wide range of other protections that will shield you from would-be data thieves.

What Are the Steps of Threat Modeling?

The first step is to use criminology to determine who your adversaries are. These are the people, groups, or organizations that want to do you harm on the internet. As this can mean different things for different people, it is important to know what is important to us and what we want to make secure.

The second step is to understand the minds of the people or groups that want to harm us. The biggest mistake there is thinking that these groups will act rationally, and it is much better to accept all of the silliness and madness of humanity if we would like to understand that part.

Finally, the third step is to use the tools that we need to protect ourselves from the adversaries that we have imagined. This will depend on the person because shielding your sensitive data is much easier if you only have personal information to safeguard and nobody is directly targeting you. You know who you are protecting and who can have access to your data. But, if you have other sensitive information that malicious entities want to have, this might be much more difficult to protect. Thankfully, if you are using Le VPN, most of these advanced tools would be at your disposal from the beginning.

Who Are the Adversaries?

Not to jump ahead with philosophy, but both the Chinese military theorist Sun Tzu and the medieval Italian politician Cesare Borgia agree that knowing yourself and knowing your enemy will result in winning a war every time.

In this case, we can only theorize an enemy by what they want to get from you. You should never underestimate the human desire for wealth and control, nor the occasional madness of some people who just want to do harm. All groups that are after your sensitive data are there for different reasons. They also tend to use different tactics, which is why you should defend against them in different ways.

Foreign Governments

While some people might be in danger from the one government they call their own, however reluctantly, all of us are under threat from foreign governments that are after our data. Depending on the way malicious parts of the government obtained their access, they might be after two things. Primarily, there are your communications, like emails or chats. Here they can fish for security information and reports, practically using you as an unknowing participant in espionage, minus all the 007 glamour.

The second thing they want is your general browsing history so that they can make social patterns, knowing how people from other countries feel, and if they would be able to influence their politics and behavior in any way.

Domestic Institutions

Domestic institutions are different from foreign governments in that they don’t necessarily want to misuse your data. But they are dangerous because their “theft” might not be against the law and they are often hacked or compromised, giving your data to other parties.

This category includes everything from the NSA, for those in the US, collecting your data for security purposes, to local councils, for those in the UK, keeping your information in their database in the effort to provide better public support. While these might be good intentions, the road to hell has been known to be paved with those. The outcomes range from the information simply leaking to the country instituting a social credit policy that will bar you from buying a plane ticket because of your political beliefs, as is the case in PR China.

Corporations

Most people forget that the biggest corporations are bigger than many small countries. An entity of that size is bound to have rogue or semi-sanctioned groups that will do anything and everything to give their shareholders a slightly better quarterly report than the last.

Generally, corporations are after your browsing data and buying habits but are not above stealing your personal data to get that edge. Additionally, these rogue entities inside the corporations are known to sell the personal data they collect to third parties, making your social security code just a bargaining chip in their deals.

To combat this, we need to forgo the marketing about how a trillion-dollar corporation can somehow be on our side. Don’t give them your information and always use an anonymous IP and anonymous web browsing to access any part of the internet if you don’t want companies like Google or Apple snooping on what you are doing.

Companies

Companies are much smaller than corporations, and not nearly as malicious. They can range from mom-and-pop shops on the corner to some that can cover the entire state. Unlike other entities, companies will never hack your devices to obtain personal data, but will rather ask you to provide that yourself. Don’t do it. Generally, it is a good idea to have your internet service provider, your ISP, send the bills to a PO box and not your real address, as they also usually fall into this group.

Not only can getting ads in your email and in your post box be annoying, but these companies can often be compromised, and your data stolen by hackers. If you are paying with your credit card, the store will already have your payment information. And, if you leave your personal information to match, that is everything a hacker needs to steal your identity.

Crime Groups

Because dealing with personal information is very lucrative, there are now numerous crime groups that spend their days collecting this information in a different way and using it to profit. While they usually target specific businesses, institutions, and known wealthy individuals, they are not above targeting anyone else if their information is just “out there”.

The biggest problem with having your data stolen by crime groups is that they don’t include only online threats. These groups have many affiliates who are more than capable of infringing on your physical security if that is something that could profit the group. The best way to prevent this is to use a premium VPN. With companies like Le VPN, you can have 100+ locations to move the anonymous IP address to, and let these groups chase you over the hills of Mongolia while you sit at home.

Hackers

While most people imagine some cyberpunk dressed in neon typing fanatically on the keyboard, or Angelina Jolie from the movie “Hackers”, this is not what this group looks like or how it thinks. An average hacker is a slightly overweight Swedish (due to liberal laws) young person with enough skill and free time to collect available data on the internet for a small gain or just for fun.

Generally, hackers are not bad people, but they can create many problems for you if they get to your data. Additionally, they are the only ones who will go out of their way to get that data, exploiting any hole in your defense to write themselves a win. When imagining this kind of adversary, it is not a bad idea to forgo the idea of common sense, as most of these people are very maniacal and not always totally present in the real world.

Malware

Finally, the most boring and common adversary you will encounter is malware and spyware. On rare occasions, this type of software will have detrimental effects on your devices and personal information, but it is mostly annoying and slows your internet and your devices.

To protect your hardware and software, you should have an ad-block installed on your browser as well as anti-spyware software running, with frequent scrubs.

To protect your data that might be compromised, you should always use a premium VPN to prevent any person behind the malware from connecting your browsing to your personal information.

Primary Assumptions

The first step in creating an active defense system is making some fundamental assumptions. Most of these you will already make when imagining your adversaries. Additionally, you should imagine ways that they will get to your information.

The most common way snoopers get our information is when we are using a public IP, like in a café, or when we are connecting our real IP address to our personal information. In these cases, the best course of action would be to use some sort of proxy server or anonymous proxy nodes like the Tor Browser or something that will mask our IP address.

While using the Tor Browser as your primary browser is a good idea, you should always opt for a premium VPN over a free web proxy. A free proxy server can be easily compromised and is often a target of malicious entities, if not made by those entities in the first place. There are also other advantages of a VPN, from the fact that it is faster and easier to use, to it having a lot of redundant passive protections that will make you safe on the internet.

Negative Goal Problem

Those experienced in problem-solving might have noticed that threat modeling has a major issue with its goal. Mainly, it is a negative goal. You are not trying to do something, but trying to prevent something from happening.

This is where creativity comes into play. The best way to engage in threat modeling for your personal cybersecurity is to let your imagination come up with the wildest ways that it can be compromised and misused. From selling your summer vacation photos to stock companies to piggybacking on your credit card to buy online games, there is little that people don’t think of when it comes to using your data.

This is where tiers of security come in, and while most of your data will be protected with a good anonymous web proxy, the only way to secure more important information is with anonymization of your IP address using a good VPN, and preferably accessing the internet with the Tor Browser.

The Hitchhiker’s Guide to the Galaxy

“There’s an infinite number of monkeys outside who want to talk to us about this script for Hamlet they’ve worked out.” –Douglas Adams

While not the obvious route in cybersecurity, this book by Douglas Adams has several points that are crucial when it comes to threat modeling. Also, it is quite an interesting read.

The point of the story is the rule of great numbers. While you may not be a target for an organized crime syndicate looking to steal your social security number, you are accessing the internet every day, not to mention using your credit card and filling out forms for various entities. The reason why your cybersecurity needs to be bordering on paranoid is that you never know what could happen and which unintentional move might share your treasured info with hackers.

If you secure yourself from something unexpected, you will be safe from the expected as well.

Best Security Practices

Going back to this side of reality, there are a few best practices ironed out over the years that are meant to protect us from potential threats and to minimize our security risks. When you know about all of the various threats and vulnerabilities you will be able to adequately make a model that will protect you and your computer and mobile devices from any risk online.

Digital Safety

Creating a framework for digital security is somewhat easier because the technology you need is already available.

First of all, you will connect all of your devices over a VPN. Premium providers like Le VPN will give you anonymous browsing that is as fast as your regular internet, as well as protected from all snoopers you might stumble upon online. This service is capable of easily hiding me, you, and all of our devices and of making them all seem like they are coming from different locations.

The second line of defense will be the device itself, which should have an updated security system with all of the modern protocols. Additionally, you should have a good anti-virus and anti-spyware software installed.

Finally, there is no better way to keep your most valuable information safe than on an external hard drive that is disconnected from your device until you need it. With USB flash storage technology, this has become a cheap solution that can guarantee that such information will be unreachable.

Physical Safety

This brings us to physical safety and security, as someone breaking into your home can steal even that flash drive. This part of cybersecurity is often disregarded, but it is a fact that spreading personal information, especially your home address, can put your place of residence in danger.

The same way you should keep your real IP address private with a VPN, you should not disclose your actual place of residence to any company if you don’t have to.

Cover All of Your Bases

To build up your security infrastructure, threat analysis alone will not be enough. You will need to know if you will be tempted to forgo your security for convenience at some point and establish security measures that will allow you to use the internet safely even at those times.

A good example is if you need higher internet speeds, where you will sometimes disable your VPN to get those additional megabytes. A much better option here is to use modern protocols like OpenVPN that will give you those faster speeds regardless, rather than have your whole threat modeling journey go to waste because of impatience.

Conclusion

While threat modeling in software development is a complicated process of security assessment and methodology used to implement security policies, for personal users this road is much easier. If we are using professional VPN providers like Le VPN, we already have all of the encryption tools and security algorithms that we need to detect, avoid, and remove any cyber risk that we can find on the internet.

Using some insight from best practices and our imagination to think about how our security might be at risk, we can make ourselves secure by being anonymous online and slightly prudent about how we share our information. Anonymous surfing online is the best way to feel safe and free on the internet today.

Written by Vuk Mujović @VukMujovic

Vuk Mujović is the founder of MacTíre Consulting, an analyst, data management expert, and a long-term writer on all things business & tech. He authored blogs, articles, and opinion pieces aimed to help both companies and individuals achieve growth without compromising their security. Vuk is a regular guest author to Le VPN Blog since January 2018, where he gives his expert opinion on the topics related to cybersecurity, privacy, online freedom, and personal data protection. He also often shares his tips and best practices in relation to internet security and digital safety of private individuals and small businesses, including some additional applications of using a VPN service.
