Building Your Personal
Threat Model
Geoffrey Vaughan
@mrvaughan
Sr. Security Engineer
Why This Talk?
• I care about you and your data
• I’m tired of regular users suffering for mistakes made by large
organizations (data breaches) or being caught by the simplest
of phishing scams
• Often small adjustments in user behavior can have a large
impact on security and privacy
• To encourage you to focus your energy in areas that most affect
you
Whoami
• Geoffrey Vaughan @MrVaughan
• Sr. Security Engineer @SecurityInnovation
• AppSec pentesting/advisory across all areas of the SDLC
• Former High School/Prison/University Teacher
• Occasionally I’m let out of my basement
TL;DR: If you only read one slide
Giving it all away at the beginning:
1) Use a password manager
2) Keep your devices up-to-date
3) Use 2-Factor Authentication on all your accounts
4) Free Wi-Fi comes at a cost – don’t connect to untrusted networks
5) Lock and encrypt your devices (phones + computers)
For more information, I wrote a Guide:
https://web.securityinnovation.com/essential-guide-to-online-security
Beyond the Basics: How Paranoid Should I Be?
• Protecting your data and privacy online can take a lot of effort.
• Complete anonymity is really hard.
• It will always be a trade-off between usability, security, and
privacy.
How Paranoid Should I be?
Threat Model?
Simplified Definition:
Identify and quantify your weaknesses so you can come up with
appropriate defenses.
5 Minute Threat Modelling
• What assets are you trying to protect?
• What threats are the assets under?
• What is the likelihood of a threat being realized?
• What measures can help mitigate or decrease the risk
associated with the threat?
Threat Modeling: The Slightly Longer Way
1. List all assets you want to protect
2. Define user groups / roles
3. Define components and systems your assets interact with
4. Build an access matrix
5. Define your threats
6. Assess highest risk threats
7. Think of all the ways the risks can be exploited
8. Implement mitigating controls to reduce risk
What assets do you care
most about protecting?
Assets to Protect
• Personal Information - Name, Age, DOB, Spouse, Children, Parents
• Personal Pictures, videos, documents
• Financial Information - Banking, loan, credit
• Location - Home address, places you frequent, or where you are
right now
• Physical Devices
• Business Assets on devices
• Personal Communications/Conversations - Emails, Text Messages,
Chat, etc., phone calls
• Data about data (metadata) – when you called someone, who you text
messaged
Can you classify the people
you interact with into groups?
User Groups
• Private – Things you keep completely to yourself
• Significant other
• Known Threat (stalker, ex SO, abuser, online bully)
• Immediate Family and close friends
• Extended friends
• General Public
• Employer
• Doctor / Lawyer
• Foreign / Domestic Governments
Where do your assets reside or
pass-through?
Components
Places where your assets are stored:
• Mobile device – Apps you use, device storage, cache, browser
history
• Computer – device storage, applications
• Services – LinkedIn, Facebook, Twitter, Instagram, etc.
• Third party trackers – Marketing and Analytics software to track you
• Wireless networks – Home vs while travelling
• Cellular carriers
• Border screening check points
How do all the components
you use interact?
Access Matrix?
• A table defining rules for how various user groups can interact
with assets
• For any user group, a user may be able to create, read, update,
or delete an asset
• An access matrix defines all these rules
[Access matrix image: a table of User Roles against Assets, each cell giving the permitted Action (create, read, update, delete)]
Warning: Gets a little crazy here
In smaller pieces
Generating Threats
• Now that we have defined all of our rules, think of all the ways
that these rules can be broken.
• These are your threats.
My Threats
• Unauthorized read of sensitive
information not disclosed publicly (all
other groups)
• Foreign government can read
authentication credentials
• Any unauthorized user can read
authentication credentials
• Significant other reads purchasing habits
and learns how much I spend on lunches,
what their present is, or how much that
new tech toy actually cost.
• Unauthorized create, update, delete of
beneficiary information
• General Public or Known Threat reads
sensitive information not disclosed
publicly
• Unauthorized read of sensitive personal
media (tier 1)
• Unauthorized creation of sensitive
personal media (tier 1)
• User is unable to delete sensitive
personal media (tier 1)
• Unauthorized read of sensitive personal
media (tier 2)
• Unauthorized creation of sensitive
personal media (tier 2)
• User (self) is unable to delete personal
information
• Unauthorized read of location
information
• Significant other is able to update, or
delete personal information affecting
access to resources
• Any unauthorized user can update
authentication credentials
• Attacker or Known threat can create
authentication credentials for accounts in
your name
• Any user is able to update or delete
personal information
• Any user is able to create personal
information to impersonate you
• Unauthorized read of beneficiary
information
• Unauthorized read of meta-data
• Unauthorized read of purchasing habits
• Unauthorized read of personal
communications
• Unauthorized read of associations
• Unauthorized read, update, or delete of
business assets
• Unauthorized creation, read, update, or
delete of financial information
My Top Threats
• Unauthorized read of sensitive personal media (tier 1)
• Unauthorized creation, read, update, or delete of financial
information
• Unauthorized read, update, or delete of business assets
• Any unauthorized user can read authentication credentials
• Unauthorized read of personal communications
• Unauthorized read of sensitive information not disclosed
publicly (all other groups)
Threats that are not high in my threat
model that might be in yours
• Being unable to delete personal media from the internet (revenge
porn)
• Hiding location and personal information from a stalker
• Hiding information from an abusive partner or ex-partner
• Employer spying on your Internet activity
• Protecting sexual identity or associations
• Attending a protest safely
• Protecting sources and associations as a journalist/activist
• Maintaining an anonymous presence online
• Dealing with identity theft
Time to Hack Yourself
Where are you vulnerable?
• For each top threat in your threat model, think of all the ways
that threat could be exploited.
• Consider all of the components that contain the asset under
threat and ways it could be exploited.
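The deck's procedure (assets, user groups, components, access matrix, threats, top threats, and the "where are you vulnerable?" mapping back to components) as an added Python example; it is not from the slides or the author. Every asset, role, rule, component and score in it is a constructed sample, and it generalizes the slides in one way: a threat is defined mechanically as any (role, asset, action) combination the deny-by-default access matrix does not permit, which is exactly "all the ways the rules can be broken", and risk is scored as likelihood × impact × action weight to pick the top threats.

```python
"""Added example (not from the slides): a small personal-threat-model
builder that walks the deck's steps 1-6 and the "Where are you
vulnerable?" step in code. Every asset, role, rule, component and score
below is a constructed sample, not the author's own threat model."""
from dataclasses import dataclass
from itertools import product

# CRUD actions, as on the Access Matrix slide.
ACTIONS = ("create", "read", "update", "delete")
LETTER_TO_ACTION = dict(zip("crud", ACTIONS))

# Step 1: assets to protect (constructed subset of the slide's list).
ASSETS = ("financial information", "sensitive personal media",
          "authentication credentials", "location")

# Step 2: user groups / roles (constructed subset of the slide's list).
ROLES = ("self", "significant other", "immediate family", "employer",
         "general public", "known threat")

# Step 3: components each asset is stored on or passes through (constructed).
COMPONENTS = {
    "financial information": {"mobile device", "computer", "web service"},
    "sensitive personal media": {"mobile device", "computer",
                                 "email provider", "contact device"},
    "authentication credentials": {"mobile device", "computer", "web service"},
    "location": {"mobile device", "cellular carrier", "web service"},
}

# Step 4: the access matrix, written as {role: {asset: "crud" letters}}.
# Anything not listed is denied (deny by default).
RULES = {
    "self": {asset: "crud" for asset in ASSETS},
    "significant other": {"location": "r", "financial information": "r"},
    "immediate family": {"location": "r"},
}

# Constructed scores for step 6: how likely each role is to act against you,
# how much each asset matters, and how bad each action is. Risk = product.
LIKELIHOOD = {"self": 0, "significant other": 2, "immediate family": 1,
              "employer": 2, "general public": 3, "known threat": 4}
IMPACT = {"financial information": 5, "authentication credentials": 5,
          "sensitive personal media": 4, "location": 2}
ACTION_WEIGHT = {"read": 3, "update": 3, "delete": 2, "create": 2}


@dataclass(frozen=True)
class Threat:
    role: str
    asset: str
    action: str

    def describe(self):
        return f"{self.role} can {self.action} {self.asset}"


def build_access_matrix(rules=RULES):
    """Expand the CRUD rules into the set of permitted (role, asset, action)."""
    allowed = set()
    for role, per_asset in rules.items():
        for asset, letters in per_asset.items():
            for letter in letters:
                allowed.add((role, asset, LETTER_TO_ACTION[letter]))
    return allowed


def generate_threats(rules=RULES, roles=ROLES, assets=ASSETS):
    """Step 5: a threat is any (role, asset, action) the matrix does not
    permit, i.e. every way the rules can be broken."""
    allowed = build_access_matrix(rules)
    return [Threat(role, asset, action)
            for role, asset, action in product(roles, assets, ACTIONS)
            if (role, asset, action) not in allowed]


def top_threats(threats, n=5, likelihood=LIKELIHOOD, impact=IMPACT,
                action_weight=ACTION_WEIGHT):
    """Step 6: rank by risk = likelihood x impact x action weight; ties
    break alphabetically so the ordering is stable."""
    scored = sorted(
        ((likelihood[t.role] * impact[t.asset] * action_weight[t.action], t)
         for t in threats),
        key=lambda pair: (-pair[0], pair[1].describe()))
    return [t for _, t in scored[:n]]


def attack_surface(threat, components=COMPONENTS):
    """'Where are you vulnerable?': the components that hold the asset under
    threat; each one needs its own review for ways the rule could break."""
    return sorted(components[threat.asset])


if __name__ == "__main__":
    threats = generate_threats()
    print(f"{len(threats)} threats generated from the access matrix")
    for t in top_threats(threats):
        print(f"- {t.describe()} -> review: {', '.join(attack_surface(t))}")
```

Because the matrix is deny-by-default, the raw threat list is long (here 77 entries from six roles, four assets and four actions), which is why the deck's step 6 matters: the scores are the part you tune to your own situation, and a stalker or abusive ex-partner ("known threat") with a high likelihood will push the same read/update threats to the top that the author lists on the next slides.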
Ex: Unauthorized read of sensitive
personal media
Mobile Device
* Device is compromised via malware or
rootkit
* Insecure transmission of sensitive data from
device to recipient (SMS)
* Unattended unlocked device
* Unauthorized device backup
* Unencrypted storage of sensitive media
* Malicious app gains access to media storage
* Devices are lost, stolen, or otherwise
compromised
Computer
* Device is compromised via malware
* Insecure transmission of sensitive data from
device to recipient (HTTP, FTP, etc.)
* Unattended unlocked device
* Unauthorized device backup
* Unencrypted storage of sensitive media
* Devices are lost, stolen, or otherwise
compromised
Web Service
* Data unintentionally shared with web services
* Unauthorized access to media storage by web
service
Corporate Servers
* Sensitive media is inadvertently shared to
corporate servers
* Personal data flowing through corporate
servers
* Corporate IT installs monitoring software
Email Provider
* Email account is compromised, leaking
sensitive media
Wireless Networks, Cellular Carriers, Internet
Service Providers, Relays
* Insecure transmission of sensitive media
Contact Device
* Device is compromised via malware or rootkit
* Insecure transmission of sensitive data from
device to recipient (SMS)
* Unattended unlocked device
* Unauthorized device backup
* Unencrypted storage of sensitive media
* Malicious app gains access to media storage
Border Screening Checkpoint
* Devices are confiscated and forensic analysis
is performed against them
* Forced unlock of device
* Forced disclosure of usernames and
passwords
* Forensic memory analysis is performed on
devices
* Lock screen bypass techniques
* Confiscated device image is uploaded to
remote provider who is later hacked
And now finally… Security
Tips
Protecting Financial Data
• Use strong passwords
• Check your financial statements regularly
• Check your credit report annually
• Enable 2-Factor authentication on all accounts
• Using a big retailer is probably better than a small online shop
Border Crossing
• Do your homework and prep in advance
• Print all documents you need so you can turn your phone off
• Use strong (long) passwords on all devices
• If concerned, get alternate computer/mobile devices to use when
traveling
• Your goal is to not draw attention to yourself
• Be prepared for what you will say/do if asked to unlock your device
• Remember that border officials are permitted to lie to you, but DON’T
LIE TO THEM
• If at any time you lose custody of your device, assume it’s been
compromised and copied
Protesting safely
• Strongly consider leaving your device at home
• If not, only communicate via the Signal app
• Record and post later vs. live streaming
• Strong passcode with fingerprint unlock disabled
Great video by The Intercept:
https://theintercept.com/2017/04/21/cybersecurity-for-the-people-how-to-protect-your-privacy-at-a-protest/
Hiding information from stalker /
abusive ex-partner
• Make up new identities/aliases for each network you use
• Don’t have them overlap
• This includes cell/internet/cable providers, banks, and any other related
accounts
• Adjust and review privacy settings on all apps / device regularly
• Be very choosy about who you let in to your networks as friends
• Get help!
• Violet Blue’s The Smart Girl’s Guide to Privacy:
https://www.nostarch.com/smartgirlsguide
Protecting Sources as a Journalist
• Some journalists are starting to take this seriously and are
getting better at it
• With high risk sources, significant effort will need to be taken.
• This might include burner devices for all parties involved, never
turning them on in the news office or at home
• Full disk encryption, Signal, strong passwords
• An air-gapped computer devoted exclusively to email / tip lines
• GET HELP!
Resources
I wrote a paper:
Essential Guide to Online Security
https://web.securityinnovation.com/essential-guide-to-online-security
Thank you
Geoffrey Vaughan
@mrvaughan
@SecurityInnovation
Personal Threat Models

  • 1. Building Your Personal Threat Model Geoffrey Vaughan @mrvaughan Sr. Security Engineer
  • 2. Why This Talk? • I care about you and your data • I’m tired of regular users suffering for mistakes made by large organizations (data breaches) or being caught by the simplest of phishing scam • Often small adjustments in user behavior can have a large impact on security and privacy • To encourage you to focus your energy in areas that most affect you
  • 3. Whoami • Geoffrey Vaughan @MrVaughan • Sr. Security Engineer @SecurityInnovation • Appsec pentesting/advisory at all areas of SDLC • Former High School/Prison/University Teacher • Occasionally I’m let out of my basement
  • 4. Tldr; If you only read one slide Giving it all away at the beginning: 1) Use a password manager 2) Keep your devices up-to-date 3) Use 2-Factor Authentication on all your accounts 4) Free Wifi Comes at a cost – Don’t connect to untrusted networks 5) Lock and encrypt your devices (phones + computers) For more information, I wrote a Guide: https://web.securityinnovation.com/essential-guide-to-online-security
  • 5. Beyond the Basics: How Paranoid Should I be? • Protecting your data and privacy online can take a lot of effort. • Complete anonymity is really hard. • It will always be a trade off between usability, security, and privacy.
  • 7. Threat Model? Simplified Definition: Identify and quantify your weaknesses so you can come up with appropriate defenses.
  • 8. 5 Minute Threat Modelling • What assets are you trying to protect? • What threats are the assets under? • What is the likelihood of a threat being realized? • What measures can help mitigate or decrease the risk associated with the threat?
  • 9. Threat Modeling the Bit Longer Way 1. List all assets you want to protect 2. Define user groups / roles 3. Define components and systems your assets interact with 4. Build an access matrix 5. Define your threats 6. Assess highest risk threats 7. Think of all the ways the risks can be exploited 8. Implement mitigating controls to reduce risk
  • 10. What assets do you care most about protecting?
  • 11. Assets to Protect • Personal Information - Name, Age, DOB, Spouse, Children, Parents • Personal Pictures, videos, documents • Financial Information - Banking, loan, credit • Location - Home address, places you frequent, or where you are right now • Physical Devices • Business Assets on devices • Personal Communications/Conversations - Emails, Text Messages, Chat, etc., phone calls • Data about Data – When you called someone, who you text messaged
  • 12. Can you classify the people you interact with into groups?
  • 13. User Groups • Private – Things you keep completely to yourself • Significant other • Known Threat (stalker, ex SO, abuser, online bully) • Immediate Family and close friends • Extended friends • General Public • Employer • Doctor / Lawyer • Foreign / Domestic Governments
  • 14. Where do your assets reside or pass-through?
  • 15. Components Places where your assets are stored: • Mobile device – Apps you use, device storage, cache, browser history • Computer – device storage, applications • Services – LinkedIn, Facebook, Twitter, Instagram, etc. • Third party trackers – Marketing and Analytics software to track you • Wireless networks – Home vs while travelling • Cellular carriers • Border screening check points
  • 16. How do all the components you use interact?
  • 18. Access Matrix? • A table defining rules for how various user groups can interact with assets • For any user group, a user may be able to create, read, update, or delete an asset • An access matrix defines all these rules
  • 20. Warning: Gets a little crazy here
  • 26. Generating Threats • Now that we have defined all of our rules. • Think of all the ways that these rules can be broken. • These are your threats.
  • 27. My Threats • Unauthorized read of sensitive information not disclosed publicly (all other groups) • Foreign government can read authentication credentials • Any unauthorized user can read authentication credentials • Significant other reads purchasing habits and learns how much I spend on lunches, what their present is, or how much that new tech toy actually cost. • Unauthorized create, update, delete of beneficiary information • General Public or Known Threat reads sensitive information not disclosed publicly • Unauthorized read of sensitive personal media (tier 1) • Unauthorized creation of sensitive personal media (tier 1) • User is unable to delete sensitive personal media (tier 1) • Unauthorized read of sensitive personal media (tier 2) • Unauthorized creation of sensitive personal media (tier 2) • User (self) is unable to delete personal information • Unauthorized read of location information • Significant other is able to update, or delete personal information affecting access to resources • Any unauthorized user can update authentication credentials • Attacker or Known threat can create authentication credentials for accounts in your name • Any user is able to update or delete personal information • Any user is able to create personal information to impersonate you • Unauthorized read of beneficiary information • Unauthorized read of meta-data • Unauthorized read of purchasing habits • Unauthorized read of personal communications • Unauthorized read of associations • Unauthorized read, update, or delete of business assets • Unauthorized creation, read, update, or delete of financial information
  • 28. My Top Threats • Unauthorized read of sensitive personal media (tier 1) • Unauthorized creation, read, update, or delete of financial information • Unauthorized read, update, or delete of business assets • Any unauthorized user can read authentication credentials • Unauthorized read of personal communications • Unauthorized read of sensitive information not disclosed publicly (all other groups)
  • 29. Threats that are not high in my threat model that might be in yours • Being unable to delete personal media from the internet (revenge porn) • Hiding location and personal information from a stalker • Hiding information from an abusive partner or ex-partner • Employer spying on your Internet activity • Protecting sexual identity or associations • Attending a protest safely • Protecting sources and associations as a journalist/activist • Maintaining an anonymous presence online • Dealing with identity theft
  • 30. Time to Hack Yourself
  • 31. Where are you vulnerable? • For each top threat in your threat model, think of all the ways that threat could be exploited. • Consider all of the components that contain the asset under threat and ways it could be exploited.
  • 32. Ex: Unauthorized read of sensitive personal media
    Mobile Device
    * Device is compromised via malware or rootkit
    * Insecure transmission of sensitive data from device to recipient (SMS)
    * Unattended unlocked device
    * Unauthorized device backup
    * Unencrypted storage of sensitive media
    * Malicious app gains access to media storage
    * Devices are lost, stolen, or otherwise compromised
    Computer
    * Device is compromised via malware
    * Insecure transmission of sensitive data from device to recipient (http, ftp, etc.)
    * Unattended unlocked device
    * Unauthorized device backup
    * Unencrypted storage of sensitive media
    * Devices are lost, stolen, or otherwise compromised
    Web Service
    * Data unintentionally shared with web services
    * Unauthorized access to media storage by web service
    Corporate Servers
    * Sensitive media is inadvertently shared to corporate servers
    * Personal data flowing through corporate servers
    * Corporate IT installs monitoring software
    Email Provider
    * Email account is compromised, leaking sensitive media
    Wireless Networks, Cellular Carriers, Internet Service Providers, Relays
    * Insecure transmission of sensitive media
    Contact Device
    * Device is compromised via malware or rootkit
    * Insecure transmission of sensitive data from device to recipient (SMS)
    * Unattended unlocked device
    * Unauthorized device backup
    * Unencrypted storage of sensitive media
    * Malicious app gains access to media storage
    Border Screening Checkpoint
    * Devices are confiscated and forensic analysis is performed against them
    * Forced unlock of device
    * Forced disclosure of usernames and passwords
    * Forensic memory analysis is performed on devices
    * Lock screen bypass techniques
    * Confiscated device image is uploaded to remote provider who is later hacked
  • 33. And now finally… Security Tips
  • 34. Protecting Financial Data • Use strong passwords • Check your financial statements regularly • Check your credit report annually • Enable 2-Factor authentication on all accounts • Using a big retailer is probably better than a small online shop
  • 35. Border Crossing • Do your homework and prep in advance • Print all documents you need so you can turn your phone off • Use strong (long) passwords on all devices • If concerned, get alternate computer/mobile devices to use when traveling • Your goal is to not draw attention to yourself • Be prepared for what you will say/do if asked to unlock your device • Remember that border officials are permitted to lie to you, but DON’T LIE TO THEM • If at any time you lose custody of your device, assume it’s been compromised and copied
  • 36. Protesting safely • Strongly consider leaving your device at home • If not, only communicate via Signal app • Record and post later vs. live streaming • Strong passcode with fingerprint unlock disabled Great video by The Intercept: https://theintercept.com/2017/04/21/cybersecurity-for-the-people-how-to-protect-your-privacy-at-a-protest/
  • 37. Hiding information from stalker / abusive ex-partner • Make up new identities/aliases for each network you use • Don’t have them overlap • This includes cell/internet/cable providers, banks, and any other related accounts • Adjust and review privacy settings on all apps / devices regularly • Be very choosy about who you let in to your networks as friends • Get help! • Violet Blue’s Smart Girl’s Guide to Privacy: https://www.nostarch.com/smartgirlsguide
  • 38. Protecting Sources as a Journalist • Some journalists are starting to take this seriously and are getting better at it • With high risk sources, significant effort will need to be taken. • This might include burner devices for all parties involved, never turning them on in news office or at home • Full disk encryption, Signal, strong passwords • An air-gapped computer devoted exclusively to email / tip lines • GET HELP!
  • 39. Resources I wrote a paper: Essential Guide to Online Security https://web.securityinnovation.com/essential-guide-to-online-security
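The access matrix of slide 18, the rule-breaking step of slide 26 and the ranking of slide 28, worked through as an added Python example that is not from the talk. The assets, user groups, allowed CRUD actions and the 1-5 likelihood and impact scores are constructed for illustration; every (group, action, asset) combination the matrix does not permit becomes one "Unauthorized ... of ..." threat, in the wording slide 27 uses.

```python
from dataclasses import dataclass
from itertools import product

ACTIONS = ("create", "read", "update", "delete")
# Constructed subset of the talk's assets (slide 11) and user groups (slide 13).
ASSETS = ("financial information", "sensitive personal media", "location information")
GROUPS = ("self", "significant other", "general public", "known threat")

# Access matrix (slide 18): the CRUD actions each group may perform on each
# asset; a missing (group, asset) key means no access at all. Constructed.
ACCESS = {
    ("self", "financial information"): set(ACTIONS),
    ("self", "sensitive personal media"): set(ACTIONS),
    ("self", "location information"): set(ACTIONS),
    ("significant other", "sensitive personal media"): {"read"},
    ("significant other", "location information"): {"read"},
}
# Constructed 1-5 scores: how likely each group is to break a rule (slide 8's
# likelihood question) and how bad losing control of each asset would be.
LIKELIHOOD = {"significant other": 2, "general public": 3, "known threat": 4}
IMPACT = {"financial information": 5, "sensitive personal media": 4, "location information": 3}

@dataclass(frozen=True)
class Threat:
    group: str
    action: str
    asset: str
    risk: int  # likelihood x impact

    def __str__(self) -> str:
        return f"Unauthorized {self.action} of {self.asset} by {self.group} (risk {self.risk})"

def generate_threats(access=ACCESS):
    """Slide 26: every (group, action, asset) the matrix does not allow is a rule
    that can be broken, so each one becomes a threat. 'self' owns the assets and
    is skipped; owner-denied threats ('unable to delete', slide 27) are not modelled."""
    threats = []
    for group, asset, action in product(GROUPS, ASSETS, ACTIONS):
        if group == "self" or action in access.get((group, asset), set()):
            continue
        threats.append(Threat(group, action, asset, LIKELIHOOD[group] * IMPACT[asset]))
    return threats

def top_threats(threats, n=5):
    """Slide 28: rank by risk and keep the highest-scoring threats."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)[:n]

if __name__ == "__main__":
    for threat in top_threats(generate_threats()):
        print(threat)
```

Swapping in your own groups, assets and scores turns the printed list into a first draft of the "My Top Threats" slide, which is then the input to the "hack yourself" step of slide 31.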

Editor's Notes

  1. First time giving this talk, Why talk about the really wild and ‘sophisticated’ hacks when most people are barely doing the basics correctly
  2. It’s been 4.5 months since I was last let out of my basement for work
  3. 5) Don’t wait for a crypto locker to do it for you. This is by no means a complete list; there are definitely way more threats to consider than we can talk about today
  4. It greatly depends on your personal TM. Governments, NSA, Russia, China, Anonymous, IoT toaster, Connected Sex Toy. Crazy defenses: use Signal, use Tor, get a VPN
  5. Twitter Troll Definition: Ryan Gooler @jippen Oct 20: “@mrvaughan a plan for how to lose the company, used to help keep it running” Threat models can be long painful processes by companies to plan for every possible outcome… They don’t have to be complex
  6. Ask yourself these four questions, take some notes, and then take action
  7. Trust me there are much longer ways still. Access Matrix - (rules defining what users can read/write what assets) 7. Hack yourself
  8. Ask a few people: Stick to digital for the time being. Show of hands if you care about that?
  9. Participate for a few (put in slide prompt)
  10. “That guy’s a jerk” “He smells” “They’re lazy”
  11. Put it all together and what do you get?
  12. This helps you visualize the threats associated with all the devices, components, and networks you use. Bad guy quota
  13. Talk about sometimes
  14. Talk about writing down the rules you care about, any thing that can break that rule is a threat.
  15. This is all the ways I worry about my personal rules being broken, From this we can develop our top threats.
  16. Things I am most concerned about : Protecting business assets Protecting personal communication Protecting authentication credentials (account access) Protecting financial information
  17. How likely are the threats at being realized, how would you be exploited?