This is the 77th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston and Scott Wright recorded June 19, 2018. Listen to this episode and previous ones direct via your web browser by clicking here!
Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!
In this episode Tom and Scott discuss the concept of developing your own privacy threat model and personal risk assessment. We often discuss privacy threats and risk on the podcast so we thought it would make sense to discuss how to put together your own threat model to determine what risk you actually face from potential threats. We define risk, in the context of the topics of this podcast, as how likely is it that a potential threat may compromise your privacy or your personal information. By threat, we define that as something bad that can happen to you like being the receiver of phishing emails, malware being installed installed on your computer or even surveillance being conducted by a nation-state or ISP on your Internet activities. Here’s an example of putting risk and threat together. Lets say you have a nice car and you park it in an area that is known for a high threat of crime and auto thefts, there is a greater risk that your car may be stolen than if it was parked in an area not known for crime and auto theft.
The first step in the personal risk assessment is to create a privacy threat model for yourself. We’re going to reference a really great framework for threat modeling put together by the EFF (The Electronic Frontier Foundation) borrowed from their helpful guides on Surveillance Self-Defense. The EFF threat model starts by having you answer the following five questions:
What do I want to protect?
Who do I want to protect it from?
How bad are the consequences if I fail?
How likely is it that I will need to protect it?
How much trouble am I willing to go through to try to prevent potential consequences?
The idea is to answer these questions as best as you can in preparation for an event or action that you may be taking related to your privacy. Based on your threat model you can then determine what tools and techniques are appropriate for your level of risk. This is always a personal decision! Some examples:
“I want to hide my browsing habits from third-party ad trackers or my ISP”
This scenario may be low risk to you so you may be fine just using a VPN and privacy focused browser plugins like EFF’s Privacy Badger.
“I’m not comfortable giving Facebook my personal data”
This scenario may be more of a medium risk for you so you may choose to delete your Facebook account or be more careful what you post.
“I’m a journalist in a foreign country reporting on human rights abuses”
This scenario is most likely high risk to you so you should consider using a burner laptop, Tor and the Signal app for communication.
Listen to the full episode where Tom and Scott discuss other real world applications for privacy related threat modeling. We also discuss Stingray surveillance devices which are commonly used by law-enforcement and governments to intercept mobile phone communications.
Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next full episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!
