At this point, remarking that people now are more concerned about online privacy than ever before is not a novel observation. What’s fascinating, though, is that interest in personal digital security has remained high since the issue exploded about seven years ago. In other words, instead of experiencing a short-lived spike, digital privacy awareness has been sustained.
This is especially encouraging to me, since I gained my background in technology precisely out of the desire to secure my own digital autonomy.
I know as well as anyone that it’s not always clear where to turn to improve one’s digital security. Getting a handle on the subject can seem like trying to jump onto a moving train. To extend the metaphor, this article may give you a running start.
My hope is that a guide from the perspective of someone who not long ago probably knew less than you do now, you will develop enough of a foundation to journey forth on your own.
Gluing Together Your Threat Model
So where do you start? Quite simply, with yourself. The whole purpose of security is to protect what is valuable, and what is valuable is different for everyone. Consequently, security is possible only after you determine the object of value. Only then can you assess how far to go to safeguard it.
Before you can think about the means, you must select the end. In the case of digital security, you need to figure out what it is you are trying to protect. This could be as straightforward as certain files on your devices, or the contents of your communications with associates.
It could be more abstract. For example, as a consequence of your behavior, certain personal details about you — while not contained in files as such — can be inferred and automatically captured as data streams akin to files, called “metadata.”
In the context of digital security, everything essentially takes the form of information, so you need to think long and hard about what information you’re guarding, and all the forms it can take or ways it can be accessed. This can be quite a task at first, but it gets easier with practice.
Defining the information you want to protect gives you the first component that comprises what is called a “threat model” — basically your high-level strategic view of how to keep your information safe. In the context of your threat model, your valued information goes by the more succinct name of “asset.”
Once you have defined your asset, it’s time to identify your “adversary,” which is the glorified name for entities who want to take your asset. This exerts a strong influence on what your threat model ultimately will look like — your strategy for holding onto your asset will look very different depending on whether your adversary is your nosy neighbor or a hostile government.
When contemplating your adversary, it is critical to enumerate realistic threats. It may seem counterintuitive but, as you will see by the end of this primer, it actually doesn’t help to overestimate your enemy.
The word “adversary” may evoke a diabolical nemesis, but that doesn’t have to be the case. Though you shouldn’t inflate your antagonist, neither should you overlook it. While it’s very easy to single out an adversary like a criminal hacking collective (if that is indeed yours) for its overt ill intent, your adversary could be a service you willingly use but do not fully trust. The point is, you need to catalog every player that wants your asset, no matter the reason.
With those two pillars in place, it’s time to finish the tripod: Accounting for your asset and adversary, you need to size up the means the adversary has at its disposal and, most importantly, the means you have and lengths you are willing to go to protect your asset. These last two things are not always the same — hence the distinction.
Fortunately an abundance of tools are available to keep your asset secure, if you know how to use them. Even better, the most effective ones are all free. The real limit in practice is that of self-discipline. Keep in mind that a powerful safeguard is useless without the resolve to utilize it consistently without relenting.
Categorize and Prioritize
I like to think of adversaries as occupying one of three categories:
- Category 1 adversaries are entities engaging in what is popularly called “surveillance capitalism,” but technically referred to as “data mining.” Operating predominantly in the private sector, category 1 actors are those that passively collect information from you as a consequence of your use of their services. However, in recent years we have learned that companies overstep this implicit covenant to
collect data on individuals even when those individuals
don’t explicitly do business with them. Generally, these adversaries don’t seek out your data directly. Instead of coming to you, they wait for you to come to them. Therefore, they can be thwarted by shrewder consumer choices.
- Category 2 adversaries are those that employ primarily offensive techniques to execute both targeted and untargeted (i.e. indiscriminate) attacks on users. This category includes a diverse spectrum of attackers, from lone black hats to sophisticated criminal enterprises. What they all have in common is that their methods are intrusive, actively breaching one’s defenses, and definitely not legally sanctioned.
- Category 3 encompasses the most formidable adversaries — foes that can leverage state resources. In point of fact, the actors in this category are the only ones that qualify for the information security consensus term “advanced persistent threats” or APTs. Like category 2 opponents, they conduct invasive offensive operations, but they do so with the financial resources of a political faction or government behind them, and in many cases, the legal immunity of one as well.
This is my own taxonomy, rather than accepted industry terms, but my hope is that it illustrates the kinds of adversaries you may face vividly enough to help in your threat modeling.
You will have to judge for yourself which of these categories describes your adversaries most aptly, but there are some quick diagnostics you can run to characterize what you need to look out for, based on your assets as well as the adversaries themselves.
If you don’t consider your work particularly sensitive and just want to mitigate the creepiness factor of intimate personal details constantly and mercilessly being stored and analyzed, you are facing a category 1 scenario. Most of you likely will find yourselves in this boat, especially if you rely to any degree on social networks or communication services operated by ad revenue-driven tech companies.
For those of you in possession of highly valuable information, like six-figure-plus financial data, there’s a good chance you need to arm yourself against category 2 attackers. The lucrative nature of the information you handle means you likely will attract actors that specifically and actively will work to breach your defenses to steal it from you.
Dealing in truly sensitive data, the kind that could spell life or death to certain people, exposes you to category 3 adversaries. If you’re the kind of person who risks attack from a state-level actor, like a national security journalist or defense sector professional, you already know it. If fending off category 3 attackers is your reality, you need way more operational security than I possibly could provide you. My treatment of category 3 actors will be more for the sake of painting a complete picture for readers in general, and to convey a sense of scale of possible countermeasures.
By now, you should have a sense of what your asset is, and what adversary it attracts. This aligns with my roadmap for this four-part series. Subsequent installments will focus on determining which tools and practices your asset and adversaries necessitate.
The next three articles in this series will equip you with some tools for countering each of the adversary categories. In the next installment, which delineates threats from category 1, you will learn the digital hygiene that is beneficial for everyone and sufficient for most, but inadequate for those squaring off against foes in categories 2 and 3.
The article that follows, along with educating those anticipating threats from category 2, might draw in those who want to get ahead of the pack fending off category 1. It also will build a bridge for those bound for the hard road of resisting category 3 attacks, but it won’t be enough in itself.
Instead of focusing on software tools themselves, the last piece will strive to outline the thought patterns needed to combat the most daunting opponents one can face in information security. Considering the inherently vast capability of category 3 threats, the goal is to describe the evaluative mindset of those who need to defend against them.
You Can’t Have It All – but You Should Try to Have Some
I’ll leave you with one parting thought to set the tone for this series: No matter how your threat model shapes up, you will face a tradeoff between security and convenience. You will never have both, and their inverse relationship means an increase in one decreases the other. A viable threat model is one that finds the balance between the two that you can stick with, but that still addresses the threat at hand. The only way to keep that balance is through discipline.
This is exactly why plans that overkill your adversary don’t work. All they do is trade away more convenience than you can tolerate for security you don’t need, which leads to abandonment of the threat model entirely more often than to a revision of it. Instead, if you find your equilibrium and have the will to maintain it, you will set yourself on the path to success.
That path, as you will see, is challenging and long — possibly endless — but there is a reward purely in traveling it. The only thing more satisfying than setting out on its winding way is to bring new company along. So, I’ll see you next time, when we hit the trail.