This Universal Threat Model Will Help You Stay Safe Online
There's a lot that can go wrong on the internet. Here's what you can do about it.

Happy Tuesday! When you were young, your parents told you “Look both ways before you cross the street.” Solid advice then, and even more useful now that we’re so distracted by our cell phones. So . . . what’s a Threat Model, and why should I care?
A Threat Model is a tool — a way of questioning yourself — that helps you understand what you want to do, what’s happening in the World around you, and helps you accomplish your goals more safely.
Complicated? Heck, no. Simply ask yourself 4 simple questions, and your likelihood of success increases.
— Anthony Collette
Founder, Loistava Information Security
What’s A Threat Model?
Next time you want to do something, ask yourself these 4 questions:
- What Am I Trying To Do?
- What Can Go Wrong?
- What Am I Going To Do About It?
- After It’s Over, How Well Did I Do?
Let’s revisit that excellent advice your parents gave you about crossing the street.
What Am I Trying To Do?
I want to cross the street to get to the other side.
What Can Go Wrong?
If I don’t look both ways before crossing, I might get run over or cause an accident.
What Am I Going To Do About It?
I’m gonna look both ways before crossing.
After It’s Over, How Well Did I Do?
OK, I’ve crossed the street. I did what I could to make this process safer. I got to the other side in one piece and didn’t endanger anyone else. That worked so well I’m gonna do that again next time. Thanks, Mom/Dad!
That’s it. Creating a simple Threat Model can be as straightforward as that.
We could easily call this A Universal Threat Model For People Crossing The Street. After all, do you know anyone who shouldn’t look both ways? Would you ever tell anyone they don’t need to look both ways before venturing out into traffic? If not, why not?
Now let’s apply that to the Internet.
We Know What Can Go Wrong Online Now. Here’s A Threat Model To Keep You Safe.
We’ve been using the Internet for 30 years. Back in the beginning of the Internet Era, we had to guess and imagine what might go right (or wrong) with our increasing use of and reliance on the World Wide Web and everything that came with it.
Now, 30 years later, we don’t have to wonder or guess. We know what goes right, and what goes wrong every day on the Internet for typical online adults. Not because we’re galaxy-brain geniuses, but because we’ve had time to watch, and we’ve paid attention.
What Are We Trying To Do?
We use the Internet to get more done, often more conveniently. We can renew a driver’s license without waiting in line at the DMV, conduct banking, access an almost endless source of knowledge, connect with others with similar interests, enjoy entertainment, learn more about the World, work remotely, consume news, stay in contact with friends and family, find a love interest or an opportunity to volunteer. The Internet makes it easy (maybe too easy) to buy the products we want, especially if they’re not available locally. The Internet also allows individuals the opportunity to share their thoughts and ideas with a global audience.
What Can Go Wrong?
Loyal readers of our newsletter have previously read an extensive list of examples of what’s currently going wrong for typical Internet users. The loss of sensitive privileged information, theft of a payment for a car or even a 6-figure down payment on a house, theft of social security payments . . . unfortunately the list of reported hacking incidents is long.
It’s important to know that those 2,000 daily reports to the FBI are only a fraction of a fraction of what actually happens in the US each day. Most hacking incidents don’t get reported in any way that’s centrally counted or tracked.
As an example, I had a front row seat as one of my coworkers was hacked 4 times in one year — her cellphone account, bank account and credit cards were easy targets. That experience of commiserating with her — over and over — made cybersecurity issues painfully real. But those separate hacking incidents weren’t reported to a single organization.
Once while opening a new bank account, the customer service agent shared how his own account at the bank he worked for was hacked, and the balance drained. It took weeks to get the money back, which created a huge and painful hole in his monthly cashflow. This was his first job after college, so cash was tight.
The Internet is awesome, but it’s also a modern Wild Wild West.
What Are We Going To Do About It?
As a typical consumer using the Internet, interacting with websites online, there is so much you can’t control. Did an IT Admin use a crappy password to secure the website’s server? Does the website’s cybersecurity team (assuming there is one) have a comprehensive plan for backups?
Thankfully there is so much you can do. It’s an odd irony that a motivated individual can protect themselves online better than a large corporation. Companies have so many servers and other pieces of networking equipment that have to be constantly monitored and secured. They have customers, employees, vendors, contractors, etc. But a single individual doesn’t have that expansive opportunity for so many things to go wrong.
As a single individual you can:
- Learn more about your options regarding the choice of equipment you use to access the Internet. Consider a higher-grade home access point, weigh the pros and cons of using a Chromebook with a locked-down Google account, and use physical security keys such as YubiKeys.
- Use a Modern Password for every online account — each one should be long, complex and unique.
- Use a Password Manager to create, remember and type the passwords for your online accounts.
- Use Multi-factor Authentication (MFA) on every online account that offers it.
These are The Basics, really now just table stakes for every online adult. If your public profile is higher than average, then you might consider options such as Google’s Advanced Protection Program or Apple’s Advanced Data Protection for iCloud. Some users report difficulties accessing certain sites or online services when using these advanced programs, so do your own reading and/or enlist the help of your favorite techie before taking that particular leap.
After It’s Over, How Did We Do?
Have we done enough?
You can think about this in relation to your public profile. If you’re a typical resident of a city of 60,000 people, and your public profile is about average in relation to everyone else, then “what can go right and what can go wrong” is about average. If you become mayor of that city, your public profile is now higher, and in addition to the typical issues, now there are additional possibilities related to “what can go right and what can go wrong” that the typical resident doesn’t experience. The opportunity to be mayor could become a tremendous stepping stone to greater career opportunities, but it also might result in harassment or stalking from disgruntled city employees or residents.
Whenever your public profile becomes higher, you may need to take additional steps beyond The Basics.
But if you’re a typical Internet user, and you’ve made your online life more secure by incorporating The Basics into your online experience — then you’ve accomplished something significant. Your online experience will be safer, and now you truly have an accomplishment worth celebrating.
Cybersecurity is a modern form of wealth, and you deserve to keep what you've earned.
Looking forward to connecting again next week.
— Anthony Collette