Uploaded byevacide
PPTX, PDF1,555 views

Threat modeling nihilists v. vegans

The document discusses threat modeling and how to develop an effective threat model. It explains that a threat model involves identifying: 1) the assets you want to protect, 2) potential adversaries who would threaten those assets, 3) likely threats from those adversaries, 4) the adversaries' capabilities, and 5) your willingness to accept risks and consequences. Developing a threat model is a process that helps determine appropriate security tools and processes based on the identified risks. An effective threat model also needs regular updates as risks can change over time.

Embed presentation

Download to read offline
<location, date> What the Hell is Threat Modeling Anyway? Eva Galperin/Parker Higgins eva@eff.org/parker@eff.org @evacide/@xor Electronic Frontier Foundation
<location, date> What the hell is a threat model?
<location, date> 1. What do you want to protect?
<location, date> 1. What do you want to protect? 2. Who do you want to protect it from?
<location, date> 1. What do you want to protect? 2. Who do you want to protect it from? 3. How likely is it you will need to protect it?
<location, date> 1. What do you want to protect? 2. Who do you want to protect it from? 3. How likely is it you will need to protect it? 4. How bad are the consequences if you fail?
<location, date> 1. What do you want to protect? 2. Who do you want to protect it from? 3. How likely is it you will need to protect it? 4. How bad are the consequences if you fail? 5. How much trouble are you willing to go through to prevent those consequences?
<location, date> ASSETS This is what you want to protect. Passwords Money Files Conversations Meta-data
<location, date> ADVERSARY This is what you want to protect your assets from. NSA Your classmates Your parents The police Advertisers
<location, date> THREAT Hackers hijack your Twitter account Your brother reads your diary Your boss sees your browser history Criminals steal your credit card numbers Adversary reads your communications Adversary deletes or alters your communications
<location, date> CAPABILITY Attacker could file a subpoena Attacker could break into your house Attacker could spy on your wifi network Attacker could put a tracking device on your car Attacker could force you to give up your passwords Attacker could torture your friends/family for info Attacker could shoulder-surf your phone password
<location, date>
<location, date>
<location, date>
<location, date> Then there’s this guy
<location, date> RISK
<location, date> People have different appetites for risk
<location, date> Privacy Nihilists
<location, date> Privacy Vegans
<location, date> Security is a process, not a product • Tools are not enough to protect your privacy • Build a threat model, then figure out what tools/processes are appropriate • Your threat model may change over time
<location, date>
<location, date> You don’t have to a nihilist or a vegan
<location, date>
<location, date>
<location, date>
<location, date>
<location, date> Thanks! Laura Poitras Bruce Schneier Jonathan Stray

More Related Content

PPTX
Threat modeling librarian freedom conference
byevacide
 
PPTX
An Imposter's Journey Into InfoSec
byStu Hirst
 
PPTX
Dynamic Risk Assessment, March 2013
byDavid Webster
 
PPTX
Starting with Yes: How Lawyers Can Become Early Adopters of Technology
byJules Miller
 
PPTX
Making Ethical Tech: Fulfilling Obligations to Your Users, Your Staff and You...
byYTH
 
PDF
The #1 Thing That Goes Wrong In Client Projects Even When You're Doing Everyt...
byFollowbright
 
PPTX
An Imposter's Journey Into InfoSec
byStu Hirst
 
PDF
Where Americans Don't Lock Their Doors [Survey] | Eyewitness Surveillance
byAshley Stryker
 
Threat modeling librarian freedom conference
byevacide
 
An Imposter's Journey Into InfoSec
byStu Hirst
 
Dynamic Risk Assessment, March 2013
byDavid Webster
 
Starting with Yes: How Lawyers Can Become Early Adopters of Technology
byJules Miller
 
Making Ethical Tech: Fulfilling Obligations to Your Users, Your Staff and You...
byYTH
 
The #1 Thing That Goes Wrong In Client Projects Even When You're Doing Everyt...
byFollowbright
 
An Imposter's Journey Into InfoSec
byStu Hirst
 
Where Americans Don't Lock Their Doors [Survey] | Eyewitness Surveillance
byAshley Stryker
 

Similar to Threat modeling nihilists v. vegans

PDF
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
PPT
Rainer+3e Student Pp Ts Ch03
bykbzdox ivanovich
 
PPTX
Personal Threat Models
byGeoffrey Vaughan
 
PDF
Cyber Security Program Protect Networks Devices Programs And Data Luce
bymejatrio30
 
PDF
Course Information Security Lecture 1.pdf
bySamahAdel16
 
PPTX
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
PPTX
23 network security threats pkg
byUmang Gupta
 
PPT
Threats
bysbmiller87
 
PPTX
Networks
byjanani thirupathi
 
PDF
Application Threat Modeling
byPriyanka Aash
 
PPTX
ITT408_Unit#1_InformationSecurity_Fundamentals_STUDENTS.pptx
bysrizvi9
 
PPTX
Protection and security
bymbadhi
 
PPTX
Civilian OPSEC in cyberspace
byzapp0
 
PPTX
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
PPTX
Chapter 1 a
bykibrutry
 
PPT
Information security and compliance areas
byrahulshah641439
 
PPT
Protection and Security in Operating Systems
byvampugani
 
DOCX
Residency ResearchISOL 536 Security Architecture and Design.docx
bybrittneyj3
 
PDF
Module 1 Introduction of Network security
byhoangvttlu
 
PPTX
Architecting for Security Resilience
byJoel Aleburu
 
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
Rainer+3e Student Pp Ts Ch03
bykbzdox ivanovich
 
Personal Threat Models
byGeoffrey Vaughan
 
Cyber Security Program Protect Networks Devices Programs And Data Luce
bymejatrio30
 
Course Information Security Lecture 1.pdf
bySamahAdel16
 
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
23 network security threats pkg
byUmang Gupta
 
Threats
bysbmiller87
 
Networks
byjanani thirupathi
 
Application Threat Modeling
byPriyanka Aash
 
ITT408_Unit#1_InformationSecurity_Fundamentals_STUDENTS.pptx
bysrizvi9
 
Protection and security
bymbadhi
 
Civilian OPSEC in cyberspace
byzapp0
 
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
Chapter 1 a
bykibrutry
 
Information security and compliance areas
byrahulshah641439
 
Protection and Security in Operating Systems
byvampugani
 
Residency ResearchISOL 536 Security Architecture and Design.docx
bybrittneyj3
 
Module 1 Introduction of Network security
byhoangvttlu
 
Architecting for Security Resilience
byJoel Aleburu
 

Recently uploaded

PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PPTX
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
PPT
connectives-linking words in English.ppt
byAmrMohammed82
 
PPTX
Coded Agents – with UiPath SDK + LlamaIndex.pptx
bysuhanisingh58689
 
PDF
Best 10 Dedicated Servers in Amsterdam, Netherlands (2026 Enterprise Edition)...
byAtal Networks
 
PPTX
Accelerate Innovation with Engineering R&D Services
byChetu
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
PPTX
Microsoft Azure News - January 2026 - BAUG
byDaniel Toomey
 
PPT
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
PDF
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
PPTX
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
PPTX
A CIO’s Guide to Salesforce AI Architecture, Governance, and Implementation R...
byKerry Millar
 
PPTX
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
PPT
Telecommunication system introduction to wireless communication
by143irha
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfortable, Stable Mobility for Every...
byTopmate
 
PDF
Français Patch Tuesday - Janvier
byIvanti
 
PPTX
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
PDF
Safer’s Picks: Recent FME Enhancements with Big Everyday Impact
bySafe Software
 
PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
connectives-linking words in English.ppt
byAmrMohammed82
 
Coded Agents – with UiPath SDK + LlamaIndex.pptx
bysuhanisingh58689
 
Best 10 Dedicated Servers in Amsterdam, Netherlands (2026 Enterprise Edition)...
byAtal Networks
 
Accelerate Innovation with Engineering R&D Services
byChetu
 
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
Microsoft Azure News - January 2026 - BAUG
byDaniel Toomey
 
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
A CIO’s Guide to Salesforce AI Architecture, Governance, and Implementation R...
byKerry Millar
 
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
Telecommunication system introduction to wireless communication
by143irha
 
TopMate ES11 3-Wheel Electric Scooter: Comfortable, Stable Mobility for Every...
byTopmate
 
Français Patch Tuesday - Janvier
byIvanti
 
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
Safer’s Picks: Recent FME Enhancements with Big Everyday Impact
bySafe Software
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 

Threat modeling nihilists v. vegans

Editor's Notes

  • #3 So you’ve just heard a bunch of scary stuff and I bet you’re wondering how to make sense of it. Should you be using Tor for all your browsing? Should you be using a VPN? Should you be sending all over your email using PGP? Should you throw your phone off a cliff? Trying to protect everything from everyone all the time is exhausting. But you probably don’t have to do that. And if you want to figure out what tools and procedures you should be using to give yourself meaning privacy for the things that are important to you, you need to learn to threat model.
  • #9 What’s meta-data?
  • #12 As you can see, this is not all about bad guys hacking into your computer. Legal attacks. Social attacks. Physical attacks.
  • #14 Assessing capability is HARD: you have to make a guess about what resources your attacker has and how far they’re willing to go to attack your assets. When you’re thinking about your physical assets, that may seem simple. You lock your doors. You put your important papers in a safe. You can see if you’re being physically followed. But the Internet doesn’t work the way it appears to most people. The same goes for courts. So in order to understand legal attacks, you talk to a lawyer. In order to understand, attacks over the Internet, you talk to hackers.
  • #16 Snowden leaks taught us a lot about NSA and 5-Eyes capabilities up to until very recently. But remember that capabilities are constantly changing. New laws get passed. New technologies are invented. New bugs are discovered and exploited. This work is never done.
  • #17 How likely is a particular threat against a particular asset? Related to capability: sure, your telco has access to all of your call data, but the risk that they will publish this publicly in order to harm your reputation is low. Threat is important to distinguish from risk. A threat is a bad thing that can happen. The risk is how likely it is that it will occur. There’s a threat that your house will collapse. But this is more likely to happen in San Francisco, where earthquakes are common, than Stockholm, where they are not.
  • #18 Conductive a risk analysis is a very subjective process. Not everyone has the same priorities or views threats the same way. Many people find certain threats (like the government spying on their internet traffic) unacceptable no matter what the risk. Other people disregard high risks because they don’t view the threat as a problem. For example, if I might not care so much if someone steals my credit card numbers because the credit card company will just reverse the charges.
  • #22 Want advice about threats/capabilities/tools? Check out SSD. Available in Arabic, English, French, Thai, Vietnamese, Spanish, and Urdu.