Learn to create and apply a defensive framework used by security professionals in many industries. This video will explain how it's really just an extension of behaviors you already do.
New Terms:
- Threat Model -- A conceptual framework to identify assets and risks, possible mitigations, and optimizations.
- Actors -- The people, agencies, or devices involved in the threat model.
- Risks -- The vulnerabilities related to exposure or loss of assets.
- Assets -- The people, resources, or possessions you wish to protect.
- Mitigations -- The possible strategies for prevention or minimization of risk.
- Breach -- An event where assets were lost or exposed, through failure of mitigations or other protections.
Now that we've explored how common
traffic flows through the Internet and
0:00
the kinds of information
attached to that traffic,
0:03
we can make some informed decisions
about our online activity.
0:06
One way to establish some secure practices
is to create what's called a threat model.
0:10
This is a defensive framework used by
security professionals in many industries.
0:15
But don't let that intimidate you.
0:20
It's really just thinking
through behaviors and
0:21
attitudes that you already
do on a daily basis.
0:24
First, let's establish
some threat model basics.
0:27
Creating a threat model is asking
yourself a set of questions.
0:31
Who would be most likely to target me?
0:34
A repressive government, organized crime,
corporations, my ex, my coworkers.
0:36
How much money, time, and
0:43
skill do they have to dedicate to target
me, an important aspect of this activity.
0:45
What would they most likely want from me?
0:49
Money, incriminating information,
access to trusted contacts.
0:52
How much effort am I willing
to put into protecting it?
0:57
Is this worth the effort?
1:00
What would happen to me
if they were successful?
1:01
It's all about being prepared.
1:05
Number 1 is about identifying
the actors in the model.
1:07
Number 2 is about identifying
the risks in the model.
1:11
Number 3 is about identifying
the assets in the model.
1:15
Number 4 is about prioritizing
your concerns with mitigations.
1:18
Number 5 is about planning for breach.
1:22
As I mentioned earlier,
most of these really are questions you've
1:25
already asked yourself in some form or
another.
1:28
This process is just collecting
them together for risk analysis.
1:31
Consider when you leave your home in
the morning to go to work or school.
1:36
Do you lock your door?
1:39
You've likely decided that the effort to
lock the door is worth protecting the risk
1:41
for a burglary through the door.
1:46
You've identified the actors as burglar,
but the front door provides
1:47
a vulnerability or risk that your
valuable possessions are the assets.
1:52
You've established the lock as
a risk mitigation strategy.
1:57
And you'll likely have an understanding
that you can call the police
2:01
should you find out that you've been
breached and had your things stolen.
2:04
An important aspect of this is
to point out that there is no
2:09
one mitigation strategy that
can protect against all risks.
2:12
You choose the ones
that fit the task best.
2:16
For example, that lock on the door
may keep out a casual burglar, but
2:19
not a dedicated one that
chooses to break a window.
2:24
So now you add some bars on your windows.
2:27
Well, locks and bars do nothing to protect
those same assets against a fire.
2:30
Of course, the most convenient thing would
be to not have to lock your door at all.
2:35
But as always, it's a trade-off
between security and convenience.
2:40
Your online security can gain a lot
from the same threat model treatment.
2:45
And, in fact,
you're already doing this as well.
2:49
The fact that you use a password to
protect an account is a mitigation itself.
2:51
It's also pretty analogous
to the door lock.
2:56
If you use the same key for
your door as your dead bolt and
2:59
back door, you'll have to change
every lock even if you lose one key.
3:02
By viewing your own online activity
through the lens of a threat model,
3:07
you can really identify
your own threats and
3:11
prioritize the effort you want to
make to help protect yourself.
3:13
In the next stages, we'll dive deep
into other actors and risks and
3:18
offer some solid mitigations so
you're prepared.
3:21