Threat Profile: Knowing yours is the first step to improving online security


A healthy dose of paranoia is a good thing when it comes to online security. The fact is, indeed, they are “out to get you” when you are connected to the Internet. But rather than sit in fear and anxiety, you can take effective steps to mitigate your risk, and the first step is to conceptualize your potential attackers with a thoughtful examination of your threat profile.
If these concepts sound scary and dangerous, it might help to treat them like a game, or, as I like to do, treat it like you are the star of your own James Bond movie. It is kind of fun to think of hackers as classic Bond villains. You have a secret that they are trying to get, and you must stop them to save the world.

Two things comprise your threat profile: threat actors and their attack vectors. Simply stated, threat actors are who might attack you, and attack vectors are how they might attack you.
You can start building your threat profile by first dividing threat actors into two categories: people you know and people you don’t know. An example of a known threat actor might be a disgruntled ex-employee. Dealing with known threat actors requires actions and planning that are specific to the given circumstances, including issues of physical security. Most of us don’t have known people who pose a threat to us, but all of us have unknown threat actors who are lurking on the Internet.
Unknown threat actors can be placed into three broad categories: incompetent criminals, professional criminals, and state actors. 

Incompetent criminals are fairly easy to identify. They are the ones who send spam email full of misspellings and offer get-rich-quick schemes that are so obviously scams. Most of us are well aware of what we need to do to minimize our risk from incompetent criminals. For example, don’t open attachments or click on links in such emails.

At the other end of the spectrum are state actors who have the backing of a government, with the resources to hire and equip high-level engineers and computer scientists. If state actors are a significant component of your threat profile, then you need the assistance of security professionals with experience at that level, as well as the assistance of your own government (assuming that your government is not the threat actor you are concerned about).

Which brings us to the most concerning category of threat actors: professional criminals. While professional criminals may be skilled, they lack the resources of a state actor, which means their activities are constrained by cost. It is this constraint that gives you the margin within which you can minimize your exposure and your risk.

It is expensive to plan and execute an attack that is tailor-made for one individual target. Conversely, it is relatively cheap to broadcast an attack to a population, even if only a few fall victim. An important part of your threat profile is an assessment of the degree to which you may be an individualized target of a professional criminal threat actor. This is where you employ your healthy dose of paranoia, by imagining the professional criminal out there who is homing in on you, seeking every opportunity to infect your computer with malware to steal your passwords and everything you hold dear online. Chances are very good that you are not being individually targeted, but that is why paranoia is important. To effectively protect yourself, you need to act as if you are being directly targeted — that you are James Bond with a secret that Blofeld desperately needs to destroy the world.

Which brings us to the second component of your threat profile: attack vectors.

Your nemesis is out there, lurking, but how will he attack you? From what direction and by what means? This is something you must constantly assess, and for which you must constantly be alert. That is why it is important to have fun with your threat profile, because otherwise it is exhausting to be in constant fear and anxiety.
You are most vulnerable to attack when you are at a computer, exchanging data over the Internet, usually via email or web browsing. This is when an attacker is most likely to be able to trick you or induce you in some way into sharing sensitive information or installing malicious software that can steal it from your computer. 

Rather than go into an exhaustive list of do’s and don’ts for safe browsing and email, let this be your guide: slow down and be mindful of what you are doing when you are online, and ask yourself with every action: Do I know what is happening right now? Is it possible I am being deceived or tricked? How can I be as certain as possible I am not being deceived?

You should always have your threat profile in mind when you are online, and you should also regularly re-think your threat profile to make sure it makes sense with changing circumstances. And most importantly, have fun with it. The future of the world depends on your heroism to thwart the evildoers out there.

About the Author: Jim Bursch, Director, DASH Bug Bounty Program, Dash Messaging and Dash Digital Cash