At this point, remarking that people are now more concerned about online privacy than ever before isn’t a novel observation. Rather than experiencing a short-lived spike, Internet privacy awareness has been sustained.
This is particularly encouraging to me personally, because I gained my background in technology precisely from the desire to safeguard my own digital autonomy.
I know as well as anyone that it is not always obvious where to turn to enhance one’s Internet security.
My hope is that, with a guide from the perspective of someone who not long ago probably knew less than you do now, you will develop enough of a foundation to journey forth by yourself.
Piecing Together Your Threat Model
So where do you begin? Quite simply, with yourself. Security is possible only after you determine the item of value. Only then can you assess just how far to go to protect it.
Before you can consider the means, you must select the end. In the case of Internet security, you have to determine what it is you are trying to protect. This could be as straightforward as certain files on your devices, or the contents of your communications with associates.
It might also be more abstract. For instance, as a result of your behavior, certain personal facts about you — although not contained in documents as such — may be inferred and automatically captured as data streams akin to files, called “metadata.”
In the context of Internet security, everything basically takes the form of information, so you need to think long and hard about what information you are guarding, and each of the forms it can take or ways it may be retrieved. This can be quite a job at first, but it becomes easier with practice.
Defining the information you would like to safeguard gives you the first component of what is called a “threat model” — essentially your high-level strategic view of how to keep your data secure. In the context of your threat model, your valued information goes by the succinct name of “asset.”
Once you have defined your asset, it’s time to identify your “adversary,” which is the glorified name for entities that want to take your asset. This exerts a powerful influence on what your threat model ultimately will look like — your plan for holding onto your asset will look very different depending on whether your adversary is your neighbor or a hostile government.
When considering your adversary, it is critical to enumerate realistic threats. It may seem counterintuitive but, as you will see by the end of the primer, it really does not help to overestimate your enemy.
The word “adversary” may evoke a diabolical nemesis, but that doesn’t have to be the case. Although you should not inflate your antagonist, neither should you overlook it. While it’s quite easy to single out an adversary such as a criminal hacking collective (if that’s really yours) for its overt ill intent, your adversary could be a service you willingly use but don’t totally trust. The point is, you want to catalog every party that wants your asset, regardless of the reason.
With those two pillars in place, it is time to complete the tripod: Accounting for your asset and adversary, you have to size up the means the adversary has at its disposal and, most importantly, the means you have and the lengths you’re prepared to go to in order to protect your asset. These two things aren’t always the same — hence the distinction.
Fortunately, a wealth of tools is available to keep your asset secure, if you understand how to use them. Even better, the best ones are free. The actual limit in practice is that of self-discipline. Keep in mind that a strong defense is futile without the resolve to use it consistently and without relenting.
I like to think of Internet adversaries as inhabiting one of 3 categories:
Category 1: Operating mostly in private industry, these actors are those that passively collect information from you as a result of your use of their services. However, in recent years we have learned that firms overstep this implicit covenant to accumulate information on individuals even if those individuals don’t explicitly do business with them. Ordinarily, these adversaries don’t seek out your information directly. Instead of coming to you, they wait patiently for you to come to them. Therefore, they can be thwarted by shrewder consumer choices.
Category 2: These adversaries are the ones that employ primarily offensive approaches to execute both targeted and untargeted (i.e., indiscriminate) attacks on consumers. This category involves a varied spectrum of attackers, from lone black hats to complex criminal enterprises. What they all have in common is that their approaches are somewhat intrusive, actively breaching defenses, and definitely not legally sanctioned.
Category 3: This category encompasses the most formidable adversaries — foes that can leverage state resources. In point of fact, the actors in this category are the only ones that qualify for the information security consensus term “advanced persistent threats,” or APTs. Like category 2 adversaries, they conduct invasive offensive operations, but they do so with the financial assets of a political faction or government behind them, and in many cases, the legal immunity of one as well.
This is my own taxonomy, rather than accepted industry terminology, but my hope is that it illustrates the kinds of adversaries you may face vividly enough to help with your threat modeling.
If you don’t consider your work especially sensitive and only wish to mitigate the creepiness factor of intimate personal details constantly and mercilessly being saved and analyzed, you’re confronting a category 1 scenario. Most of you likely will find yourselves in this boat, particularly if you rely to any degree on social networks or communication services run by advertising revenue-driven technology companies.
For those of you in possession of highly valuable information, for example six-figure-plus financial data, there is a good chance that you need to arm yourself against category 2 attackers. The lucrative nature of the information you handle means you likely will attract actors that specifically and actively will work to breach your defenses to steal it from you.
Dealing in sensitive information, the kind that could spell life or death for particular people, exposes you to category 3 adversaries. If you’re the kind of person who risks attack from a state-level actor, such as a national security journalist or defense industry professional, you already know it. If fending off category 3 attackers is your reality, you need far more operational security than I possibly could supply you. My treatment of category 3 actors will be more for the sake of painting a comprehensive picture for readers generally, and also to convey a sense of the scale of potential countermeasures.
By this time, you ought to have a sense of what your asset is, and exactly what adversary it attracts. This aligns with my roadmap for this four-part series. Subsequent installments will focus on deciding which tools and practices your asset and adversaries necessitate.
In the next installment, which delineates risks from category 1, you will learn the digital hygiene that’s beneficial for everybody and sufficient for many, but insufficient for those squaring off against foes in categories 2 and 3.
The installment that follows, in addition to educating those expecting threats from category 2, might draw in those who wish to get ahead of the pack fending off category 1. It also will build a bridge for people bound for the challenging road of resisting category 3 attacks, but it won’t be enough in itself.
Rather than focusing on software tools themselves, the final piece will attempt to outline the thought patterns needed to combat the many daunting opponents you can face in information security. Considering the inherently immense capability of category 3 threats, the objective is to clarify the mindset of people who need to defend against them.
You Can’t Have It All – but You Should Try to Have Some
I will leave you with one parting thought to set the tone for this series: No matter how your threat model shapes up, you will face a tradeoff between Internet security and convenience. You won’t ever have both, and their inverse relationship means an increase in one decreases the other. A viable threat model is one that finds a balance between the two that you can stick with, but that still addresses the threat at hand. The only way to maintain that balance is through discipline.
This is exactly why plans that overkill your adversary do not work. All they do is trade away more convenience than you can tolerate for Internet security you don’t need, which leads to abandonment of the threat model entirely more often than to a revision of it. Instead, if you find your balance and have the will to maintain it, you will put yourself on the road to success.
That road, as you will see, is hard and long — possibly endless — but there’s a reward purely in traveling it.