Lost in Boelter: Threat modeling

Have you ever wondered about those people who use cable locks for their laptops? Well, I’m one of them.

Contrary to conventional wisdom, that doesn’t mean that I’m overly protective of my laptop or that I have something to hide. I’m just taking precautions that, arguably, few do. Now, you might say to yourself that lugging around a cable lock is excessive and that no one would want to steal your laptop.

But what’s to stop someone from stealing your laptop if there isn’t a cable lock?

Whichever way you look at it, unless your laptop is locked up somewhere or someone is constantly watching it, there’s nothing to stop someone from pouncing on the opportunity and walking away with it.

Still, there are measures we all can take to stop being the low-hanging fruit or up-for-grabs for malicious users in the physical and digital world.

Threat-modeling

A fundamental concept in security is threat modeling, or the idea of understanding what the potential threats are. To put it simply, threat modeling can be summed up in two questions: “Who are we defending ourselves against?” and “What are we doing to defend ourselves?” Both questions can be answered well with common sense alone.

Suppose it’s finals week and you’re sitting in Powell Library during its quiet study hours. Your calendar alerts you that in several minutes, you need to make an important phone call and you realize that when you step out, you need to leave your belongings behind. In order to secure your laptop, you can create a simple threat-model.

First, who would you be defending your laptop against? Probably a student inclined to steal a laptop if given the opportunity. Of course, you could say “an armed robber” as well, but chances are, your everyday laptop theft at Powell won’t happen that way.

Next, how would defend your laptop? This is where common sense kicks in: When you leave your laptop lying around with no protection whatsoever, there’s virtually nothing to stop someone from snatching it. Anchoring it somehow to a stationary object, however, perhaps by using a cable lock, keeps someone from easily walking away with it. Now, cable locks don’t protect against cable cutters or a chainsaw, but your everyday laptop-snatcher probably doesn’t carry either of those in his back pocket. Hence, the cable lock is a deterrent, making your laptop seemingly unattainable to the petty thief – your most likely threat.

The fascinating thing about all this is that these same threat modeling principles can be applied to digital security as well to keep ourselves from becoming the low-hanging fruit. Creating a threat model for the individual user reveals that the likely threats are not nation states or seasoned hackers, but amateur hackers and malware that comes from clicking on suspicious ads, not from some complex malware deployment process. In this regard, we can see that the reason hackers exploit vulnerable systems isn’t just because there may be a monetary gain, but also because the system is easy pickings.

Interestingly, a majority of the cybersecurity threats we face can all, for the most part, be defended against by implementing everyday, personal security measures such as passwords, encryption and firewalls – measures that are simple to enact. The unfortunate truth, however, is that not all of us take these critical steps to securing ourselves digitally.

Imperfect Security

While there are many utilities we can use to keep our digital information secure from malicious users, the fact of the matter is that many everyday users do not implement these security measures. This is especially ironic, considering that more and more of our personal data is going electronic.

One factor in this disparity is user convenience – no everyday user is willing to remember a 100-character password as opposed to the shorter “1234.” The other, more frightening factor is the notion of absoluteness – that because no security system is completely foolproof, there is no use in worrying over security. While this second reason may sound farfetched, it wasn’t so long ago that a senior engineer at Google proclaimed that privacy may be an anomaly – and the same could potentially be said of security as well.

While no security system is invulnerable, security and privacy alike, are not absolute; rather they sit on a continuum. Take the fact that Microsoft releases a software security patch on the second Tuesday of every month, but within 24 hours, exploits for those patches are released on “Exploit Wednesday.” Our decisions to implement things like firewalls or two-factor authentication do not ensure or invalidate security, rather make it easier or harder for people to trespass on our digital data.

To quote Andrew Lee, CEO of ESET North America – who I had the good fortune of meeting over the summer – the most secure computer is one that is turned off, unplugged and locked up in a windowless dark room with a security guard standing outside. In other words, absolute security equates to absolute uselessness. On the flip side, the most convenient computer – one with no passwords or security measures to inconvenience the user – is also the lowest-hanging fruit, or easiest picking for a malicious user. As neither of these extremes are desirable, it’s clear that practical security – what anti-virus systems and CCTV cameras both accomplish to a certain degree – is aimed at deterring those malicious users from easily attacking our computers and our data. The degree of that deterrence, however, is determined by the threat models we develop and the actions we take to address those threats.

Hence, the question should not be about whether we have security, but about how much security we have. And, in that regard, it’s not too hard to see why I carry around a cable lock.