I'm seeing a lot of bad digital security advice out there right now. I'm begging you, for the love of God, if you are trying to tighten up your digital security, please start with threat modeling: https://ssd.eff.org/module/your-security-plan
Your Security Plan

Trying to protect all your data from everything all the time is impractical and exhausting. But, have no fear! Security is a process, and through thoughtful planning, you can put together a plan that’s best for you. Security isn’t just about the tools you use or the software you download....

@evacide Yes! And I'm writing about going further, software makers should publish their threat models so customers know the security posture.
https://designingsecuresoftware.com/writings/flaunt/
Flaunt your Threat Models!

Threat modeling is the most powerful, underutilized, easy-to-do security methodology we have: why isn’t everybody doing it already, or why do those who are keep their work secret? If you already threat model your digital systems and products, and are doing the work already, then you are doing security right, so you should share it with pride. Publishing threat models may be the best evidence of excellent security work that customers and users can appreciate the value of, short of a rigorous detailed design and code review. You’ve already done the work — or if not you really should — and making it public not only is great promotion but it also helps all stakeholders understand their respective roles and responsibilities in securing larger systems. (about 4000 words)

Designing Secure Software

@evacide Thanks. 🙏

I'm actually thinking of up-ending my game, and I'm used to threat modeling and risk managing at the office. It honestly never occurred to me to do it formally at home.

@jesterchen @evacide you can kind of make it second nature. I talked about it enough at home that my wife does it too without missing a beat. It doesn't take over our lives, but when we're thinking about things we want to protect, it's just part of our natural conversation.

@jesterchen @evacide

Coming at this from a completely different angle (climate risk). We usually talk about risk and exposure/vulnerability. I guess exposure+vulnerability are analogous to threat in the security sense?

Do either of you have any good resources on how threat assessment relates to risk management?

@ned Perhaps have a look at 100-3 or 200-3 from the German BSI (avail. in English).

@jesterchen

Er... isn't the BSI like a government department? Is there a report they produced that you're referring to?

@evacide Asking ”who are my allies” is so important, beyond digital security. The stereotype of a prepper who assumes everyone will be out to get them is a sad one. A community that is prepping as a whole, either via government support or self-organising, will be much more resilient - and most notably, a much happier place if shit hits the fan…
@evacide worth noting although it’s a good tool, things can go horribly wrong when threat modelling is done wrong, see the PlayStation 2 …
@evacide even before this past week, I've been having to point out that things like "disconnecting all electronics I'm not using, especially when I leave the house" and "read-only VMs for all financial transactions" are so far outside any reasonable home-based threat model that it's basically play-acting at being a super spy.
@evacide the only things i'm tightening up are the graphics on level 3
@evacide doing threat modelling makes sense but if someone is likely to follow bad digital security advice they might not be qualified to do threat modelling. For example, the minute someone **feels** law enforcement or their government is an “adversary” they would be instantly out of their depth
@evacide what kind of bad opsec strategies?
@evacide I like this idea but I think I would need help defining this a bit more. Seeing an example would help a lot
@evacide NIST has a lot of resources as well.
Cybersecurity

NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S.

NIST
@evacide I would love to attend your privacy and security classes. You can reach me here or at roddandtodd.com