
okay so thank you so much for staying so late in the afternoon it's 4 o'clock and you are not drinking a cold beer some somewhere so it's a real pleasure or you are drinking there so that's good so um I have I have 20 minutes for a 40 minute presentation so I will just take this very very fast I have 5 seconds to introduce myself so I just want you on a count of three to shout your name so I know you and I will shout mine so 1 2 3 bam very nice to meet you it's it's great to have you here so you can see what I do why I'm here so imagine I'm driving
the car the wife is next to me and I'm listening to hackish language what what else and there is of course like a conversation about I think it was like password managers or something and driving listening you know and there is like ninja says oh yeah but that's not part of my threat model I'm like you guys have threat models I'm like um where do I get one so um I work in risk so it's not that far but when you go and you just look at all of the existing frameworks they are like STRIDE the Microsoft application um threat modeling tool is it's not something that you can use so who who knows what is a threat model raise
your hands I can go home it's great so um but for the others who don't know it the threat model is simply identifying and evaluating the dangers to any system process or even a person and that's what we are doing here we are doing personal threat modeling and here is the thing so personal threat modeling does not really have many frameworks so I thought that you know I have to make one one of my own so um I have some facts of course I have no citations because I made all of this [ __ ] up but hey so most people I'm guessing not me but you I don't really worry about constantly stuff so that's
one thing the other thing is that humans as a species have the ability to kind of imagine scenarios and imagine what what you would do like that's why we go to movies read books or I don't know do the crossroads who's what who's doing what so learning from the mistakes from others I think is a superpower and this is what you can do when you start thinking about stuff and how do you think about this is you have to model it but of course there is you know model is a model that's like you know an abstraction of what whatever you are facing so we'll never be perfect perfect um the other thing is that compared to
any like application review business threat assessment there are clearly guided and described processes hopefully most of the time but um uh with a personal threat modeling well everybody is very unique and you kind of need to do your own you cannot download it from the internet so when you start with this you actually have to clear um the mental fog of war that your mind is using to keep you sane and not worrying about that stuff that I mentioned in the previous slide and and uh you have to discover you know how things are interconnected around you and um so why by a pocket threat model well you just need to start somewhere so you could um well do do some selective
other stuff but this is what I came up with I'm like okay let's start the threat model what's in my pocket so the the concept of pocket threat modeling is very easy you start with stuff that is literally on you and why is that because um even with the trust of society that we already have and we we don't need to keep the nuts you know always on us um most of the stuff that we carry with us actually have um either value or access to other stuff or control over other stuff or actually claims so just think about this access could be like a key um control could be like maybe your phone um a claim could
be your identity card because that is where you claim who you are so my my thought was that you should just start writing stuff down that you have and start to connect out to things that are in your life and that are important to you so well this is very abstract how would we start with that so let's see let me show you um I don't know you could just do it on pen and paper which is like real secure and offline way of doing it but my tool of choice is actually Obsidian and you will see well in few five minutes how and why Obsidian is a note taking tool that kind of handles markdown you can have a
little um project that that handles all of your notes and you can just go and and write what's what's in your pocket so I'm guessing everybody has the same thing in their pockets if you just reach into it it's poop bag or uh maybe maybe just a to but okay you have a phone and you have probably keys in it but but doas probably have like poop bags so let's just write down that
okay thank you we are done okay um kind of joking with this but actually when when you start with this what's really great about Obsidian here I I tried like a lot of mind mapping tools other um solutions is when you click one of these links that I just use by creating double brackets could just go into the poop
bag and I can add context so it's like if if you had like HyperCard I'm too old for this but yeah so HyperCard was like cards connected and it's very good for this so um let's go back to the presentation now you understand the gist what I'm talking about what's put in your threat model you know so you just put in things things are like tangible intangible but things connect to other things maybe they are like um providing access maybe they are not providing access but you would also need to put that in as well so I could have a phone with me and I would be like able to say that I have some apps on it
I have an Instagram app but if I would have like um password that I would use for Instagram I could say that it is like an Instagram password and if I'm reusing that password I would be able to link that password to others or if I have Dino in my password then I could just link it to the dog and that would enable me to you know clear that mental fog and ex explore the the the territory of all of the stuff that is important for me uh you would add people as well because of course when you go they're like oh I have the home key and then there is the home then then there's
surely somebody there maybe burglar we could add those um but you can also list your reputation like oh I did a very bad BSides presentation this year like you can add that so and once you're done with that then you have to think about the dangers like what's happening with these and most frameworks have you know STRIDE you have to go through spoofing repudiation everything you don't have to do that two things what if you lose it and what if somebody else has access to it this is the only two things you need to think about everything is kind of falling under this but each um item or asset that you have will bring to this and how will you be able
to well get a key made maybe the wife can let you into the apartment if you lose it uh maybe you need to buy a new phone but how do you get those 2FA codes so um the the previous uh sample was just a little bit um short so I heard many Steves in the audience so this is not predestination but Steve actually came to my talk and he wanted to have a threat model and he started doing it and that's why we have his threat model and that's what I will show you so he has more f I hope that you can I hope that you can see this he has um a lot of things and
of course poop bag is in his pocket as well so who who can tell me what is the biggest danger to Steve right now Steve sample cancer he has cigarettes don't smoke it's not good for you so let's go let's see poop bag well he has a dog named Dino Dino is a dachshund he has a chip the chip has you know home address phone number that contact details uh we can go back to the pocket we can check that oh Steve has a wedding band he's married to Vilma Vilma is the wife they have a boy baby boy Billy wife is active on Facebook Instagram Tumblr you can go with that you know well the boy is every is
everything for Steve if you go back we can also check that Steve has a car but his car is like a company car so he he doesn't have to really worry about it you you see if you lost it um well work has another set of car keys so he can just pick that up and move the car but if somebody took it well that's bad but there is insurance so this is like you know threat assessment we have it done for you so um how would we able what good is this for apart from yeah really nice clicking through things and like you can go back here as well poop bag um but um so
here is the magic uh Obsidian actually has a graph view this I'm guessing this is where you blow your mind is you know you can see you know what what's are on the home keys um where is grandma we could search for her we we can see Grandma gerud is active on Facebook and she's very political oh that means that's like uh something to consider like okay Steve also has a midnight munches Minecraft server and he's a mod and if you have been here earlier today then you know oh that's where exploits get born like Minecraft servers so it it's very easy to think about your stuff once you have all of these relationships um mapped for you and if
you would do this in a mind mapping tool I tried I actually tried it would take you days to connect and then just something changes so this is the the whole idea defenders think in lists attackers think in graphs and you are now thinking in graphs as well so you are on the wrong right side of this use Obsidian it's very good for you links and back links make look a breeze I could present it in two minutes everything is in markdown you can actually edit the markdown outside Obsidian so if you prefer any other editor then at the end you can still have the links you can also use tags as I did with Grandma gude
like she's polit political I could have had um additional layers I did and I could have only you know tech products show up on a filter or anything and as you saw graph view is mind-blowing so I mentioned maybe saying that okay I have um like the dog's name in the password well never put this into Obsidian this is like clear text you could mitigate some of it if you just put the um the vault that Obsidian calls your back of folders in like an encrypted container OneDrive has one and also Keybase but yeah this is very straightforward who who who who thinks this is very easy to do okay oh look oh I have like five
people so this is an asset inventory nobody likes to do this but this is the only thing that only you can do nobody else um because nobody else knows what is important for you I mean um you could check I did check you go to Bellingcat like what what does um investigative journalist worry about hopefully you don't have the same threat model as they and you don't have Mossad on your neck and and others but if you do well you could just put Mossad on the map and say that okay they can hack your phone and you can check what connections your phone has you can think about the threats if you don't know about threat you can
listen to podcasts you can listen to hackish language you can listen to other podcasts as well Risky Business to mention some of the others and of course it never be it will never be perfect if you spend just an evening with a cold drink on on typing alone with the light of the monitor uh on shining down on your face and and you just come back later and read it and you just realize yeah my computer is out of warranty like I don't have I did have the insurance lapse and so there are a lot of things that you will just think and it will click for you and when it clicks you will see the solution
to it because we are problem solvers by nature that means when you would have the problem future in life then you would be doing well maybe probably the same thing you would go back for the keys but now you know that that is an issue maybe you know if if Steve loses his job car is gone so he has to think about that so in in summary you need a threat model and um it's dangerous to go alone so take this any questions so does anybody have a question in their pocket nice no okay in that case Benedict thank you very very much
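
Added example, not part of the talk or the speaker's material: a small Python sketch of the linked-notes idea described above, parsing Obsidian-style `[[double bracket]]` links into a graph so you can ask what an item leads to if someone else gets it, and what points at it. The vault contents are constructed here, loosely after the Steve sample, and the function names are hypothetical.

```python
import re
from collections import defaultdict, deque

# Constructed sample vault (note name -> markdown body); not the speaker's notes.
VAULT = {
    "Pocket": "[[Poop bag]] [[Phone]] [[Home keys]] [[Wedding band]]",
    "Poop bag": "For [[Dino]].",
    "Dino": "Dachshund, has a [[Chip]].",
    "Chip": "Stores [[Home address]] and phone number.",
    "Phone": "Apps: [[Instagram app]]. #tech",
    "Instagram app": "Login uses [[Instagram password]]. #tech",
    # Record that the link exists, never the secret itself (notes are clear text).
    "Instagram password": "Contains the name of [[Dino|the dog]].",
    "Home keys": "Opens [[Home]].",
    "Home": "Located at [[Home address]].",
    "Wedding band": "Married to [[Vilma]].",
}

# Matches [[Note]], [[Note|alias]] and [[Note#heading]]; captures the note name.
WIKILINK = re.compile(r"\[\[([^\]|#]+)(?:#[^\]|]*)?(?:\|[^\]]*)?\]\]")

def links(body):
    """Return the note names a markdown body links to."""
    return [name.strip() for name in WIKILINK.findall(body)]

def build_graph(vault):
    """Return (outgoing links, backlinks) as dicts of sets."""
    out, back = defaultdict(set), defaultdict(set)
    for name, body in vault.items():
        for target in links(body):
            out[name].add(target)
            back[target].add(name)
    return out, back

def reachable(out, start):
    """Breadth-first walk: everything start leads to, with hop counts."""
    hops, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(out.get(node, ())):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    del hops[start]
    return hops

if __name__ == "__main__":
    out, back = build_graph(VAULT)
    print("If someone else has the phone:", reachable(out, "Phone"))
    print("What points at Dino:", sorted(back["Dino"]))
```
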