document set: DRAFT DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
title: Appendix A: Simplified Threat Model
author: Jonah Silas Sheridan, Lisa Jervis
version: "2.0 DRAFT NOT FOR PUBLIC USE"
last modified: 9/6/17
***
# Appendix A: Assumed Threat Model
## Introduction
What follows is a simplified threat model that outlines the landscape in which these checklists are expected to be effective. You may note that many of these assumptions map to the individual items in the readiness assessment tool as they are foundational to the recommendations in the checklist.
These checklists do not promise to mitigate the threats listed here in their entirety. If all items in these checklists were implemented across an organization, any Adversary as described by this threat model would face a high bar to impacting the confidentiality, integrity or availability of that organization's information systems. Although not annotated with this information, many individual recommendations are directly oriented at defeating one or more of the listed Adversary capabilities. If a specific capability poses a high risk for your organization, seek guidance from a technical support professional in determining which checklist items are most appropriate for mitigating that risk.
We describe the threat model in terms of assumed technical operating conditions, assumed user skills and Adversary capabilities, delivered in narrative form rather than with technical detail. We believe this adversary profile fits both common criminal adversaries and low-skill political or otherwise aggressive opponents of non-profit organizations' work.
## Assumed operating conditions
* Working environment is free from physical threat and devices are not consistently stolen or destroyed.
* Work is occurring primarily on adequately powered Windows or Mac computers with some use of Android or iOS phones for communications.
* All devices have been sourced through verifiable channels and are running official versions of their operating systems.
* Devices do not cross international borders, though communications and data may.
* Work occurs using a limited set of applications and tools which have been selected, administered and managed by the organization.
* Authentication mechanisms for these systems MAY be open to login attempts from any device.
* Staff have regular and consistent access to the Internet to perform their work.
* Networks used to connect to the Internet MAY also be used by other organizations and the public, including a potential Adversary.
* Networks in use do not also host publicly available servers or services.
* All organizational data is regularly backed up and available for restoration in a reasonable time period in most disaster circumstances.
## End user assumed capabilities
* End users can physically protect their hardware and devices inside their homes and offices as well as when in public spaces.
* There is a mechanism for providing training in information systems topics, and end users are available to receive it.
* End users can operate the limited set of applications and tools their organization supplies for their use effectively.
* End users can install browser extensions on their devices. End users, technology responsible staff or technical support providers can install other applications on end user devices.
* End users can remember strings of letters, numbers and symbols of length 12 or more for use as pass phrases or shared secrets for accessing systems.
* Pass phrases or shared secrets are used to authenticate a single individual or a small group of individuals to a system.
* End users know how to request and receive technical support for problems with their information systems.
* End users know how to request files from backup repositories.
## Adversary assumed capabilities
* Adversary can connect to publicly available information systems and attempt to authenticate with them.
* Adversary can send arbitrary content, including spoofed headers, malware executables, infected documents and links to email addresses.
* Adversary can send arbitrary content to smartphones via SMS or other open messaging platforms.
* Adversary can use promiscuous mode on their networking devices to collect wireless network traffic from all networks.
* Adversary can use collected WEP-encrypted wireless traffic to determine the password for that network and decrypt all of its content.
* Adversary can collect user credentials from unsecured exchanges on wireless networks with which they can authenticate or whose passive traffic they can otherwise decrypt.
* Adversary can set up wireless access points (WAP) in any public place with arbitrary or spoofed SSIDs.
* Adversary can use routing attacks to route traffic on public shared networks through their devices.
* Adversary can take over poorly configured or poorly secured commodity gateway routing equipment using well-known credentials or attacks on out-of-date firmware.
* Adversary can spoof DHCP server announcements on public shared networks to attempt to act as the gateway for that network.
* Adversary with an appropriate network position (via routing/DHCP attacks, WAP spoofing or router takeovers) can perform man-in-the-middle (MITM) attacks on unauthenticated traffic, including returning arbitrary results to DNS queries, downgrading STARTTLS email submission, rewriting unauthenticated exchanges and sniffing credentials or other content.
* Adversary cannot generate or purchase certificates for arbitrary domains from commonly trusted Certificate Authorities, and so cannot MITM connections authenticated through those CAs.
* Adversary can scan devices to identify their operating system or other software versions.
* Adversary can exploit well-known vulnerabilities in the operating system or in local software with open listening ports.
* Adversary may be able to perform Evil Maid attacks on hardware to which they have physical access.
* Adversary may be able to use brute force mechanisms on hardware that they take possession of.
* Adversary cannot brute force encrypted information except where otherwise noted in this document.