Tuesday, September 13, 2005

Common sense security

This is based on a comment I made in the MacBytes forum. It was in response to an article about Mac OS security, but is equally valid for everybody.
All security for all operating systems must start and end with the user. If the user is knowledgeable and vigilant, then most security products are unnecessary. If he is not, then no amount of add-ons will protect him.

I use a wide variety of computers at home and at work, running a wide variety of operating systems, including Windows. I employ the following security measures for all of them:

  • The networks (home and work) are behind hardware firewalls. The home LAN is behind a Linksys router with NAT turned on and all but one inbound port (SSH) blocked. The corporate LAN has its own firewall, administered by the IT department.
  • Operating system software is kept up to date with all the latest patches. I use the auto-update facilities to inform me of updates, but not auto-install them. (I want to know what and when I'm installing these patches, even if I end up installing them all.)
  • I keep my applications (especially internet-using ones) up to date with the latest patches from their respective vendors.
  • I only install software that I purchase or download from well-known sites. This is almost always the publisher's own site or a genuine not-pirated CD.
  • I do not trade "warez".
  • I do share my disk volumes over the LAN, but with some restrictions. At home, all volumes are exported as read-only (if I need to put a file on another computer, I log in locally to that computer and use the network to fetch it from the file's source computer, which also exports its volumes as read-only.) At work, I use our network's domain-level security so that only my personal account can mount one of my volumes read-write - other domain users are read-only, and guest-access is blocked.
  • I disable auto-installation in all programs, including web browsers, games, and the OS itself. I will let apps notify me when updates are available, but I must always give approval before download or installation. When stuff has certificates (like Windows updates), I review them to make sure the files come from where they are supposed to be coming from.
  • I never run a program e-mailed to me. Never. Even if the message is expected and comes from someone I know, I won't trust it. If I want someone to give me a program (which happens very very infrequently), I'll have him put it on a known web server and send me a URL to it, or (even better) snail-mail me a CD or load it into a flash drive I always carry with me.
  • I don't use known-insecure programs (like Outlook).
  • I configure my e-mail program (Thunderbird) to disable plugins, Java and JavaScript. Remote images are blocked.
  • Whenever possible/practical, I work from non-administrator accounts. Unfortunately, this usually isn't practical for Windows systems, but it is no big deal on other systems (including Linux and Mac OS.)

Note that none of these procedures require the purchase of any special software and none require the overhead of background software.

I do keep a virus scanner (provided by my employer) running on the Windows PCs just in case something should slip by my procedures. (The scanner updates itself every day at 1:00am and scans the local hard drives every day at 2:00am.) To date, I have gotten exactly one virus over the entire time I've had computers attached to the internet (which is as long as the internet has existed.) And this virus arrived via Microsoft's own Office Update server.

I also run AdAware and SpyBot S&D to scan for spyware on the PCs. I run these scans infrequently, but they have never found anything more intrusive than tracking cookies in my web browsers. (Which I make no attempt to block - I don't consider cookies a serious threat.)

I run the Microsoft software firewall on my Windows XP boxes, but I do not normally run software firewalls on any other computers, preferring to rely on the LAN's hardware firewall. I do keep a copy of Zone Alarm installed, but disabled on Windows laptops - I enable it when traveling in case other networks don't have proper firewalls in place.

Sometimes people ask if I should run antivirus software on my Mac. I tell them what I just wrote above. With proper security procedures, a virus scanner should not be necessary. If the Mac should ever become a target of intense malware activity (like Windows is), I will probably invest in antivirus software "just in case" it should be needed, but I intend on waiting until then.
