Washington Apple Pi

A Community of Apple iPad, iPhone and Mac Users

Security in Depth: or how to think about security

by James Kelly

Washington Apple Pi Journal, reprint information

A frequent question that arises between Macintosh and Windows users is “Is my computer secure?” or “Is my computer more secure than the other guy’s computer?”

The purpose of this article is to suggest a different way to think about computer security.

First, we should understand that security is a relative state, not an absolute state. None of us has enough money to become impregnable. Instead, the precautions we take should be within our budgets and make it difficult enough to victimize us that the bad guys pass us by.

What I’m referring to here is the concept of the “low hanging fruit.” The thinking goes that with a limited amount of time, the bad guys will first pick those they see as “low hanging fruit.” The “low hanging fruit” would be those people that haven’t taken the most basic of precautions to protect themselves.

OK, that’s nice, so what should we do? We should take every little precaution we can, so as to raise the bar of difficulty and discourage the bad guys.

The analogy I like to use is parking at the shopping mall. We are all aware that shoppers have their cars broken into while doing their Christmas shopping.

I’m hoping we all lock our cars, right? OK, but do you park in a well-traveled area of the parking lot? Do you avoid displaying wrapped presents on the back seat, inviting thieves to break in? Do you use LoJack in case your car is stolen? Do you hide the vehicle ID number in your windshield to keep thieves from obtaining a copy of your car keys from the dealer? What other barriers can you throw in the way of the car thief?

By thinking about and implementing all the little barriers we could erect against the bad guy, we are practicing Security-in-Depth.

Let’s think about our Macs now.

1. Do you use a DSL/cable router (Linksys, Netgear) to provide basic protection?

2. Do you use the built-in firewall of Mac OS X? (You can use this or a third-party product called Brickhouse: http://personalpages.tds.net/~brian_hill/brickhouse.html)

3. Do you use virus protection? While the number of viruses on the Mac platform is small, give it a thought at least. If you have a dot mac account you can get it for free.

4. Do you have a small network at home with one or more Windows boxes? If you do, you should keep them up to date using Windows Update from Start>Windows Update or using Automatic Updates (Start>Control Panels>Automatic Updates; here I check the radio button that says “Automatically download the updates, and install them on the schedule I specify” and I pick Every day at 3am).

5. If you remotely access your Mac via ssh, do you use firewall rules and tcp-wrappers restrictions limiting that to only those connections you usually connect from, like your office subnet?

6. Do you run software update under Mac OS X regularly?

7. Are you careful who you give your email address out to? Many websites sell the email addresses they harvest to spammers.

8. Have you learned how to utilize the mail filtering capabilities in Mail.app? Have you turned off HTML rendering in Mail.app? (Mail menu>Preferences>Viewing and uncheck “Display images and embedded objects in HTML messages”) Many spammers hide HTML in ordinary text spam to verify your email address. Also, never, never reply to spam.

9. Do you send email with sensitive data in it? Consider using PGP to encrypt the email. See:

http://www.pgpi.org/products/pgp/versions/freeware/mac/8.0/
http://www.cryptonomicon.net/howto/pgp.html

10. If you use a wireless network at home, are you using WEP encryption?

11. Do you change your WEP keys every month?

12. Do you turn off your wireless access point when you go out of town?

13. Do you keep up with wireless technology and look for a more secure replacement for WEP?

14. Most important of all, do you ask the question “If I don’t know how to securely do something, how do I find out how to do it securely, or do I really need to do it in the first place?”
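For item 5, an added example (not part of the original article): a simplified evaluator for tcp-wrappers `hosts.allow` / `hosts.deny` rules, showing that limiting ssh to an office subnet only takes effect when `hosts.deny` also refuses everyone else. The sample file contents, the 192.0.2.0/24 subnet and the function names are assumptions, and only `ALL` and IPv4 address patterns are handled.

```python
import ipaddress

# Constructed sample files (not from the article). 192.0.2.0/24 is a
# documentation range standing in for "your office subnet".
HOSTS_ALLOW = "# /etc/hosts.allow\nsshd: 192.0.2.0/255.255.255.0\n"
HOSTS_DENY = "# /etc/hosts.deny\nsshd: ALL\n"

def parse(text):
    """Return [(daemons, client_patterns)] for each 'daemons : clients' line."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(":")
        if len(fields) >= 2:
            daemons = fields[0].replace(",", " ").split()
            clients = fields[1].replace(",", " ").split()
            rules.append((daemons, clients))
    return rules

def client_matches(pattern, ip):
    """Match one client pattern against an IPv4 address string."""
    if pattern == "ALL":
        return True
    if "/" in pattern:              # net/mask form
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    if pattern.endswith("."):       # prefix form, e.g. "192.0.2."
        return ip.startswith(pattern)
    return ip == pattern            # exact address

def matches(rules, daemon, ip):
    return any((daemon in d or "ALL" in d)
               and any(client_matches(p, ip) for p in c)
               for d, c in rules)

def allowed(daemon, ip, allow_text, deny_text):
    """tcp-wrappers order: a hosts.allow match grants access, otherwise a
    hosts.deny match refuses it, and a client matching neither is granted."""
    if matches(parse(allow_text), daemon, ip):
        return True
    return not matches(parse(deny_text), daemon, ip)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5"):   # office host, outside host
        print(ip, "with deny file:", allowed("sshd", ip, HOSTS_ALLOW, HOSTS_DENY),
              "| without:", allowed("sshd", ip, HOSTS_ALLOW, ""))
```

With an empty `hosts.deny`, the outside address is still granted access, so the allow rule by itself restricts nothing.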

The above list is not exhaustive by any means. It’s just a start.

What precautions can you think of to add to this list?

Again, the idea is not to look for one silver bullet solution, but to do all the little things you can do. Once you do all those little things you’ll find you have made yourself a tough target.