For a segment on the Typical Mac User Podcast I was asked by the host, Victor Cajiao, to discuss the security (or insecurity) of Mac OS X and some defensive measures. I came up with 5 things that I believe are most important in terms of security, and really they can apply to any operating system.
Encrypt Your Data
Whether you use TruCrypt, the built-in File Vault, or even PGP, encryption is important. If malware were to get on your system, well, yeah they could most likely grab the key to your encrypted data. However, if your system gets stolen, you'll be glad that you have it. I tend to shy away from full-disk encryption, simply because I am afraid of losing any flexibility during backup and recovery. While I know it is technically possible, I am still skeptical. I do find that the built-in encrypted file system is a great way to protect my data. I use Disk Utility (Applications -> Utilities -> Disk Utility) to create DMG image files that have an encrypted file system. Once in Disk Utility I go to File -> New Blank Disk Image and configure it as follows:
Once you click create, you will be asked to provide a password, which will need to be entered each time you mount the volume:
An important thing to note is that I have chosen NOT to store this password in my keychain. If my machine becomes compromised I do not want the password for this file to be stored anywhere on the system, even in the keychain. I tend to store my sensitive documents and files, such as my business documents (proposals, reports) and any sensitive files (such as SSH keys, PGP Keys) on these encrypted values. Of course, if you store SSH and PGP keys, you will need to adjust your configuration to point to the DMG file path (/Volumes/) and have the volume mounted for it to work.
Use Strong User Authentication
While two-factor authentication would be best (such as a finger print reader or smart card), most often just tuning the default settings can greatly improve the security. For example, in OS X make certain that you set a password on your screensaver, and use a hot corner to activate it. Hot corners can be found in System Preferences -> Desktop & Screensaver -> Hot Corners button. To enable a password on your screensaver go to System Preferences -> Security -> General tab:
I always check the box next to "Require password to wake this computer from sleep or screen saver", which, well, is pretty self explanatory. I also disable automatic login, so users must enter the password in order to login to the system when it first starts up, I disable the remote infrared receiver, and use secure virtual memory. I don't like to use the infrared because I don't believe it can stop someone else from controlling my Mac using their remote. The authentication is, at best, weak, and could be easily defeated. I like to use secure virtual memory to prevent malware from diving in and looking at my passwords that might be stored in virtual memory. This may or may not be able to prevent it, but hopefully I've raised the bar by checking this option without having a negative impact on performance.
Don't Run With Administrative Privileges
I believe this is an important step to securing your operating system, especially OS X. While it does not prevent many targeted attacks (for example, on penetration tests I can typically collect the information I need without administrative privileges), it can help defend against malware by not letting malicious programs access restrict areas of the system and do some of the more evil things, like access kernel extensions. First, you must create an admin user (You can call it "admin" if you like) and be certain it has administrative priviliges. Then go to System Preferences -> Accounts, highlight your account (NOT the "admin" account) and uncheck "Allow user to administer this computer".
TIP Did you know that using the Terminal application you can gain access to the administrative functions using sudo command? Its easy, simple open the Terminal application and then type sudo then a command. For access to the command shell as admin (or root) simple type sudo -s. It will ask you for your password and then grant you access to the System with the highest privileges available.
Keep Your Software Up-To-Date
This is probably one of the most important things you can do to secure your system. Applying patches hits the bottom line most directly when it comes to security, it patches the software that is broken/vulnerable. However, this is not your cure-all solution for everything. Some vulnerabilities do not require software to be vulnerable to a patchable bug (such as weak passwords, or protocol attacks). However, it never hurts to have your system check frequently for updates by going to System Preferences -> Software Update and setting "Check for updates" to "Daily" and checking "Download important updates automatically.
Enable The Firewall
While some may say its "so 90's", a firewall is still an essential part of your defense. It keeps out the unwanted network traffic, which can make it more difficult for attackers to compromise your machine when on wireless networks especially. On these wireless networks attackers could be on the same network segment as you, and without a firewall you are giving them access to your machine. There are many services in OS X that can be abused, for example Bonjour has a long history of being very noisy and insecure. This presents another problem however, the OS X firewall typically allows protocols such as Bonjour to operate! My suggestion depends on your technical ability. If you are a typical mac user (like the pun?), then you might try simply going to System Preferences -> Security -> Firewall and clicking "Allow only essential services". For the more advanced users, I recommend taking a look at Bastille UNIX, a great project that will help you lock down OS X and create the most secure and comprehensive firewall ruleset. The firewall in OS S is a slippery slope, and has a history of problems and ways around the defenses. However, it can't hurt to enable it to stop the more obvious and less sophisticated attacks, leaving you to deal with some of the more advanced ones.