Security 2007: Issues to Be Aware Of: Page 2

What’s different about OS X? This past year was a major one for my small business, as I switched from a Linux desktop to an Apple OS X desktop. Truth be told, I never had much respect for Macs (and that’s an understatement), but then Mr. Jobs came along and put BSD UNIX under the hood and my attitude shifted. I’ve been using various UNIXes since the early 1980s and have always just felt “at home” there.

I also feel more secure, but what really makes them different than Microsoft’s offerings from a security perspective? I’m going to explore this question more in my columns this year, but I have a few preliminary thoughts: 1) Applications are in the /Applications folder, where my desktop user has no write access to; 2) user application data, options, settings, etc., are stored in each user’s home directory; and 3) my desktop user has no system privileges (though that wasn’t an Apple default!).

I know these are nothing new—mainframe folks have known about this stuff for decades. They’ve taken the Redmond crowd a long time to catch on to, however. Try logging into a default XP desktop user sometime and deleting all the files in say Program Files or Windows sometime just for fun, and see what happens. (No, don’t really do this!) Indeed, I still have numerous applications loaded on my old XP laptop that require write access to Windows to store configuration settings and such. How can you ever hope to be secure in such an environment?

Email: Guilty Until Proven Otherwise

Delete emails with wanton abandon. Between the rise in spam emails and phishing attacks—which often go hand in hand—it’s time to switch to a whitelist approach when handling emails. That is, much like setting firewall rules, we have to assume everything to be deadly dangerous until we prove it to be safe, not the other way around. When I go through my inbox each day, I look through the senders and subject lines for people that I know and subjects that mean something in the context that I expect; all else gets deleted. Seriously. No previews. No clicking on emails that might be interesting. Sorry. There’s a serious risk that I’ll miss something that I shouldn’t have, but that’s the cost of doing safe email in 2007.

So that’s my little list of things to consider as we look forward to 2007 and all that it holds in store for us. Apart from anything else, we’ve got to realize that the for-profit attacks have upped the ante on us and we simply must find ways of doing our work better.