Guide to Best Security Practices on your Mac
If you own a Mac it’s easy to take security for granted. While our Windows-using friends have been dealing with viruses and other malware for years, Mac users have been largely ignored by the virus-creating community. This is not by chance - the Mac OS is a better-written, tightly controlled operating system, and with ten times more Windows machines out there than Macs, Mac users are a smaller target audience.
This doesn’t mean, however, that Mac users can take security for granted; virus protection is only one aspect of good security practice. Macs (and iPhones) are still vulnerable in a number of ways. This guide is intended to provide reasonable steps you can take to keep your data secure without being obstructive. Below is a list of eleven things you can do to keep your Mac - and your personal information - secure.
1. Protect your Mac with a password
The Mac operating system requires a password for every user account on your computer. Unfortunately, by default the Mac operating system also automatically logs into your default user account without requiring this password when you turn on your computer. We recommend that this automatic login be disabled, and that your computer be set to require both your username and your password every time you turn on your computer. These options are available in the “Accounts” section of System Preferences.
This is especially important for laptop users who travel with their Macs. If your laptop is lost or stolen, do you really want the person who finds and/or stole it to have access to all of your emails, pictures, and documents? This first level of security can thwart the average snoop or thief.
To supplement this measure, we also recommend enabling the “Require password after sleep or screen saver begins” option (in the “Security” section of System Preferences) and setting your computer to activate a screensaver after no more than 10 minutes of inactivity. This way, if you walk away from your computer without shutting it down (or travel with it asleep), you’ll still have this first level of security protecting you.
2. Protect your iPhone with a passcode
Your iPhone probably has important data on it. It’s configured to send and receive your email, it has your personal photos, and has the email addresses and phone numbers of your personal contacts. If your iPhone is lost or stolen, the cost of replacing the iPhone may be the least of your worries; the breach of your personal data is the painful part. Luckily, the iPhone has some built-in features that can protect you when this happens.
From your iPhone’s home screen, launch the “Settings” app. Go to the “General” section and find the “Passcode Lock” section. From here you can set your four-digit code as well as other options. The “Erase Data” option is especially useful - if someone enters an incorrect passcode ten times on your iPhone, the iPhone will begin an unstoppable erase of itself, clearing all of your personal data.
If you have a MobileMe account, your iPhone can also be remotely located via GPS or erased if it’s lost or stolen. If your company uses Kerio Connect (or Kerio Mailserver), your iPhone can be remotely erased by your administrator if it’s lost or stolen. Ask your CompuCraft representative about all of the features of Kerio Connect.
3. Use a reasonably good password
This applies not only to your computer password, but to the other electronic accounts you use. Good passwords should not be actual words, as they can be easily guessed or hacked. A series of only numbers is also not a good password choice (for the same reason). Some general guidelines:
a. Use a minimum of eight characters in each of your passwords.
b. Use at least one number, one letter, and one “special character” in each of your passwords.
c. Incorporate some randomness in your passwords. For instance, when you’re choosing a password, use the current time in the password somewhere. Some examples of good passwords: “good@121”, “5%numbrs”, “98Van(4)”, “don’t##3”, “10.5.4fv”
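The guidelines above, turned into a small checker (an example added here, not CompuCraft’s code). The dictionary sample is constructed for the example, and the guide’s own five example passwords are used as input.

```python
"""Checker for the password guidelines in item 3 (an example added to this guide,
not CompuCraft's code). The dictionary sample below is constructed for the example."""

# Constructed sample of "actual words"; a real check would load a full wordlist.
SAMPLE_DICTIONARY = {"password", "letmein", "welcome", "computer", "macintosh", "numbers"}

MIN_LENGTH = 8  # guideline (a)


def check_password(password):
    """Return a list of guideline violations; an empty list means the password passes."""
    problems = []
    # Not only numbers, and not an actual word (the two rules stated before the list).
    if password.isdigit():
        problems.append("consists only of numbers")
    if password.lower() in SAMPLE_DICTIONARY:
        problems.append("is a dictionary word")
    # (a) minimum length.
    if len(password) < MIN_LENGTH:
        problems.append("is shorter than %d characters" % MIN_LENGTH)
    # (b) at least one number, one letter and one special character. Anything that is
    # neither letter, digit nor whitespace counts as special, so ASCII punctuation and
    # the curly apostrophe in the guide's fourth example both qualify.
    if not any(c.isdigit() for c in password):
        problems.append("has no number")
    if not any(c.isalpha() for c in password):
        problems.append("has no letter")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("has no special character")
    return problems


def is_acceptable(password):
    """True when the password meets every guideline."""
    return not check_password(password)


if __name__ == "__main__":
    # The guide's own examples, followed by three constructed weak ones.
    for candidate in ["good@121", "5%numbrs", "98Van(4)", "don\u2019t##3", "10.5.4fv",
                      "password", "12345678", "abc@1"]:
        verdict = check_password(candidate)
        print("%-12s %s" % (candidate, "OK" if not verdict else "; ".join(verdict)))
```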
4. Use different passwords for different services
If an unsavory character obtains your email address and email password, what other services will they be able to access? Do you have a Facebook, Twitter, iTunes, Amazon.com, or an account at a major bank? Do you use the same password for all of these services and more? If so, you’re putting yourself at risk of identity theft for the sake of convenience (only having to remember one password). Different services should have different passwords assigned to them.
To help you keep track of all of these passwords, we recommend an application called “1Password” from Agile Web Solutions: http://agilewebsolutions.com/products/1Password. It’s reasonably priced and has an iPhone app which syncs with the desktop application. Contact your CompuCraft representative to help you with configuration and usage of 1Password.
5. Don’t share passwords (where it can be avoided)
Does your organization share a single account and password for any services? If everyone uses one account to access your organization’s FTP server, iStockphoto account, or wireless network service, what happens when one of the users leaves your organization? Wherever possible, individuals should be given individual accounts and passwords for services. Wherever it’s not possible, passwords should be changed when an individual leaves your organization.
6. Distrust open wireless networks
Network traffic (email, website use, etc.) is fairly easy to intercept on unsecured open wireless networks. If you connect your laptop or iPhone to an open wireless network (at Starbucks, the airport, a hotel, etc.), do so with the knowledge that any network traffic you generate could potentially be intercepted. Use appropriate caution: don’t send or receive email unless using SSL or a VPN (see item 7). Don’t transmit or receive confidential data on websites unless they employ SSL.
7. Use SSL and VPNs
SSL (Secure Sockets Layer) is a protocol that encrypts network traffic between two endpoints (for instance, your email application and the email server, or your web browser and your bank’s website). SSL encrypts your credentials and data so that, even if the traffic is intercepted by unsavory users or devices, it cannot be read. If your email server supports SSL, you should use it both for sending and receiving. If your mailserver does not support SSL, talk to your CompuCraft representative about a better solution.
A VPN (Virtual Private Network) is a way of creating a secure network connection from your travelling computer into your organization’s network. Configured properly, a VPN can encrypt ALL network traffic from your computer into your organization’s network. If your organization has a VPN server available, you can connect into the VPN while travelling to secure ALL of your email and web use. If your organization doesn’t have a VPN server, contact your CompuCraft representative for a solution.
8. Use your Mac’s built-in firewall
A firewall is a device or piece of software designed to block unwanted incoming network connections. Mac OS X has built-in firewall software which should be used whenever you’re travelling with your Mac or are connected to an unsecured network. To activate your Mac’s firewall, go to the “Security” section of System Preferences and click on the “Firewall” tab.
9. Avoid “social engineering” tricks and scams
Social engineering is a fancy way of saying “fraud.” Be wary of unsolicited requests for personal information via email and the phone. If someone claiming to be from your bank calls you to request information specific to your account, don’t provide the information. Call the bank back using the phone number you already know, not the number on the caller ID.
Similarly, if you receive an unsolicited email, don’t click on any of its links. Email is relatively easy for unsavory people to forge, and a link that looks like it takes you to www.mybank.com may actually take you to a forged site that only looks like www.mybank.com and accepts your personal information, which is then stolen and used by criminals. If you receive an email from your bank that you believe to be legitimate, avoid the link and explicitly type your bank’s URL into your web browser (www.mybank.com).
Another common trick: unsavory people will figure out your friend’s email account password and use their new-found power to solicit help from you, impersonating your friend. One of the common scams right now goes something like “I am on a trip to London, but have been mugged, and am now marooned without passport or cash.”
Use your spider-sense. If something doesn’t feel right, it probably isn’t.
10. Use good judgement when using your credit card online
The Internet is rife with companies selling goods at low, low prices. It can be tempting to find a “good deal” at www.random-website.com and purchase with your credit card. The site may even use SSL to protect your personal information and credit card info during the transaction. But what is the Random Website Co. doing to protect your personal information once they’ve collected it? Are they using appropriate measures to protect the data they’ve collected from you from hacking and social engineering? Unless you’re purchasing from a well-established company, the answer is sadly: probably not. Use discretion when providing personal information online. Purchase from companies you know and trust.
11. Stay on top of security updates
While the Mac operating system is very secure, vulnerabilities are constantly being discovered and patched by Apple. Apple delivers these updates (and others) via a mechanism called “Software Update” (available from the Apple menu). Installing these security updates on a regular basis will help keep your Mac protected from known vulnerabilities in the operating system.
Please be aware that while “security updates” are generally benign, other updates (MacOS updates, iTunes updates, etc.) are not always so. These other updates occasionally cause unexpected (and undesirable) effects on mission-critical applications. If your computer is used for mission-critical work, avoid installing these other updates and talk to your CompuCraft representative about a managed service solution to keep your Mac up-to-date.
These eleven tips will help keep your personal and business information safe with a minimum amount of effort, but there are also more robust solutions available. If you’re looking for more security than these tips provide, ask your CompuCraft representative about other solutions, such as FileVault, Check Point Full Disk Encryption, and LoJack for laptops.