As I wrote the other day, anything the mind of man can make, the mind of man can break. The piece I wrote earlier was relating directly to the security of the client operating system. However, there is another aspect to consider, specifically the human factor.
While an OS itself can be secure as a rock, there is always a human factor involved. Even the most intelligent individual makes foolish decisions and actions at times. It is very difficult to protect the user from him/herself. It is very difficult to explain that some emails requesting their information are legitimate, and others are not. Or that some website popups only look like an application window, and are not to be clicked on.
These days, attackers find information more valuable than random destruction and wreaking havoc among systems. Consequently, the majority of attacks are designed to infiltrate and recover information, while doing their best not to alert the user. After all, why turn off the information hose as long as it’s producing information?
Consequently, one of our primary concerns should be the interaction the user makes with their computing device. If it is not possible to easily educate them on legitimate activities or requests vs. illegitimate ones, make it easy for them to understand how to control what is happening. For instance, even when they provide an administrator password to a seemingly legitimate prompt, there should be no lasting, hard to control activity. For example, an application editing the Windows Registry should not be permitted to alter settings outside the application scope (sandboxing). An educated user is a safer user. We need to do more to educate our users on the safe usage of computers, and teach them how to discern legitimate activity from illegitimate. I also believe that the OS has a place in educating the user to an extent, and providing them with easy to understand control over changes they’ve made/approved.
Windows 7 has improved the control over this particular example, but unfortunately at the expense of user understanding and interaction. Linux, Unix, and OS X on the other hand, sandbox applications and their configurations, requiring minimal administrator level permissions. Consequently, the user has to very explicitly and conscientiously make a decision whenever an application requires an administrator permission level. The controls to manage any permanent changes are very easy to use in OS X. A user deletes an application, and it no longer is capable of executing. There are no core registry changes that the user needs to be concerned about removing. Configurations are in individual text files, specific to each application. I digress however.
I do not run antivirus on my Macs. However, I run a network firewall (LittleSnitch) that informs me of network traffic going in & out. Just because my OS provides fewer attack venues, and is fairly secure, does not protect me from accidentally/foolishly approving a change which will transmit my personal information.
0 Responses
Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.