Good summary, Randy! I think for switchers who assert that they have been struck by a "virus" on their new Mac-whatevers the skeptical response may seem derisive, but I don't think we intend it that way. It's just that as a frequent visitor here the cry "I have a virus!" becomes wearying and our responses get shorter. And when someone insists that it MUST be a virus because yadda, yadda, yadda, it generally turns out to be something they allowed to be installed, or something that they did to diminish the built-in security, or something they downloaded from a dodgy site, or a "helper" package they installed that not only doesn't help but brought a host of parasites with it, or even something that is working exactly as advertised but the user didn't expect it to work that way. One user complained that he had a virus in Thunderbird that caused mail to be moved to the junk folder without human intervention. That's not a virus, that's how Thunderbird works! From Mozilla:
To deal with the large amount of unsolicited email ("spam" or "junk mail") that most people have to cope with, Thunderbird uses an adaptive filter that learns from your actions which messages are legitimate and which are junk.
So when the software did what it was designed to do, that is to move junk mail to the junk mail folder without human intervention, the user was surprised and immediately leapt to the conclusion of "Virus!"
And then you have the category of folks who believe that those of us that choose not to run A/V are too stupid, naive, whatever, to see the risk of that choice. These folks come here and tell us we have our head in the sand, don't know what the real challenges are or that we're mindless fanbois who drink the Apple Kool-aid about OSX.
Here is what I have done for security:
1. No Java, period. No reason to have it, it's carried malware in the past, don't have it installed.
2. No operative Flash, but I do have Click to Flash installed. That way I get to choose what runs, so that I will be responsible for what happens. (And I generally choose NOT to run Flash, unless I know for certain where the file originated and trust the source.) Again, Flash has carried malware and therefore goes into the sin bin.
3. Gatekeeper is always on. Folks who get annoyed by having to acknowledge that the thing they are about to install came from someplace other than Apple and disable Gatekeeper are like folks who get annoyed by having to unlock the front door with a key every time they come home. Leaving the front door unlocked is convenient but NOT smart and will eventually lead to someone coming in that you wouldn't want in.
4. I don't go to sites I don't know. I don't click on links until I get to examine them. I don't respond to things that sound too good to be true. When I get a prompt to update Flash, or some other application, I ignore the prompt and then go directly to the Flash options in System Preferences to see if there really IS a valid update waiting. I don't let Adobe, or anybody else, automatically update anything. I want to KNOW what is going on in my system.
5. I leave my OSX firewall on. Yes, I know my WiFi router has a firewall from my ISP, and it works well, but I also know that there are ways to get to a system through WiFi. If I had Ethernet cable, I would turn off the firewall, but as long as I am on WiFi, the firewall is on. It doesn't cost me anything to have it running, so why not have the extra layer there?
6. In Safari, the "Open safe files..." option is de-selected. As I said, I want to be in control of what opens on my system. Period.
7. My mail is strongly filtered for malware/adware/junk. I use a third-party mail forwarder who has a strong filter to screen my mail and then forward it to my ISP email address. My ISP provider then has their own spam/virus filters that they apply before delivering the email to me. As a result, I get little true junk or spam, and no Windows virus-infected mail.
8. I run Ghostery. I don't run Ad-ware, as Ghostery seems to block most of the annoying stuff. I choose to have Ghostery block EVERYTHING, which does mean that I occasionally can't see a picture, or a video on a site, but the loss of that picture or video is worth it to me to avoid all the other stuff Ghostery blocks.
9. I don't run any "helper" software. No downloaders, no torrents, no cleaners other than Onyx, no "speed up my mac" stuff. I run Onyx about once a year. I run ClamXav also about once a year, just for giggles.
10. I don't use any Google product. Period. Why? Because Google now insists on automatic updates. See my point 4 above. I have uninstalled all Google products from my system and set Bing as my default search engine.
11. I have a Facebook account, very few friends, never click "Like" and I have every security setting set to the highest level.
12. I use a password keeper and my passwords are all generated by the keeper as a minimum 16 digits of letters, numbers, symbols and mixed cases. I change the master password to that keeper frequently. I'm thinking of going to 32 character passwords on the sites that can handle that length. I do use two step verification at every site that supports it.
13. I use PayPal to pay for internet purchases. The PayPal account is linked to a single credit card with fraud insurance. If the seller doesn't take PayPal, I only use the same credit card with fraud protection on it for all those purchases. I have the account set to notify me by SMS and email every time the card is used and is not present.
14. I use backups in depth. I have two backup systems to two different external drives with archival copies on each drive going back at least six months. Yes, I'm paranoid about that, and proud to be so. Backups are a better investment than A/V software, as I'll explain next.
Running A/V on OSX is, IMHO, of little value, if any. Any attack on OSX must come from some currently unknown vector, as all the known vectors are pretty well stopped up. So any A/V software can ONLY scan for the known vectors, because that's all they know. But the attack, when it comes, won't come from there, it will come from some unknown weakness or opening. And no A/V software can protect from the unknown unknown.
I was managing a data center when the Morris Worm struck. Popular press at the time claimed that nobody knew about the potential problem until it occurred. Not true. I had a staff member who had been a developer at Bell Labs on the Unix project and he had months earlier plugged every avenue by which the worm attempted to come in. It was at a major university, and we were in the Administrative Data Center. We warned the Engineering school about the weaknesses, but they ignored our warnings because we weren't engineers, just administrators. When the worm hit, every computer at the Engineering school got infected and every one had to be completely purged and reinstalled. On OUR side, however, we had zero infections because we had listened to the sysadmin who knew his business. The lesson we all learned was that prudent computing practices can anticipate attacks through KNOWN weaknesses, but that it's still impossible to know EVERY weakness. That's when we came up with the term "unknown unknown." And you cannot protect against the unknown unknown except by having backups to restore to a time before the unknown unknown hits. I'm hoping six months is far enough back.
I was in the IT business for over 30 years before I retired a few years ago. In that time I learned that security is always a tradeoff of cost/benefits. Each user has to assess his or her own tolerance for risk in terms of what the cost might be if/when security is breached. For me, I've done what I think I need to do to operate at a level of risk that is acceptable to me. So when someone comes along and cries out that I'm being stupid, ignorant or a fanboi because I don't immediately adopt THEIR solution, I guess I do get dismissive a little.
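Several of the numbered practices in the post above (no Java, no Flash, Gatekeeper on, the OS X firewall on, Safari's "Open safe files" de-selected, 16-character minimum passwords) are settings that can be verified from a Terminal rather than taken on trust. The script below is an added example and is not code from the original post or from Apple; it is a read-only audit that reports whether a Mac matches the poster's choices. It assumes the command output formats of the macOS releases of that era (`spctl --status` printing "assessments enabled", `socketfilterfw --getglobalstate` printing "(State = 1)", `defaults read com.apple.Safari AutoOpenSafeDownloads` reading 0 when off) and assumes the sandboxed-Safari preference path used as a fallback; the live commands only run on macOS, while each check_* function takes the command's text as an argument so the decision logic can be exercised with constructed strings anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post: read-only audit of the
# poster's macOS settings (points 1, 2, 3, 5, 6 and 12). Each check_*
# function takes the text output of the relevant command (or a path or
# password string) and returns 0 when the setting matches the poster's
# choice, 1 otherwise. run_audit gathers live values on macOS only.
# Assumed: command output formats of 10.x-era macOS; the sandboxed Safari
# preference path is an assumed fallback.

# 1. Java: /usr/libexec/java_home prints a JDK path when one is installed
#    and prints nothing to stdout (non-zero exit) when none is found.
check_java_absent() {
    [ -z "$1" ]
}

# 2. Flash: the system-wide plug-in lived at this path; "absent" passes.
FLASH_PLUGIN="/Library/Internet Plug-Ins/Flash Player.plugin"
check_flash_absent() {
    [ ! -e "$1" ]
}

# 3. Gatekeeper: `spctl --status` prints "assessments enabled" when on.
check_gatekeeper() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# 5. Application firewall: `socketfilterfw --getglobalstate` prints
#    "Firewall is enabled. (State = 1)" (State = 2 means block-all).
check_firewall() {
    case "$1" in
        *"State = 1"*|*"State = 2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# 6. Safari "Open safe files after downloading": AutoOpenSafeDownloads
#    reads 0 when de-selected; a missing key means the default (on).
check_safe_files_off() {
    [ "$1" = "0" ]
}

# 12. Password length: the poster's minimum of 16 characters.
check_password_length() {
    [ "${#1}" -ge 16 ]
}

# report LABEL CHECK ARGS...: run CHECK, print PASS/FAIL, count failures.
FAILS=0
report() {
    label="$1"; shift
    if "$@"; then
        echo "PASS  $label"
    else
        echo "FAIL  $label"
        FAILS=$((FAILS + 1))
    fi
}

# Collect live values and run every check. Returns the number of failed
# checks, or 2 when not running on macOS.
run_audit() {
    [ "$(uname -s)" = "Darwin" ] || { echo "run_audit: macOS only" >&2; return 2; }
    FAILS=0
    report "1. Java runtime not installed" \
        check_java_absent "$(/usr/libexec/java_home 2>/dev/null)"
    report "2. Flash plug-in not installed" check_flash_absent "$FLASH_PLUGIN"
    report "3. Gatekeeper assessments enabled" \
        check_gatekeeper "$(spctl --status 2>&1)"
    report "5. Application firewall enabled" \
        check_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)"
    # Try the classic domain first, then the assumed sandboxed-Safari path.
    safe="$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null \
        || defaults read "$HOME/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari" AutoOpenSafeDownloads 2>/dev/null \
        || echo "missing")"
    report "6. Safari 'Open safe files' de-selected" check_safe_files_off "$safe"
    return "$FAILS"
}

# Stand-alone use: audit the machine this script is run on (macOS only).
if [ "$(uname -s)" = "Darwin" ]; then
    run_audit
fi
```

Every command the audit runs only reads state; nothing is changed, so it is safe to run on a machine whose owner wants to confirm the settings before deciding, as the poster did, that A/V adds little on top of them. The exit status of run_audit is the number of checks that failed, which makes it easy to chain into a daily reminder.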