Know Your Services and Configure Them All Securely
Now it's time to focus on sound security practices.
You Need a Backup
Your installation of Mac OS X may not have a restore DVD. The default system backup software is Time Machine. Buy an external drive. Put a few partitions on that drive. Use one partition for Time Machine backups. Give another partition an exFAT format, and you can use it with Windows systems and your Mac OS X system.
I like a strategy of using Time Machine for the operating system and many files. I think confidential data is best kept on other removable drives.
Encryption Gone Wild!
The Disk Utility application builds file systems on removable drives with encryption. File Vault can encrypt your data and the entire disk. Should you use these security features?
File Vault has had problems in the past. Encryption is only as effective as the password used to secure it. Encryption is one of several tools that provide access control. Keeping confidential information from live access on a computer seems as effective as encrypting it, with less risk of losing the data to a technical issue, such as file corruption creating irreversible encryption.
Remember that to be truly effective, true encryption must make the data irretrievable through any method different from the encryption tool. Check the Internet for vendors offering to decrypt your data or drive. That can indicate there are well-known holes in the encryption system. (Also check for stories of File Vault's improvements in Lion. Encryption is a terrible feature to over-trust and over-implement.)
The hacking community moves fast. Your computer updates need to happen more frequently, to keep pace with the attacks. Go into “Software Update” in System Preferences and check for updates everyday. Plan on downloading them automatically. Once you learn there's an update to install, do so promptly.
The more you share a computer's data, the less secure you can keep it. I like firewalls and have written extensively about them. I've enabled my firewall to slow attacks. But sharing and firewalling don't mix.
I recommend enabling the firewall and enabling as few exceptions to its blocking action as possible. If you choose to use your computer with online games and the like, you may need to disable the firewall.
At some point, you must balance your desire to provide file shares, web shares, printer shares, Remote Login, Remote Management (of your computer!!!), etc and the difficult firewall configuration these require. As you select more sharing technologies in the “Sharing” applet in System Preferences, your firewall won't be as effective.
The App Store
The App Store can be a secure place to pick up applications for your computer. Beware of getting software from the Internet, especially when prompted to do so from banner ads. This is a common way to fool people into installing hackware onto their computer.
While at the App Store, pick up anti-virus software. There are still very few Mac OS X viruses, but the software can stop some attackware from running on your system.
Be sure to secure your App Store and Apple ID.iTunes Store & Mac App Store: Best Practices for Protecting the Security of Your Account explains excellent information needed to keep your ID from compromise.
Location services are controversial. I struggle to balance the ability to prove all people evacuated a burning building with the Internet knowing my location at all times. You must decide whether this service is a security plus or privacy takeaway. Once you make this decision, enable or disable this service.
Apple provides great guidance at http://docs.info.apple.com/article.html?path=iChat/5.0/en/17157.html. Sharing remote access to your computer is very risky. Many hackers have learned to ask for you to enable screen-sharing or remote control for them. We Mac users have a reputation for being gullible. Don't be.
You must beware of screen-sharing, control sharing abilities in iChat, in X Windows, the ARD Agent (in /System/Library/CoreServices/RemoteManagement/), etc.
Hackers often attack computer time settings. Create too big a change in the system time, and some systems shut down with a kernel panic. Create enough of a time change, and the logs can be made worthless. Let NTP, Network Time Protocol, keep your system time accurate.
Figure 5 Set time automatically
Now that the time is set, it's time to conclude this article. Lion's security features are impressive, but none of these will matter if you do not enable them and do not back them with sound security practices. The operating system can warn you that a password is simplistic and prone to easy guessing. It is you who must work with Lion and choose to use good passwords and sounder security practices and configurations.