You can't do a security audit of the type you ask for on with modern computers. They are simply too complex. If your attacker has enough resources, they may be able to embed secret code in you network adapter that phones home for instructions upon seeing a specific 128 bit number. A second number immediately following can encode the address of the server to contact. Black-box testing is useless in this case because the search space is too large.
Some software, such as the L4 Microkernel
has been formally proven to be correct (assuming the machine checker and compiler are correct).
For usable software, you may want to investigate OpenBSD
. While not formally proven correct, they regularly audit the code for known security vulnerabilities. Be sure to read their Security Page
for more information.
If you insist on using Windows/Linux/MacOS, be sure to use your computer as a limited user. I would avoid logging in as the administrative user even to install software. In windows, most software refuses to install under a limited user. The only time the administrative user should install software is if you want all users on the machine to use the same software.
For some software like Adobe Flash I have found the easiest way to install it is install it as the Administrative user, then manually disable the browser extensions as the administrative user. This is an error-prone process. For untrusted software that you don't know what it does, you should definitely install it as a limited user. If the software requires administrative access, you can install it on a test machine; virtual or not. At the risk of multiple personality disorder, you may want to create separate user accounts for different high-risk activities. One for playing flash videos/games, one for bitcoin, one for business, and one for personal use. This only improves security if all of those accounts are limited users. This implies that your "gaming" machine should be separate from your bitcoin machine: most games have DRM that requires administrative access to install (and sometimes even play).
You Sir are a good man.
I enjoy the method you provide to disable and/or sanction certain software to different user accounts.
how do feel about disabling java? From my wanderings I have noticed very slight mention of it, however the slightest of mentioning were indeed ways of compromising systems through JVM.
What of scripts people can run on systems can anyone recommend anything?
Similar to OSX, how a user can fix system software problems through running AppleJack, or on several Linux systems where a person with limited knowledge can actually run a security audit with rootkit hunter?
I haven't seen anything beyond pocket protector talk on technet about security audits. Basically says security audits on windows is useless from what I can glean.