Question

Question 3. Pick three security failures of Mac system and explain how you would address them.

Answer 1

Maintaining privacy and keeping data secure are hugely important for any Mac user. Yet many of us give it scant attention and do little more than the bare minimum, if anything at all to ensure that hackers, opportunists and, yes, even the authorities, are able to access as little of our personal data as possible.

Yet, macOS makes securing your data very simple, thanks to a host of tools in System Preferences and Safari, and several third party apps.

There are three places threats to your data are likely to come from: over the internet, via an email, or from someone with direct access to your Mac. Taking steps to protect yourself will minimise the risks.

When it comes to Mac security we'd normally recommend that you make sure the macOS software is up-to-date, however, from time to time Apple has been caught out by security flaws in the Mac operating software, such as the High Sierra Root bug that made it possible for a hacker to access all the settings on a Mac just by logging in as root in System Preferences. Luckily this flaw has since been fixed in an update to macOS.

It is wise to update macOS when Apple issues security updates, such as in January 2019 when the company issued an update to macOS that addressed vulnerabilities that could allow your Mac to be hacked. More information about that here: How to stop your iPhone, iPad or Mac getting hacked.

Apple normally reacts quickly when Mac malware surfaces, and has various measures in place to guard against threats, as we explain in this article about how Apple protects you from malware. However, from time to time malware may appear and it may be necessary to make changes to the way you use your Mac while waiting for the necessary protection. For example, the advice regarding the Mac CookieMiner malware in January/February 2019 was to clear Chrome browser caches after logging in to financial accounts. There is more advice on the CookieMiner malware here.

We will go through the various Mac security settings you can use to protect your Mac in the article below. If you are still concerned, we have a round up of the best Mac antivirus apps here, in which we recommend Intego as our antivirus option of choice.

Additional reporting by Kenny Hemphill

Security & Privacy settings

Let's start with the basic Mac settings you should be checking to ensure security is watertight.

To familiarise yourself with the controls, pay a visit to the Security & Privacy pane in System Preferences. Here, you'll find four tabs that control various aspects of security.

1. Open System Preferences. You can get to System Preferences from the Apple menu in the top left of your screen. (We have a complete guide to System Preferences here).
2. Click on Security & Privacy.
3. You'll see tabs for General, FileVault, Firewall and Privacy.
4. To change any of these settings you'll need to click on the padlock at the bottom of the screen and type in your user name and password.

If you have an administrator account, you'll be able to make changes that affect the whole Mac, if not they'll only apply to your account.

We will look at the various changes you can make here to secure your Mac below.

Read next: Best Mac Antivirus software | How to remove Mac malware | How to open app from unidentified developer.

Turn on the Firewall

The first step to securing any Mac is enabling the firewall, which blocks any unwanted incoming network connections. You might think the firewall is enabled by default but it often isn't. (And, no, we have no idea why not.) Luckily, enabling it is dead easy and doing so is entirely wise.

Here's how to turn on the Firewall on a Mac

1. Click the Firewall tab in the System Preferences > Security & Privacy pane we just opened.
2. Click the padlock icon at the bottom left to unlock system settings (you'll need to type your login password when prompted).
3. Click the Turn On Firewall button.
4. Then click the Firewall Options button and, in the dialog box that appears, click the Enable Stealth Mode box. This last step means your computer will be largely invisible on public networks, such as shared Wi-Fi in a cafe.
5. In the Firewall tab, click Firewall Options to make changes. Here, you'll see a list of apps and services which are able to receive inbound connections. To add one to the list, if, say you try to run an app and it displays an error telling you it has been prevented from accepting an inbound connection, click the '+' beneath the list.

It's important to note that macOS's Firewall, while useful, offers only limited protection from malware. That's because it shields you from inbound traffic only. Its job is to limit which apps and services can accept incoming connections. It doesn't provide any control over outbound connections ie apps and services which initiate connections. So, for example, if you download a piece of malware, macOS's Firewall won't stop it connecting to the internet.

Some people choose to block outgoing network connections too so that certain apps can't "phone home" without their knowledge. This also means accidentally installed malware is unable to leak your data without you being made aware.

However, as we said, OS X/macOS offers no built-in way of blocking outgoing connections. Luckily third-party apps like Little Snitch (circa £30) and Hands Off (£38.95), or an outbound firewall found in anti-malware tools from the likes of Intego, Sophos and Norton, will do the job with aplomb.

Read our round-up of the best Mac anti-virus tools here.

Use a password

Let's go back to the first tab in the Security & Privacy pane: the General section.

There are three settings here you should pay attention to:

The first is the one that allows you to set a password for your account if you haven't already done so, or change your password if you think it's necessary. You should have a password (we have a guide to creating a good password here).

The next allows you to specify if a password is needed to unlock your Mac when it goes to sleep or a screen saver begins. You can choose to do so immediately, or at different increments of time following the sleep or screen saver starting. If you work in an office with other people, you should consider switching this setting on. (Here's more advice on How to lock a Mac.)

There's also an option to Disable automatic login, which you should do - you would have to be exceptionally lazy and unconcerned about security not to use this setting, but if you did then you wouldn't have to enter your password when you start up your Mac. You should check this, particularly if you use a mobile Mac. If your Mac gets stolen, you don't want the thief to be able to access your data.

You can also choose to Allow your Apple Watch to unlock your Mac, assuming you have an Apple Watch. With this option selected all you need to do it be wearing your Apple Watch (and for the Watch to be unlocked) and your Mac will automatically unlock when you are nearby. (You won't be able to use this setting if you have Internet Sharing turned on though).

While we're on the subject of passwords, we'll remind you that good passwords should be difficult to remember. They should also not be written down.

Luckily, Apple provides iCloud Keychain as a way to remember your passwords and suggest good passwords for you to use via its built-in random password generator.

With iCloud Keychain turned on you need only log in with your Apple ID and it will automatically enter any required password for any service or website.

iCloud Keychain can store all your account details, credit card numbers and other personal information (including settings for email, contacts, calendars, and social networking services) and automatically make them available if you need to log into something on any of your Macs and iOS devices.

Alternatively you could try a password manager such as 1Password (£3.99 a month) or Dashlane (£38.99 a year), or check out our list of the best Mac password managers. These apps allow you to create and store robust passwords and sync them across all your devices. Crucially, however, they encrypt the data and allow allow access when you type in the master password.

For more ideas, read: How to choose a strong password, what is a good password

App download preferences

At the bottom of the General screen are two options relating to which apps can run on your Mac.

The safest, but most limiting option, is to only allow apps from the App Store to run. The other option is a good compromise, allowing you to run apps from the App Store and from developers known to Apple.

In older versions of MacOS there was an option to allow apps from Anywhere. If you have this option we would advise against using it.

You will still be able to run an app that doesn't come from the App Store or an identified developer, but you will have to approve it before it will run.

Here's how to open an app from an unidentified developer if you do want to do that.

Turn on FileVault

With FileVault turned on all the files in your user account will be encrypted.

To decrypt them, you'll need to type in either your account password or the recovery key created when you switch FileVault on.

For most users, the inconvenience of having to type in a password to open a file, together with the time it takes initially to encrypt all the files on your Mac, outweighs the security advantages.

But if you have reason to keep data as secure as it can be, switch it on.

Check your privacy settings

The last tab, Privacy, covers a number of different controls and settings. These are listed in the window on the left of the pane.

Location Services allows you to control which apps have access to your location data. You can switch Location Services off completely here, or prevent individual apps from accessing data.

Likewise, Contacts, Calendar, and Reminders allow you to specify which apps on your Mac can access the information stored in those core OS X apps.

If you click on Photos you'll see all the apps that have requested access to your Photos library.

If you've added your Twitter, Facebook, and LinkedIn details to the Internet Accounts System Preferences pane, you can control which apps have access to those accounts here.

Then there's the Accessibility section. Despite sharing a name, this, confusingly, has nothing to do with the settings available in the Accessibility pane in the main System Preferences window. Here, you can control which apps are able to control your Mac in some way. For example, Deeper and Onyx allow you change settings which would normally require Terminal commands. To use them, you'll need to enable them here.

Finally, an option added in macOS High Sierra was Analytics, which allows Apple and app developers to improve their products based on data gathered about your use of their apps. You can choose not to share this data here.

Read next: How private is your iPhone data?

Check Safari privacy settings

Away from System Preferences, Safari has several settings that allow you to control privacy.

The first is New Private Window, from the File menu (or Shift+command+N), which allows you to visit websites, without a record of where you go being stored in the History menu, or anywhere else on your Mac.

The second is Clear History, in the Safari menu, which if you click it periodically, erases cookies and other cached data from the sites you visit and removes them from the History menu.

In Safari's Preferences, the Privacy section allows you to prevent websites tracking you, and control which sites can store cookies on your Mac.

It used to be possible to specify how your location data is made available from this window, but since High Sierra these settings have been addressed under a separate tab, in Websites > Location. Here you can choose to set Safari to always deny location information, or allow specific websites to access your location.

And if you're concerned about storing website username and passwords, or personal data, go to the Auto Fill and Passwords sections and uncheck the boxes that enable those services.

Check what you're sharing

Your Mac is able to share files with other Macs, and can share data in various other ways too - including sharing the whole screen to facilitate remote working. Once a sharing service is enabled it's like fitting a new door or window to your house

Yes, that door or window might be considered secure - people will need a password to utilise screen sharing, for example - but there might be a flaw in the door or window that makes it not quite as impenetrable as you might think. In simple terms, it's a good idea to turn off any sharing service you're not using, and the majority of Macs used in the home environment should have all sharing services turned off.

Here's how to turn off sharing:

1. Open System Preferences.
2. Click the Sharing icon.
3. Go through the list on the left, and look closely for any ticks in the boxes beneath the On heading.
4. Remove any ticks you see but if in doubt take a look at the following list to make absolutely sure you're OK disabling that particular sharing service.

Screen Sharing & File Sharing

Screen sharing: Used mostly in corporate environments to let tech support workers see or control your screen, and perhaps perform repairs/updates. Windows and Linux computers can also use it to control your Mac's screen via VNC. Not heard of VNC, not in a corporate environment, and never access your Mac remotely? Ensure it’s turned off.

File sharing: Lets other computers on the network access your computer's file system, including Linux and Windows computers - technically speaking, it enables Windows File Sharing (SMB), Apple Filing Protocol (AFP), and Network File Service (NFS).

The file sharing system was used by the Back To My Mac service, which was part of iCloud but Apple removed it when Mojave launched. Back To My Mac allowed you to access your Mac's files from another Mac via the internet (although it has absolutely nothing to do with iCloud Drive, which performs a similar function). If you're not sharing files across the network, and are not using Back To My Mac, then this option should be switched off.

Printer Sharing, Remote Login and Remote Management

Printer sharing: Shares any printer connected to your Mac with other computers on the network, again including PCs. Should be turned off if you're not sharing your printer, or if you don't even have a printer attached to your Mac.

Remote login: Allows connection to your Mac via SSH/SFTP, and mostly used by techies to work at the command-line when away from their Macs. Should be turned off if that description doesn't apply to you - and we're pretty sure it won't!

Remote management: Used in the corporate environment to let administrators access your Mac to do things like perform upgrades, or make fixes. Should be turned off in all other circumstances.

Remote Apple Events, Internet Sharing, Bluetooth Sharing and Content Caching

Remote Apple Events: One of Apple's many Good Ideas From Long Ago, this lets one Mac control another to print, or do just about anything, in fact, thanks to tie-ins with AppleScript, at one point a cool joke among Mac fans was to use Remote Apple Events to make another Mac speak, via speech synthesis.

The user of that Mac would be scared half to death when his computer seemingly came to life. However, if you need Remote Apple Events in our modern age then you’ll already know all about it. The rest of us can switch it off without worry.

Internet sharing: Lets one Mac share a Net connection with other Macs. This was created in the days of dial-up internet. It's extremely unlikely to be used now that broadband, Wi-Fi routers and home networking are the norm, so should be switched off.

Bluetooth sharing: Lets a Mac send and receive files to and from another Bluetooth-enabled device, such as a mobile phone. iPhones and iPads can't share files this way, so you're only likely to use it if you've got an Android phone. You'll find guides online telling you how to do this. However, in all other situations this option should be turned off.

Content Caching: A new option in High Sierra is to turn your Mac into an iCloud server that stores iOS updates on your Mac so that you don't have to download them directly from Apple to each of your devices - instead your devices just sync with your Mac and download them from there. That could speed up the process of updating your devices, as you won't have to download the update multiple times over what could potentially be a slow Wi-Fi connection. Content Caching can also be used for iCloud documents, photos and app downloads.

Apply a firmware password

macOS turns on FileVault encryption by default nowadays, which means the entire boot disk is encrypted and impossible to access unless it's unlocked at login via the user's password.

However, that doesn’t stop somebody using a USB memory stick to boot the Mac and potentially wipe all the data from the hard disk, or simply reinstall OS X/macOS.

The solution is to apply a firmware password. Unlike with a PC's so-called BIOS password, the Mac's firmware password prompt will only appear if anybody tries to boot your Mac in a non-standard way, which is to say, via a USB stick, or if they try and boot to the Recovery Console. Most of the time you won't see the password prompt.

In fact, it's from the Recovery Console that you'll need to activate the firmware password, so restart the computer and, just before the Apple logo appears, press and hold down Command+R. When the boot-time progress bar appears you can lift your fingers from the keyboard. Read all about booting in Recovery mode here.

Select your language and location when prompted, then click the Utilities > Firmware Password Utility menu item. Follow the instructions. Be extremely careful here! If you forget the firmware password then only Apple can unlock your computer. This is probably why this feature is optional!

Enable guest user

If you know anything about computer security you might be wondering if we've gone mad: we're asking you to enable the guest user? Doesn't that let anybody who's stolen your Mac actually use it?

Well, it's more that we're asking you not to turn it off, because it's a vital tool within the Find my Mac service, which is a part of iCloud that lets you attempt to track down a lost or stolen Mac.

Apple says the following: "The guest account works with the Find My Mac feature of iCloud, which can help you find your Mac if you lose it. You can locate your Mac if someone finds it, logs in as a guest, then uses Safari to access the internet."

So, don't turn off the Guest account if you have Find my Mac enabled in iCloud. To check, open System Preferences, click the iCloud icon, and then ensure there's a tick alongside Find My Mac at the bottom of the list at the right.

Check you have Guest User enabled by going to System Preferences > Users & Groups.

We have a complete guide to using Find my Mac to find a lost of stolen Mac here.