When you get a new Mac, how can you make sure you’ve set it up to be as secure as possible? If you walk through a completely fresh installation process, Apple tries to guide you into making the most-secure choices among alternatives, but it’s probably the worst time to try to sort out the options available and make those decisions.
A reader asked for advice for the next time they start from scratch, and I can offer that in this column. However, all of my suggestions can work just as well as later additions, whether you’re reinstalling OS X, installing and then migrating from a different Mac, or just continuing to use an existing installation. It’s better to set this up first, but it’s never too late to add layers.
Say yes to FileVault 2
FileVault 2, introduced in OS X 10.7 Lion, is Apple’s name for full-disk encryption (FDE). With FileVault 2 enabled, OS X starts up using the OS X Recovery partition, which presents an account login selection screen, instead of booting directly from your startup volume. OS X uses that login to unlock an encryption key, which is in turn used to decrypt your startup volume in real time, and the regular boot proceeds. When powered down, the entire contents of your drive are strongly encrypted.
There’s a secondary advantage with SSDs, which distribute writing new data to avoid excessive wear on specific flash memory cells, as flash eventually degrades. Without FileVault 2 enabled, there’s no absolutely secure way to delete data permanently on an SSD; with it enabled, fragments scattered around an SSD are encrypted, making recovery effectively impossible.
With a new system. Starting with OS X 10.10 Yosemite, Apple enables FileVault 2 during the setup or upgrade process unless you uncheck the “Turn on FileVault Encryption” box during that stage of setup. You can choose to use iCloud as a backup method to unlock the disk; if you leave the iCloud option unchecked, you create a recovery key instead. If you forget your password, either iCloud or the recovery key will be your only way to unlock the disk—the data is otherwise lost forever.
With an existing installation. Follow these steps:
- Open the Security & Privacy system preferences pane.
- Click the FileVault tab.
- Click Turn On FileVault.
- Decide whether you want to use iCloud or a Recovery Key as a backup if you can’t recall your password.
- Select which accounts can start up the Mac after it has been shut down and unlock the startup volume.
- Click Restart to begin the process.
The FileVault process can’t be halted once it’s underway, and it can slow down normal system performance. Start it on a Friday afternoon so it can run for hours or days. (You can disable FileVault, however, which requires another restart and a long period of time for decryption.)
Make routine clones and backups
This may not seem like a security issue, but having a reversion position in case your system is compromised is all about security. Macs have largely, but not entirely, escaped malware, and the fact that most attackers can’t get their claws into OS X or Safari to spread an attack widely doesn’t mean it won’t happen. Ransomware has such a high rate of financial return that criminals have started to try to infect Mac users; they don’t need to compromise millions of people, only thousands or tens of thousands.
Apple will prompt you about setting up Time Machine while finishing up OS X’s installation, as it will every time you attach a new disk to your Mac if Time Machine remains enabled. If you’re not ready to get another backup solution in place, take Apple’s advice. You can get extremely inexpensive, fast, USB 3.0-compatible multi-terabyte portable and AC-powered hard-disk drives from a number of sources, so there’s no excuse to not be backing up from the get-go.
If at all possible, I recommend a three-pronged attack:
- Use SuperDuper or Carbon Copy Cloner to create regular, even nightly clones of your startup volume. This lets you get back in business right away, even if you have to wipe your entire startup drive. I’d recommend always using a clone in addition to or instead of Time Machine.
- Cycle clones to an off-site location, like a safe-deposit box. Even if you can’t do this regularly, it’s still another insurance policy.
- Back up documents to encrypted cloud-hosted storage, preferring a service that lets you set a passphrase in such a way that the service never has access to it, such as CrashPlan or Backblaze. This prevents access to your files by employees of the company, hackers, and warrant-free government intrusion.
Should you get infected, in the worst case, you can roll back to a clone or copies of documents in cloud storage, or an earlier Time Machine snapshot.
Two-factor authentication with your Apple ID
Enabling two-factor authentication (2FA) for the Apple ID or IDs you use with your computer and iOS devices is a must in the current cracking climate. Seemingly every day, passwords are exposed from major online networks and retailers. If you’ve ever re-used your Apple ID password, its exposure with a crack could let someone gain access to your account.
Someone could also potentially gain remote access to a Mac if you have Back to My Mac enabled and allow your iCloud login to be used with it. That attacker would use your Apple ID credentials on another Mac, see the Mac show up in the list of available devices in the Finder, and then log in with the same Apple ID.
Apple’s 2FA is an update to its older two-step system, but it still relies on trusted devices to verify that you’re a legitimate person using a password to use an Apple ID for any online purpose.
In El Capitan, Apple doesn’t yet prompt you during setup to enable 2FA. When I set up a macOS Sierra system from scratch, I already had 2FA enabled, so had to provide confirmation, but couldn’t see whether you’re prompted if you don’t have it turned on yet. If you’re using two-step authentication, you have to disable it first in order to turn on 2FA. (iOS will, however, prompt you while setting up a new device or after erasing a device and setting it up from scratch.)
In OS X:
- Open the iCloud system preference pane, and click Account Details.
- Click Security.
- Click Turn on Two-Factor Authentication.
Follow the steps to add a trusted phone number or trusted devices.
I’ve had Apple’s 2FA enabled for months, and it’s such a relief every time I get the notification on multiple devices when I log into an Apple Web site or set up a new device—it reminds me positively that Apple is keeping track.
Consider installing some limited monitoring software
As a post-installation consideration, you might enable OS X’s firewall (in the Security & Privacy system preference pane), which offers some reasonable but very limited baseline behavior, or install third-party software that’s more extensive and customizable. Something like Little Snitch is a good idea—the software monitors incoming and outgoing connections, and lets you approve or deny them.
Little Snitch and similar software don’t prevent malicious activity, but if you’re paying attention as it asks you what’s acceptable and what’s not, you might notice if something awful has inserted itself into your system. You’ll also be able to control the “phone home” behavior of legitimate apps that you don’t want to connect back to the mothership to report information about you—even if that information is benign.
While network-monitoring software makes sense, I’ve been down on the anti-virus category for the Mac for many years, because by the time an app is capable of identifying and removing malware, it’s generally too late to be of any good. Apple updates its silent Gatekeeper in OS X to add malware signatures that prevent known malware from running, and that’s seemed to forestall any widespread attacks.
However, if you regularly exchange documents with people on other platforms or use multiple platforms yourself, or run Boot Camp or virtualized instances of Windows and other OSes, it’s worth not just installing virus-detection software on those platforms, but also on a Mac so long as it detects cross-platform viruses. Macro-based viruses that don’t activate in OS X software as well as payloads in documents you might transfer to Windows could turn you into a carrier. Intego Internet Security X9 combines application networking access and anti-virus software, including recognizing Windows malware, into a single bundle.
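To confirm from Terminal that FileVault, the built-in firewall, and a Time Machine destination are actually in place, here is an added example that is not part of the original column. It classifies the output of `fdesetup status`, `socketfilterfw --getglobalstate`, and `tmutil destinationinfo`; the output wording it matches is an assumption about those tools, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the settings recommended above from Terminal.
# The matched phrases are assumptions about each tool's output wording.

# Classify `fdesetup status` text. Check progress lines first, because a
# disk that is still encrypting also reports "FileVault is On."
filevault_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Classify `socketfilterfw --getglobalstate` text (State = 0 means disabled).
firewall_state() {
    case "$1" in
        *"State = 0"*)     echo off ;;
        *"State = "[12]*)  echo on ;;
        *)                 echo unknown ;;
    esac
}

# Classify `tmutil destinationinfo` text.
backup_state() {
    case "$1" in
        *"No destinations configured"*) echo none ;;
        *"Name"*)                       echo configured ;;
        *)                              echo unknown ;;
    esac
}

# Print a three-line report; return non-zero if any control is not in place.
audit() {
    fv=$(filevault_state "$1"); fw=$(firewall_state "$2"); tm=$(backup_state "$3")
    echo "FileVault: $fv"
    echo "Firewall: $fw"
    echo "Time Machine destination: $tm"
    [ "$fv" = on ] && [ "$fw" = on ] && [ "$tm" = configured ]
}

# Query the live system only on a Mac where the tools exist.
if command -v fdesetup >/dev/null 2>&1; then
    audit "$(fdesetup status 2>&1)" \
          "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)" \
          "$(tmutil destinationinfo 2>&1)" || echo "At least one setting needs attention."
fi
```

An `encrypting` result means FileVault has been turned on but the volume is not yet fully protected, so the audit reports it as needing attention until conversion finishes.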