Here’s how to quickly and easily enact a sensible* amount of security for your Mac above and beyond the defaults activated with every installation/upgrade of OS X.**
FileVault encrypts your entire hard disk so that nobody can access its data without your login password, or without a recovery key that’s created when FileVault is setup (and which is typically stored as part of your iCloud data, although you can opt to keep it private for maximum possible security).
To activate FileVault, just open System Preferences, click Security & Privacy, click the FileVault tab, and select Turn On FileVault. Then follow the steps. FileVault makes its initial encryption pass of your data in the background while you work but it will pause if your MacBook isn’t plugged into the power.
Despite what you might read there’s no difference on a modern Mac between using FileVault, and having it switched off, so there’s little excuse not to use it.
2. Firmware password
I’ve written about this in the past but, in summary, you can add a password so that should anybody try to boot your Mac to anything but OS X (i.e. booting to Recovery, or booting via a USB stick) then they’ll need to type a password. PC people refer to this as a BIOS password, although on a Mac the prompt only appears if you attempt to boot into anything other than the default operating system.
It’s from the Recovery Console that you’ll need to activate it, so restart the computer and just before the Apple logo appears, press and hold down Cmd+R. When the progress bar appears you can lift your fingers from the keyboard.
Select your language and location when prompted, then click Utilities > Firmware Password Utility. Follow the instructions. Be extremely careful here! If you forget this password then apparently only Apple can unlock your computer. This is probably why this feature is optional!
3. Browser extensions
I don’t think it’s controversial to say that – thanks to HTML5 – you simply don’t need browser plugins nowadays, aside from the defaults added by Apple for various system functions. You especially want to get rid of Adobe Flash, which is repeatedly proving itself to be insanely insecure.
Apple provides advice about how to go about cleaning your browser plugins but in a nutshell start by quitting Safari, then open a Finder window, tap Shift+Cmd+G, type /Library/Internet Plug-Ins/, and hit Enter. Then drag everything you see to the Trash with the EXCEPTION of the following, which are provided by Apple for various system functions:
- Default Browser.plugin
- Quartz Composer.webplugin
- QuickTime Plugin.plugin
You’ll need to type your login password when prompted.
4. Scan for adware
Sadly, adware is becoming an increasing problem on Macs nowadays, although it’s nowhere near the epidemic levels reached with Microsoft Windows.
Malwarebytes Anti-Malware for Mac will scan your system for notorious culprits, and fix things if there’s trouble. It’s free of charge.
Your Mac includes background malware protection that fixes things automatically and invisibly should a threat become apparent. However, a variety of antivirus apps are available for the Mac. To my mind, keeping one of these installed on your system for occasional scans is perhaps wise but I definitely don’t feel there’s a need to have a antivirus app running all the time in the background, as with Windows. Of all the choices available I’ve been using BitDefender, which is available for free in the Mac App Store. Remember that antivirus scanners will also find Windows and Linux viruses, such as those in email attachments.
Open System Preferences, click the Security & Privacy icon, select the Firewall tab, and click Turn On Firewall (if it’s not already turned on). You may need to click the padlock icon at the bottom left to unlock the panels so you can make changes. This will require you to enter your login password.
Personally, I also like to have out-going firewall protection to watch out for any trojans that might land on my system, and just to keep an eye on apps that like to “phone home” without my knowledge. Little Snitch is easily the best example of such an app although at $34.95 it isn’t cheap.
Talking of Internet protection, again open System Preferences, click the Sharing icon, and ensure there’s not a check in any of the boxes at the left of the program window – unless you specifically want that service to be running.
6. Protect your USB sticks
OS X lets you format USB memory sticks so that their contents are encrypted. You’ll need to enter a password whenever the stick is inserted into your Mac, or any other Mac (although notably enacting this protection will mean the stick WON’T work on a Windows or Linux PC, where it will be reported as being corrupted).
Just follow these steps, which were created using OS X El Capitan. Be aware that files already on the stick will be deleted during the process, so you should temporarily copy them to a safe location and then copy them back once the following procedure is finished.
- Start by opening Disk Utility (open Finder, select the Applications list, and then double-click Disk Utility in the Utilities folder), and then insert the USB memory stick you intend to use.
- Look for the memory stick’s entry in the list of disks on the left side of the Disk Utility window. It will probably be identified by its size. Select the entry, but make sure you select the disk itself and not the partition(s), which will be listed below and indented slightly.
- Click the Erase button in the Disk Utility toolbar. In the Format drop-down menu, select Mac OS Extended (Journaled). If you see a Mac OS Extended (Journaled, Encrypted) option in the list then select that instead and skip to step 5 below. However, if not then in the Name field, type whatever you want to call the memory stick. This name will appear in Finder’s sidebar whenever you insert the stick in the future. Click the Erase button.
- Once erasing has finished, click the Partition button on the toolbar, then in the Format dropdown list of the window that appears, select OS X Extended (Journaled, Encrypted).
- You’ll be prompted to enter a password and verify it by typing it again immediately below. It’s important that you don’t forget this password! If you do, there is absolutely no way of recovering the contents of the memory stick — they’re lost forever. However, you will be able to reformat the memory stick so you can keep using it. Because of the risk, it’s a good idea to type something in the Password Hint field that might provide a clue to what the password is — the hint will appear in the future should you get stuck when entering the password.
- When you are done, click the Choose button in the dialog box, and then the Apply button in the parent dialog box. Erasing, partitioning, and encrypting will take a minute or two depending on the size of the memory stick. Once you’re done, the new memory stick will be ready for use. You can copy files to it by selecting its entry in the sidebar of Finder. You can also close Disk Utility.
You can now use the encrypted memory stick just like any other. Before physically unplugging it, be sure to eject it by clicking the Eject button next to the disk’s entry within Finder.
When you reinsert the memory stick, you’ll be prompted for the password. If when prompted for the password you check the box Remember the Password in My Keychain, you’ll never be prompted for the password again on that computer. However, if it’s inserted into another Mac, the password prompt will appear.
Don’t install Java. It’s one of the main attack vectors for hackers. If there’s an app you have that insists on Java, such as some older Adobe apps, download a newer version of that app that doesn’t.
If you’ve no choice but to use Java, or if Java’s already installed, then the best you can do is disable its browser plugin as described above. Notably, it’s virtually impossible to uninstall a Java installation from your Mac once it’s there.
You can find out if you have Java installed by following these instructions. Meanwhile, here’s how to disable Java’s plugin if you decide not to follow the steps above.
* I mention “sensible security” because there are a thousand hardware and software hacks you can implement to really lock down your system – using a YubiKey for two-factor authentication, for example, which also involves hacking OS X’s PAM system. But I’m looking here only at the tools built-in by Apple, and which are actually considered very adequate for most instances (unless you’re a spy… but then you probably know about this kind of thing already.)
** Default settings include Gatekeeper activation, which I therefore don’t need to deal with here. I’m saying this just so you don’t start going on about it in the comments…