Security Measures for macOS Computers

Advice on digital security measures for high-risk macOS users

Problem

High-risk users might not be protected sufficiently by the default security settings of macOS computers. We need to check that basic security settings are set up correctly and that the client is also using the safest software available.

Solution

Initial assessment

We need to ask the client about their job and security context.

1. What do they use the computer for?
2. Do they travel with it?
3. Do they have any specific needs?

If the client’s threat model needs to be assessed more thoroughly, also see the questions in Article #200: Lightweight Security Assessment.

Recommendations

These are some digital security best practices for user at risk:

1. Hard drive encryption: check that FileVault is enabled, and enable it if it’s not.

   In recent Mac versions, FileVault is enabled by default. It is worth checking in any case that it is enabled in the client’s computer. For more information, see Article #104: Full-Disk Encryption on Mac with FileVault 2.

   • Instructions for enabling FileVault can be found here.
   • More information on FileVault and full disk encryption can be found in Citizen Lab’s Security Planner.

2. Enable the application firewall.

   • For an explanation of what a firewall does and why it’s important to enable it, we can send this link of the Security Planner to the client.
   • Instructions on how to enable Mac firewall can be found here.
   • When enabling the firewall, it’s a good practice to also enable stealth mode - this will prevent an attacker in the same network to discover the machine using probing request like ICMP requests (ping).

3. Enable Encrypted Time Machine

   Follow this link to help the user create an automatic and encrypted backup for their most sensitive files. This will help the user restore their important information in case it is lost or corrupted (e.g. in case they are targeted by ransomware).

4. Disable Apple Analytics

   Users at risk should not share unnecessary data outside of their safe environment. Therefore it is a good practice to disable Apple Analytics in order to stop their machine from sending their usage information to Apple. Follow the instructions in this link to opt out of sharing analytics.

5. Make sure that the system automatic update is enabled.

   • Send the client this link with instructions to update their software and enable automatic software updates.
   • More information on why automatic software updates are important can be found in this guide.

6. Make sure Gatekeeper is enabled

   Gatekeeper is Apple’s application white-listing control that stops applications from unverified sources from running without authorization. Disallowing unverified software will reduce the risk of unauthorized or malicious applications running on the system. Gatekeeper is turned on by default, but some users may choose to disable it or, in an extreme scenario, an attacker could disable it to make their exploit possible. We need to verify that Gatekeeper is enabled following the instructions in this link (section “View the app security settings on your Mac”).

7. Install an antivirus, and consider installing an antimalware.

   For more instructions on antivirus tools for Mac, see Article #128: Antivirus for Mac

8. Suggest the client to use Chromium or Firefox as default browser and to install addons for privacy and security.

   For more instructions on browsing security, refer to Article #212: Safe Browsing Practices and Plugins.

9. Change the default search engine to DuckDuckGo.

10. Consider sending recommendations on basic security hygiene and on other security tools, such as password managers and VPNs.

Comments

Related Articles

• Article #200: Lightweight Security Assessment
• Article #104: Full-Disk Encryption on Mac with FileVault 2
• Article #128: Antivirus for Mac
• Article #212: Safe Browsing Practices and Plugins