Start with Security Basics

Security has a broad meaning in everyday life, but a more specific one when it comes to data, networks, computers, and mobile devices.

In this chapter, I want to introduce you to what you have at risk and how to set your goals in protecting your Mac as part of the philosophy that you’ll find throughout this book.

Understand What Security Means

As a general rule, we talk about security when we mean a way to reduce the likelihood of harm. You go through a security checkpoint at the airport. You have a home security system. A lecture is cancelled due to security concerns. An ad for a bike lock claims it offers high security.

With computing and networking, however, security is more specific: it’s the measures you take to prevent harm to you by the extraction, interception, loss, or corruption of your data.

It’s rare that a violation of your Mac’s security would result in physical harm to you or anyone else—unless someone breaks in and attacks you while also stealing your Mac.

But even without a physical assault or fear of it, you can suffer emotional harm from the sense of invasion or damage that results from an invasion, particularly if someone violates your security to steal personal information that is then disseminated or used against you.

You can also certainly incur financial damage (theft of identity or money), waste your time (canceling credit cards, changing passwords), find yourself spending hours coping with the aftermath (removing malware, restoring deleted files), and so on. If your Mac becomes part of a botnet, you could also harm other people’s devices. You might, as a result, also have your internet service cut off temporarily by your ISP in an attempt to block attacks coming from inside its network.

Previously, Apple’s security options focused mostly on resisting network-based attacks or local ones from software that was downloaded and installed with or without your permission. But Apple has stepped up tremendously over the last few years in a new area: protecting your data when someone can take physical control of your Mac.

That includes someone merely sitting down in front of your machine for a few minutes and extracting the contents of your drive without leaving a trace, popularized by hackers in movies; or someone purloining your computer temporarily or indefinitely to try to crack into it at their leisure or with specialized equipment. It could be as simple as them rebooting a Mac from a USB drive, installing malware, and restarting—or as fiendish as a little hardware tap.

As a result, you now should think both about the digital sense of security and the physical sense:

  • The digital part involves protecting your passwords, guarding against remote attacks over the internet, and halting the delivery, installation, and deployment of malware.

  • The physical part involves configuring and understanding Apple’s features that deter hands-on attacks, up to and including someone removing a motherboard or an SSD or hard disk drive.

Improving your Mac’s security reduces the chance of certain harms:

  • Loss of data

  • Data taken off your device and sent elsewhere

  • Degraded performance

  • Malware that sends spam from your Mac

  • Loss of control over your Mac, including being locked out

Determine Your Risk Profile

In his 2004 TidBITS article “Evaluating Wireless Security Needs: The Three L’s,” Adam Engst laid out the three factors he considered relevant to determining one’s risk when it comes to Wi-Fi security. He called them the three L’s: likelihood (the probability that someone will violate your security), liability (the cost—financial or otherwise—that you’d incur if a security breach happened), and lost opportunity (what you lose in terms of time and convenience by implementing stronger security). That article is still well worth a read.

Times, technologies, and threats change, but some people still face greater risks than others. If you can assess your own level of risk soberly, you’ll be able to take appropriate measures—neither too weak nor too strong.

The Risk for Most People

Years ago, it made more sense for nearly all Mac users to consider their susceptibility to outside attack: how likely were you to visit sketchy sites, download applications that might contain Trojan horses, be infected by malware by visiting a site or running software, or even configure a network sharing setting that allowed people on the internet to scan and find weaknesses they could use to potentially copy data from your Mac, or worse.

That profile really changed by 2021. The biggest risk that most Mac users face comes from phishing email and websites that appear to be legitimate ones but are fraudulent, as well as general social engineering, in which people attempt to convince you to do something harmful to your computer—and your security and privacy.

Phishers want your personal data, preferably financial elements, like your credit card number, expiration date, and verification code. They try to offer credible-looking security warnings and fraudulent webpages at which you enter payment information, or credentials they can use to access your bank and other accounts. More general attackers want to fool you into installing software that appears to be legitimate, but actually encrypts your personal files and holds them for ransom (ransomware).

The nice part is that, again, for most Mac users, Apple largely has this covered, though a few third-party options can help:

  • With two-factor authentication (2FA) enabled on your iCloud (and other) accounts, your username and password by themselves won’t allow someone to log in to an account. They need your SMS messages, your trusted devices, or your authentication app. (See Apple’s 2FA how-to webpage, or read Take Control of Your Apple ID for more about 2FA.)

  • With Apple Pay via an iPhone or on a newer Mac with Touch ID, your credit card number is never shared. You can avoid sites that don’t let you pay by Apple Pay—or you may view them a lot more carefully. Financial apps and notifications also make it more likely you will know immediately if your card is used without permission.

  • By not allowing the easy installation of unsigned software, Apple prevents most malicious software from running at all. See Apple Protects with Gatekeeper.

  • Anti-malware software has improved to the point that it can deter all common threats and new variants as they are released by malefactors. Some can even detect ransomware generically, and block its actions. See Fortify Yourself and Your Mac.

  • The technology for making constant, secure online backups of documents and creating local clones and backups obviates risks more present now than in the past, when those options were slow, expensive, or not feasible due to cost or bandwidth limitations.

By using Apple technologies and safeguards, running anti-malware software, and creating backups, you can dramatically reduce your likelihood of risks while also obviating the liability. Even if you’re infected by ransomware and don’t want to pay, you might lose no files; or if someone guesses an account login, you’re alerted as they try to log in, so you can change the password.

These modern options are generally easy and often free or included with other services. Even if you have to pay for them, the cost is typically modest, and can seem cheap compared to prices of the past.

The change in our general risk profile over time, however, comes with one big flashing red light. I noted a couple of times above that most people only need to take certain default strong, reasonable measures. However, if you work in particular fields or engage in political advocacy, you may face targeted attacks that evade basic measures that suffice for everyone else.

A human-rights reformer in an incipient dictatorship needs to take more safeguards than a suburban online shopper in Ohio. But identity theft can sometimes lift that Ohioan—or you—into a much higher category of risk, because someone decides your assets or information are valuable to them, and they’ve acquired credentials or personal information that will let them attempt to crack your security shell.

Elevated Risk Affects Many Categories

If you’re at higher risk, you should consider taking the most stringent measures in this book. Check the following criteria to see if they apply:

  • You work in the financial, legal, medical, or government sector: If you use a Mac at work—or carry one between home and work—you are likely subject to and have been given classes or briefings about regulatory requirements. You may be required to engage additional security, like using a VPN (see Umbrella Protection with a VPN) or enabling full-disk encryption (see FileVault Protection). If you don’t take these steps, and it’s discovered, or your machine is lost or data intercepted, you could be sanctioned, fired, fined, or even charged with a crime.

  • Your Mac contains unusually sensitive data: This could be old love letters you don’t want your partner to see, confidential business information from your employer (even if they’re not in the financial, legal, etc., categories above), records of a delicate medical condition, or anything else that could cause you serious problems (like loss of your job, insurance, or marriage) if it were to get out.

  • You’re famous: Congratulations! You already know the price of this in social media and when dining, traveling, or walking around, depending on how well known you are. But you’re also more of a target online, because of the obsession so many sites and people have with secrets about people who are seen to be famous.

  • Wealthy in real terms or cryptocurrency: People with more than a little money are regular targets, especially if they have significant Bitcoin or other cryptocurrency holdings. Having an expensive house doesn’t mean much in the current real-estate market; it’s more likely that you have elevated risk if there’s coverage or securities filings that disclose your wealth, stock grants, or other assets.

  • Rough travel: You frequent any of the internet’s seedier neighborhoods, such as sites that traffic in online gambling, porn, or pirated content (like software, television shows, or movies).

  • Secret or pseudonymous identity: You have an online identity, separate from your real-life identity, that you need to keep private. A number of times in recent years, people whose job or political position has prevented them from having a public persona have been outed for writing under another, typically fictitious name. (Pierre Delecto or Carlos Danger, anyone?)

  • Heated online interactions: You engage in controversial discussions that might result in people being exceptionally angry with you.

  • Careless co-users: You share your Mac with less-sophisticated family members who may not be as careful as you would be about things like downloading files from unknown sites, clicking links in email messages, and using good passwords. While you can set them up with their own macOS accounts—you should!—some of their actions can affect the entire Mac and your online accounts.

  • People in particular professions and of genders other than male: It’s a sad fact of modern life that being a responsible journalist, being an advocate for vulnerable people, believing the Earth is round and evolution legitimately established in the fossil record, or having the temerity to be a gender that someone else has chosen to be angry about online can cause reactionary individuals and groups to target you.

Now for the good news! Ten years ago, or even five, my advice to you would have likely been far more extensive and stringent than for the average user. In 2021, however, Apple’s and other companies’ baseline security is more accessible, easier to use, and more effective.

Throughout the book, I’ll note when people at elevated risk should consider add-ons or upgrades. My general advice will be to do everything I suggest as the baseline and build a bit from there.

For instance, if you fall into the above categories, in thinking about physical security of data:

  • Upgrade to a Mac with a T2 Security Chip or an M-series Mac: The additional physical security is worth it. (For more about M-series Macs, read Take Control of Your M-Series Mac.)

  • Enable FileVault: Use FileVault (see FileVault Protection) and also power down your Mac whenever it’s not in use; never leave it idle and running for more than a brief period.

  • Never make local, unencrypted copies of your data: All local copies should be on encrypted volumes that are unmounted after backup or shutdown when you regularly shut your Mac down; all hosted backups, if any, should only be with firms that offer strong, user-owned encryption.
