This article is a pre-release chapter in the upcoming “Take Control of Security for Mac Users,” by Joe Kissell, scheduled for public release later in 2015. Apart from, and , these chapters are available only to ; see  for details.
Time to get to work improving your security! Let’s begin with a few things everyone should do (with small variations depending on your risk level). This chapter contains steps so fundamental to your security that you’d be doing yourself a huge disservice to avoid them. Just as you need to check that the appliance is plugged in before you call customer service, the steps in this chapter constitute a sort of minimum threshold for security awareness.
It’s a fact of life: software has bugs. And some of those bugs result in security vulnerabilities. Fortunately, most major software vendors, including Apple, have teams of programmers working constantly to identify and fix security-related bugs. I can’t tell you how many times I’ve read breathless news reports about some newly discovered and seemingly disastrous Mac security issue, only to see a software update from Apple fix it a few days later before any widespread damage occurs. This is Apple’s normal pattern, and it’s why you should never lose sleep about the Mac security crisis du jour.
However, Apple security updates don’t help unless you install them! If you have automatic software updates turned off and never bother to check for updates, you could be needlessly putting your Mac and your data at risk from problems that were solved months or years ago.
Software updates fall into several categories, all of which can fix security issues:
Which of these should you keep up with? Ideally, all of them—but at a bare minimum, be sure to install the stand-alone security updates. The next-highest priority would be minor OS X updates.
In most cases, when Apple releases a security update, it’s available for the current version of OS X and the previous two—so an update in early 2015 would apply to Yosemite, Mavericks, and Mountain Lion. If you aren’t at least on the third-most-recent version of OS X, you risk dangers from known security problems that Apple won’t ever fix.
Meanwhile, each major new version of OS X contains entirely new security features, independent of bug fixes. Yosemite offers certain intrinsic protections that Mavericks did not, and Mavericks has security features that Mountain Lion lacks. So if you really want all the latest security goodness, you should (if your hardware supports it) upgrade to the latest version of OS X and install all the pertinent OS X, security, and app updates.
All Apple software updates are now delivered through the App Store app, which also handles a good bit of third-party software. You can use that app to manually install any available update, and you can configure its preferences to automatically download and/or install new updates as they appear.
If you haven’t recently checked for OS X updates, open the App Store by clicking its Dock icon, double-clicking its icon in
/Applications or in Launchpad, or choosing Apple > App Store. Then click the Updates button on the toolbar.
Now, to update a single app, click the Update button next to it. (In some cases, Apple groups multiple software updates together; click the More link to see details on each one.) Or, to update all the listed apps at once, click Update All. You may be asked for your Apple ID and password, but otherwise the App Store downloads and installs the updates automatically.
You can have your Mac check for, and even download and install, updates from the App Store in the background—with or without asking for your explicit approval.
In fact, the first time you update an app in the App Store app under Yosemite, a dialog appears (Figure 1) asking if you want this automatic installation—click Turn On or Not Now, as you prefer (you can change the setting later, as I describe in a moment).
Personally, I prefer to learn about updates as soon as possible. And, because there’s a greater than 95 percent chance that I’ll install any given update, it saves time to let OS X download updates automatically in the background. I don’t necessarily install updates as soon as they appear, because occasionally updates cause more problems than they fix. I like to keep an eye on social media to make sure the new software won’t wreak havoc if I install it.
You can decide on your desired level of automation, but at the bare minimum I urge you to turn on automated checking for updates so that you’ll be notified when something new is available.
Follow these steps to configure software updates:
Of the above settings, I suggest selecting Automatically Check for Updates, Download Newly Available Updates in the Background, and Install System Data Files and Security Updates. That way, the most urgent security fixes will be installed automatically, while less-critical updates will be downloaded as soon as they’re available, enabling you to install them more quickly when you’re ready.
Software that didn’t come from the App Store must be updated separately. The majority of modern apps include a Check for Updates menu command—or something with similar wording—and a preference that lets you enable automatic checking if you like. So go through your most frequently used apps now, use the Check for Updates feature, and if applicable, enable the preference to tell you automatically about new updates as they appear.
The Security & Privacy pane of System Preferences is (as the name suggests) the spot to adjust many of your Mac’s security settings. We’ll cover them all at some point in this book, but for now, I want to draw your attention to a few especially important settings here. I’ll also mention settings in the Users & Groups pane and in the Keychain Access utility that deserve a quick look.
In the General view of System Preferences > Security & Privacy are a couple of settings you should check:
Your changes take place immediately. But wait! There’s one more thing to do. In Step 2, if you selected Require Password after Sleep or Screen Saver Begins, you must also make sure that one or both of those things will happen automatically! Here’s how:
When you set up a new Mac, one of the first things you must do is create a user account for yourself (your Mac can have many such accounts but at least one is mandatory), along with a username and password. By default, OS X logs in that initial user account automatically when you turn on or restart your Mac,. That means you can get right to work without entering a password, and it’s the most convenient arrangement for Macs with a sole user—especially if the Mac is kept in a secure place.
However, if anyone else (including a thief!) can get to your Mac, that automatic login becomes a problem, because your Keychain unlocks automatically (see, next) and all the files on your Mac are readily available.
Therefore, if your risk (see) is greater than Level 2, I suggest disabling automatic login. The consequence will be that you’ll have to type your password whenever you turn on or restart your Mac—but of course the very thing that poses a small annoyance to you is a much greater barrier to those you want to keep out of your Mac.
To disable automatic login, go to System Preferences > Users & Groups > Login Options and choose Off from the Automatic Login pop-up menu.
Your Mac’s Keychain contains passwords for apps and Wi-Fi networks, credentials for local network servers, encryption certificates, and other important information your Mac needs to function securely. If you use iCloud Keychain (see Use a Password Manager in Chapter 5), it may also contain credentials for Web sites where you have accounts as well as your credit card details.
Because this information is valuable and potentially sensitive, OS X encrypts the contents of your Keychain. However, whenever your Keychain is unlocked, your credentials can be passed to apps, Web sites, and network services without any additional intervention on your part. And how do you unlock your Keychain? That’s the crazy part—by default, all you have to do is log in to your Mac’s user account. And (as we saw in) another default setting is to log you in to your account automatically.
In other words, unless you take steps to change the defaults, merely turning on your Mac unlocks your Keychain! That means anyone else who might have physical access to your Mac can log in to all the Web accounts (like your bank, Amazon, or PayPal), file servers, and other resources for which you’ve saved credentials (like iTunes or the App Store)—although no one can see the individual passwords without knowing your login password, someone can use all your passwords.
Rather insecure, wouldn’t you say?
Well, if you decided that you’re at the lowest risk level (see), it probably doesn’t matter, because your Keychain is unlikely to hold anything terribly valuable. The inconvenience of having to log in and/or unlock your Keychain more often wouldn’t make sense.
For everyone else, however, I recommend taking one or more of the following actions:
/Applications/Utilities), go to Keychain Access > Preferences > General, and make sure Show Keychain Status in Menu Bar is checked. You can then choose Lock Keychain or Unlock Keychain from the Keychain menu.
/Applications/Utilities). Select login in the Keychains list and choose Edit > Change Password for Keychain “login.” Enter your current password, enter and repeat the new password, and click OK. (You should also enable the Keychain menu, as in the last bullet point, for easier locking and unlocking.)
Read More: Chapter 12 |  |  |  |  |  |  |  |  |  |  |  |