Cyber Security Checklist for Macs

Mac already has a lot of security tools built-in and can prevent virus and malware infections much better than Windows. You can read about all of these tools in detail on Apple’s app security overview.

That said, not all Mac security preferences are enabled by default. You’ll want to do a regular review of them when you’re reinstalling or updating the system and if you’re setting up a new Mac. Great security is no good if it’s disabled.

In this blog post, we focus on Mac cyber security and leave Windows and other operating systems to someone more knowledgeable.

Mac Cyber Security Checklist

This checklist for Macs is split into five sections:

This is an 80-20 checklist. It will cover the 20% of tasks you can do to prevent 80% of problems.

Instead of manually going through this list, you can also install the Pareto Security app (only $17 for Personal licenses) that checks all of this for you in a few seconds and does it on a daily basis. 

If you want to do it on your own, follow the Mac cyber security checklist below.

Access Security

With these preferences, we’re preventing easy login to our Mac when someone gets physical access to it. This can prevent annoyances like children playing on your company’s Slack to more serious issues like a thief getting access to your business files.

Automatic login is off

This preference disables automatic login which allows anyone to log into your Mac without a password. We strongly recommend you have this setting disabled, even if your computer is mostly at home. If your computer is stolen, they will be able to access everything immediately. And if you have children, then you don’t want them playing on your administrator account.

If you have other people using your Mac, we recommend creating non-admin accounts for them.

How to turn Automatic login off on Mac »

Password after inactivity

This preference requires entering a password after Mac wakes from sleep or screen saver. In combination with automatic screen saver, it locks your computer after inactivity and requires the password to log back in.

How to enable password after screen saver or sleep on Mac »

Password to unlock preferences

This requires an admin password to unlock any system preferences. As such, it prevents other users from changing important preferences and that includes malicious programs that can launch under a different user.

How to enable password to unlock preferences on Mac »

Screen saver shows in 5 min

With the screen saver showing automatically and the password after inactivity preference, your Mac automatically locks and prevents easy login if someone gains physical access.

How to enable automatic screen saver on Mac »

For developers: SSH keys require a password and use a strong encryption

If you use SSH with key encryption, then the keys should have a password or hardware key authentication. In case the device is stolen, it’s a lot harder to rebuild the keys that are protected this way.

A strong key size is required to prevent brute-forcing of the private key or at least delay it.

How to set a password for SSH keys and how to check SSH keys’ encryption

Firewall & Sharing

These preferences prevent (malicious) remote access to your Mac. This is to prevent bots that scrape the Internet for vulnerabilities to gain access to your computer.

Firewall is on with enabled stealth mode

Firewall prevents contact from other computers on the Internet or on your network, but still allows access through the firewall for your apps. This is a must as it has almost no impact on your regular work while blocking potentially malicious requests to your computer. 

Enabling stealth mode means your computer does not respond to ping requests.

How to enable Firewall and stealth mode on Mac »

Remote Login and Management are off

Remote Login and Management allow you to log into and manage your computer remotely, or that someone else can do it. There are legitimate uses, like your company administrator helping you set up your Mac, but it should also be disabled most of the time.

How to disable Remote Login and how to disable Remote Management.

Sharing is off

Mac offers easy sharing of files, media, printers, Bluetooth, and many other services. While all of these can be useful when you’re in an office or at home, they should be disabled most of the time. You don’t want to share some files at home, only to have them still publicly available in a coffee shop.

These settings include:

  • Screen Sharing
  • Media Sharing
  • Printer Sharing
  • Remote Apple Events
  • Internet Sharing
  • Bluetooth Sharing

How to disable file sharing on Mac »

macOS Updates

macOS updates include not only system updates but also many security configurations, like malware definitions, security patches, and certifications.

The settings are:

  • Check for updates
  • Download new updates when available
  • Install macOS updates
  • Install app updates from the App Store
  • Install system data files and security updates

How to enable all macOS updates »

Software Updates

App Store apps are up-to-date

Apps downloaded from the App Store are managed there. You can manually update them, or better yet enable auto-updates. You can do that by going to App Store’s Preferences and checking Automatic Updates.

Browsers are up-to-date

Browsers are your main contact with the internet and as such it’s important that you always use the latest version. Launch all your browsers every now and then and make sure they’re up-to-date. We would also recommend having them auto-update.

Chrome

Firefox

Messaging apps are up-to-date

Messaging apps are another contact with the outside world and potentially malicious actors. So you’ll want to keep them updated as well. A few examples are Zoom, Slack, or Facebook’s Messenger.

System Integrity

Boot is secure

If you use non-signed apps or test a lot of them, you might have disabled Mac’s security checks. Every now and then you’ll want to make sure the security workings are still in place.

How to make sure your boot is secure »

FileVault is on

Without disk encryption, your files on the computer can be accessed without requiring a login to the computer. The person would not be able to access the operating system but they can still extract all files, documents, photos, and any sensitive data from your disk.

Even if your computer is always at home, the encryption takes no time on Big Sur and macOS versions and it can be automatically disabled with your iCloud account, so there is no reason not to have it.

How to enable FileVault »

Gatekeeper is on

Gatekeeper helps protect from malicious apps by not allowing installation of unnotarized applications. Gatekeeper is always on unless you disable it through the command interface. You can run spctl --status in your Terminal and the result should be assessments enabled.

How to enable Gatekeeper on Mac »

Time Machine backup

Backups are a must. They allow you to go back and find deleted files, restore a stolen Mac, and just have a general peace of mind that your files are available on at least two devices.

With Mac, backups are so easy, it’s a crime not to have Time Machine set up. All you need is an external disk that you choose as a Time Machine disk and you’re good to go. Just make sure you plug it in at least every week. And if you have it regularly connected to an external disk drive, check the automatic backup as well.

When you’re creating the Time Machine disk make sure you encrypt it. The same rules apply as for using Filevault for your Mac.

How to enable Time Machine backup »

WiFi connection is secure

Unsecure WiFi is defined as one where the connection between your Mac and the access point is not encrypted. This usually happens on public hotspots. In those cases, you’ll want to use a VPN (Virtual Private Network), or it’s strongly recommended you avoid doing sensitive things – like sending important emails, accessing bank accounts, or shopping.

Other Security Considerations for Mac Users

With the above, you’ve covered the 80%. Here are a few more tasks if you want to be more thorough in your cyber security.

Password Managers

While Mac has Keychain as a password manager, it leaves a lot to be desired. If you are sharing passwords with your coworkers, employees or family, you’ll want to use a better password manager. There are two main options: 1Password and DashLane, both with similar features and offer easier control of your passwords.

A note on antivirus software on Macs

There are many antivirus and anti-malware options out there. However, for us, as a company of almost 10 Mac devices and with most of us with them for more than a decade, we haven’t ever had issues with viruses.

It is completely up to you. If you feel you might benefit from antivirus protection and you don’t trust your browsing habits, then feel free to purchase one. But if you know the risks when it comes to clicking links and plugging in USB keys, then the chances of getting a virus are really slim.

Summary

Macs have great security options out-of-box. But it’s not worth anything if it’s not turned on. Pareto Security app makes sure it is.

Dejan Murko

Dejan is the Pareto Security co-founder and Marketing Lead.

See other posts »

See code on GitHub