As the Mac slowly becomes more of a target for malware, it's becoming increasingly important that people know how to keep their computers safe. I figured it might be a good way to start the New Year with yet another resolution: Don't get infected! Of course this applies to other areas of your life as well, but I'll stick to the computers for now so this doesn't get awkward.
First of all, let's take a few minutes to go over the security settings on your Mac and what they do. I'm going to be covering High Sierra, but many of these settings are the same for earlier versions of the OS. I'll rate each setting in terms of importance, with a recommended setting if you just want to go through this article quickly without reading all the good bits.
Start by going to the Apple Menu and open System Preferences, then click on Security & Privacy. Then click the padlock in the lower left and authenticate with your user password so you can change the settings.
Under the General tab you have a few options:
Require password after sleep or screen saver begins
Recommended setting: On / Immediate
If someone steals your laptop, this is what will keep them from just oppening the lid and immediately getting into all of your data. You can choose how long before it takes effect, which goes hand-in-hand with your screen saver settings under Energy Saver. I recommend setting it to Immediate, and then using the screen saver setting to determine how long of a delay for you have to enter your password. My screen saver kicks in after 5 minutes or so.
Show a message when the screen is locked
Recommended setting: On
This setting is helpful for laptops if you're the kind of person who might accidentally leave your computer somewhere. You can set a message that says something like "Reward if found, call Charles at 555-555-5555." Otherwise, if someone finds your machine they will have no easy way of getting it back to you (although if you have Find My Mac turned on in iCloud preferences, you can use Lost Mode to set this message remotely, but it's a better bet to have it on ahead of time).
Disable automatic login
Recommended setting: On
Without this setting turned on, all someone would need to do to get into your files would be to turn off the machine and turn it on again, and it would take them right into your account.
Allow apps downloaded from
Recommended setting: App Store and identified developers
With the latest version of macOS, Apple has removed the option of allowing software to be installed from anywhere. Now, you can only easily install software from the App Store or if the software itself has a developer ID that matches Apple's database. This setting will dramatically reduce the likelihood that you install software that could be a security risk, but it doesn't remove it entirely. It's also possible to get around this option and install anything you want with a simple keystroke, but at least it forces you to pay attention to what you're doing. Installing applications from questionable sources is the most likely vector for getting truly malicious malware on your machine. The reason I rate this low is because Apple only gives you two options, and they're both pretty darn safe.
The FileVault tab has one setting, which is to enable FileVault.
Recommended setting: Enabled
FileVault encrypts all of the data on your Mac. When you log in, the files are automatically unencrypted on the fly, but if someone doesn't have your user password then they won't be able to access your files. The reason why this setting is so important is that if FileVault isn't enabled, all of the previous settings you configured about passwords and logins can be gotten around by simply booting the Mac into Target Disk Mode and then connecting it to another Mac. Voila, instant access to everything on your machine. But with FileVault enabled, they won't be able to enter Target Disk Mode without the FileVault password.
Note: With the new FileSystem Apple introduced with High Sierra, this setting is actually somewhat redundant as APFS has its own encryption. I expect Apple to remove this setting in the future, and just have everything encrypted by default.
Recommended setting: Off
Turning on the Firewall forces the system to question all incoming and outgoing network connections on the machine, and if they're unrecognized then you have to manually approve them. The primary reason I don't recommend this is because almost all home internet connections are already behind a firewall anyway. In addition, the firewall messages are confusing to most users. Not only that, but if you deny anything then the app that made the request won't function properly, and you may have no idea why a few months down the road.
This is where you have granular control over what apps have access to what services. When you first run an app, it should tell you what it wants access to and why, and will ask for approval. Without your approval, an app will not have access to any of these items by default. If you ever want to revoke access later, you can do it here.
Here you'll see what apps are capable of using your location and whether they're enabled or not. It's useful for Siri to have your location, so she can give you directions without you having to type in your start address. If third-party apps like Crystal Blaster Pro want your location and you don't know of a good reason why they should have it, turn it off (or better yet, assume the company is using you for data mining and delete the app).
Recommended setting: On for apps where it makes sense, such as Maps, Siri, or Weather
These apps have access to everyone in your contacts app. Third-party apps will almost certainly want this so they can send marketing emails to your friends, which is really crappy.
Recommended setting: Off for third-party apps
These apps have access to your calendars. Third-party apps will use this to add appointments to your calendar. If in doubt, deny access.
Recommended setting: Off unless the app needs the ability to add appointments to your calendar
These apps have access to your reminders. Things like meditation or health related apps may want to set reminders to alert you at specific times of day.
Recommended setting: Only on for apps that you want to be able to remind you
This app will have access to your photos. This includes the ability for apps to add pictures to your photos.
Recommended setting: On for any apps you use that modify or create photos
This can be obscure. Accessibility is the feature of macOS that is intended to allow modifications to how things work to make it easier for people with disabilities. Sometimes apps will want to take advantage of an obscure setting in here to make them easier to use. Dropbox, for example. Keep in mind that turning off those apps may limit their functionality.
Recommended setting: On for apps that you trust
You only have two choices here, and Apple asked you for your permission when you first set up the OS. YTou can choose to share data with either Apple or third-party app developers to give them a better idea of how people are using the apps and to help them fix crashes. Apple is very conservative about what data can be shared.
Recommended setting: On for both
Now that we've covered the security settings, let's talk very quickly about installing software.
Anytime you install an app on your Mac, it's the equivalent of inviting someone into your home. Apple has some built in protections to try and prevent apps from doing anything really malicious (like putting locks on the bedroom doors in my analogy), but the fact remains that this is still the biggest threat on your computer itself.
One problem I've been dealing with on an increasing basis is Adware. This usually involves popping up windows in your web browser, extensions that track what websites you're visiting, changes to your homepage and search engine, and other bad juju. The most common vector for infection is downloading software from suspicious websites.
Most infections I've seen end up being related to Adobe Flash. The problem isn't with Flash itself, but the websites where people are getting it from. They download an installer that installs Flash (although likely not the latest version), and also installs adware that the user isn't aware of. Then the fun begins! And by fun I mean calling me in a panicked state because your computer is popping open porn websites while your daughter tries to play Minecraft.
Whenever you download software from somewhere other than the App Store, be sure to get it straight from the developer's website. This is usually the top hit in Google, but not always. Pay particular attention to the URL of the website, especially the domain immediately preceding the suffix (such as adobe in adobe.com, or slashdot in slashdot.org). See the screenshot below.
Note that seeing adobe in the URL isn't sufficient, it needs to be immediately before the suffix that you pay attention. If you make the mistake of going to Softonic, there's a possibility you'll end up infected after you run the installer you download.
When in doubt, feel free to shoot me an email and ask, and I can help you find what you're looking for safely.
Have a safe and happy New Year!