Mac Tips: Firewalls

Enabling the built-in Application Firewall

2017

Many people don’t realize that there are a number of built-in settings on your computer that will improve your defences just by being turned on. Your computer is by default in a generic and accessible configuration so that it works easily right out of the box. However, these generic settings are usually sub-optimal in terms of security. One of these easy-to-tweak settings is the internal firewall.

Turn on the application-specific firewall. Even if you have a firewall on the network level (which you should have… Always.), it’s important to have an application-specific firewall on your device as well. “Application-specific” means the firewall monitors and restricts an application’s use of the network and internet. By asking you whether an application is allowed to use the internet, it protects you from programs that may be trying to do malicious things without your knowledge, like tracking or phoning home (which is necessary for ransomware).

The application-specific firewall that comes on your Mac isn’t as good as the one I mentioned in my other blog post, Little Snitch, but it’s not unsubstantial and it will offer more protection than having nothing.

To turn it on go to:

System Preferences > Security & Privacy > Firewall

and change the default setting to “On”.

On the same page, you can go into “Firewall Options” (you may need to authenticate yourself by clicking the lock and typing your password). There you can turn on “Enable stealth mode” so your computer won’t respond to a certain type of network query (ICMP). You can also disable the “Automatically allowed…” options to further limit which applications are allowed access automatically.

Another important element for best practices is password quality and that will be getting its own dedicated post very soon. In the meantime, let us know if you have any questions on other default software settings that may be leaving you vulnerable.

Advanced

If you’re familiar with the command line and are comfortable with using some Python, you can use this script: osx-config-check. It goes through a list of changes to default security settings similar to the one above and allows you to pick and choose. It does a lot of the heavy lifting for you, but not every ‘check’ is right for everyone, so I don’t recommend aiming for 100% compliance. Your machine still has to be usable afterwards.

As always, you should be critical of code before running it on your computer. In the case of Open Source code on GitHub you can often get a good idea of its legitimacy by looking at the changes that have been made and how popular it is.
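To confirm from Terminal that the firewall settings described earlier actually took effect, the following is an added example, not part of osx-config-check or the original post. It assumes a macOS release of this era that stores the firewall settings in `/Library/Preferences/com.apple.alf`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit the three Application Firewall settings from this post.
# Assumption: the settings are stored in the com.apple.alf preferences domain.
ALF_PLIST=/Library/Preferences/com.apple.alf

# Read one key from the firewall preferences; prints nothing if unreadable.
alf_read() {
    defaults read "$ALF_PLIST" "$1" 2>/dev/null
}

# check_setting LABEL KEY WANTED...
# Returns 0 when the stored value equals one of the WANTED values.
check_setting() {
    label=$1; key=$2; shift 2
    value=$(alf_read "$key")
    for wanted in "$@"; do
        if [ "$value" = "$wanted" ]; then
            printf 'PASS  %s (%s=%s)\n' "$label" "$key" "$value"
            return 0
        fi
    done
    printf 'FAIL  %s (%s=%s)\n' "$label" "$key" "${value:-unreadable}"
    return 1
}

# audit_firewall: exit status is the number of failed checks (0 = all good).
audit_firewall() {
    failures=0
    # globalstate: 0 = off, 1 = on, 2 = on and blocking all incoming connections
    check_setting 'Firewall is on' globalstate 1 2 \
        || failures=$((failures + 1))
    check_setting 'Stealth mode is enabled' stealthenabled 1 \
        || failures=$((failures + 1))
    # Covers the "Automatically allow ... signed software" option
    check_setting 'Signed software is not allowed automatically' \
        allowsignedenabled 0 || failures=$((failures + 1))
    return "$failures"
}

# Run the audit only on a Mac; elsewhere the functions are defined but idle.
if [ "$(uname -s)" = "Darwin" ]; then
    audit_firewall || echo "$? setting(s) need attention"
fi
```

The script only reads settings; any change is still made in System Preferences as described above.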

Chris Huxtable
Managing Director