Security for MacBook Air

I just bought my first personal MacBook Air. I recently read that Macs are not as secure as they once were. Can you please tell me the current recommendation for security? For our Windows laptop, we have both virus protection and a VPN. What's the thinking for these regarding MacBook? Many thanks.

Posted on Jun 29, 2023 10:57 AM

Question marked as Top-ranking reply

Posted on Jun 29, 2023 11:54 AM

My_first_Macair wrote:

I just bought my first personal MacBook Air. I recently read that Macs are not as secure as they once were. Can you please tell me the current recommendation for security? For our Windows laptop, we have both virus protection and a VPN. What's the thinking for these regarding MacBook? Many thanks.


macOS has full end-to-end tunnel support built-in. As does Windows, with TLS.


The widely-hyped first-few-hops VPNs protect against security issues that really haven't existed for a decade or so—Apple has been requiring encryption by default for all app networking activity for a while now—and by centralizing and personally-identifying your network traffic for easy collection and logging (and various no-logging providers were caught logging when the "non-existent" logs leaked), with the use of a weak (known credentials) second tunnel for the first several hops. Too many of the VPN providers are just sketchy, too.


macOS also has an effective anti-virus package built in, with XProtect, XProtect Remediator, and related features. As does Windows, with whatever Microsoft is calling Defender this week.


macOS has a write-locked operating system, encrypted storage, and various other security features, and optionally adds private relay akin to a two-hop Tor connection with iCloud+, and supports DDR, DNS over HTTPS, and DNS over TLS when you want that with iCloud+.


Encrypted DNS support is built in. Here is how to set up encrypted DNS with Quad9 DNS, and other providers offer similar connections. The built-in encrypted DNS available with iCloud+ uses Cloudflare. Or set up DDR, and get it automatically.


One of the other core features for data integrity and platform security is backups. macOS has built-in support for backups to locally-attached devices, and to network-attached storage (use of NAS requires Time Machine server support):

... Back up your Mac with Time Machine - Apple Support


Details of Apple platform security:

... https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf


PS: I'd suggest not trying to map Microsoft Windows concepts and norms over to macOS, too. The two are very different platforms, with different tooling, and different assumptions.


19 replies

Jun 29, 2023 12:18 PM in response to My_first_Macair

MrHoffman wrote:
PS: I'd suggest not trying to map Microsoft Windows concepts and norms over to macOS, too. The two are very different platforms, with different tooling, and different assumptions.


There are threats common to all platforms though, Macs / Windows / iOS / Android et al. Doesn't matter. The primary extant threat to all of them is not platform vulnerability at all; it's human gullibility. Macs and iOS devices are the most secure consumer-grade devices on the planet by far, yet human beings remain eminently hackable. Would you willingly divulge your passwords or Apple ID credentials to anyone just for the asking? Or, would you call some 1-800 number just because some message pops up on your Mac telling you to, lest dire circumstances ensue? I hope not, yet people succumb to such scams with disturbing regularity.


There is no technological defense for human frailty, but Apple does provide defenses in the way of two-factor authentication and others:


Recognize and avoid phishing messages, phony support calls, and other scams - Apple Support

Security and your Apple ID - Apple Support


... and many others.


If your defenses fail: If you think your Apple ID has been compromised - Apple Support


The bottom line? The three numbered points in Effective defenses against malware and other threats - Apple Community. And if that's too many steps, the simple phrase think before you click.

Jun 29, 2023 11:58 AM in response to My_first_Macair

Read the links stedman1 provided. It goes into specific detail regarding the reasons non-Apple "anti-virus" products are entirely worthless — and are for the most part, scams. Some are arguably malicious. All such products will do is to increase a Mac's threat profile, when your goal should be to reduce it.


To be nitpicky it is not the macOS application firewall we're discussing, which is an entirely different subject altogether. Don't use it either.

Jun 29, 2023 2:40 PM in response to My_first_Macair

My_first_Macair wrote:

ok thanks. My understanding is that VPN is a point-to-point tunnel between my Mac and the VPN provider (therefore encrypting my traffic again and hiding my public IP). In general, isn’t that actually more secure?


Your Internet traffic is already encrypted. MrHoffman addressed that question. VPNs can offer no more encryption than what you are already using.


What's more important — and more disturbing — is that the VPN can retain all your traffic for whatever purposes that may entail, which can and has included divulging it to anyone willing to pay for it, or to anyone with a court order subpoenaing that data. Think that hasn't happened? Think again. And they won't tell you when they give you up. They're not required to.

Jun 29, 2023 5:48 PM in response to My_first_Macair

My_first_Macair wrote:

ok thanks. My understanding is that VPN is a point-to-point tunnel between my Mac and the VPN provider (therefore encrypting my traffic again and hiding my public IP).


ALL OF YOUR TRAFFIC IS ALREADY ENCRYPTED! END-TO-END!


IP addresses are all known, too. A decently-speedy computer with a big network connection can scan the whole IP (IPv4) address space in four or five minutes, too. But if you do want to “hide” your association with what is usually a varying address, iCloud+ Private Relay or Tor is the path for that.


In general, isn’t that actually more secure?


Nope. It’s slower, and the second (weak) tunnel wrapping the existing and (stronger) end-to-end tunnels adds little. Or adds nothing.


It does make your traffic much easier to collect, though. Which is the goal here; centralizing and tracking and harvesting your activities through your use of the second first-few-hops authenticated tunnel, across the whole of the ’net.

Jun 29, 2023 11:54 AM in response to My_first_Macair

Not a problem; but as you probably suspect by now a VPN provides exactly nothing in the way of security.


The only valid reason for using a VPN is as its name implies: to access a private network that is otherwise completely inaccessible to the world beyond it. Using a VPN to communicate with networks accessible without using a VPN (in other words — what we call "the internet") is utterly pointless.


Now I’m on my own with this, pretty much untethered.


You're much better off that way 😄


One more thing: lots of people use VPNs for reasons that lack justification, but more importantly VPNs can interfere with routine activities like using the App Store, or some Safari websites. It is one of the generic reasons addressed in If Safari doesn't open a page or work as expected on your Mac - Apple Support.
