Secure by Default: cyber security without compromise 

Table of contents

• Secure by Default: the new standard in cyber security
• What is Secure by Default?
• Key principles of Secure by Default
• The benefits of Secure by Default
• Secure by Default vs. Secure by Design: key differences

Secure by Default: the new standard in cyber security

In today’s digital landscape, cyber security can no longer be an afterthought. Cyber threats are constantly evolving, and systems must be designed to be secure from the very first use, without requiring complex configurations from users.

This is where the concept of Secure by Default comes into play—an approach increasingly adopted by software and hardware manufacturers to ensure optimal security settings from the start.

In this article, we’ll explore what Secure by Default means, its core principles, the benefits it offers, and how it compares to Secure by Design, another essential cyber security strategy.

What is Secure by Default?

The Secure by Default concept represents a fundamental shift in cyber security, prioritizing security from the very first use of a device or software.

This means that users, whether experts or not, don’t need to manually configure advanced settings to secure their systems: the product comes with optimal protections already enabled.

In the past, manufacturers often prioritized ease of use over security. A classic example is home routers, which were once sold with weak default credentials like “admin/admin” or “1234.”

• This approach created a major vulnerability: anyone could access the device if the user didn’t change the password manually. With Secure by Default, modern routers now automatically generate strong passwords and often require users to change them upon first login, significantly reducing the risk of attacks.

Example
Modern operating systems. Previously, Windows XP shipped with its firewall disabled by default, leaving users vulnerable to worms like Blaster and Sasser, which rapidly spread across the internet.

Today, operating systems such as Windows 11, macOS, and Ubuntu come with firewalls enabled, automatic security updates, and user privilege restrictions, preventing malware from easily taking control of the system.

Example
In the world of cloud applications, Secure by Default translates into stricter access policies. Platforms like Google Workspace and Microsoft 365 now enforce two-factor authentication (2FA) by default, reducing the risk of business accounts being compromised through phishing attacks.

In the past, 2FA was an optional feature that many users neglected to activate, exposing their accounts to security breaches.

The impact of Secure by Default is also evident in enterprise databases. Historically, databases like MySQL and PostgreSQL were installed with root access enabled and weak or default credentials.

Today, most modern database software enforces strong authentication during installation, preventing unauthorized access by default.

• Even the Internet of Things (IoT) industry has adopted Secure by Default principles. Previously, many smart devices were shipped with open network ports and weak default passwords, making them easy targets for hackers. The infamous Mirai Botnet exploited these vulnerabilities, hijacking millions of devices for large-scale cyberattacks.

Now, manufacturers require unique credentials for each device, disable unnecessary network ports, and enforce automatic security updates.

• In summary, Secure by Default not only reduces the attack surface but also ensures that users and businesses operate in a protected environment without complex configurations.

This approach has become a best practice adopted by all major tech companies, ensuring that security is integrated and accessible to everyone.

Key principles of Secure by Default

For a system to be truly Secure by Default, security must be built-in from the start, without requiring manual configurations from the user. This drastically reduces the risk of cyberattacks, vulnerabilities, and misconfigurations.

Minimizing the attack surface

Minimizing the attack surface means reducing the number of exposed features, network ports, or services that attackers could exploit.

Practical example:
A server should disable all unnecessary ports and enable only essential services.

Secure by Default solution (Closing unused ports on a Linux server with iptables):

# Drop all incoming connections except SSH (port 22) and HTTP/HTTPS (80/443)

iptables -P INPUT DROP

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

With this configuration, the server rejects any connection that is not SSH or web traffic, significantly reducing attack vectors.

Secure default configurations

Systems should have secure default settings, such as strong passwords, encryption enabled by default, and minimal user privileges.

Practical example:
Modern Wi-Fi routers no longer allow login with weak default credentials like “admin/admin” but instead generate a strong password automatically.

Secure by Default solution (Enforcing strong password policies on Linux using PAM):

# Install password security module

sudo apt install libpam-pwquality 

# Enforce strong password policies

echo "password requisite pam_pwquality.so retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" | sudo tee -a /etc/pam.d/common-password

This configuration requires passwords to be at least 12 characters long and include uppercase, lowercase, numbers, and symbols.

Automatic protection

Systems should be able to defend themselves against common threats without requiring user intervention.

Practical example:
Modern firewalls and antivirus software automatically block suspicious activities without requiring manual setup.

Secure by Default solution (Automatically enabling UFW – Uncomplicated Firewall on Ubuntu):

# Install and enable UFW firewall

sudo apt install ufw

sudo ufw default deny incoming  # Block all incoming traffic

sudo ufw default allow outgoing # Allow outgoing traffic

sudo ufw enable                 # Enable the firewall

With this configuration, the system automatically blocks all incoming traffic, reducing exposure to attacks.

Secure update management

A secure system should receive automatic security patches, ensuring that known vulnerabilities are fixed without requiring user action.

Practical example:
Modern operating systems automatically apply security updates in the background.

Secure by Default solution (Enabling automatic security updates on Linux Debian/Ubuntu):

# Install the unattended-upgrades package

sudo apt install unattended-upgrades

# Enable automatic security updates

sudo dpkg-reconfigure unattended-upgrades

This ensures that the system automatically applies critical patch security updates, protecting the user from newly discovered vulnerabilities.

The benefits of Secure by Default

Adopting the Secure by Default principle provides numerous advantages for both end users and businesses. This approach not only reduces vulnerabilities and simplifies security management but also optimizes operational costs and ensures compliance with security regulations.

Reduced risk of cyberattacks

One of the primary benefits of Secure by Default is the reduction of cyber security risks. Systems and applications that follow this principle are less vulnerable because they are deployed with secure settings from the start, without requiring manual configuration.

Practical example:

• A database like PostgreSQL installed with default settings may accept connections from any IP address. With Secure by Default, remote connections are blocked by default, preventing unauthorized access.
• Windows Defender is enabled by default in Windows 11, protecting users without requiring third-party antivirus software.

Secure by Default configuration to restrict database access (MySQL):

-- Restrict access to localhost only

ALTER USER 'root'@'%' IDENTIFIED WITH mysql_native_password BY 'SecurePassword!';

RENAME USER 'root'@'%' TO 'root'@'localhost';

FLUSH PRIVILEGES;

With this configuration, the database only accepts local connections, reducing the risk of unauthorized access from external networks.

Reduction of human errors

Many cyberattacks exploit misconfigurations or weak settings left by users. With a Secure by Default approach, the risk of human errors is minimized because systems start with secure configurations.

Practical example:

• In the past, users often left default passwords on networking devices, exposing them to unauthorized access. Today, with Secure by Default, routers and access points generate random strong passwords and often require mandatory password changes during setup.
• Modern operating systems disable open RDP connections by default, reducing the risk of brute-force attacks.

Secure by Default configuration to enforce strong passwords on Linux:

# Install password security module

sudo apt install libpam-pwquality 

# Enforce strong password policies

echo "password requisite pam_pwquality.so retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" | sudo tee -a /etc/pam.d/common-password

This configuration ensures that passwords are at least 12 characters long, containing uppercase, lowercase, numbers, and symbols, reducing the risk of credential-based attacks.

Time and cost savings for businesses

Businesses that implement Secure by Default can reduce the workload for IT teams and lower the costs of managing security.

Practical example:

• Modern operating systems automatically install security updates, eliminating the need for manual patching by administrators.
• Firewalls in cloud services (e.g., AWS Security Groups) automatically block all unnecessary traffic, preventing misconfigurations by users.

Secure by Default configuration for automatic security updates on Debian/Ubuntu:

# Install and enable automatic updates

sudo apt install unattended-upgrades

sudo dpkg-reconfigure unattended-upgrades

This configuration ensures that critical security patches are installed automatically, reducing the time needed for security maintenance.

Compliance with security regulations

Secure by Default facilitates compliance with regulations such as GDPR, NIST Cyber Security Framework, and ISO 27001, which require robust security measures for handling sensitive data.

Practical example:

• GDPR requires data protection through encryption and restricted access. Cloud services like Google Workspace and Microsoft 365 now enable encryption and two-factor authentication (2FA) by default.
• The NIST Cyber Security Framework recommends the principle of least privilege, ensuring that access to critical resources is restricted to authorized users only.

Secure by Default configuration for enforcing encryption on a PostgreSQL database:

-- Enable TLS encryption for secure connections

ALTER SYSTEM SET ssl = 'on';

ALTER SYSTEM SET ssl_cert_file = '/etc/ssl/certs/server.crt';

ALTER SYSTEM SET ssl_key_file = '/etc/ssl/private/server.key';

SELECT pg_reload_conf();

This configuration forces the database to use encrypted TLS connections, ensuring data protection in transit and compliance with security regulations.

Secure by Default vs. Secure by Design: key differences

While often used interchangeably, Secure by Default and Secure by Design are distinct yet complementary concepts.

Secure by Design focuses on building security into a system’s architecture from the ground up. This involves security engineering methodologies, such as advanced encryption and secure data handling practices implemented at the code level.

Secure by Default, on the other hand, specifically addresses secure default configurations. Even a system designed securely can become vulnerable if released with weak or easily adjustable security settings.

In short, Secure by Design ensures that the system is built to be secure, while Secure by Default ensures that, upon first use, no configurations expose the system to unnecessary risks. Ideally, organizations should integrate both approaches for maximum protection.

Conclusion

The Secure by Default principle is a crucial evolution in cyber security, reducing the risks associated with misconfigurations and poor security choices by end users.

Ensuring that software and devices are secure from the moment they are installed not only lowers the number of successful cyberattacks but also improves the user experience by eliminating the need for complex manual configurations.

To achieve optimal protection, Secure by Default should always be combined with Secure by Design, ensuring that systems are not only configured securely by default but also built with a robust security foundation from the start.

Questions and answers

1. What is Secure by Default?
   Secure by Default is a cyber security principle stating that a system should come with secure default settings, reducing the need for manual security adjustments.
2. How does Secure by Default differ from Secure by Design?
   Secure by Design focuses on building secure systems from the ground up, while Secure by Default ensures that default configurations are as secure as possible.
3. Why is Secure by Default important?
   It reduces cyber security risks, minimizes human errors, and simplifies security management, especially for non-expert users.
4. Which companies implement Secure by Default?
   Major companies like Microsoft, Apple, and Google integrate this principle into their operating systems and security software.
5. Does Secure by Default eliminate the need for manual security configurations?
   No, but it reduces the need for manual adjustments, ensuring a strong security foundation from the start.
6. What are some examples of Secure by Default?
   Pre-installed antivirus software, enabled firewalls by default, and automatically generated strong passwords.
7. Is Secure by Default legally required?
   In some regulated industries, such as data protection (GDPR), it is strongly recommended to ensure compliance with security standards.
8. Can Secure by Default impact system performance?
   In some cases, it may introduce restrictions that limit unnecessary functionalities, but security-performance balanceis usually well-optimized.
9. Which industries benefit the most from Secure by Default?
   All industries, but particularly banking, healthcare, and critical infrastructure sectors, where data security is paramount.
10. How can I check if a system is Secure by Default?
    By reviewing official documentation, analyzing default security settings, and verifying automatic protection features in the system.