Secure by default

Security by default, in software, means that the default configuration settings are the most secure settings possible, which are not necessarily the most user-friendly settings. In many cases, security and user-friendliness are weighed against each other on the basis of both risk analysis and usability tests. This leads to the question of what the most secure settings actually are; as a result, the precise meaning of secure by default remains undefined.

In a network operating system, this typically means first and foremost that there are no listening INET(6) domain sockets after installation; that is, no open network ports. This can be checked on the local machine with a tool such as netstat, and remotely with a port scanner such as nmap. As a general rule, a network is only as secure as its least secure node.
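The local check described above can be automated. The following script is an added example, not part of the original article or of any of the tools it names: it parses the Linux /proc/net/tcp and /proc/net/tcp6 tables (the same data netstat and ss read, where addresses and ports are printed as hex with each 32-bit word in host byte order) and reports every TCP socket in the LISTEN state that is bound to something other than a loopback address. The sample tables and the service names in their comments are constructed for the example; the only assumption is the Linux procfs table layout.

```python
"""Audit a Linux host for listening TCP sockets by parsing /proc/net/tcp and
/proc/net/tcp6, the tables netstat and ss read. A freshly installed
secure-by-default system is expected to report no listener that is reachable
from outside the host (i.e. anything not bound to a loopback address)."""
import ipaddress
from pathlib import Path
from typing import List, NamedTuple

# Socket state column value for LISTEN (hex of the kernel's TCP_LISTEN == 10).
TCP_LISTEN = "0A"


class Listener(NamedTuple):
    proto: str      # "tcp" or "tcp6"
    address: str    # bound local address, textual form
    port: int
    uid: int        # owner of the socket, useful for tracing it back to a service


def decode_kernel_addr(hex_addr: str) -> str:
    """Turn the kernel's hex address into text. Each 32-bit word is printed in
    host byte order (little-endian on x86/arm), so the bytes inside every
    4-byte group are reversed before the packed address is handed to
    ipaddress; 8 hex digits means IPv4, 32 means IPv6."""
    raw = bytes.fromhex(hex_addr)
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return str(ipaddress.ip_address(packed))


def parse_proc_net_tcp(table: str, proto: str) -> List[Listener]:
    """Return the LISTEN entries of a /proc/net/tcp or /proc/net/tcp6 table."""
    listeners = []
    for line in table.splitlines():
        fields = line.split()
        # Columns: sl local_address rem_address st tx_queue:rx_queue tr:tm->when
        # retrnsmt uid ...; the header row fails the state test and is skipped.
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        listeners.append(Listener(proto, decode_kernel_addr(addr_hex),
                                  int(port_hex, 16), int(fields[7])))
    return listeners


def external_listeners(listeners: List[Listener]) -> List[Listener]:
    """Keep only sockets a remote host could connect to: anything that is not
    bound to a loopback address (0.0.0.0 and :: count as exposed)."""
    return [l for l in listeners if not ipaddress.ip_address(l.address).is_loopback]


def scan_local_host(proc_net: str = "/proc/net") -> List[Listener]:
    """Read the live tables; returns [] on systems without procfs."""
    found: List[Listener] = []
    for name in ("tcp", "tcp6"):
        path = Path(proc_net) / name
        if path.exists():
            found.extend(parse_proc_net_tcp(path.read_text(), name))
    return found


# Constructed sample tables (not captured from a real host): a print spooler on
# loopback, an SSH daemon on all IPv4 addresses, one established connection
# (state 01, ignored), and a DNS resolver on ::1.
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0\n"
    "   2: 0A00020F:A2B4 5E1B9D2A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1\n"
)
SAMPLE_TCP6 = (
    "  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000000000000000000001000000:0035 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0\n"
)


def audit(tcp_table: str, tcp6_table: str) -> List[Listener]:
    """Listeners that contradict the secure-by-default expectation."""
    return external_listeners(parse_proc_net_tcp(tcp_table, "tcp")
                              + parse_proc_net_tcp(tcp6_table, "tcp6"))


if __name__ == "__main__":
    exposed = external_listeners(scan_local_host())
    for l in exposed:
        print(f"exposed: {l.proto} {l.address}:{l.port} (uid {l.uid})")
    print("no externally reachable listeners" if not exposed else f"{len(exposed)} exposed")
```

On the constructed sample, `audit` returns only the SSH listener on 0.0.0.0:22; the loopback-bound spooler and resolver are deliberately not flagged, since a post-installation baseline usually tolerates services that only the local host can reach. Run on a live system, the script reads the real tables and lists whatever a remote nmap scan would also be able to find.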

If a program uses secure configuration settings by default, the user will be better protected. However, not all users care about security, and some may be obstructed by secure settings. A common example is whether or not blank passwords are allowed for login: not everyone can, or is willing to, type or memorize a password.

Another way to secure a program or system is through abstraction, where the user is presented with an interface in which the user cannot (or is discouraged from) causing accidental data loss. This, however, can lead to less functionality or reduced flexibility. Giving the user control through preferences does not typically cause this, but at the cost of a larger part of the user interface being taken up by configuration controls.

Some servers or devices that have an authentication system ship with default usernames and passwords. If these are not changed, anyone who knows the default configuration can successfully authenticate.
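Both of the trade-offs above, blank passwords and unchanged factory credentials, come down to which behaviour the default policy picks and who may relax it. The following login module is an added example written for this article, not code from any product it mentions: by default it refuses blank passwords and refuses to log in an account that still carries its factory password, and both restrictions can be relaxed only through an explicit policy object. The `admin`/`admin` factory credential, the user names and the PBKDF2 parameters are constructed for the example.

```python
"""Login policy with secure defaults: blank passwords are refused and an
account still carrying its factory-set password cannot log in until the
password is changed. Both restrictions can be relaxed, but only by an explicit
administrator decision, so the usability trade-off is visible in the policy
rather than hidden in a permissive default."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16

# Constructed example of credentials a device or server might ship with.
FACTORY_CREDENTIALS: Dict[str, str] = {"admin": "admin"}


@dataclass(frozen=True)
class LoginPolicy:
    allow_blank_password: bool = False        # secure default; opt-in for e.g. kiosks
    allow_factory_credentials: bool = False   # secure default; opt-in for lab use only


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """salt || PBKDF2-HMAC-SHA256(password); the salt is stored with the digest."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class UserStore:
    """In-memory account database seeded with the factory credentials, as a
    freshly installed product would be."""

    def __init__(self, policy: Optional[LoginPolicy] = None) -> None:
        self.policy = policy or LoginPolicy()
        self.users: Dict[str, bytes] = {
            name: hash_password(pw) for name, pw in FACTORY_CREDENTIALS.items()
        }

    def on_factory_password(self, user: str) -> bool:
        """True if the account still has the password it shipped with."""
        factory = FACTORY_CREDENTIALS.get(user)
        return (factory is not None and user in self.users
                and verify_password(factory, self.users[user]))

    def set_password(self, user: str, password: str) -> None:
        if password == "" and not self.policy.allow_blank_password:
            raise ValueError("blank passwords are disabled by default")
        self.users[user] = hash_password(password)

    def authenticate(self, user: str, password: str) -> bool:
        stored = self.users.get(user)
        if stored is None:
            return False
        if password == "" and not self.policy.allow_blank_password:
            return False
        # The login is refused even with the correct factory password: the
        # account must be re-keyed first, so knowing the manual is not enough.
        if self.on_factory_password(user) and not self.policy.allow_factory_credentials:
            return False
        return verify_password(password, stored)


def audit_factory_credentials(store: UserStore) -> List[str]:
    """Accounts that would be open to anyone who knows the defaults."""
    return sorted(user for user in store.users if store.on_factory_password(user))


if __name__ == "__main__":
    store = UserStore()
    print("accounts on factory credentials:", audit_factory_credentials(store))
    print("login with factory credentials:", store.authenticate("admin", "admin"))
    store.set_password("admin", "correct horse battery staple")
    print("login after re-keying:", store.authenticate("admin", "correct horse battery staple"))
```

The point of the design is that the permissive behaviour never happens by accident: a kiosk that genuinely needs a blank password gets `LoginPolicy(allow_blank_password=True)` written into its configuration, where an auditor can see it, and `audit_factory_credentials` gives the operator a direct list of accounts that still need re-keying.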

Operating systems

OpenBSD claims to be the only operating system that is fully secure by default. This, however, does not mean it is inherently the most secure operating system, because that depends on the definition of an operating system: many operating systems are not capable of networking with other systems at all, and considering the number of network-based security compromises today, one can argue that such an operating system is more secure. OpenBSD is a network operating system.

Ubuntu is a GNU/Linux distribution aimed at the desktop user that by default hides the administrative account and only allows the first user to gain administrative privileges for certain system tasks (such as installing system updates and managing disk drives). Mac OS X does not hide this account, but users with limited rights can still fully utilise the system.

Microsoft Windows and Linspire have been criticised for allowing the user to have administrative privileges without warning, a potential threat to the system. Windows Vista attempts to remedy this situation through its User Account Control system.

See also

  • Computer security
  • Usability
  • Default (computer science)
  • Secure by design
  • Authentication

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.