Hey,

Welcome to the first issue of The SecureByDefault Brief.

Every week, I’ll send one practical security lesson based on real attacks, real configurations, and the boring security basics that quietly prevent very bad days.

No scare tactics. No fake guru energy. Just signal.

This week: your server is not invisible.

The quick brief

A brand-new server can start getting scanned before anyone knows your site exists. Not because you are famous. Because attackers and bots scan massive chunks of the internet continuously, hunting for the same boring mistakes every time:

  • Exposed config files

  • Old, unpatched software

  • Default credentials nobody changed

  • Backup files sitting in a public directory

  • A lonely .env file waving from the web root like it wants attention

Please do not give your .env file a public speaking career.

Real attack breakdown: the internet found the server fast

When I put the SecureByDefault server online, it was probed within 24 hours for exposed secrets: .env files, .aws/credentials, database config paths, backup directories. No big launch. No marketing push. No reason to be interesting except one: it was reachable.

The attackers were not people sitting at keyboards. They were automated scripts running 24 hours a day against millions of IP addresses, checking for the same list of common mistakes on every single one.

Most of those requests were blocked. The Nginx config denied access to sensitive paths, and the security headers did their job. But a handful of requests returned 200 OK before the configuration was tightened, which is exactly the kind of gap that causes real incidents.

Attackers do not need your homepage to be popular. They just need an IP address, automation, and a list of common mistakes.

Treat early log activity like a free security audit from very rude strangers. They are showing you exactly what to lock down.

Why this matters right now

The internet has shifted from "people manually poking around" to "automation constantly scanning everything, always." Two data points worth keeping in mind:

The takeaway is simple. Patch the systems. Protect the accounts. Test the backups. Watch the logs. Security is not one magic control. It is a collection of boring controls quietly doing their jobs.

Tiny applause for boring controls. They deserve more credit than they get.

Practical fixes you can apply this week

1. Check for exposed sensitive files
Look for anything that should never be web-accessible: .env, .aws/credentials, backup files, database dumps, private keys, old config files, test files, admin panels you forgot existed. If a file contains secrets or customer data, it should not be reachable from a browser.

2. Patch internet-facing systems first
Not every update is equal. Prioritize what attackers can reach from the internet: web servers, VPNs, firewalls, CMS platforms, WordPress plugins, and remote access tools. CISA's Known Exploited Vulnerabilities catalog is a practical priority list for exactly this decision.

3. Turn on MFA where it matters most
Email, banking, cloud platforms, your domain registrar, your hosting provider, your password manager, and every admin account. If the service supports an authenticator app or hardware key, use that over SMS when possible.

4. Test one backup restore
Not "we have backups." Not "the job says successful." Actually restore something and verify it works. A backup you have never restored is just a security blanket with a loading spinner.

5. Review old accounts
Former employees, old contractors, forgotten service accounts, test users. Disable what is no longer needed. Reduce privileges on anything that does not require admin access. Attackers love stale accounts because stale accounts do not complain during meetings.

This week in "Please Don't Do That"

Someone, somewhere, is still storing production credentials in a file named:

passwords_final_FINAL_do_not_delete.xlsx

Friendly reminder: if the filename sounds like it survived three group projects and a 2 AM panic save, it should not hold your credentials.

Use a password manager. Restrict access. Rotate shared secrets. Keep sensitive files out of public web paths. Your future self will thank you. Probably with coffee.

Tool worth knowing: CISA KEV

The CISA Known Exploited Vulnerabilities Catalog is a free, government-maintained list that separates "this vulnerability exists" from "this vulnerability is being actively exploited right now." That distinction matters a lot when you have limited time and need to decide what gets patched first.

How to use it: once a week, search the catalog for software products you actually use, starting with anything exposed to the internet. If it shows up on the list, patch it or apply the vendor mitigation as soon as possible.

Useful beats flashy. Flashy usually has a monthly subscription and a dashboard nobody opens.

Checklist

This issue connects directly to the Website, Network and Cloud section of the SecureByDefault 25-Point Security Checklist, which covers firewall rules, exposed credential files, cloud storage lockdown, and website platform hygiene.

If you have not worked through the checklist yet, start with these three:

  • Turn on MFA everywhere it is offered

  • Use a password manager with zero reuse

  • Set up automatic, tested backups

Those three will not make you invincible. They will make you significantly harder to casually ruin. That is a solid Tuesday.

If this issue made you think, “I should probably check my own setup,” start here.

One question for you

Have you ever checked your server logs and found something unexpected?

Hit reply and tell me what you saw. No judgment. The internet is strange, and sometimes the logs look like raccoons learned Python.

Talk soon,
Ron
Cloud and Cybersecurity Engineer, SecureByDefault

Sources

Verizon 2026 Data Breach Investigations Report · Microsoft Security research on MFA and account compromise · CISA Known Exploited Vulnerabilities Catalog · SecureByDefault 25-Point Security Checklist

Keep reading