IT managers - logs can save you

Summary: Peter Judge: What's the biggest security risk in enterprise? Open ports, easy passwords? It could just be something that is normally beneath your notice - poor logfiles.

Ask a security firm, and it is usually willing to tell you what it thinks is the biggest threat on the horizon. Most times, the answer is also the one getting the biggest coverage in the media -- the latest Microsoft flaw, or the current hacker exploit. This makes us feel happy, as it means we are getting it right, but it also raises doubts. Maybe these people have the same attention span we do. That would be seriously worrying.

But I got a different answer from security testing firm NTA Monitor the other day. The technical director, Roy Hills, had plenty of stories about conventional dangers. He regularly finds Web sites where the software used to build them (FrontPage, most often) is on the same server without a password. Not only can you deface the Web site, but the company has kindly placed the tools in your hands to do it with.

NTA Monitor has also done its fair share of exposing flaws in software, having recently nailed bugs in Borderware and Check Point.

But, in Hills' experience, the most widespread danger he uncovers comes from a source that most of us rarely think of: logfiles.

Every product on your network, pretty much, will have the option to log its activities, and what is done with and through it. If you have an incident -- which could be anything from a blackmail attempt through a hacker attack or a police raid -- these logs may be the only way to sort out what happened. When the dust settles, they may be the only comeback you have. They may be the only thing between you and getting the culprit.

One customer asked for help because of a blackmail email from Russia. The sender claimed to have extracted the customer data from their servers, and wanted money. Before calling in the police, the customer wanted to know if the claim was actually plausible.

This firm was reluctant to go public -- even as far as contacting the police -- as any leaks of its information would open it to legal action under the Data Protection Act. If its security was lax, that constitutes misuse of its customer data.

It turned out that the company had lots of logs for its system, but not enough to make an audit trail. Given the number of routes into data, it would be impossible to rule out the blackmailer's claim, but a good set of logs could have allowed the company to decide it was very unlikely, and perhaps called the blackmailer's bluff.
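The gap Hills describes is the difference between "having logs" and having an audit trail: entries from each device that can be joined into one time-ordered account of what a given outsider did, together with a statement of which routes into the data are not logged at all. The script below is an added illustration written for this column, not code from NTA Monitor or the customer involved; the firewall, web server and database lines are constructed samples in conventional formats, the IP addresses are documentation ranges, and the ROUTES table (which log source is expected to cover each way into the customer data) is an assumption about a hypothetical network.

```python
"""Merge several log sources into one audit trail and report which routes
into the data have no log source at all.  Added example; all log lines and
the ROUTES table below are constructed, not taken from the article."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (assumed, typical formats).
FIREWALL_LOG = """\
2003-09-12T02:14:03Z fw01 ACCEPT src=198.51.100.23 dst=10.0.0.5 dport=443
2003-09-12T02:14:09Z fw01 ACCEPT src=198.51.100.23 dst=10.0.0.5 dport=443
2003-09-12T02:20:41Z fw01 ACCEPT src=203.0.113.9 dst=10.0.0.5 dport=443
"""
WEB_LOG = """\
198.51.100.23 - - [12/Sep/2003:02:14:04 +0000] "GET /customers/export HTTP/1.1" 200 48213
203.0.113.9 - - [12/Sep/2003:02:20:42 +0000] "GET /index.html HTTP/1.1" 200 1043
"""
DB_LOG = """\
2003-09-12 02:14:05 UTC app_user SELECT customers rows=1200 client=10.0.0.5
"""

FW_RE = re.compile(r"^(\S+) (\S+) (\S+) src=(\S+) dst=(\S+) dport=(\d+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)$')
DB_RE = re.compile(r"^(\S+ \S+) UTC (\S+) (\S+) (\S+) rows=(\d+) client=(\S+)$")

def _utc(dt):
    """Attach UTC to a naive timestamp so every source sorts together."""
    return dt.replace(tzinfo=timezone.utc)

def parse_firewall(text):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts, host, action, src, dst, port = m.groups()
        events.append({"time": _utc(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")),
                       "source": "firewall", "ip": src,
                       "detail": f"{host} {action} {src}->{dst}:{port}"})
    return events

def parse_web(text):
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ip, ts, request, status, size = m.groups()
        events.append({"time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                       "source": "web", "ip": ip,
                       "detail": f"{request} -> {status} ({size} bytes)"})
    return events

def parse_db(text):
    events = []
    for line in text.splitlines():
        m = DB_RE.match(line)
        if not m:
            continue
        ts, user, op, table, rows, client = m.groups()
        # The DB only sees the web tier's address, never the outside client.
        events.append({"time": _utc(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")),
                       "source": "db", "ip": client,
                       "detail": f"{user} {op} {table} rows={rows}"})
    return events

def build_timeline(*event_lists):
    """Merge every source into one time-ordered list."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["time"])

def trail_for_ip(timeline, ip, window=timedelta(seconds=5)):
    """Audit trail for one outside address: its own firewall and web entries,
    plus database activity that followed one of its web requests within `window`.
    The time-window join is how the DB log gets tied back to an outsider."""
    own = [e for e in timeline if e["ip"] == ip]
    web_times = [e["time"] for e in own if e["source"] == "web"]
    db = [e for e in timeline if e["source"] == "db"
          and any(t <= e["time"] <= t + window for t in web_times)]
    return sorted(own + db, key=lambda e: e["time"])

# Assumed routes into the customer data and the log source expected to cover each.
ROUTES = {"https web app": "web", "database": "db", "vpn": "vpn", "ftp": "ftp"}

def coverage_gaps(routes, available_sources):
    """Routes into the data for which no log source exists: these are exactly
    the routes a blackmailer's claim can never be ruled out on."""
    return sorted(r for r, src in routes.items() if src not in available_sources)

if __name__ == "__main__":
    tl = build_timeline(parse_firewall(FIREWALL_LOG), parse_web(WEB_LOG), parse_db(DB_LOG))
    for e in trail_for_ip(tl, "198.51.100.23"):
        print(e["time"].isoformat(), e["source"], e["detail"])
    print("unlogged routes:", coverage_gaps(ROUTES, {e["source"] for e in tl}))
```

Run as is, the trail for 198.51.100.23 shows the firewall accept, the export request, the 1,200-row customer query it triggered, and the follow-up connection, in order; the coverage check then reports that the VPN and FTP routes have no log source, which is precisely the position the customer in the story was in: plenty of entries, but no way to say the data did not leave by another door.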
