Library items tagged:

Connecting an insecure computer to a network places that computer, its users and any information it contains at risk. Insecure computers also represent a threat to other computers, users and information on the network, since intruders frequently use one compromised machine to attack others either simply by using it to generate network traffic in a distributed denial of service attack, or more subtly by using the access that the compromised computer or its users have to compromise others.

1.1 Connecting to the Internet

This document has dealt only with the logs that can be recorded by individual computers and other systems. A great deal of useful information and early warnings can also be obtained by looking at computers and networks in combination. Any organisation that is concerned to protect its own systems and reputation should also be developing systems to monitor these systems. Two examples are given below of what can, and should, be done.

The remaining group of systems whose logfiles are likely to be of interest is servers. Whilst logs from clients and intermediaries will usually indicate attacks against other sites, logs from servers will normally be used to detect attacks, or attempted attacks, either on the servers themselves or on other local systems. Public servers such as web or mail systems are likely to be the most exposed to hostile activity on the Internet so these should always be configured to keep good and secure logs.