TechEcho

Ask HN: Infosec best practices

1 point by jmts almost 7 years ago
Every now and then I am intrigued by the specificity of leaked information disclosed when learning about a security breach of some company. "They got this information, and this information, and some of that". I assume that there is some worst-case logic going on here, and a lot of it probably involves trawling around in logs somewhere, however I often wonder how much more there is to the story than I am aware of.

Lots of online security stuff tends to be things like "lock down your SSHD and you'll be fine". I am curious to know if anyone has any stories or recommended reading regarding what *else* should be done to ensure security and allow successful investigations, etc. i.e., sufficient logging, indefinite storage of logs, etc.

Is there more to this, or is it as simple as "just log everything!"?

1 comment

czbond almost 7 years ago
The question is very broad - if you narrow it down to a specific area, it's a bit easier. Generally, by industry and company type, company makeup (e.g.: people, process, technology) will focus your directives and approach. A risk assessment, performed on the people, process, technology and roles within them helps. You can narrow it down by looking at security focus for your vertical. Look at the easiest targets (generally those not requiring physical access)... so email phishing, spoofing, and in some cases external penetration. Although external penetration is not as large a threat as many make it out to be compared to other factors.