Your No. 1 tool for detecting malicious activity is your log files. Most admins don't turn them on, and those who do usually don't monitor them. Additionally, many companies only turn on logging on their servers, even though most malicious break-ins occur on their users' workstations. Every company should adopt an enterprise-wide log management plan, a topic I covered the basics of last year. In a very small nutshell, you need to collect all your log events in a central location and generate alerts on the abnormal events that warrant a reaction. Don't be that company whose event log management system sends dozens to hundreds of "alerts" a day, a volume that guarantees none of them will be acted upon. A well-designed event management system only requests action for the events that deserve to be investigated. (On a related note, I'm just finishing up a review of event log management systems that should be published on InfoWorld soon.) Another effective way to detect hackers is to scan for common hacking tools: password crackers,
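To make the "central collection, alert only on what deserves action" idea concrete, here is an added example (my own code, not from the article or any product it reviews) of a minimal central triage pass. It takes events from servers and workstations alike, drops known high-volume noise, raises an alert only when a pattern is actually abnormal (a burst of failed logons inside a short window, or a rare high-impact event such as a new local administrator), and de-duplicates so a burst of identical findings becomes one actionable alert rather than hundreds. The event field names, thresholds and the sample events are all constructed for this example.

```python
"""Central log triage: collect, filter noise, alert on abnormal, de-duplicate.

Added illustration only; the event schema (host, role, event, user, ts), the
thresholds and the sample data below are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                          # failed logons per (host, user) inside WINDOW that count as abnormal
WINDOW = timedelta(minutes=5)               # sliding window for counting failures
KNOWN_NOISE = {"time_sync", "screen_lock"}  # high volume, never actionable on their own
HIGH_IMPACT = {"new_local_admin"}           # rare, always worth an analyst's look


def _ev(host, role, event, user, ts):
    """Build one normalised event record (constructed sample format)."""
    return {"host": host, "role": role, "event": event, "user": user, "ts": ts}


# Constructed sample feed, as a central collector might receive it in one interval.
SAMPLE_EVENTS = (
    # six failed logons for one user on one workstation inside a minute
    [_ev("ws-042", "workstation", "logon_failed", "jdoe", f"2024-01-10T09:00:{10 * i:02d}") for i in range(6)]
    # three more twenty minutes later (outside the window, and already alerted on)
    + [_ev("ws-042", "workstation", "logon_failed", "jdoe", f"2024-01-10T09:20:{10 * i:02d}") for i in range(3)]
    # two failures for a service account on a server: below threshold, no alert
    + [_ev("srv-db1", "server", "logon_failed", "svc_backup", "2024-01-10T09:05:00"),
       _ev("srv-db1", "server", "logon_failed", "svc_backup", "2024-01-10T09:05:30")]
    # fifty routine clock-sync events across the fleet: stored, never alerted
    + [_ev(f"ws-{n:03d}", "workstation", "time_sync", "SYSTEM", "2024-01-10T09:10:00") for n in range(50)]
    # a new local admin reported twice for the same host and account
    + [_ev("ws-017", "workstation", "new_local_admin", "tmp_admin", "2024-01-10T09:12:00"),
       _ev("ws-017", "workstation", "new_local_admin", "tmp_admin", "2024-01-10T09:12:05")]
)


def triage(events):
    """Return (alerts, stats): one alert per abnormal (host, user, event), plus counters."""
    alerts = []
    seen = set()                        # keys already alerted on in this run
    recent_failures = defaultdict(list)  # (host, user, event) -> timestamps inside WINDOW
    stats = {"received": 0, "noise_dropped": 0, "suppressed_duplicates": 0}

    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        stats["received"] += 1
        if e["event"] in KNOWN_NOISE:
            stats["noise_dropped"] += 1
            continue

        key = (e["host"], e["user"], e["event"])
        t = datetime.fromisoformat(e["ts"])

        if e["event"] == "logon_failed":
            # keep only failures still inside the sliding window, then add this one
            window = [x for x in recent_failures[key] if t - x <= WINDOW] + [t]
            recent_failures[key] = window
            if len(window) < FAIL_THRESHOLD:
                continue                # normal: a few typos are not an incident
            reason = f"{len(window)} failed logons within {WINDOW.seconds // 60} min"
        elif e["event"] in HIGH_IMPACT:
            reason = "local administrator account created"
        else:
            continue                    # collected centrally, but no action requested

        if key in seen:                 # same finding again: count it, don't re-page anyone
            stats["suppressed_duplicates"] += 1
            continue
        seen.add(key)
        alerts.append({
            "host": e["host"], "role": e["role"], "user": e["user"],
            "event": e["event"], "first_seen": e["ts"], "reason": reason,
        })
    return alerts, stats


if __name__ == "__main__":
    found, counters = triage(SAMPLE_EVENTS)
    print(f"{counters['received']} events in, {len(found)} alerts out "
          f"({counters['noise_dropped']} noise dropped, "
          f"{counters['suppressed_duplicates']} duplicates suppressed)")
    for a in found:
        print(f"[{a['role']}] {a['host']} {a['user']}: {a['reason']} (first seen {a['first_seen']})")
```

Sixty-three events go in and two alerts come out, one from a workstation and one for a privilege change; the fifty clock-sync events and the repeat findings never reach a human. The thresholds are deliberately simple so the shape of the pipeline is visible; in practice they would be tuned per event source and the `seen` set would live in the alerting system with an expiry, not in memory for a single run.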
