Q: Why shred or burn sensitive information? A: Have you ever heard of dumpster diving?
Dumpster diving is the process of rifling through a corporation's or individual's trash (at home or at the office) in search of "starting points" of vulnerability: a written-down password, a printout naming a Web page or file most users don't know about, user ID lists that let hackers aim brute-force attempts at known accounts, source code (a gem for hackers), and a whole range of other sensitive material most people just wouldn't think about. People assume that once it's in the trash, it's gone. Don't think this way anymore; it's just not true.
Do you turn on Secure Sockets Layer (SSL) first, then ask for user IDs and passwords, or do you do all those transactions in clear text (text that anyone on the network path can read)?
I think this one is self-explanatory. If you have a page that asks for a user ID and/or password, use a corridor page to turn SSL on before getting to that page. Then, on the next page, query users for user ID and/or password information.
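The corridor-page logic described above, as an added example that is not code from the original article: a protected path is served only once the request is on TLS, a clear-text GET is sent through to the https URL, and a clear-text POST is refused rather than redirected, since the credentials have already gone over the wire by then. The request dictionary layout, the protected paths and the trusted-proxy flag are assumptions made for the example.

```python
from urllib.parse import urlunsplit

# Pages that must never be served over clear text (assumed for this example).
PROTECTED_PATHS = {"/login", "/account"}
HSTS = "max-age=31536000; includeSubDomains"


def effective_scheme(req, behind_trusted_proxy=False):
    """Return the scheme the client actually used.

    X-Forwarded-Proto is honoured only when the request is known to come
    from our own TLS-terminating proxy; otherwise a client could forge the
    header and reach the login form over plain HTTP.
    """
    if behind_trusted_proxy:
        fwd = req.get("headers", {}).get("x-forwarded-proto", "").lower()
        if fwd in ("http", "https"):
            return fwd
    return req["scheme"].lower()


def corridor(req, behind_trusted_proxy=False):
    """Decide how to answer a request; returns (status, headers, body)."""
    scheme = effective_scheme(req, behind_trusted_proxy)
    path = req["path"]
    if path not in PROTECTED_PATHS:
        return 200, {}, "public page"
    if scheme == "https":
        # Only now do we ask the user for an ID and/or password.
        return 200, {"Strict-Transport-Security": HSTS,
                     "Cache-Control": "no-store"}, "login form"
    if req["method"].upper() == "GET":
        # Clear-text GET: send the browser through the corridor to the TLS URL,
        # keeping path and query so the user lands on the same page.
        target = urlunsplit(("https", req["host"], path, req.get("query", ""), ""))
        return 301, {"Location": target}, ""
    # A clear-text POST already carried the credentials unprotected; a redirect
    # cannot undo that, so refuse it and let the failure show up in the logs.
    return 403, {"Cache-Control": "no-store"}, "credentials must be submitted over https"
```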
Do you know many hackers' tools and defenses?
There is Crack (for Unix passwords), l0phtcrack (for Windows NT passwords), and SATAN (for networks). Better yet, there's Net Sonar (network/server prober), Tripwire (binary checksum calculator), Tiger (scanner), and numerous other tools. Many password crackers can break the security behind six- and seven-character passwords in mere minutes; words from dictionaries take only seconds.
Another hacker favorite is "rootkit," a tool for capturing passwords and e-mails to a system. Sure, this would require a hacker to force an execution of the file to start the process, but embedded binary code in a malicious CGI call could start the process of capturing this data.
Get these tools and run 'em! See what hackers see when they look at your systems. Get to know your system's weaknesses. Get to know its strengths. Finally, understand how easily hackers' automated programs can get them into your machines and networks.
Are you really checking those logfiles?