Posts

Productive Habits in Tech

I'm often trying to find ways to be more productive with my time or more efficient with what I am already doing. I've found several suggestions over the years -- some that have worked and some that have not -- and want to share them here. Most come from a mix of sources and I will do my best to give credit to the original source.

Time Efficient

Since having a child I often think about one of Troy Hunt's oldest blog posts, "Want to be a better programmer? Have a baby!". Everything in the post is true. One thing he doesn't talk about much there, but does discuss heavily in one of his other posts, is optimizing his time. While this post is not about having kids, having one really shows you just how much free time you used to have without even knowing it. It's a great way of forcing you to become as efficient with your time as possible and not get distracted. Or at least it has been for me. Here's what's worked for me to also help with

Protecting Applications Using AWS WAF

Amazon's Web Application Firewall (WAF) integrates directly with existing AWS resources and is easy to configure. It has its limitations, but it provides many common protections for web applications and can be spun up very quickly. Everything I've included below can be found in Amazon's documentation. However, I've highlighted the parts I found particularly important and left other details out.

AWS WAF Classic vs AWS WAF

If you're still on WAF Classic, you should try to migrate to AWS WAF. The "new" version has been out for several years (though rules do not convert automatically, and Amazon's conversion tool does not work in all scenarios). There are a number of new capabilities and features, notably managed rules. And if you have version control and infrastructure as code (IaC) implemented widely throughout your environment, rules are now JSON objects, so they can be reviewed and deployed like any other code. I will leave it at that, as I suspect most people are on the current AWS WAF. Resource

Cybersecurity Fundamentals

While some hacks truly are sophisticated nation-state attacks, many more are the result of simpler exploits or just social engineering. After the details of such a compromise are released, people comment about how organizations should be doing at least the "basics" or "fundamentals." So what are the fundamentals? And at what point do you cross over into intermediate or expert practices? I have my opinion, but let me first share a couple of official lists:

NIST - Cybersecurity Basics
CISA - Cyber Essentials

These are great lists, but allow me to expand.

Multi-factor Authentication

First up is multi-factor authentication (MFA). Even in 2024, lack of MFA has resulted in account or organization compromise. Take the recent SEC X / Twitter hack: the US Securities and Exchange Commission had its X account taken over and used to post false information. While "SIM swapping" also played a role in the hack, had MFA been enabled, the threat actor may have bee

The Power of Procmon (Process Monitor)

Procmon (Process Monitor) is "an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity." This accurately describes what Procmon does, but it doesn't come close to describing the power it gives you to monitor, investigate, and troubleshoot a Windows system. Let's explore it (download it from Microsoft to follow along).

Activity Options

Procmon had a hard time adjusting to my display resolution, but you can see here and in the screenshot at the top the Activity display options. These enable or disable the display of various types of activity. Deselecting one of these options doesn't erase any existing logs; it just narrows the output to the types of events you want to see. These include registry, file system, network, and process/thread activity. They are helpful for narrowing focus when troubleshooting an issue, but you can still be left with thousands of entries. This is where filters come

Regular Expressions (Regex) for Beginners

Regular expressions (regex) are used to extract information or patterns from text. They are used by programming languages, AV/EDR software, application whitelisting software, data loss prevention (DLP) software, personally identifiable information (PII) scanning software, and more. While simple in concept, regex can become quite complex depending on what strings of text need to be extracted. I'll be using regex101.com to show my examples, but there are a ton of great resources and "testers" available for free on the Internet. Tokens are how regular expressions are defined. There are dozens available, and we'll get to them in a minute, but nothing is more basic in regex than just typing the exact string you're looking for.

Example 1 - string

If you're searching for the string "fire" in a given sentence, you would make your regular expression fire. We can see here that this regex pattern matches on the lines "fire", "firetruck",
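As an added example (not code from the original post), here is Example 1 in Python over a constructed set of lines, followed by the tokens that tighten the match once a bare literal is no longer enough: `^` anchors to the start of the line, `\b` marks a word boundary, and a flag makes the match case-insensitive. The sample lines are made up for this example.

```python
import re

# Constructed sample lines for the "fire" example; not from the original post.
SAMPLE_LINES = [
    "fire",
    "firetruck",
    "campfire",
    "Fire",
    "ceasefire agreement",
    "the fir tree",
]


def lines_matching(pattern, lines, flags=0):
    """Return the lines where `pattern` matches somewhere (search, not whole-line match)."""
    rx = re.compile(pattern, flags)
    return [line for line in lines if rx.search(line)]


def demo():
    """The literal pattern from Example 1, then three tokens that tighten it."""
    return {
        # the bare string: the characters f-i-r-e anywhere in the line
        "literal": lines_matching(r"fire", SAMPLE_LINES),
        # ^ anchors the pattern to the start of the line
        "anchored_start": lines_matching(r"^fire", SAMPLE_LINES),
        # \b word boundaries on both sides: only "fire" as a whole word
        "whole_word": lines_matching(r"\bfire\b", SAMPLE_LINES),
        # same pattern, case-insensitive, so "Fire" now matches too
        "whole_word_ci": lines_matching(r"\bfire\b", SAMPLE_LINES, re.IGNORECASE),
    }


def extract_fire_words(lines=SAMPLE_LINES):
    """Extraction rather than filtering: pull out every word that contains 'fire'."""
    return re.findall(r"\w*fire\w*", "\n".join(lines))


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:15} {hits}")
    print("extracted       ", extract_fire_words())
```

Pasting the same patterns into regex101.com against the same lines gives the same highlights; the literal `fire` also lights up inside `firetruck`, `campfire` and `ceasefire`, which is exactly why the boundary and anchor tokens exist.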

SPF, DKIM, and DMARC Explained

I found myself reading RFC 733 today as I had no idea how long BCC emails had been around. Turns out, it's been a long time (November 21, 1977). In fact, that is when the "Standard for the Format of ARPA Network Text Messages" was ratified, so a whole lot of other things that are still used in email today were included in that RFC, not just BCC. Some things that weren't proposed in 1977, for obvious reasons, are SPF, DKIM, and DMARC. We'll be talking about those today! (If you're curious, as I was, what those RFCs are, I linked them so you can check those out too.)

SPF - Sender Policy Framework

SPF is an authentication mechanism that allows a receiving email server to verify that a message was sent from a server authorized by the sending domain. SPF does this by taking the domain of the envelope sender (the SMTP MAIL FROM address, which is not necessarily the From: header the user sees), querying that domain's DNS for a TXT record beginning with v=spf1, and depending on what t
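As an added example, not code from the original post, here is a minimal SPF evaluator in Python that shows the check described above end to end: take the MAIL FROM domain, fetch its single v=spf1 TXT record, walk the mechanisms left to right, and let the first match's qualifier decide the verdict. DNS is replaced by a constructed in-memory table, so every domain name and record below is hypothetical. It follows `include:` recursively under the ten-lookup limit from RFC 7208 and treats a missing or duplicated record the way the RFC does; `mx`, `ptr`, `exists` and `redirect=` are deliberately left out. For real mail flow use a maintained library such as pyspf against live DNS.

```python
import ipaddress

# Constructed in-memory "DNS" standing in for real lookups. Every domain and record
# here is hypothetical and not from the original post.
FAKE_DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 a include:_spf.mailvendor.example -all"],
        "A": ["203.0.113.10"],
    },
    "_spf.mailvendor.example": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    },
    "loop.example": {
        "TXT": ["v=spf1 include:loop.example -all"],   # self-referencing include
    },
    "twice.example": {
        "TXT": ["v=spf1 -all", "v=spf1 +all"],          # two SPF records: invalid
    },
}

MAX_DNS_LOOKUPS = 10            # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain):
    """Return the domain's single v=spf1 TXT record, None if it has none, or
    'permerror' if it publishes more than one (RFC 7208 section 4.5)."""
    txts = FAKE_DNS.get(domain, {}).get("TXT", [])
    spf = [t for t in txts if t.lower().split(" ", 1)[0] == "v=spf1"]
    if not spf:
        return None
    return spf[0] if len(spf) == 1 else "permerror"


def evaluate(domain, ip, lookups):
    """Walk the mechanisms left to right; the first match decides the result."""
    record = get_spf_record(domain)
    if record is None:
        return "none"
    if record == "permerror":
        return "permerror"
    for term in record.split()[1:]:
        qualifier, mech = "+", term                 # no qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name in ("a", "include"):
            lookups.append(name)                    # counts toward the shared lookup budget
            if len(lookups) > MAX_DNS_LOOKUPS:
                return "permerror"
            target = (arg or domain).lower()
            if name == "a":
                a_records = FAKE_DNS.get(target, {}).get("A", [])
                matched = any(ip == ipaddress.ip_address(a) for a in a_records)
            else:
                inner = evaluate(target, ip, lookups)
                if inner in ("none", "permerror"):
                    return "permerror"              # included domain must publish a valid record
                matched = inner == "pass"
        else:
            return "permerror"                      # mx, ptr, exists and modifiers not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                # ran off the end of the record


def check_spf(mail_from, sender_ip):
    """SPF verdict for one SMTP transaction: the MAIL FROM address and connecting IP."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return evaluate(domain, ipaddress.ip_address(sender_ip), [])


if __name__ == "__main__":
    for sender, ip in [("alice@example.com", "192.0.2.55"),
                       ("alice@example.com", "198.51.100.7"),
                       ("alice@example.com", "203.0.113.9"),
                       ("bob@loop.example", "203.0.113.9")]:
        print(f"{sender:22} from {ip:15} -> {check_spf(sender, ip)}")
```

Two details worth noticing: the vendor's `~all` only governs the vendor's own record, so a non-matching IP falls through the `include:` and is still rejected by example.com's `-all`, and the lookup counter is shared across the whole recursion, which is what turns the self-referencing loop into a permerror instead of a hang.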

Detecting Phishing Emails

Detecting and preventing the effects of phishing emails has become a primary interest for enterprises and governments today, largely because phishing emails lead to network breaches, ransomware, and exfiltration of sensitive information. Patching vulnerabilities, ensuring AV/EDR/XDR is installed on endpoints, network segmentation, and MFA are all great to do, but one step we can take before relying on these measures is ensuring the end-user community is routinely educated on how to detect phishing emails. So how do we detect phishing emails?

Screening Emails

Here are some of the items on what I call my "initial phishing screening checklist":

Sender name and email address (especially domain) that doesn't match a legitimate one.
Statements urging me to act quickly.
Was I expecting an email like this?
If I know the person and/or can reach them by phone, can I confirm it is truly them sending the email? (Out-of-band communication.)

At least on this one they give 24 hours not
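The first two checklist items are mechanical enough to script. As an added example (not the post's own code), the Python below runs them over a constructed message: it compares the real sender domain against a list of known-legitimate domains, flags a display name that embeds a different address than the one actually sending, flags a Reply-To pointing somewhere else, and looks for urgency wording in the subject and body. All domain names, the trusted-domain list and the sample messages are hypothetical. The last two items on the checklist (did I expect this, can I confirm it out of band) are judgement calls and are deliberately not coded.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages with hypothetical domains; not from the original post.
SAMPLE_EMAIL = """\
From: "IT Helpdesk <helpdesk@corp.example>" <alerts@corp-example-login.com>
Reply-To: recover@mailbox-reset.example
To: alice@corp.example
Subject: URGENT: your password expires in 24 hours
Content-Type: text/plain; charset=utf-8

Your account will be suspended unless you verify immediately.
Click https://corp-example-login.com/verify within 24 hours.
"""

LEGIT_EMAIL = """\
From: Bob Smith <bob@corp.example>
To: alice@corp.example
Subject: Lunch next week?

Are you free Tuesday? No rush.
"""

TRUSTED_DOMAINS = {"corp.example"}   # assumed: domains the recipient knows to be legitimate
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|act now|suspended|expires?|within \d+ hours?)\b", re.I)


def domain_of(header_value):
    """Domain of the real address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def screen(raw):
    """Apply the two mechanical checklist items to one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    from_header = msg.get("From", "")
    from_domain = domain_of(from_header)

    # Item 1: sender name / address (especially domain) that doesn't match a legitimate one.
    if from_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {from_domain!r} is not a known legitimate domain")
    # A display name carrying a different address than the real sender is a classic spoof:
    # every address-looking token in the header should share the real sender's domain.
    for claimed in ADDR_RE.findall(from_header):
        if claimed.lower() != from_domain:
            findings.append(f"From header shows {claimed!r} but real sender domain is {from_domain!r}")
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain!r}, not {from_domain!r}")

    # Item 2: statements urging the reader to act quickly (subject and body).
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    hits = sorted({m.group(1).lower() for m in URGENCY_RE.finditer(text)})
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # Two or more independent findings is the threshold used here; tune to taste.
    return {"suspicious": len(findings) >= 2, "findings": findings}


if __name__ == "__main__":
    for label, raw in [("sample", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)]:
        result = screen(raw)
        print(f"{label}: suspicious={result['suspicious']}")
        for f in result["findings"]:
            print("  -", f)
```

The display-name check is the one people miss: `parseaddr` returns the real address from the angle brackets, while a mail client often shows only the quoted name, so the `helpdesk@corp.example` a user sees and the `corp-example-login.com` the mail actually came from can differ without any obvious sign.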