File Integrity and DLP: Protecting Systems and Stopping Leaks

One thing I learned in cybersecurity is that not every file on a computer matters the same way. Some files change constantly, and that is normal. Data files, logs, and cache files will update all the time because apps are always saving settings, writing temporary content, and keeping things running smoothly. But the core system files are different. Those are supposed to stay stable, and if they change unexpectedly, that can be a serious warning sign. That’s why organizations use File Integrity Monitoring (FIM) to detect suspicious changes. On Windows, one basic built-in tool is SFC (System File Checker). On Linux, a tool like Tripwire can monitor files for tampering. Some host-based intrusion prevention systems (IPS) do similar monitoring too. The key point I learned is that FIM is a host-based control, not a network-based intrusion detection system.
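The FIM idea above, a hashed baseline that is re-checked later so that an unexpected change to a stable system file raises an alert while churn in logs is treated as expected, as an added Python example. This is my own illustration, not code from the Professor Messer course or from any FIM product such as Tripwire or SFC, and the directory layout, file contents and `VOLATILE_PREFIXES` list are constructed for the demo.

```python
"""Minimal File Integrity Monitoring (FIM) check: baseline hashes, re-hash, classify drift."""
import hashlib
import tempfile
from pathlib import Path

# Constructed list: paths expected to churn (logs, caches) are reported as expected, not alerts.
VOLATILE_PREFIXES = ("var/log/", "var/cache/")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots into 'alert' and 'expected' buckets."""
    findings = {"alert": [], "expected": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            event = f"removed {rel}"
        elif rel not in baseline:
            event = f"added {rel}"
        elif baseline[rel] != current[rel]:
            event = f"modified {rel}"
        else:
            continue  # unchanged
        bucket = "expected" if rel.startswith(VOLATILE_PREFIXES) else "alert"
        findings[bucket].append(event)
    return findings


def demo() -> dict:
    """Constructed scenario: a log grows (normal) and a system binary changes (suspicious)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("usr/bin", "var/log"):
            (root / d).mkdir(parents=True)
        (root / "usr/bin/sshd").write_bytes(b"original binary")
        (root / "var/log/auth.log").write_text("login ok\n")
        baseline = build_baseline(root)
        (root / "var/log/auth.log").write_text("login ok\nlogin ok\n")  # expected churn
        (root / "usr/bin/sshd").write_bytes(b"tampered binary")  # should raise an alert
        return compare(baseline, build_baseline(root))
```

Running `demo()` returns one alert for `usr/bin/sshd` and one expected change for `var/log/auth.log`; a real deployment would store the baseline off-host and sign it so an intruder cannot simply re-baseline after tampering.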

I also learned that protecting files isn’t just about malware; it’s also about preventing data leaks in real time. That’s where Data Loss Prevention (DLP) comes in. DLP systems look for sensitive data such as Social Security numbers, credit card numbers, and medical records, then block it from being exposed. DLP can protect data in use (on an endpoint device), data in motion (moving across a network, sometimes inspected by devices like next-generation firewalls), and data at rest (stored on servers or operating systems). One detail that stood out to me is how removable media like USB drives can be a major risk. In November 2008, the U.S. Department of Defense dealt with the Agent.BTZ worm, which replicated through USB storage devices. After that, USB restrictions became much more serious, and many organizations began implementing tighter USB control policies and USB-focused DLP agents. Cloud-based DLP can also inspect traffic going in and out of cloud services, helping stop malware and prevent sensitive content from leaving the organization.

Finally, I learned that email is still one of the most critical risk vectors in cybersecurity because it’s constantly used for both normal business and attacker activity. Inbound email DLP and security tools can scan messages for suspicious keywords, detect impersonation attempts, and quarantine risky messages. Outbound email protections can stop sensitive leaks like W-2 forms, wire transfer fraud attempts, or the accidental attachment of private employee data. For example, an attacker might send an email pretending to be the CEO asking payroll to “urgently send employee W-2s,” and outbound DLP can detect that sensitive content and block it. A real-world example of how serious this is came in November 2016, when a Boeing employee emailed their spouse a spreadsheet to use as a template, but it contained the personal information of around 36,000 Boeing employees. What’s even more interesting is that Boeing sells its own DLP software, showing that even security-aware companies can still suffer data leakage when human behavior and email convenience collide. I learned these concepts by watching “Monitoring Data – CompTIA Security+ SY0-701 – 4.5” on Professor Messer, and it helped me connect the technical controls to real-world mistakes and real-world risk.
