30 Years in Cybersecurity Taught Me This Hard Truth
I’ll get straight to the point — it was not always this complicated. Way back in the ’90s, when I was a kid network administrator, all we had to worry about was keeping the servers running and the odd password reset. Now? Attackers will always be faster, smarter and better funded than the vast majority of companies they target.
I recently returned from DefCon, where I spent oodles of time at the hardware hacking village, and I was reminded yet again: No system is unbreachable. All we can hope for is to make it so difficult that the attacker goes after an easier target. And believe me, there is always a softer target available.
One-Take: The Key Not to Forget
Don’t assume your network is safe merely because you meditate on the very idea of it. Attackers don’t give a donkey’s ass about your assumptions — they just mow over your weak areas, and trust me, you have weak areas.
Here is what businesses (and I mean banks in particular, since I recently helped three of them rebuild their security) absolutely need to do now:
- You cannot afford not to adopt Zero Trust. If you’re continuing to work with a perimeter-based security model, you’re begging for trouble.
- Patch everything. Regularly. If you’re ignoring updates because they could possibly break something, you are doing it wrong—getting breached breaks things, too.
- MFA is required, but not sufficient. Attackers are getting around MFA using social engineering, so you must also have behavior-based monitoring.
- Security is not a one-off cost. It’s like looking after a car — if you don’t do it, at some point you’ll find yourself stuck on the highway.
Okay, well, let’s really dig into the problems, and how to actually fix them.
The First Time I Learned This Hard Truth: The Slammer Worm
I’ve seen some pretty awful days in cybersecurity, but few can match the day the SQL Slammer worm struck in 2003.
- It went global in 10 minutes.
- Brought down banks, ATMs, airlines — essentially anything that had unpatched Microsoft SQL Server 2000 running.
- The patch for the hole it exploited? It had been available for 6 months.
I was dealing with voice and data muxing on PSTN at the time — it seemed cutting-edge back then. And overnight, networks were collapsing because simple patching had been neglected. That was when I had my epiphany: Most cyberattacks aren’t world-class hacks. They’re just taking advantage of laziness.
Zoom forward to now and what do you know? The same continues to happen today. Companies leave known vulnerabilities unpatched for months, sometimes even years, and then feign surprise when they get breached.
The Fix: Patch all of your damn systems
- Automate updates if you can.
- If you are concerned about breaking production, test patches in a sandbox first.
- Prioritize critical vulnerabilities — not all patches are created equal.
- Zero-day awareness. Keep up with cybersecurity news (or, better yet, hire someone to do that for you).
Oh and if you are still running Windows Server 2008—you’re not saving money, you’re buying time until disaster strikes.
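“Prioritize critical vulnerabilities” needs a concrete rule, or the patch queue ends up sorted by whatever the scanner printed first. The script below is an added example (not the post’s, not from any of the banks mentioned): it ranks open findings by known exploitation and internet exposure first, then severity, then how far past its SLA the fix is. The SLA days, weights and the findings list are all constructed; the first finding mirrors the Slammer situation, a patch that has sat unapplied for six months on an exposed database server.

```python
"""Order the patch queue by what actually gets you breached.

Added example, not from the original post. Findings, SLAs and weights are constructed.
"""
from datetime import date, timedelta

# Assumed remediation SLAs, in days from the date a patch became available.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_WEIGHT = {"critical": 40, "high": 30, "medium": 20, "low": 10}

TODAY = date(2024, 6, 1)
# Constructed findings; "sql-01" mirrors the Slammer case: an exposed database
# server whose patch has been available for six months.
SAMPLE_FINDINGS = [
    {"host": "sql-01", "severity": "critical", "exploited_in_wild": True,
     "internet_exposed": True, "patch_available": TODAY - timedelta(days=180)},
    {"host": "intranet-wiki", "severity": "high", "exploited_in_wild": False,
     "internet_exposed": False, "patch_available": TODAY - timedelta(days=10)},
    {"host": "vpn-gw", "severity": "high", "exploited_in_wild": True,
     "internet_exposed": True, "patch_available": TODAY - timedelta(days=3)},
    {"host": "print-srv", "severity": "low", "exploited_in_wild": False,
     "internet_exposed": False, "patch_available": TODAY - timedelta(days=200)},
]


def risk_score(finding, today):
    """Return (score, days_overdue). Higher score means patch sooner."""
    age = (today - finding["patch_available"]).days
    overdue = max(0, age - SLA_DAYS[finding["severity"]])
    score = SEVERITY_WEIGHT[finding["severity"]]
    if finding["exploited_in_wild"]:
        score += 50          # attackers are already using it
    if finding["internet_exposed"]:
        score += 25          # reachable without any prior foothold
    score += overdue // 7    # every week past SLA nudges it further up
    return score, overdue


def prioritize(findings, today):
    """Return findings annotated with score/overdue_days, most urgent first."""
    ranked = []
    for f in findings:
        score, overdue = risk_score(f, today)
        ranked.append({**f, "score": score, "overdue_days": overdue})
    ranked.sort(key=lambda r: (-r["score"], -r["overdue_days"], r["host"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS, TODAY):
        print(f'{r["host"]:14} score={r["score"]:4} overdue_days={r["overdue_days"]}')
```

Note that the three-day-old VPN gateway finding outranks a ten-day-old internal one: a fix that is inside its SLA but already exploited and reachable from the internet beats one that is merely “high” on a wiki nobody outside can see.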
Zero Trust: More Than a Buzzword (Please Believe Me, I’ve Had to Implement It)
I have recently assisted three banks in moving to a Zero Trust Architecture (ZTA). You’d assume that financial institutions already knew all this, but no; they were still assuming implicit trust as long as you were in the network. Big mistake.
Here’s the reality: Act as if every device, user and connection is compromised. Adjust your security model accordingly based on that assumption.
About Zero Trust for Your Business
- No default trust. Having a company laptop does not grant someone unlimited access.
- Strict least privilege. Employees will only have access to what they truly need – not one thing more.
- Continuous authentication. Verifying an identity doesn’t end at login; keep checking whether the session’s behavior still fits the user.
- Microsegmentation. If an attacker gets in, they shouldn’t be able to move laterally.
As much as Zero Trust is today’s solution, some argue it’s overkill for smaller businesses. Those people are wrong. Even small firms are targeted by ransomware. Your size will not keep you safe — your security strategy will.
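Those four bullets are easier to take seriously once you see them as checks that run on every single request. Here is an added example (my own illustration, not code from the post or from any of the banks): a policy evaluator with no implicit allow, explicit least-privilege grants per role, device posture and MFA freshness re-verified each time, and a segment table that limits where a session can reach. Every role, segment, resource and the one-hour MFA freshness limit are constructed values.

```python
"""Evaluate one access request the Zero Trust way: nothing is trusted by
default, grants are explicit, posture is re-checked every time, and segment
policy limits reach.

Added example, not the post's or any bank's code. All policy data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed least-privilege grants: role -> set of (segment, resource, action).
ROLE_GRANTS = {
    "teller": {("branch", "teller-app", "read"), ("branch", "teller-app", "write")},
    "dba": {("db", "core-ledger", "read"), ("db", "core-ledger", "admin")},
}
# Constructed microsegmentation policy: source segment -> reachable destination segments.
SEGMENT_ALLOW = {"branch": {"branch"}, "corp": {"branch", "db"}, "db": {"db"}}
# Assumed limit on how long a completed MFA challenge counts as fresh.
MFA_MAX_AGE = timedelta(hours=1)


@dataclass
class Request:
    user: str
    role: str
    src_segment: str
    dst_segment: str
    resource: str
    action: str
    device_managed: bool
    device_patched: bool
    mfa_verified_at: datetime
    now: datetime


def evaluate(req: Request):
    """Return (allowed, reasons). Any failed check denies; there is no implicit allow."""
    reasons = []
    # Device posture is re-checked on every request, not once at login.
    if not req.device_managed:
        reasons.append("unmanaged device")
    if not req.device_patched:
        reasons.append("device missing required patches")
    # Continuous authentication: a stale MFA proof forces a fresh challenge.
    if req.now - req.mfa_verified_at > MFA_MAX_AGE:
        reasons.append("MFA proof older than allowed; re-authenticate")
    # Microsegmentation: the network path itself must be permitted.
    if req.dst_segment not in SEGMENT_ALLOW.get(req.src_segment, set()):
        reasons.append(f"segment {req.src_segment} may not reach {req.dst_segment}")
    # Least privilege: the role needs an explicit grant for this exact action.
    if (req.dst_segment, req.resource, req.action) not in ROLE_GRANTS.get(req.role, set()):
        reasons.append(f"role {req.role} has no grant for {req.action} on {req.resource}")
    return (not reasons, reasons)


def sample_requests():
    """Constructed scenarios: one clean request and three that should be denied."""
    now = datetime(2024, 5, 1, 10, 0)
    return {
        "teller_ok": Request("alice", "teller", "branch", "branch", "teller-app", "read",
                             True, True, now - timedelta(minutes=10), now),
        "teller_reaching_db": Request("alice", "teller", "branch", "db", "core-ledger", "read",
                                      True, True, now - timedelta(minutes=10), now),
        "dba_stale_mfa": Request("dan", "dba", "corp", "db", "core-ledger", "admin",
                                 True, True, now - timedelta(hours=2), now),
        "dba_unpatched": Request("dan", "dba", "corp", "db", "core-ledger", "admin",
                                 True, False, now - timedelta(minutes=5), now),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, evaluate(req))
```

The teller trying to reach the ledger database is denied twice over (wrong segment, no grant), which is the point: a misconfigured firewall rule alone would not have let that request through, and neither would a misassigned role alone.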
MFA Fatigue Is Real — And Attackers Are Aware Of It
Many companies treat Multi-Factor Authentication (MFA) like some sort of magic protection. But here’s the thing: attackers have evolved.
Ever heard about MFA fatigue attacks? Essentially, hackers flood authentication requests until the user simply accepts one out of sheer irritation — or by mistake. It’s way more common than you may realize.
Smart MFA, Not Just MFA
- Replace approve/deny prompts with number matching.
- Deploy phishing-resistant MFA such as FIDO2 keys.
- Monitor MFA prompts for unusual patterns, and tell users when their account has seen repeated failed attempts.
- Train employees: MFA requests that they didn’t initiate should raise a red flag.
MFA is still needed, but it’s not enough. Security must advance.
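“Monitor MFA prompts for unusual patterns” is where most shops stall, so here is an added example of what that monitoring looks like (my own illustration, not code from the post or any identity provider). It reads a constructed, simplified push log, counts prompts per user in a sliding window, and raises a high-severity alert on a burst of prompts, upgraded to critical if the user approved one at or after the burst, which is exactly the fatigue pattern described above. The log format, the five-minute window and the three-prompt threshold are all assumptions.

```python
"""Flag MFA push-fatigue patterns in identity-provider logs.

Added example, not from the original post. The log format is a constructed,
simplified one:
  <ISO timestamp> user=<name> event=<push_sent|push_denied|push_approved> ip=<addr>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice is hammered with prompts and finally approves one;
# bob gets a single prompt and approves it normally.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T09:00:03Z user=alice event=push_denied ip=203.0.113.7
2024-05-01T09:00:20Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T09:00:22Z user=alice event=push_denied ip=203.0.113.7
2024-05-01T09:00:45Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T09:01:10Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T09:01:30Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T09:01:33Z user=alice event=push_approved ip=203.0.113.7
2024-05-01T09:05:00Z user=bob event=push_sent ip=198.51.100.4
2024-05-01T09:05:04Z user=bob event=push_approved ip=198.51.100.4
"""


def parse_line(line):
    """Turn one log line into a dict with a parsed 'ts' field."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_mfa_fatigue(log_text, window=timedelta(minutes=5), max_prompts=3):
    """Return {user: alert} for users who received more than `max_prompts`
    pushes inside any `window`; an approval at or after the burst makes it critical."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        sends = [e["ts"] for e in evs if e["event"] == "push_sent"]
        peak, burst_end, start = 0, None, 0
        for i, ts in enumerate(sends):          # sliding window over send times
            while ts - sends[start] > window:
                start += 1
            count = i - start + 1
            peak = max(peak, count)
            if count > max_prompts:
                burst_end = ts
        if burst_end is None:
            continue
        approved_after = any(e["event"] == "push_approved" and e["ts"] >= burst_end
                             for e in evs)
        alerts[user] = {
            "prompts_in_window": peak,
            "denials": sum(1 for e in evs if e["event"] == "push_denied"),
            "approved_after_burst": approved_after,
            "severity": "critical" if approved_after else "high",
            "source_ips": sorted({e["ip"] for e in evs}),
        }
    return alerts


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, alert)
```

The “approved after burst” flag is the one to page on: a burst of denials is a user doing the right thing and deserves a heads-up, but a burst followed by an approval means the session that just got created should be treated as hostile until proven otherwise.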
More Hype Than Help? AI in Cybersecurity Up to October 2023
Controversial, but I don’t give a damn: Most so-called AI-powered security solutions are simply fancy automation.
Vendors typically love to slap AI on whatever they sell, but here is what is usually going on:
- Machine learning to find patterns in log data (nice but not very innovative).
- Automated incident response which could be done without AI.
- Nice filtering algorithms that sound intelligent but still need human intervention.
Am I suggesting that AI has no role in security? No. But if a vendor tells you that their AI solution will eliminate all cyber threats — run in the opposite direction. There’s no such thing as complete protection.
The Biggest Risk? Believing Cybersecurity Is Someone Else’s Problem
I’ve been doing this for 30 years. And if there’s one lesson I learned, it’s this: Security fails when people assume that someone else is taking care of it.
I have witnessed this happen too many times:
- IT thinks the security team is taking care of it.
- Security assumes IT has already patched it.
- The CEO thinks, well, we have a firewall, so we’re good.
Meanwhile, attackers are taking advantage of such laxity.
How To Fix This Mentality
- Share the responsibility for security across the organization. This includes everyone, from the CEO to the intern.
- Regular security training. No, not just once a year. Make it ongoing.
- Test response plans. Tabletop exercises, red team assessments — rehearse against realistic attacks.
Because I guarantee you — hackers are already probing your defenses. If you are not doing the same, you are at a huge disadvantage.
Last Week’s Quote: Cybersecurity Is a War of Attrition
Hackers don’t need to penetrate every defense. They just need one weakness. And if it comes down to waiting for you to miss a beat — failing to patch something, recycling a password, neglecting to fix a misconfigured setting — they will pounce.
Your job isn’t to be perfect. It’s to make attacking you difficult enough that it isn’t worth the effort.
I’m going to need another coffee now, excuse me. And probably a nap.
