Zero Trust and Hardware Hacks: Real Cybersecurity Experiences from the Trenches
Sanjay Seth here, checking in, on coffee No. 3 of the day. You know how it goes. I’ve been doing cybersecurity since before I crawled out from under MTU tables in 1993, starting out as nothing more than a humble network admin wrangling PSTN muxes and data lines that were past their prime. Fast forward twenty-odd years from then, and now I run my own security consultancy, P J Networks Pvt Ltd. I just returned from DefCon’s hardware hacking village — still riding high on all the shiny toys, and next up are zero-trust upgrades for three banks. So I wanted to share some real stories and lessons learned over the years.
Because, let’s be fair — you can read zero trust whitepapers till your eyes glaze over, but nothing beats doing it.
The Slammer Worm Experience: Back When Worms Burned the Net
I’ll never forget the Slammer worm in 2003. If you missed it — lucky you. Slammer was really fast, propagating on UDP port 1434 and inundating networks around the world in minutes. My team was wrangling networks where voice and data shared PSTN mux lines, and those went pew pew pew.
And here’s the kicker: when Slammer struck, it didn’t just slow things down; it broke them. Routers froze, firewalls sputtered.
Lessons from Slammer?
- A small exploit = large infrastructures crumbling.
- Even then, zero trust was a great concept — but we had neither the tools nor the motivation.
- Firewalls weren’t “smart” enough — most of them simply blocked entire ports or protocols, which stopped Slammer, yes, but also a lot of legitimate business traffic.
Today most security folks have forgotten the panic of those moments: the silence before the alarms, the Windows boxes that weren’t patched because, let’s be honest, everything was “working well enough”. I was one of those people — I thought it was perfectly fine to miss an update or two. Bad move. Very bad.
Zero Trust: A Buzzword and a Necessity
Zero trust architecture (ZTA) is the hot topic these days. I just helped three large banks rip out their legacy networks. These were places still stuck in perimeter-based defenses — think a castle and moat — but with threats evolving like wildfire, you simply couldn’t hang your hat on perimeter defense.
Here’s what we focused on:
- Microsegmentation — Dividing the network into small segments that users and systems need explicit access to. No more flat-network mistakes.
- Authentication — Not only at login. We added identity-aware proxies and adaptive risk scoring.
- Enforced Least Privilege Access — No more “everyone has a VPN forever.” Sessions are brief, and rights are reassessed each month.
- Real-time Visibility and Analytics — All the logs. And trusting nothing until it’s verified.
- Multi-factor Authentication — Always. No exceptions.
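To make that list concrete, here is an added example (written for this post, not code from any bank or product) of a tiny policy engine that decides one request the way those five points demand: an explicit allow-list per microsegment, MFA always, short sessions that get re-checked, least privilege by role, and an adaptive risk score that steps up or denies. The segment names, role names, thresholds and risk weights are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed allow-list: which roles may reach which segment. Unlisted = denied.
SEGMENT_ALLOW = {
    "core-banking-db": {"dba"},
    "swift-gateway": {"payments-ops"},
    "branch-apps": {"teller", "payments-ops", "dba"},
}
MAX_SESSION_SECONDS = 15 * 60   # assumed: sessions are brief, then re-verified
STEP_UP_RISK = 40               # assumed: demand fresh MFA at or above this
DENY_RISK = 70                  # assumed: refuse outright at or above this

@dataclass
class Request:
    user: str
    role: str
    target_segment: str
    mfa_verified: bool
    session_age_s: int
    device_managed: bool
    geo_new: bool          # login from a location never seen for this user
    failed_logins_1h: int

def risk_score(req: Request) -> int:
    """Adaptive risk: additive signals, capped at 100 (weights are assumptions)."""
    score = 0
    if not req.device_managed:
        score += 30
    if req.geo_new:
        score += 25
    score += min(req.failed_logins_1h, 5) * 10
    return min(score, 100)

def decide(req: Request) -> str:
    """Return 'allow', 'step-up: <why>' (fresh MFA needed) or 'deny: <why>'."""
    if not req.mfa_verified:                       # MFA always, no exceptions
        return "deny: mfa-required"
    if req.session_age_s > MAX_SESSION_SECONDS:    # brief sessions, re-check
        return "step-up: session-expired"
    if req.role not in SEGMENT_ALLOW.get(req.target_segment, set()):
        return "deny: segment-not-permitted"       # least privilege per segment
    score = risk_score(req)
    if score >= DENY_RISK:
        return f"deny: risk={score}"
    if score >= STEP_UP_RISK:
        return f"step-up: risk={score}"
    return "allow"
```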
And yes, there is pushback on implementing zero trust: “It’s too complicated”, or “Our users hate it”. The thing is — a secure network is not about making users’ lives easy, it’s about not having your bank’s deposits stolen by hackers.
I’m a little old school — but I see zero trust as the next generation of the enterprise network defenses I’ve spent decades patching and rebooting. If only you could have told past-you, am I right?
The Hardware Hacking Village at DefCon — Why It’s Still Relevant
I returned from DefCon a week ago and spent an eternity in the hardware hacking village. Why am I so excited about this?
Because not all cybersecurity is, you know, software and encrypted tunnels.
Physical vulnerabilities in routers, servers and firewall appliances are still overlooked.
- None of the fancy AI or heuristic detections matter if someone can reach around, open your firewall box and insert a rogue device. You’re owned.
- Hardware hacks are an uncomfortable truth: a screwdriver can get you past your perimeter.
And a small rant: I’m very skeptical of the AI-powered security solutions I see hitting the market. That word is thrown around as if it’s magic dust. In truth, AI is nothing more than pattern matching — and if your hardware or network has been compromised, AI cannot overcome a faulty physical architecture.
Some Thoughts — Old Tech, New Challenges
In the old days I used to run multiplexers with voice and data down PSTN lines. For those who didn’t see it — picture attempting to cook a gourmet meal on a camp stove: slow, noisy and constantly needing babysitting. Today’s networks are smart gas ovens with timers, gauges and alarms.
But those old days taught me patience — and how every bit and byte matters.
It also taught me to be cautious about the hype:
- Not every new “security product” deserves a seat at your table.
- Numerous vendors sell “one-size-fits-all” solutions. Spoiler: that size doesn’t exist.
- When you place the entirety of your security stack capabilities in the hands of a single vendor, you’re setting yourself up for trouble.
Quick Take: What Do I Have to Offer?
If you’re skimming, here’s the no-frills take:
- Security is about layers, not a silver bullet.
- Zero trust IS your best defense today, for banks, enterprises and more.
- Ignore hardware vulnerabilities in real-world systems at your own risk.
- Patch without mercy — even small amounts of downtime can be deadly.
- Question AI-powered claims — know what you’re buying.
- User convenience matters — but not at the expense of security.
- Retro lessons count. Lessons from 1993 and 2003 yield nuanced takeaways for today.
What About Passwords? My (Slightly Heated) Take
I’ll admit it: I’m a bit of a Luddite in this regard, though hear me out.
The password policy is a necessary evil, but many organizations do it in a pretty ridiculous way. Too many:
- Enforce ridiculous complexity requirements.
- Force regular password resets that result in sticky notes stuck on monitors.
- Don’t consider password managers (for reals, why?).
- Don’t pair passwords with MFA by default.
Here’s a better approach:
- Advocate for passphrases — lengthier and more memorable.
- Use multi-factor everywhere you can — SMS is better than nothing but push for apps or hardware tokens.
- Avoid forcing people to reset passwords unless there’s evidence of compromise.
I’ve seen way too many breaches from weak or reused passwords. It frustrates me to no end that the security community still occasionally treats users as the enemy rather than as a partner.
Final Thoughts — What Motivates Me
Cybersecurity is a wild ride. While the technology and threats have changed — from JSON injection attacks to killing multiplexers to fighting the Slammer worm to the need for zero trust in banks — the core principles remain the same.
I started P J Networks because I want to help businesses build reliable networks. Not trust because a checklist said so, but trust because these solutions have been tried, tested and proven in real-world battles.
If you’d like to talk about upgrading your firewall, securing your routers or auditing your servers, shoot me a note.
Because — and that’s the thing — security is not a product, it’s a practice. It takes a lot of grit, smarts and, yes, coffee.
Cheers,
Sanjay Seth
P J Networks Pvt Ltd
Cybersecurity Consultant since 1993