From PSTN to Zero Trust: Lessons from 28 Years in Cybersecurity

The fresh coffee aroma is barely lifting and I’ve just plonked down into my swivel chair after my third cuppa (yes, third), thinking it’s about time I started sharing some stories and lessons with you all from a career spanning 28-odd years. I began in ’93 as a network admin, when voice and data routed over PSTN pipes were the standard. Fast-forward to today: I am coaching some of the largest banks on upgrading to zero-trust architecture. What has changed in cyber over that time? Mind-boggling.

Allow me to give you the lowdown here: not some dry theory, but gritty, real hands-on experience that’s molded me into what I am today. Spoiler: It’s been rocky, sometimes frustrating, but always instructive.

Old-School Networking and The Slammer Worm Disaster

I can still recall it like it was yesterday. OK, 2003. I was drowning in setups with voice as well as data flying about. All those legacy systems, all those humdrum multiplexers, and then the Slammer worm blew up across the world, spilling out over networks that were not prepared for it.

If you remember, Slammer was an itty-bitty worm exploiting a SQL Server bug, and it went pandemic. I saw our network stats spike as it happened, the kind of traffic spike that screams WE’RE UNDER ATTACK.

Lesson 1: If you can’t segment off your most critical assets, you are a sitting duck. We had to rapidly construct firewall rules and segregate SQL servers, but zero trust going mainstream was still a few years in the future. Fast forward 20 years, and I’m now helping banks build exactly that: no implicit trust anywhere.

Zero-Trust, Not All Hype

My team and I recently completed zero-trust architecture upgrades for three large banks. I can tell you this much:

  • Zero-trust is not just changing your password policies.
  • It’s all about ongoing verification. No device is trusted, no user is trusted, no request is trusted.
  • Micro-segmentation is key.

But here’s a slight tangent: instead of getting worked up about insane password rules, all you password obsessives should be concerned with multi-factor authentication (MFA). Seriously, if you make MFA optional or difficult, you’re leaving yourself wide open.

And yeah, I’m aware that some people believe password managers are the be-all and end-all. They’re excellent, but you’d better not leave behavior analytics out. You want a system that raises a flag over weird access patterns, not one that merely holds all kinds of “hard to crack” passwords.

Hardware Hacking: The Buzz at DefCon’s Hardware Village

I just returned from DefCon last week and man, that hardware hacking village was an eye opener. Hacking open old servers, routers, and firewalls helped me realize how physical security is often taken for granted.

Because the thing is: however tight your software defenses, if I can just walk up to an internet-connected device and plug my USB stick into it, or use debugging ports that have not been locked down, you’re screwed big time.

You’ve heard me say this previously but it bears repeating:

  • Physical security is the weakest link (note: this directly impacts the security of services delivered from the datacenter).
  • All management interfaces must be protected.
  • Countermeasures such as enabling device lockdown modes and tamper detection can protect your infrastructure.

A hardware village is always a great reminder of just how far we’ve all come from handling raw networking gear. But also, how progress can sometimes mean returning to the basics.

The Importance of Nostalgia in Cybersecurity

I find myself wistful for networking and security tools of the early 2000s. Why? Because that foundation matters — a lot.

Remember SNMP v1? Insecure by design and, what’s worse, still present in a myriad of legacy systems today. I have watched organizations get hit because they never did patch or segment those devices.

This is why I always insist that clients build a detailed asset inventory and know their infrastructure better than their own IT. Legacy bugs and forgotten devices: those are your quietly rattling saboteurs.

Let’s Be Real for a Second: AI-Ready Products, You’re on Notice

I have to say, I am skeptical of the never-ending buzz around AI-powered cybersecurity tools. And this is not to say I don’t believe in the potential of machine learning, but:

  • AI is only as good as the data it’s given
  • It’s not a wand you wave to fix bad security policies
  • Human complacency: Relying too much on AI causes complacency

It wasn’t very long ago that I reviewed a vendor’s AI firewall demo, and while it certainly was exciting on paper, it failed miserably to flag some basic brute-force attempts in real time while I was testing it.

Here’s a novel idea — you don’t substitute the fundamentals with AI. You augment them.
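As an added illustration (not code from the original post or from any vendor), this is the kind of deterministic baseline rule that should catch basic brute-force attempts regardless of what an AI layer does: a per-source sliding window over failed logins, escalating when a flagged source then succeeds. The log format, threshold and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <source IP> <user> <FAIL|OK>".
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 admin FAIL
2024-05-01T10:00:05 198.51.100.20 bob FAIL
2024-05-01T10:00:08 203.0.113.7 admin FAIL
2024-05-01T10:00:16 203.0.113.7 admin FAIL
garbled line
2024-05-01T10:00:24 203.0.113.7 admin FAIL
2024-05-01T10:00:32 203.0.113.7 admin FAIL
2024-05-01T10:00:40 203.0.113.7 admin OK
2024-05-01T10:06:00 198.51.100.20 bob FAIL
2024-05-01T10:06:10 198.51.100.20 bob OK
"""


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (kind, source, timestamp) alerts from chronologically ordered events."""
    failures = defaultdict(deque)  # source IP -> failure times inside the window
    flagged = set()                # sources that already tripped the rule
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue               # skip malformed lines instead of crashing
        stamp, src, _user, outcome = parts
        try:
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            continue
        if outcome == "OK":
            # A success from a source that already tripped the rule gets escalated.
            if src in flagged:
                alerts.append(("success_after_bruteforce", src, stamp))
            continue
        if outcome != "FAIL":
            continue
        q = failures[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged.add(src)
            alerts.append(("bruteforce", src, stamp))
    return alerts
```

The occasional mistyped password from 198.51.100.20 stays below the threshold, while the burst from 203.0.113.7 is flagged and its later success is escalated.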

My Password Policy Take

All right, some of you are rolling your eyes, but hear me out.

Most password complexity requirements are over the top. Here’s why:

  • Users jot them down or reuse them anyway
  • Without MFA enabled, those complex passwords, lacking context, count for nothing
  • Security posture improves significantly once you zero in on user behavior and detection.

That means investing in continuous monitoring, risk-based access and behavioral biometrics. That may sound fancy, but the recipe is good old-fashioned common sense with modern tech.

So when your IT department bugs you about password length and special characters, push back and ask, “What about adaptive risk scoring?”

Quick Take: What Do I Need to Do Right Now?

  • It doesn’t matter where you are on your journey, whether you are starting out or years into it, start with visibility: know what your assets are — what is the hardware, what is the software, what are the interfaces.
  • Segment as if your network life depended on it (it does)
  • Take zero trust seriously: allow only what is necessary, period.
  • Don’t place all your eggs in the AI basket; verify your defenses using hands-on testing
  • You must use MFA.
  • Physical and device security should form a part of your threat model

Concluding (Before More Coffee)

Here I am after all these years, continuing to learn, and continuing to make mistakes. Like the time I forgot to shut down one switchport during a network lockdown (I did feel the fire that day, yes). Yet those missteps codified my process:

There is never a “set it and forget it” when it comes to security. It’s alive, breathing, changing. And so is your adversary.

If you want actual security, buy into the basics, challenge the latest buzzwords, and never assume your systems are too large or too secure to escape notice.

And hey — if you want to talk about strengthening your architecture from PSTN-age vulnerabilities to modern zero trust, reach out to us at P J Networks. We’ve walked the walk, and we are pleased to guide you through how to avoid the mistakes I’ve observed — and yes, survived.

Okay, one more gulp, and back to the trenches. Wait, watch, and never underestimate the value of a decent firewall.

Sanjay Seth
P J Networks Pvt Ltd