How Cybersecurity Has Evolved: From PSTN to Zero-Trust Frameworks
I am sitting here at my desk, third coffee in and, yes, buzzed out of my brain, marvelling at how much cybersecurity has changed since I was a network admin back in 1993. At that time my world was everything you could care to know, and more, about voice and data over the PSTN, including networking and mux. The tech looks ridiculously old compared to today, but it had a big impact on how I see the security issues that surround us. And that down-and-dirty, hands-on time with legacy systems? It is a nugget of pure gold when you wrestle with the challenges being thrown at us today.
The Slammer Worm: Early Lessons in Cybersecurity
Exhibit A: the Slammer worm, barging in just after midnight on a clear, unsuspecting night in 2003. I remember watching that thing bulge its way through networks faster than I would have thought imaginable, transmogrifying whole swarms of your basic low-security SQL Server boxes into digital zombies. This was an early lesson in why patching is not simply IT hygiene, but rather the difference between life and death. I remind folks, to this day, that if you do not believe that staying a few weeks behind on your patch releases is significant, picture a worm knocking and us foolishly leaving a door unlocked…
Modern Security Consulting and Zero-Trust Approaches
Now: security consulting at my own firm, which lets me dive headfirst into modern challenges, from firewalls all the way to a zero-trust, remote kind of approach. Over the last month I worked with three banks to revise their zero-trust frameworks, an experience akin to performing open-heart surgery whilst also changing the patient’s medical records. But it is not only about fancy tech. It is a question of confidence, or rather, the very deliberate erosion of it.
Zero-Trust is Not a Magic Fix
Many tout zero-trust as a panacea. But it’s not. If driving fast (i.e. moving data efficiently and swiftly) is your Web 1.0 meme from the “dammit Jim” era, I see zero-trust as your braking system: not something you rely on to do the job, but essential for stopping you before you crash when all else fails! Like missing brakes on a descent, if your identity management or microsegmentation ain’t right, the whole system falls to pieces.
Insights from Bank Zero-Trust Projects
These bank projects illustrated what I realised was quite painfully obvious:
- Zero trust is synonymous with identity verification in perpetuity. Trust nobody, verify relentlessly.
- Network segmentation is no longer a nice-to-have, but an essential. Think of it more like neighborhoods of data centers. You are going to want some insulation so that one fire in a house does not burn the whole block.
- Legacy systems always fuck up the plans. So you upgrade to some new firewalls, only for that decade-old app of yours to still be around making your life annoying as well.
Hardware Security: Lessons from DefCon
Speaking of wrenches, I just got back from DefCon and man, that hardware hacking village is lit af. As you watch hackers dissect dozens of devices, from routers to IoT, you realize that this security-after-the-fact mentality is all too common among manufacturers. That’s like building a performance racecar and forgetting the seatbelts. Hardware security is not sexy, but it is required.
Skepticism Towards AI-Powered Security Solutions
Oh, and I am still skeptical, nay, flat-out untrusting, of all those gleaming self-proclaimed “AI-powered” security solutions that people are so desperate to hawk. Here’s the catch:
- AI is a tool, not a savior. Just like blindly trusting autopilot without understanding how it works at all, relying on it too much can be harmful as well.
- Other AI assertions are nothing more than good old-fashioned marketing fluff. If you can’t reverse-engineer an algorithm or at minimum audit it yourself, are you deploying security, or just wishing?
Password Policies: The Developer’s Rant
At this point, let me take a break and rant on a topic close to the hateful developer within me: password policies. Oh boy, do I have opinions. I see companies mandating passwords that might as well have been typed by a housecat discovering the computer for the first time and requiring them to be changed every 30 days. Why? Over time it has led to predictable behaviors: sticky notes on monitors, password1, password2, and password3. This is not security. It’s a recipe for disaster.
My Brief Opinion on Passwords
- Passwords should be long and easy to remember — for example, passphrases.
- Don’t mandate arbitrary complexity thresholds just to annoy users.
- Start allowing and encouraging password managers — yes, really, get over the story that they’re unsafe.
- One to end them all: multi-factor authentication (MFA). That simple, full stop.
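A sketch of the policy these bullets describe, as an added example that is not from the original post: length is the only structural requirement, there are no composition rules, and a change that only bumps the suffix (password1 to password2) is rejected. The 15-character minimum, the tiny blocklist and the function names are assumptions of this example.

```python
import re
from typing import List, Optional

MIN_LENGTH = 15  # assumed threshold for this example, not a figure from the post
COMMON = {"password", "letmein", "qwerty", "welcome"}  # constructed mini blocklist


def stem(password: str) -> str:
    """Case-fold the password and drop trailing digits and symbols."""
    return re.sub(r"[\d\W_]+$", "", password.casefold())


def review(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the reasons to reject `candidate`; an empty list means accept.

    `previous` is the old password the user types during the change,
    never a plaintext copy kept by the server.
    """
    problems = []
    # Length is the only structural rule: no "one digit, one symbol" demands.
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    # Screen against known-bad choices, ignoring decorations like "1!" at the end.
    if stem(candidate) in COMMON:
        problems.append("common password")
    # The rotation habit: same word, next number.
    if previous is not None and stem(candidate) == stem(previous):
        problems.append("only the suffix changed")
    return problems


if __name__ == "__main__":
    for new, old in [
        ("password2", "password1"),
        ("Tr0ub4dor&3", None),
        ("correct horse battery staple", None),
    ]:
        print(repr(new), "->", review(new, old) or "accepted")
```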
The Art and Science of Cybersecurity
The reality is that cybersecurity is part art, but also quite a bit of science. It is akin to cooking a difficult recipe: you cannot just dump all the ingredients into a bowl without understanding why. It’s the same with security controls; you need to strike a balance.
Is it all coding and software security? Oh sir, no. Having been in charge of network mux for the PSTN and now working with routers and firewalls, I can say the hardware plays a significant part, one that is often overlooked.
Routers and such can be your soundest friend or your fiercest foe, like owning a car with power steering but using crank handles because the steering column linkages are rusted. No ifs, ands or buts about it: preventing breaches means keeping tabs on configurations and patches.
Quick Practice Tips Based on Four Decades of Experience
- Do not allow default credentials on your routers or firewalls. Ever.
- Harden those devices by shutting down unneeded services. And seriously, if you can get away with not exposing SNMP and Telnet, then don’t expose them.
- Network monitoring isn’t just syslog. Treat it as if you were a detective searching for clues in logs. Crashes are not always anomalies; they also slowly and secretly build.
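One way to check the first two tips against a saved device configuration, as an added example that is not from the original post. The Cisco IOS-like syntax, the sample config and the default lists are constructed assumptions; the post names no platform.

```python
import re

# Constructed sample in a Cisco IOS-like syntax (assumed format for this example).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username admin password 0 admin
username netops secret 9 $9$constructedhashvalue
snmp-server community public RO
snmp-server community Xk29vLmq RO 10
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Constructed lists for the example; extend with your vendors' factory defaults.
DEFAULT_LOGINS = {("admin", "admin"), ("cisco", "cisco"), ("root", "root")}
DEFAULT_COMMUNITIES = {"public", "private"}


def audit(config):
    """Return (line_number, finding) tuples for the hardening tips above."""
    findings = []
    section = ""
    for number, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if raw and not raw[0].isspace():
            section = line  # an unindented line starts a new config section
        user = re.match(r"username (\S+) password (?:\d )?(\S+)", line)
        if user and (user[1].lower(), user[2].lower()) in DEFAULT_LOGINS:
            findings.append((number, "default credentials: " + user[1]))
        snmp = re.match(r"snmp-server community (\S+)", line)
        if snmp and snmp[1].lower() in DEFAULT_COMMUNITIES:
            findings.append((number, "default SNMP community: " + snmp[1]))
        # Telnet only matters inside a remote-access (vty) line section.
        if section.startswith("line vty") and line.startswith("transport input"):
            if {"telnet", "all"} & set(line.split()[2:]):
                findings.append((number, "Telnet allowed on " + section))
    return findings


if __name__ == "__main__":
    for number, finding in audit(SAMPLE_CONFIG):
        print(f"line {number}: {finding}")
```

Run it against configuration backups on a schedule, so a reintroduced default or a re-enabled Telnet line shows up as a diff in the findings.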
The Grand Lesson: Importance of Cybersecurity Fundamentals
So, what is the grand lesson from my journey, from mux and PSTN to zero trust and hardware hacking villages?
Cybersecurity remains an ever-evolving battlefield, but the importance of the basics will not change. You cannot build skyscrapers on patches of quicksand or pretend that AI-powered solutions are bulletproof shields.
Quick Takeaways
- Patch early, patch often. Slammer taught us this the brutal way.
- Zero-trust is not a fix-it-and-forget-it plan. It’s continuous validation.
- All of your software defenses can be wiped away by hardware vulnerabilities.
- Take marketing buzzwords with a grain of salt; true security is complex and nuanced.
- Password policies need adjusting: what human users do, and usability, matter.
- Firewalls and routers are not plug-and-play; you need a professional to configure them.
Final Analogy: Treat Cybersecurity Like an Old Classic Car
Here is an analogy that I will leave you with, because I love them: Take care of your cybersecurity like an old, classic car. You can’t take the new turbocharger and throw it in a car and be automatically on top of the podium. You keep up on everything — the engine, the brakes, even the tires. You have one weak link and the whole ride is done for.
And sometimes I do indulge in some nostalgia over those early network days: the simplicity, the true hands-on-ness. However, the kind of complexity that we have to deal with now more than makes up for all of those difficulties. So if you are considering this and are not sure where to start, then I can tell you one thing: fundamentals. Your company’s security (and that of those around you) depends on it.
Excited to bring back more true stories and learnings from the frontlines, as our field continues to grow. Pin those firewalls down and drink that coffee with purpose for now.
—Sanjay Seth
P J Networks Pvt Ltd
