Just another zero-trust pub sub, parasite network (3 coffees deep)

It’s amusing that all these years later (yes, I started in a traditional sysadmin role, title and everything, back in ’93), when the big concern was keeping PSTN lines open and juggling multiplexers to carry voice and data at the same time, we are still dealing with core trust issues. That said, cybersecurity has not merely changed. It has become a monster that demands respect for the power it wields, and a certain subtlety too… ohh… and perhaps an irreverent eyeball roll?

Slammer worm, I remember you so well. It was the bullet-train-fast worm that tore through networks, aimed squarely at SQL Server vulnerabilities we hardly knew existed. That was when we saw the first signs of how patching delays leave systems fragile and, in turn, interesting to attackers.

Fast forward to today. I run my own security consultancy, P J Networks Pvt Ltd, and have recently been advising several banks on updating their zero-trust frameworks. These projects brought home the importance of knowing the architecture rather than just ticking vendor-sanctioned checkboxes. I’m not sure how to sum up my recent DefCon trip: as ever I’ve come away absolutely fizzing, especially after a visit to the hardware-hacking village, which has got me musing on vulnerabilities that aren’t only about software. Physical hardware security, in other words (spoiler: it does not get enough consideration).

So sit back (or swivel-chair-bob if you can), because I am about to pass down some tough love, share some of those experiences, and deliver one big nerdy rant (you have been warned) about our struggle with cybersecurity solutions.


From PSTN: A Walk Back to the Old Days

In ’93, my world was network administration, voice and data lines, and getting them to share a wire. An example from that world: multiplexers (MUX) that let you cram more signals over a single PSTN line. Everything was about high availability and TOTAL UPTIME! Security and encryption were always in the shadows, ignored as long as calls went through and data kept flowing.

But the foundation I laid down then? Priceless. Once you know how data moves, you have the basis for detecting anomalies in traffic, e.g. the weird traffic during the Slammer outbreak. If that worm dropped today, those networks would not be ready. It was one of the fastest worms we have seen, spreading within a few hours; it grounded organizations that could not segment or isolate traffic quickly enough to contain it.
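The kind of traffic anomaly the Slammer paragraph alludes to, as an added example that is not from the post: a small fan-out detector run over constructed flow records, flagging a source that suddenly contacts many distinct hosts on UDP/1434. The record format, the field names, the addresses and the thresholds are all assumptions made for this example.

```python
"""Fan-out detector for scan-like worm traffic in flow records (added example).

A Slammer-infected host blasts UDP/1434 at many random addresses, so the
signal is an abrupt jump in the number of *distinct* destinations one source
contacts on that port within a short window; a server talking to its usual
SQL Servers never gets near the threshold. The record format, thresholds
and addresses are assumptions constructed for this example.
"""
from collections import defaultdict

def build_sample():
    """Constructed flow records: one normal host and one fanning-out host."""
    lines = ["# ts,src,dst,proto,dport  (constructed sample)"]
    for i in range(6):  # app server polling its two SQL Servers every 30 s
        lines.append(f"{i * 30},10.0.1.10,10.0.2.{5 + i % 2},udp,1434")
    for i in range(12):  # infected host hitting 12 distinct hosts in 12 s
        lines.append(f"{100 + i},10.0.1.77,198.51.100.{20 + i},udp,1434")
    lines.append("105,10.0.1.77,10.0.3.9,tcp,443")  # unrelated, filtered out
    return "\n".join(lines)

def parse_flows(text):
    """Parse CSV flow lines into (ts, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split(",")
        flows.append((int(ts), src, dst, proto.lower(), int(dport)))
    return flows

def fanout_alerts(flows, proto="udp", dport=1434, window=60, threshold=10):
    """Return {src: peak distinct destinations in any window} at or above threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, p, d in flows:
        if p == proto and d == dport:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            # distinct destinations in the window [t0, t0 + window)
            in_window = {dst for ts, dst in events[i:] if ts < t0 + window}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts

if __name__ == "__main__":
    print(fanout_alerts(parse_flows(build_sample())))  # {'10.0.1.77': 12}
```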

Lesson? Security comes from knowing your infrastructure extremely well. So now, when a prospect asks me “should we adopt zero-trust?”, I say: only if you can map out your network down to every router and firewall; otherwise forget about it.


Beyond the Buzzword: Implementing Zero-Trust

Most recently, I helped three mid-sized banks migrate to a zero-trust architecture. Why banks? Because financial data is a juicy target. Zero-trust is simply the principle of never trust, always verify.

In practice, however, zero-trust is more like tuning a high-performance engine:

  • You must know all the things (user, device, app, network)
  • Expect constant revalidation
  • And DO NOT fall into the “set it and forget it” trap

That is where a lot of organizations get caught. They implement MFA and enable micro-segmentation but forget monitoring, for example. That’s like… buying a car with anti-lock brakes and then flooring it on an icy road. You have to fine-tune constantly.

That said, my more controversial take is this: AI-driven security is snake oil, nothing else. AI may help, but it cannot replace human judgment, especially in the complex, nuanced game of cybersecurity. Every zero-trust rollout I have been part of was underpinned by human authority and mature procedures, not sexy dashboards spamming you with alerts you will never get to.


Hands-On Lessons: DefCon Hardware Village, Physical Security Matters

I just got back from DefCon and I am still buzzing from the hardware hacking village. Watching people crack devices reinforced that once a device is physically accessible, all your software defenses mean nothing.

Takeaway:

  • Physical security is cybersecurity
  • Secure your actual hardware the way you secure your network
  • Do more than just software patches: at the very least use tamper-evident stickers, lock your server rooms and practice access control like your life depends on it

I think this is not given enough emphasis. Cybersecurity leaders may obsess about firewalls, intrusion detection and endpoint management, but how many have a hardened security posture in their data centers or branch offices?


Enough Already With The Password Policies

Rant incoming. Password policies are the red-headed stepchild of security. All you see are 20-character minimums, complexity requirements and forced changes every 30 days, and then people wonder why users write passwords on sticky notes.

Here’s the thing:

  • Length trumps complexity
  • Rotation has its place, but frequent forced changes, one right after another, bring no benefit
  • Passphrases (e.g. random words such as bluePasta87$car) are easier to remember and hard to crack

I learned this the hard way: annoying password policies only push users towards insecure workarounds. Focus instead on adopting multifactor auth and educating your users; make security a team game.


Quick Tips That Are Actually Helpful

For those of you with limited time, here is the short no-nonsense version:

  • Understand your network before you design security
  • Zero-trust is not a product; it is an ongoing process
  • Keep a healthy skepticism around ‘AI-powered’ security tools; don’t believe the hype
  • Don’t overlook physical security; hardware hacks are a thing
  • Update password policies to emphasise length, usability and MFA
  • Take cues from past epidemics (hi there, Slammer!): patch quickly and segment networks

Conclusion: Experience Does Matter After All

One question I am frequently asked is how cybersecurity has evolved since I began. Sure, the tools got cleverer, the attacks sneakier and the networks more intricate. It can be tricky, but one thing never changes: the basics. You cannot automate trust, and you cannot fire-and-forget your security posture either.

Early on, I used all the wrong solutions, trusted what was there, and got burnt. But there is one piece of wisdom I will pass on to anyone trying to build a modern defense-in-depth approach.

Experience counts. Another set of tools is not the answer; knowing your environment, seeing threats coming and out-adapting your opponent always wins.

This is true for Matchstick in 2024 and it was true for me as a network admin: keep learning, stay skeptical, and never underestimate the simple things.

Right, coffee number four. Now go make sure your network is segmented, your passwords are long and no one can plug a PS4 into your servers.
