Reflections on Two Decades in Cybersecurity

Three, but maybe four coffees deep. Honestly, I’ve lost count. Yet here we are, over two decades later from… on my desk… reflecting back on all the chaos and calm that has followed these interruptions throughout my years in cybersecurity. I see the network from time to time, although it’s been a decade and a half since I scraped my knuckles on Teridian TL1 (remember TL1?) in the middle of the night for slow-as-molasses 56 kbps FRADs that connected VoIP traffic over long-haul copper. But some things stay the same.

Back in the early 2000s… there was the May 2003 Slammer worm epidemic, and I had first-hand experience of it. The little daemon started zooming through SQL servers faster than a racecar coming out of the gates, causing network havoc around the globe. That pretty much drilled into me how quickly and maliciously vulnerabilities can spread. If you believe that the threats we now face are bad (and you should), well, trust me, we have seen worse; just of a different flavor.

Fast forward to the present: I own a security company, P J Networks Pvt Ltd, and in the past few months have rebuilt zero-trust architecture for three banks. Yep, three separate financial institutions. Talk about a high-pressure situation. Zero-trust is more than a buzzword; it’s the future, and if you don’t adopt it soon you might as well wear a sign saying “try to breach here”. I also just got back from DefCon, and man, was I feeling it: the hardware hacking village made me feel like I had watched a bunch of magicians pulling vulnerabilities out of places where you thought nothing existed.

On Why Real Experience Matters Most (Scroll Down For Theory)

People always ask me, “Sanjay, how do you keep up with cybersecurity?” We can discuss theories and compare which vendor has the most well-produced marketing brochure, but at the end of the day real-world experience trumps all. You learn the things that no certification can teach. Remember the Slammer worm? Sure, it was about more than just patching; it was about understanding how and why those systems were exposed.

Back when I was a network admin running those old PSTN muxes, you had to be part hardware whisperer and part network detective. The voice and data multiplexing was rudimentary by today’s standards, but if it failed, an entire company could grind to a halt. The stakes are pretty much the same, but the technology has evolved.

And it’s not like the frameworks we use now (zero-trust, etc.) are particularly new; they’re just making explicit what most of you (intuitively!) have known and had to apply for decades now. Zero-trust: don’t trust anything inside or outside your perimeter. You will find this basic, not ingenious, but the fact is, too many firms still behave as though the internet was their open-gate backyard.

Zero Trust Renovations: Lessons Learned from Banking

We had our hands full just with three banks looking to enhance their zero-trust. Financial institutions are the top target, and legacy systems can be a horror show. I had to play multiple roles: consultant, project manager and unpaid therapist (for overworked IT teams).

Some key takeaways:

  • Inventory EVERYTHING: You can’t secure what you don’t know you have — servers, routers, firewalls, IoT devices — list them with neurotic granularity.
  • Micro-segmentation: Dividing up the network into smaller, more easily controlled pieces makes it harder for threats to move laterally.
  • Multi-factor Authentication (MFA) everywhere: arguably the most straightforward mitigation and still one of the most assured ways to keep evils at bay.
  • Continuous Monitoring: Zero-trust never sleeps. Real-time visibility and response are essential.

So here is a little advice: there is no single answer for all. This leads to vendors putting forward AI-powered solutions that sound like something out of a sci-fi movie but are all too often overly complex oracles offering at best fuzzy answers. I just cannot trust the AI-powered security solutions, maybe because most of these kinds of terms are just marketing fluff without much actual substance. There are areas where AI can be helpful, though you want to make sure not to relinquish your judgment completely to a black box.

DefCon’s Hardware Hacking Village: It Still Blew Me Away

For instance, I just got back from DefCon, and the hardware hacking village still amazes me every time. When you think of cybersecurity (you will probably only make it a single word), your mind likely jumps straight to software — patching, detection, firewalls. But the physical layer? Things like attacking USB controllers, bypassing firmware protections—it’s a jungle of opportunity.

They demonstrated exploits in devices we see every day: routers, network appliances, even ATMs. Oh, and if you are not considering hardware, see also: locking the front door while leaving the basement window open.

Password Policies—A Rant (Brace Yourself)

Sorry, I want to get this out of my system: password policies. Companies still expect us to set a password like Pa$$w0rd123 and then change it every 30 days. This is the cybersecurity equivalent of making everyone obsessively wash their hands with sandpaper.

Here’s the reality:

  • Predictable patterns emerge from complex password requirements
  • Chronic and forced changes lead to password fatigue and reuse
  • Users just start writing their passwords down… on post-its stuck to the sides of their monitors

Instead, focus on:

  • Using long, memorable passphrases
  • Implementing MFA
  • Utilizing password managers

Security policies surrounding passwords need to be about enabling security, not making everyone miserable.
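
To make the contrast in this section concrete, here is an added example (not part of the original post) that runs the Pa$$w0rd123 password from above through a classic composition rule and through a length-first passphrase rule. The five-word denylist, the 15-character minimum and all function names are assumptions made for illustration.

```python
import re

# Constructed sample denylist (assumption); production checks would use a
# breached-password corpus instead of five words.
COMMON_BASE_WORDS = {"password", "welcome", "qwerty", "letmein", "admin"}

# Substitutions people reach for to satisfy composition rules.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l",
                      "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"})

MIN_PASSPHRASE_LEN = 15  # assumed threshold for this example


def legacy_complexity_ok(pw: str) -> bool:
    """Composition rule: 8+ chars with upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)


def base_word(pw: str) -> str:
    """Drop the trailing digit/symbol suffix, undo leet, lowercase."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    return core.translate(LEET).lower()


def passphrase_policy_ok(pw: str) -> bool:
    """Length-first rule: long enough and not a disguised common word."""
    return (len(pw) >= MIN_PASSPHRASE_LEN
            and base_word(pw) not in COMMON_BASE_WORDS)


def compare(pw: str) -> dict:
    """Verdict of both policies plus the normalized base word."""
    return {"legacy": legacy_complexity_ok(pw),
            "passphrase": passphrase_policy_ok(pw),
            "base": base_word(pw)}


if __name__ == "__main__":
    for candidate in ("Pa$$w0rd123", "Pa$$w0rd123456789",
                      "correct horse battery staple"):
        print(candidate, compare(candidate))
```

The composition rule accepts both Pa$$w0rd variants and rejects the four-word passphrase, while the length-first rule does the opposite.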

Add to that this illuminating look at networking when you get out of school that contrasts today’s climate with times past.

It really just makes me nostalgic for the days when I configured routers and firewalls manually, using CLI commands and cryptic configs. We didn’t have cool dashboards or firewalls in the cloud. If you made a typo, oh boy: network outages followed like dominoes falling one after the next.

Having to manually grind was a struggle, but it made me understand on a different level. This is something that could be said to have been lost in many click-click security setups of today. Remember:

  • Manual setups bred caution and, perhaps even more importantly, specialization.
  • Today’s ease has bred complacency.

Quick Take—For The Time-Crunched

  • Experience > Hype: Real incidents, not just vendor pitches.
  • Zero-trust is important, but tailor it; don’t take the frameworks as is
  • Inventory is key: if you don’t know what you have, you’re done for.
  • Yes. MFA is one of the most effective defenses you have.
  • Hardware vulnerabilities are less sexy, but do not dismiss them.
  • Question AI-powered claims. Be curious, but skeptical.
  • Adjust password policies to be usable and secure
  • Remember the old-school networking lessons (a lot of them still work today)

Final Thoughts

Having since started and run my own security company, today my process reflects this blending of traditional network management with next-generation postures, including zero-trust. With the giants who have only been made by decades of trial and error, wins and losses. Not to say that I am infallible: I have experienced many defeats (seriously, ask me about the time when a single misplaced firewall rule knocked out an entire branch network). They are pissed-off lessons.

For those of you reading this and wondering where to begin: begin with little things, do it smartly and, most importantly, be inquisitive. He carried over his lessons to the team and was a not so fantastic leader because he did not adjust himself to be more effective in our environment. The game changes; so should game security.

And yes — you can find me at the next DefCon, likely overcaffeinated, nerding out on hardware hacks and firewall tech as well.

Stay secure,

Sanjay Seth
P J Networks Pvt Ltd
