Lessons From Thirty Years in Cybersecurity

Having said that (and sitting here after my third coffee of the day — yes, I drink three cups), what are a few things thirty years in cybersecurity have taught me? I started work as network administrator back in ’93 (before pretty much everyone knew what a firewall was) and I have seen the lot. Wiring up voice and data over the PSTN mux (yes, that grey thing hanging outside next to the street light), literally shutting off cabinets when Gazza signed for England (it was his fault) and dealing with real world nasties such as worms like Slammer face-to-face.

And here I am today, running my own security consultancy, PJ Networks, and getting my hands dirty all day long (just got back from DefCon, and the hardware hacking village set me on fire). You had better believe the lessons I learned through those decades, including and even more so while shoring up zero trust architectures for three of the largest banks in the world over these past years, must get passed down.

My Journey From PSTN to Zero Trust

Cybersecurity was not even a thing in the 1990s, and network admins back then worried about your voice and data getting muddled over those ancient PSTN muxes. I used to configure these devices manually: patch panels, blinking lights everywhere. No fancy GUIs or automation. The stakes were high, because failures did not only mean downtime, they meant no phones and no transaction processing.

Jump to 2003 and the Slammer worm slams onto the scene. Oh my god, that was next level. Slammer spread like wildfire, ripping through vulnerable SQL servers in minutes. Everything happened on a scale and at a speed that nobody had ever imagined. Servers crashed, networks clogged, and some banks I supported went from running to zero access to their core systems within seconds.

Before then, most of us thought we could get away with simply fortifying the castle walls. But Duqu was a wake-up call that perimeter defenses were not going to cut it anymore.

Ok, so those perimeter firewalls are the equivalent of the security guards at the entrance of a building. The guards have no idea if something is wrong inside one of the rooms, because all they can see are people walking in and out of the front door. The Slammer worm brought systems down by spreading so rapidly inside the network that the guards could not react in time.

Zero Trust is Coming: Lessons From The Banks

Most recently, I have played an active part in three banks (read: heavily regulated, by nature conservative) modernizing their security model from decades-old crown-jewel perimeter defenses to next-generation zero-trust architectures. If you have not heard it already, zero trust boils down to one rule: never trust, always verify. Every user, every device, every service must prove trustworthy all over again each and every time they try to connect.

OK, it sounds controversial, but I am tired of hearing everyone in the industry talk about zero trust like a magic check box. Nope. It is a continuing architecture, not a product you buy off the shelf. Can AI help here? Yes, but frankly I have my doubts about any single AI-powered solution that says it will do all your security absolutely hands-free.

Lessons gleaned from recent bank projects:

  • Micro-segmentation: partitioning networks into small, isolated segments. Much like having fire doors throughout a building rather than just one main exit: if a fire starts, it stays contained.
  • Continuous authentication: you do not log in once and get trusted for the whole day. Each step is verified again as your session passes through sensitive systems.
  • Least privilege access: users and devices are only given the exact level of access they need, for the exact duration they need it.
  • Device hygiene checks: every device that connects must meet security criteria (patch levels, antivirus status).
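As an added illustration (not code from the bank projects or from PJ Networks), here is how those four principles combine into one per-request policy decision in Python; the segment map, the thresholds and the "ledger" service are constructed sample values.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta
# Micro-segmentation: which source segments may reach which destination segments.
# Constructed sample policy and thresholds, not taken from any real bank deployment.
SEGMENT_POLICY = {"corp-workstations": {"intranet-apps"},
                  "ops-bastion": {"intranet-apps", "core-banking"}}
MAX_PATCH_AGE_DAYS = 30   # device hygiene: reject endpoints patched longer ago than this
MAX_MFA_AGE_MIN = 15      # continuous authentication: re-verify MFA before sensitive hops

@dataclass
class Grant:              # least privilege: one service, one role, bounded time window
    service: str
    role: str
    expires_at: datetime
@dataclass
class Request:
    user: str
    src_segment: str
    dst_segment: str
    service: str
    role: str
    patch_age_days: int       # device posture as reported by the endpoint agent
    antivirus_running: bool
    mfa_age_min: int          # minutes since the user last completed MFA
    grants: list = field(default_factory=list)

def evaluate(req: Request, now: datetime) -> tuple:
    """Judge every request afresh; an earlier success is never carried over.
    Returns (allowed, reason) so each denial cause can be logged and alerted on."""
    if req.dst_segment not in SEGMENT_POLICY.get(req.src_segment, set()):
        return False, "blocked by micro-segmentation"
    if req.patch_age_days > MAX_PATCH_AGE_DAYS or not req.antivirus_running:
        return False, "device fails hygiene check"
    if req.mfa_age_min > MAX_MFA_AGE_MIN:
        return False, "MFA too old, re-authenticate"
    if any(g.service == req.service and g.role == req.role and g.expires_at > now
           for g in req.grants):
        return True, "allowed by time-bound grant"
    return False, "no active least-privilege grant"

def demo(now=datetime(2024, 1, 1, 12, 0)):
    """Constructed scenarios: one healthy request, then one thing changed at a time."""
    grant = Grant("ledger", "read", now + timedelta(hours=1))
    ok = Request("alice", "ops-bastion", "core-banking", "ledger", "read", 5, True, 5, [grant])
    return {"bastion_ok": evaluate(ok, now),
            "wrong_segment": evaluate(replace(ok, src_segment="corp-workstations"), now),
            "stale_device": evaluate(replace(ok, patch_age_days=90), now),
            "stale_mfa": evaluate(replace(ok, mfa_age_min=60), now),
            "expired_grant": evaluate(ok, now + timedelta(hours=2))}
```

The same request is re-evaluated for every hop, so a grant that expires or a device that drifts out of policy is caught mid-session rather than at the next morning's login.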

No shortcuts, no silver bullets. And a bitter, bitter truth: one size does not fit all. What was a great implementation for one bank often needed considerable customization to fit the legacy systems and culture of another.

DefCon and Hardware Hacking: Why Physical Security Still Matters

Just came back from DefCon, the largest hacker conference in the world; if you have never been, it is like Disneyland for security geeks and sometimes an IT team's worst nightmare. The hardware hacking village was particularly enlightening. A lot can go wrong here: physically tampering with devices carries so many risks that we fail to appreciate.

Your data center or office has a firewall or router sitting there. It is a black box to many of us, but anyone with physical access can tap signals, change the firmware or insert a malicious hardware module to monitor or control traffic.

This is why:

  • Physical security must not be an afterthought

Best Practices:

Physical security should not get overlooked just because you have a firewall. Regular physical inspection and attestation of hardware, plus tamper-evident seals, are as important as the firewalls themselves.

Sure, you can have the best zero-trust software policies in place but as soon as someone plugs a rogue something into your network or fucks with some hardware, all bets are off.

I encounter too many companies that put almost all their effort into the most advanced software defenses — but forget that hardware is the substrate.

Password Policies… Can We Talk?

Today, I want to call out the nonsense of industry-enforced complex password rules. Yeah, I get that we need strong passwords. But mixed case, special characters and changing your password every 30 days? That is a recipe for user annoyance and homogeneous patterns.

Here’s the reality:

  • Users will write passwords down or reuse them.
  • Long passphrases are superior to short, complex passwords.
  • Multi-factor authentication is the new king; long live multi-factor authentication.

Getting Real About Password Complexity

This is a bit like driving a car: do you want a really complex ignition system that just serves to waste your time, or one which is safe but also user friendly and saves you from banging your head against the steering wheel?

Fast Take — The Quick Info

  • Legacy threats like Slammer: The one thing that works to our advantage is that once they get in, the bad guys want to move quickly.
  • Zero trust is continuous verification, least privilege, and micro-segmentation, not a product.
  • Physical security doesn’t go out the window; hardware hacks are real.
  • Password complexity rules are old news; shift to passphrases and MFA.
  • AI hype is just that: some tools can help, but there is no magic wand.

Wrapping Up

Speaking as someone who’s been up to his elbows in networking ever since the days of modems singing to each other, I can tell you that much has changed where cybersecurity is concerned—but some things remain constant. You’ve got to think holistically. Personnel, operations, engineering — and coffee.

If you want to seriously improve your cyber security, especially in industries like banking or financial services, there are no substitutes. Design using zero-trust principles. Don't buy cool products because of their glossy marketing. Blend old-school lessons with new tech, add zero trust, and spice things up by watching your hardware, not just your software.

Oh, and a note: a secure network is kind of like a great meal, properly cooked and well-balanced, without risking half-baked shortcuts.

Now, where’s my fourth coffee?
