Reflections on Cybersecurity from Three Decades in the Field

I am sitting here at a desk on my third coffee of the morning, my hardware hacking village post-DefCon high finally starting to subside. It is strange that some things, after nearly three decades in this business (I started as a network admin back in 1993, managing PSTN multiplexers for voice and data), remain somewhat the same. The tools have changed, the threats are more numerous, but the central reality is unchanged: security is not a product; it’s a mindset.

But allow me to share some hands-on anecdotes that have influenced my perspective on cybersecurity today: things I believe every business, and the IT teams that support them, should internalize.

The 90s Network Admin Diaries: From PSTN Muxes to Early Worms

In the early 90s, my day job was rooted in the Public Switched Telephone Network (PSTN). The old multiplexers were stout creatures, brick-like boxes optimized for voice and data flows. Today’s network gear is difficult enough; imagine managing a telco multiplexer older than some folks on your IT team.

A quick lesson I learned: though it may appear that technology will stand the test of time, complexity introduces an element of risk. Oh, and on the topic of risk, I can recall that Slammer worm day better than yesterday. Slammer was a SQL worm in 2003 that spun through vulnerable network segments like wildfire. You name it: fixing all things routing and subnet isolation, keeping voice up when data began to crumble in front of me…

The thing is, Slammer taught me a very important lesson: patching is not optional. It’s mandatory. But even to this day, organizations are dragging their feet. I know, I know: maintenance windows, fragile systems. But ignoring patches makes attackers’ jobs that much easier, whatever firewall vendor or expensive IDS you might have.

CEO of P J Networks Pvt Ltd | Learning how to Lead in Security

Cut to today: I am running my own cybersecurity consultancy with an added managed NOC (Network Operations Center). Despite working in different industries, one part stays the same: getting execs to understand that their defence cannot be a castle with a single moat. And that’s where I’ve been lately, assisting three banks to upgrade their zero-trust architecture.

The term zero-trust is pretty much just buzzword bingo anyway. However, my concern is that zero-trust isn’t simply a tech solution; it’s a mindset predicated on the idea that a breach will occur eventually. No traffic is trusted by default, whether it comes from the inside or the outside. Every request is verified, interrogated, and logged.

Some of you will recognize what that looks like in practice; this is essentially a bird’s-eye view of what we focused on with those banks:

  • Micro-segmentation of network assets (for lateral movement control)
  • Stringent user authentication: multi-factor, everywhere!
  • Continuous monitoring with machine learning alerts (we work as a team, and there are lots of false positives). It won me over but dashed my dreams of AI-inspired fixing powers.
  • WhistleDrive: respect user privacy and protect their data, with end-to-end encryption for data at rest and in motion across all systems.

Still, I have to admit: it has been satisfying to watch these banks follow NIST’s lead and begin pivoting away from traditional perimeter-based defense models. The old castle and moat? Dead. Trust no one.

The Hardware Hacking Village: The Seitchesino DefCon Villages fire too fast to do all of them justice.

Back from DefCon, my yearly geek-Mecca pilgrimage. The biggest buzz I got was from the hardware hacking village. Why? Because despite software holes making all the noise, hardware attacks are still woefully underrated.

For me, it was watching people open up hardware, flash firmware and create bypasses essentially in an instant. Software is fugacious: patches and updates. Hardware flaws? They’re baked into silicon.

It made me think of an automotive analogy where most people are obsessive about changing their car’s oil or tires but have never inspected the health of their brake lines. The hardware vulnerabilities are those brake lines. Ignore at your peril.

Three Things by the Desk, Post-DefCon

  • Don’t forget hardware risks: evaluate your firmware, device supply chains and physical security.
  • Zero-trust is not just isolation but verification and context-awareness for every request (e.g. who, what, where).
  • Patch early, patch often — but don’t be complacent just because you have shiny tools. Flashy pales in comparison to traditional hygiene.

My (Mild) Rant On Password Policies

And a hot take I have no quibbles with is that most password policies in the wild are totally misguided. Making 15 special characters mandatory would be the equivalent of requiring each cook to add truffles to the soup. Sometimes, less is more.

When a 16-digit password is not an option for users, you get password123, or passwords written down on scraps of paper or, even worse, left in plain sight on sticky notes. If you need security, design for usability first.

  • Instead of complex strings, use passphrases.
  • Require multi-factor, not overly complex passwords.
  • Do not force expiration cycles unless you have been compromised.

To put it simply, think of cooking pasta. No one simmers their spaghetti sauce for an hour praying it gets better. The same goes for passwords: don’t overcook complexity.
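The three password rules above, expressed as an acceptance check and run against a composition-style rule for comparison. This is an added example, not code from the original post; the 16-character threshold, the small blocklist, the sample passwords and all function names are assumptions made for illustration.

```python
import re

# Constructed sample blocklist; a real deployment would load a breached-password list.
COMMON_PASSWORDS = {"password123", "qwerty123456", "letmein", "iloveyou"}
MIN_LENGTH = 16  # assumed minimum length for a passphrase


def legacy_complexity_ok(password: str) -> bool:
    """Composition-style rule: 8+ chars with upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= 8 and all(re.search(c, password) for c in classes)


def passphrase_policy(password: str, mfa_enrolled: bool) -> list[str]:
    """Return the reasons a credential is rejected; an empty list means accepted."""
    problems = []
    # Normalise so that case changes and appended symbols do not dodge the blocklist.
    normalised = re.sub(r"[^a-z0-9]", "", password.lower())
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if normalised in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if not mfa_enrolled:
        problems.append("multi-factor not enrolled")
    return problems


def rotation_required(age_days: int, compromised: bool) -> bool:
    """Age alone never forces a change; only evidence of compromise does."""
    return compromised


def compare(password: str, mfa_enrolled: bool = True) -> dict:
    """Show how the two policies judge the same candidate."""
    return {
        "legacy_accepts": legacy_complexity_ok(password),
        "passphrase_accepts": not passphrase_policy(password, mfa_enrolled),
    }


if __name__ == "__main__":
    for candidate in ("Password123!", "maple tractor violin sunrise"):
        print(candidate, compare(candidate))
    print("rotate after 400 days, no compromise:", rotation_required(400, False))
```

The composition rule accepts the predictable `Password123!` and rejects the long passphrase, while the passphrase policy does the opposite.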

What Keeps Me Up at Night?

I complain, but I do, you know. Because I am concerned that in undertaking this exercise, companies will give in to the false security of checking compliance boxes and, as we witness creeping AI-mania, neglect the basics.

Something I have learned the hard way: security fatigue is a real thing. Blasting teams with tools and alerts provided in a vacuum freezes them. I remember weeks wasted watching dashboards.

And the best way to tackle it is by learning how to earn revenue before you scale, which leads me to this advice for business leaders.

  • Invest in people, not in technology and shortcuts: train, retrain and empower.
  • Start with basic controls before running after shiny new tech.
  • Reminder: technology is there to support human intuition, not replace it.

After all, your security posture is only as strong as the mindset of your team and your risk culture.

Closure – My Cybersecurity Mantra

Others might call it a little traditional already, but for me, I still swear by the basics:

  • Robust network design (managed NOC support, anyone?)
  • Regular patching, not just when you find time but as part of your operations
  • Zero-trust principles
  • Physical and hardware awareness
  • Juice, and a healthy dose of skepticism (especially when it comes to AI hype)

Experience still plays well in today’s rapidly changing threat landscape. Years of watching routers, old PSTN muxes and now bleeding-edge zero-trust implementations give me a view that no marketing material can compete with.

If there is one thing that I want you to take away, it is that security is a journey and not a checkbox. But maybe, just like I learned from Slammer’s havoc or DefCon’s hardware flubs of the past, you can avoid the next initial shot.

OK, I guess it’s coffee number four. Stay sharp out there.
