• 31 August, 2025
• No Comments

From PSTN Muxing to Zero Trust: A Cybersecurity Journey

It’s just a little after my third coffee, and I’m sipping on it and I’m reading my email, and I’m thinking over my career which actually named back in 1993—when I was just a humble network admin, I was managing PSTN muxes for voice and data. Those early days seem like a lifetime ago, and yet there are still a few lessons that are wildly relevant today. Three decades later, I now own a cybersecurity firm and I have recently helped three banks revamp their zero-trust designs. And just last week, I returned from DefCon—still vibrating from the hardware hacking village and all the bleeding-edge chaos.

The thing about cybersecurity is this: It’s a never-ending game of cat and mouse. You believe you have your defenses calibrated, and then something like the Slammer worm comes along and shows you up instead. Yep, I recall, I remember Slammer well — right there on the front lines, as it laid waste vast sections of the internet in minutes. The slam dial-up modem noises back then were music compared to today’s lightning-fast barrages. Those worms were a wake-up call for a brand new way to defend ourselves.

From PSTN Muxing to Zero Trust

Recalling the days of the PSTN, we had the voice and data multiplexers, it was like running an old symphony on analog gear. Sounds vintage? It was. But it instilled in me a profound sense of just how fundamental networks are to everything we depend on today.

Fast forward, and my attention today is on zero-trust architectures, particularly in financial institutions, where the stakes could not be higher. Lately I’ve been working with three banks to improve their zero-trust approaches, which means throwing out that old, perimeter-based mindset, and replacing it with never trust, always verify.

Why zero trust matters now more than ever:

• Inside attacks are true — Your own employee or compromised user can be much more harmful than external attacks.
• Legacy networks sputtered — The old castle-and-moat security model just doesn’t cut it anymore.
• Data segmentation is key: You want to reduce movement of threats across laterally whenever they start to take root.

But — it’s not just purchase a shiny product stamped with AI-powered and hope for the best. I’m dubious about buzzword however, most AI in security today is glorified pattern matching. Not that A.I. is useless, but nor should you hold your breath for any A.I. miracles either.

Hacks from Hardware Hacking Village at DefCon

DefCon’s hardware hacking village? Mind-blowing. Why? Because it made me remember that hardware security is one aspect not considered in the enterprise security. You’re pretty sure you’ve got your firewalls, servers, and routers locked down? Maybe. But hackers messing with the physical layer, whether that’s USB-based exploits or supply chain tampering, are getting more creative.

Takeaway for your business:

• You can never do enough screening of your hardware vendors.
• Treat devices as you do users – with zero trust.
• Whether in fantasy or reality, never underestimate the physical attack vectors: locks, you need locks.

Password Policies—A Rant (You Have Been Warned)

Password policies… oh boy. I don’t give a tin shit what the standard declares, you forcing users to enter 30 char long alphanumeric gibberish + 8 weird chars? It’s dumb. It annoys users – so they write it on post-its. Security teams don’t like to admit that, but complexity without usability is a fail.

Here’s what actually works:

• Longer Pass Phrases Always Trump Complexity Think CorrectHorseBatteryStaple instead of P@ssw0rd! 123
• Implement MFA (or 2FA), like its air
• Use password managers (because no one can remember 100 different passwords)

And yes, yes, I know there are debates here. N.I.S.T.’s protocols have been changing, though corporate policies have been slow to follow.

Real-World Wins and Slip-Ups

Operating my own security company has been a crazy experience — the clients always want to hear stories, generally for cautionary purposes. Such as the time a monstrous client didn’t want to use patch management because “it could break production.” Spoiler: It did fail — but in failing to patch, they ended up paying for ransomware, which was much more expensive.

Or the time I assisted a bank migrating their firewall policy from a monolith to a microsegmented zones. It was a painful process, but once it was completed, the attacks sort of bounced off of the segmented internal network like pinballs.

Front-line pro tips from the trenches:

• Don’t let patches be an annoyance. Schedule maintenance windows religiously.
• Segmentation isn’t just for cloud-native companies Everything you need to know about the cloud, explained “Segmentation is awesome,” said Rachel Stephens, an analyst for RedMonk. On-prem networks need it too.
• All employees in the org must receive at least awareness-raising (just not IT).

Quick Take

• Zero trust isn’t a nice-to-have, particularly in finance.
• Hardware precautions are becoming more common among mainstream threats.
• With passphrases + MFA, make passwords easier to manage.
• Patch early, patch often.
• When it comes to cybersecurity, consider it akin to maintaining a car: Regular tuneups can prevent roadside breakdowns.

Wrapping Up

If you’ve made it this far, bravo. Cybersecurity is not just a job — it’s a way of thinking that is constantly evolving. From those analog muxes in ’93, battling Slammer, to now architecting zero-trust for banks and geeking over hardware hacking, the lesson is clear: Stay curious. Stay humble. And keep sipping that coffee.

Security is complex. Sometimes frustrating. But also extremely satisfying when you see your network blocking personal attacks instead of being attacked.

And keep in mind: Your system is only as secure as its weakest device. So, patch up, segment rightly, and dissemble all you can, not out of deceit but simply to be discrete. Because in this game, the hackers are always one step ahead, but so can you.