Reflections on Three Decades of Networking and Cybersecurity Evolution

If you’d said to me in 1993—when I was up to my knees in configuring MUXes and managing voice and data over PSTN—that three decades later I’d still be neck-deep in networking and security, I would have laughed. But here I am, third cup of coffee deep at my desk, still wired (pun intended) about the shifting cybersecurity world. It’s been one hell of a rollercoaster going from a network admin, to starting my own security consultancy. Seen it all. Like the notorious Slammer worm, ramming across systems like a wrecking ball.

Allow me to share some hard-earned knowledge—learned not only from books but from trench warfare and lessons extracted over three big-bank security upgrades I’ve been running, from recently attending DefCon, and from simply keeping abreast of the latest developments—whatever the case, usually with a bit of skepticism (hello, AI-powered solutions, I’m looking at you).

From PSTN to Now: Networking Was Never Easy

In my early years, running older school networks wasn’t simply plugs and wires; it was nearly artistic. Sinking into the console of a rack-mounted router was like opening the hood of a classic car. But the vulnerabilities? Oh, they lay beneath the surface, like rust all waiting to break out.

The Slammer worm in 2003 was a wake-up call for all of us — how such a small (376 byte) packet could grind the world’s systems to the halt was scary and kind of, well, interesting in a geeky sort of a way. It made one thing clear: patching is important, and sometimes it’s the proactive people who put off updating who are the worst affected.

Zero-Trust Architecture: Buzzword or More Than That?

Here’s the thing — zero-trust can’t be the latest marketing fad that then gets checked off your list when you become compliant. I recently advised three banks on their zero-trust architecture deployments or updates, and it’s one of the most significant evolutions in enterprise security I’ve witnessed.

But it’s not plug-and-play.

Zero-trust means:

• Authenticate everything. Even if it’s inside your perimeter
• Users and devices restricted to the lowest privileges – no freeloaders
• Continuous surveillance and risk analytics—not just a blue-moon audit

Banks, which are extremely sensitive to data issues, can’t make do with half measures. And my experience is that very few organizations get that right the first time. That requires consistent policy enforcement, layered firewalls, strict control over servers, and yes, blind obedience to routing configurations.

Oh, and don’t look now — but people still hate stringent password rules. But, if you ask me, demanding legacy password rules alone is akin to protecting a classic automobile with duct-tape on the brakes. It won’t cut it anymore. Multi-factor authentication is not a nice-to-have; it is table stakes.

DefCon and the Hardware Hacking Village – Eye Opening Stuff!

Just got home from DefCon—my third, or whatever—and the hardware hacking village absolutely destroyed me. The creativity, and complete outside-the-box thinking about IoT and embedded systems vulnerabilities simply served as a reminder that the attack surface is gargantuan and growing.

But the real linger was this: unlike software, which we have been trained to patch—or we ought to be technically updating all the damn time—hardware is regularly and continually sent to the world without being meaningfully improved on after it’s out in the public. And yet, directly into our critical infrastructure we continue to shove more and more devices.

A Couple of Takeaways

• Vendors must take control of every layer of security, not just software patches
• Companies should consider hardware as a significant vector of attack rather than an afterthought

Your old routers and servers in your backend room is a good place to start. They’re artifacts, but they’re not innocent.

Firewalls, Servers and Routers – Your First Line of Defense

I run P J Networks which involves me spending an absolute shed load of time optimising and securing infrastructures that often feel like they was just thrown together in the 90s. You want to know why? Your firewall is not magic, that’s why. It’s a tool, and like any tool, its efficacy depends on the hand that wields it.

My no-nonsense list of things I go through for firewall sanity check:

• Have everything blocked by default and only allow what is absolutely necessary
• Periodically audit your rules; old rules are security holes
• Divide and Conquer: separate and contain assets behind rings of security

Not to be outdone, servers and routers:

• Service harden your servers—turn off services you don’t need, close ports you’re not using
• Keep firmware and OS updated but test patches in a controlled environment
• Router ACLs (Access Control Lists) are not a nice to have: if properly configured, they can block entire categories of malicious traffic

Okay, pet peeve: Too many organizations are set it and forget it when it comes to infrastructure. That’s the recipe for disaster.

Passwordz and Policies—Yeah, I Bitch About It

Fine, I’ll come clean: I have some opinions about password policies.

The industry loves complex passwords. But complexity often drives humans into predictable patterns, or worse, sticky notes on their monitors. I’ve seen top executives jotting down their passwords next to their keyboards, because the policy was too confusing.

So rather than more complexity, I argue for:

• Long rather than complicated—it should be a literal phrase, not an encrypted muddle
• Encourage password managers—they’re lifesavers and more secure
• Comply with multi-factor authentication like it’s a regulation (because it should be, in cybercrime)

Quick Take: Security Essentials for the Modern Enterprise

• Zero-Trust Architecture: Assume breach and continuously authenticate and authorize everything
• Multi-tier Firewalls: Split and deny by default
• Server and Router Hardening – Keep these old machines patched or budget for them to be replaced
• Password Management: It’s the length, not the complexity, that matters most plus MFA and FIDO enough ransoms to lose those old password complexity rules
• Hardware Vigilance: Don’t forget about IoT and Embedded Systems
• Continuous Monitoring: Logs, alerts and response plans, folks

Closing It Out: Experience Still Matters

Now, I’m a skeptic by nature — especially when the market is saturated with buzzwords or AI offers to solve ALL of our security problems. The reality? Cybersecurity is equal parts art and science, and a whole lot of discipline.

From the early days of PSTN networking all the way through to the cloud-first zero-trust world we know today, the basics have changed, but the enduring problems have not:

• People make mistakes
• Attackers are more creative than we are comfortable having them be
• Failure when tools is overemphasised instead of strategy

If you are a business leader who is reading this, I second this advice: cybersecurity is not a project; it’s a journey. It takes repeated effort, commitment and, yes, uncomfortable truths.

Good technology can also only get you so far—it’s useless if your policies, people and processes aren’t all on the same page.

Thanks for bearing with me on this coffeed-up ramble again. You can always hit me up to talk firewalls, routing idiosyncrasies or that crazy DefCon hardware hacking session.