
Reflections on a Security Career and the Evolution of Cyber Defense

It is oddly encouraging, sitting at my desk after my third cup of morning coffee, to look back on a security career that predates most tech buzzwords and still hasn't really slowed down. It began in 1993, as a network admin also responsible for the cables, wire and switches carrying voice and data over the PSTN networks. Ah, those ancient phone lines: talk about nostalgia.

The technology may have changed, but the cat-and-mouse game with bad actors is as fierce as ever. The Slammer worm hit like a freight train at the time: an invisible little packet with massive consequences. The first call from a customer was "everything is down, what the hell do we do?" It was a crash course in fast reaction, long before incident response was on-trend.

Many years later, I am running my own security outfit, P J Networks Pvt Ltd, and we assist businesses with exactly this kind of problem (three banks upgraded their zero-trust architectures just last month, but more on that in a bit).

Why Zero Trust Is Not Getting The Credit It Deserves

Zero trust: everyone is talking about it, but not many completely understand it. It is not a silver bullet you stick on your server and walk away from. It is a mindset. Those of us who lived through the days of firewalls, routers, servers and other perimeter-based defenses failing as sophisticated attacks became increasingly prevalent know that zero trust reshuffles the deck.

If you imagine banks as a lawless Wild West, think again. They are heavily regulated, with entrenched legacy systems that are not going to be thrown away just because they are last season's model. That is exactly why assisting three banks with implementing zero trust this week was both a privilege and a challenge. The fundamentals we focused on:

  • Micro-segmentation: protect important data stores and communication endpoints from both internal and external prying eyes. It is also the way to prevent lateral movement; you do not want an attacker hopping around your network like a joyride in a stolen car.
  • Continuous verification keeps everyone honest: nobody gets stamped "good to go" once and then trusted indefinitely.
  • Least privilege access: it may sound elementary, but you would be surprised how often it is overlooked.

Think of zero trust as a guard checking IDs every time someone comes in (we all already understand this concept from the gated community), except that it does not have to be a well-meaning old man with a flashlight; it can be an automated system running checks every second.

Slammer Worm, Lessons Still Relevant

If you actually experienced the Slammer worm as I did, two facts became evident very quickly:

  1. A payload of a few kilobytes can derail tens of products.
  2. Speed matters, both for the worm and for your incident response.

Although today's malware payloads may be more sophisticated, the same principle still applies. That is why it irritates me to hear about companies that continue to rely on perimeter defense alone, as if a firewall were sufficient to fend off a modern multi-vector attack.

A Personal Opinion on AI Security Solutions

Fine, now it's time for me to piss someone off in the security community: I am suspicious of any solution claiming to be AI. AI seems destined to make an impact, and don't misunderstand me, I do see real potential. But there is no magic. AI is only as good as:

  • the data it is fed,
  • how transparent it is (black boxes do not count),
  • your comprehension of how it operates.

Put another way: blindly relying on artificial intelligence for intrusion detection (ID) and threat hunting is about as wise as driving a Tesla on Autopilot down the interstate in a hailstorm. Keep your hands on the wheel and your eyes on the road.

Insights from DefCon Hardware Hacking Village

The hardware hacking village at DefCon is still blowing minds. I just returned from there, and it had me bouncing around like a sugar-infused five-year-old. It serves as a gentle reminder that sometimes the weakest link is not digital but physical. In an age of relentless focus on software vulnerabilities, I could not leave this unsaid:

  • People tend to overlook physical security.
  • Software defenses can be bypassed through hardware implants and tampering.
  • You need to know what is in your devices, all the way down to the circuit board level.

Owning your security chain means understanding that a firewall or a server patch alone will not protect you. More often than not, the crux of the problem lies in what is inside your machines or in how devices are behaving on the network.

Firewalls, Servers, Routers—Still The Backbone

The shiny new tools get a lot of love, but remember that firewalls, servers and routers are still the backbone of network security. This or that AI does no good if the infrastructure beneath it has cracks; the same goes for the cloud.

  • A firewall that is merely enabled is not the same as one that is properly configured.
  • Keep routers up to date; otherwise you might as well leave the front door open.
  • Servers are always targets, so treat them accordingly: patch like there is no tomorrow.

In all honesty, I firmly believe the majority of breaches come down to forgotten fundamentals. In some cases it is as straightforward as a default password alive and well on a router from 2010 (don't even get me started on password policies; we'll talk about those in a little 😉).

My Never-Ending Rant About Password Policies

There is little that vexes me more than password policies. The security world loves to complicate passwords: mixed case, special characters and more. But the reality is this:

  • User experience matters. If your policy is too hard, people write it down or use variations that become predictable.
  • Frequent forced changes? Typically, users just rotate between a couple of passwords.
  • Multi-factor authentication (MFA)? Now we’re talking. It’s the real game changer.

It's like cooking. You can put any spice you like on a dish, but if the base ingredients are not on point, you will never get the genuine taste of it. Secure authentication is that base.
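As an added example (not code from the post), here is a defender-side check for the predictable-variation problem above: at password-change time, when the user supplies both the current and the new password, normalise each to the "stem" users tend to keep (trailing digits and punctuation stripped, common letter-for-symbol swaps undone) and reject the change if the stems are within a small edit distance. The stem heuristic, the leet table and the distance threshold are assumptions of this example, not any standard.

```python
import re

# Letter-for-symbol swaps users commonly apply ("P@ssw0rd"); a constructed list.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})


def password_stem(password: str) -> str:
    """Reduce a password to the core users typically keep across forced rotations.

    Heuristic (an assumption of this example): strip trailing digits, punctuation
    and whitespace (the "2023!" in "Winter2023!"), undo leet swaps, lowercase.
    """
    stem = re.sub(r"[\d\W_]+$", "", password.strip())
    return stem.translate(LEET).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_rotation(new_password: str, current_password: str,
                            max_distance: int = 2) -> bool:
    """True if the new password is just a cosmetic tweak of the current one.

    Only the current password is compared: a change form asks for it anyway, so
    the server sees both plaintexts briefly without storing any history in clear.
    """
    new_stem, cur_stem = password_stem(new_password), password_stem(current_password)
    if not new_stem or not cur_stem:  # nothing left to compare, e.g. all digits
        return levenshtein(new_password.lower(), current_password.lower()) <= max_distance
    return levenshtein(new_stem, cur_stem) <= max_distance


def check_change(new_password: str, current_password: str) -> tuple[bool, str]:
    """Policy decision for a change request: (accepted, reason)."""
    if len(new_password) < 12:
        return False, "too short: prefer length over special-character rules"
    if is_predictable_rotation(new_password, current_password):
        return False, "too similar to the current password (rotated digit/symbol)"
    return True, "accepted"
```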

Key Takeaways: What Any Business Should Remember Today

  • Do not — DO NOT — drop your firewall and router configs and forget about them. No really.
  • Zero trust is not a checkbox, but a journey.
  • Boring but critical: patch management.
  • MFA should be non-negotiable. End of story.
  • Physical security and hardware are components in YOUR digital security ecosystem.
  • Buy "AI-powered" at your own risk; these products are not always what you think.

A Last Word of Old-School Wisdom

Back in '92 or so, network admins had to eat cables and multiplexers for lunch. Troubleshooting meant getting your hands dirty, tracing wires and knowing exactly where the weak point was. A lot has changed since then (thankfully), but the thinking still goes:

You never trust the Dockerfile completely, so be sure you are 100% aware of your environment.

Security is not a silver bullet tech or the next hip tool. It is about knowing your network — the servers humming in your closet, the firewalls filtering traffic and the routers acting as gatekeepers — and asking every day: Are we REALLY safe right now? What are we missing?

Cybersecurity is a living process. This is not set and forget and especially not solved by buzzwords. It requires determination, education and yes — occasionally some desk-bound thinking fueled by caffeine.

If you care about your business, take the simple steps and inspect the minutiae, and do not let the glittery gear shift your attention away from what would serve you better: robust, pragmatic security.

– Sanjay Seth, P J Networks Pvt Ltd

Stay awake on caffeine waiting for the next DefCon.
