
The Ever-Evolving World of Cybersecurity by Sanjay Seth

Me, at my desk, third coffee just starting to sink in: it strikes me that the cybersecurity universe sure has changed a lot, and yet certain fundamentals never really change. My name is Sanjay Seth, formerly a network admin in '93. It was a time when most of the work involved muxes and PSTN lines, getting voice to talk to data without bringing down the entire network. No fancy cloud back then. Raw copper wires and a lotta patience.

But how about this blast from the past: the Slammer worm in 2003. The meltdown is a blur: bins overflowing, the IT suite like an old diesel engine in winter, firewalls spluttering into life. The thing that was really chaos, calling home. That has stayed with me ever since: I learned a lesson in how to be prepared, but ironically, even before that, it had occurred to me that perimeter-based security is creaky.

Fast forward to today. I now run a security consultancy, P J Networks, and I have spent the last few weeks knee-deep in actual deployments for three of Australia’s largest banks that are aggressively avoiding being labeled as defunct zero-trusters. Honestly? It is as exciting as it is incredibly tiring.

Why Zero Trust And Why You Should Care

Zero trust is more than just a buzzword; it’s a mindset shift. In the good old days, once you had gotten inside a network, that was it: full stop. That mindset landed us in hot water a few times.

Trust no one, verify everything: that is zero trust. It sounds fundamental, but the number of failed implementations is through the roof. Multi-factor auth is a band-aid that a lot of teams slap on and then think they are done. Nope, not enough.

Which is why, on those bank jobs, we laid down the following:

  • Every asset and every user mapped. No shadow IT crap lurking like a live spark in your wiring.
  • Strict micro-segmentation of zones within networks. It’s like not wanting the engine bay of the classic car you just restored bathed in coolant when the radiator bursts.
  • Continuous monitoring with real-time alerts. Because only hearing about the breach from a report is like watching your car being driven away because you left the keys in the ignition.

And what about all those legacy systems? The core of a bank is often a combination of old and new technologies. My team needed to work out how to do this securely without getting pushed into the deep fryer.

At-a-Glance Zero Trust Fundamentals

  • Do not trust internal network traffic.
  • Take stock of your assets, even the old junk you have hidden in those fondly neglected corners.
  • Segment your network like a bouillabaisse — different recipes, different pots.
  • Continuous verification, not one-and-done checks.

DEF CON Fever: Why Hardware Hacking Still Matters

I just came back from DEF CON, and man, the hardware hacking village was busy. We love looking at the insides of devices that get torn down. As an aside, it’s also a reminder that cyber attacks are no longer just about taking advantage of software vulnerabilities. Routers, servers, firewalls: all of the physical-layer hardware can be a weak link if it is not locked up.

I sat in on one talk about firmware bugs in network switches. I sat there considering the thousands of firewalls I’d put in place with default settings because somebody (not me!) believed security was just one more item on their compliance checklist.

Seriously, if you don’t set up your kit correctly it is like putting a top-of-the-range lock on the door and then leaving the keys under the garden welcome mat.

A Password Policy Rant (As If You Could Stop Me)

Okay. I have to say it. The password policies in so many companies are a joke. "You must change your password every 30 days." Why? It promotes weaker passwords or password reuse. That is like forcing a cook to replace fresh ingredients every day although the old ones are still in good shape.

Better approach? Longer passwords are better, but complexity may be just as important (and both matter way more than time to live). Use a passphrase, not random gibberish!

Oh, and multi-factor authentication. Not optional.

The Skepticism with AI-powered Solutions

Everyone loves AI right now. However, when I see a security vendor flashing AI as part of their offering without going any further, I question that.

Sure, AI can help us recognise anomalies. But it’s not magic. AI without a strong foundation behind it is like setting your car on autopilot to drive down a mountain road when the brakes are not working.

Humans still need to be involved, even with smart automation systems.

Lessons From My Early Days

The network admins of the 90s were mechanics with just a wrench and their instincts. No fancy GUIs, no dashboards, just telnet and raw logs.

Direct experience like that is hard to forget. I get paranoid when I see someone who is just leveraging tools without even caring about the process and what lies beneath.

Cybersecurity is not just plug-and-play. It boils down to grokking your microservice environment.

The memory of the panic during Slammer, and the rush of playing whack-a-mole with worms flooding servers, will always humble me. You can never know everything, sure, but fundamentals? Those stay.

What I Tell My Clients

  • Security is a journey, not a destination. You’re never done.
  • People are your worst liability and greatest protection. Train them.
  • Never keep all your eggs in one basket. Defense in depth will save your ass.
  • Regularly test your defences. Pen-testing isn’t some fancy exercise. It’s a necessity.

Wrapping It Up

After watching networks for multiple decades, from the primitive PSTN circuits of the 90s to today’s complex cloud-based zero trust architectures, my conclusion is this: security is NOT a product you can buy, but a culture you build. It means learning your systems inside out, like a car guy with his engine.

Whether it is an old server in the corner gently humming to itself or a shiny new firewall that you just put in: do not trust anyone, verify everything.

And yes, it’s hard. On the flip side, if you believe achieving security for your org merely means dotting the i’s and crossing the t’s, or just slapping on some AI label, then let me tell you: you’re in for a bad time.

Ultimately, treat your network like it’s that classic car. Respect it like the delicate flower that it is, and for the love of all that is holy, don’t let just anybody drive your car.

— Sanjay Seth, P J Networks Pvt Ltd

Back to that coffee…
