The Crucial Lessons of Cybersecurity: An Expert Insight
There is something about that third cup of coffee — the one that lifts the morning fog but still makes your eyes twitch — and it has me thinking about cybersecurity issues at a broader level. My journey began all the way back in 1993, working with old tech that may seem historical now but was really at the center of global connectivity — mux boxes and PSTN lines carrying both voice and data (a little like coaxing an antique car along a freeway). Those were early lessons, and they stuck!
At the time, I did not know that an encounter with the Slammer worm lay in my future, a few years later. For the uninitiated, Slammer was a worm that went off in 2003 and infected tens of thousands of machines within minutes. It was as though a small bit of viral code had set dry grass alight and begun to spread uncontrollably through critical servers and accessible networks.
That experience? It was no longer just a harbinger but an alert that we could no longer regard cybersecurity as secondary to the quality of our business. Fast-forward a couple of decades, and we are now a cybersecurity company (P J Networks Pvt Ltd) that protects everything from firewalls and servers to routers, giving businesses real security and speed.
But here’s the thing. Security is not a product or a tool; it has to be learned, in the most obsessively paranoid fashion.
Introduction — The Zero-Trust Revolution
According to the preliminary results of my zero-trust survey, a whopping 84% of you (collectively) are looking at implementing it in your organizations, if possible with as much automation as you can muster.
I have recently supported three separate banks with the uplift of their zero-trust architecture. Banks are a fascinating study. Legacy systems are layered in with new tech over at CCC, and tying it all together sounds like a nightmare. Conceptualizing and implementing zero trust is easier said than done; it basically translates to "trust no one, verify everything" (I insist that the architect was visited by Count Dracula in a dream when they came up with this slogan).
Here are three lessons learned from those engagements:
- Least-privilege access is not just a buzzword; it’s a lifesaver. Grant each user, service or device only the minimal access required. No exceptions. No shortcuts.
- Micro-segmentation isn’t negotiable: segmenting your network into tightly secured compartments restricts the lateral movement of threats.
- Continuously monitor and detect anomalies: nothing is ever secure as long as we live in a world where attackers find the holes.
Sure, the cynic in me did roll my eyes just a little bit as some AI-powered security tool was pitched like a magic bullet. AI is great—it continues to amaze me—but every time I see a product slapped with an AI label, I roll my eyes. Conclusion: it is not a silver bullet, it’s a tool. Like a wrench, it is useful if you know what to do with it.
DefCon and the Hardware Hacking Village: Organised Chaos — Why It Rocks
Just returned from DefCon — OMG the hardware hacking village there is epic!! A place where the old crashes into the new in a mad jumble of education and innovation. Yes, this is considered debasing the industry after years in cybersecurity, but yes also.
Hardware vulnerabilities are often overlooked. But as I witnessed, even a boring change in the firmware of your router — something almost nobody ever looks at — can open the way for hostile invaders. This is a little like the classic car kept idling in the driveway, hood up to cool the engine, maybe even right out there on display — and when you hear its backfire startle you at your desk through an open window upstairs because of course it was locked tight against theft but not against reverse swordplay into your future prior to sailing off unheard: Thud..
A couple of points I have been discussing with clients post-DefCon:
- Your hardware should face the same scrutiny you expect your code to endure. Firmware and embedded-system vulnerabilities can be just as damaging as software ones.
- Do NOT neglect supply chain and distribution risks — nobody benefits from a trojan horse in their hardware components.
- Physical security still matters. The old idea holds: if you can touch it, you can (probably) hack it.
What About Those Password Policies — The Rant I Can’t Help
Fair warning — this is a bit of a rant and also a relatively unpopular opinion. I despise the standard password policies that most companies mandate. Length rules, complexity rules, forced updates every 30 days? Please.
Here’s what I really think:
- Making people change passwords every 90 days is just training them to use weaker ones.
- When complexity requirements push people into predictable patterns (first letter uppercased, a number at the end), you get bots that anticipate exactly these things.
- Instead: favor length over complexity and push passphrases. Take "correct horse battery staple": yes, it is an old, famous meme, but it is really helpful.
I know, passwords suck, but we all continue to rely on them for 90% of our defenses. That said, when you combine smart password policies with MFA, touch wood, you have the potential to deny 99% of account takeovers.
Quick Take: Password Security Checklist For Your Business
- Complex passwords < long passphrases
- Use MFA religiously
- Teach users about phishing, not password requirements
- Regularly audit and retire old accounts that are no longer in use.
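The password points above, sketched as a length-first policy check next to the complexity rule the rant criticises. This is an added example, not code from the original post; the thresholds, the small blocklist, the pattern regex and the function names are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed thresholds for illustration; the post gives no numbers.
MIN_LENGTH = 15
MIN_DISTINCT = 5
# Constructed sample blocklist; a real deployment would load a breached-password list.
BLOCKLIST = {"password", "letmein", "qwerty", "correct horse battery staple"}
# Shape that complexity rules push users toward: Capital + lowercase word + digits (+ symbol).
PREDICTABLE = re.compile(r"^[A-Z][a-z]+\d{1,4}[^A-Za-z0-9]?$")


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def evaluate(candidate: str) -> Verdict:
    """Length-first policy: no composition rules, no forced rotation."""
    reasons = []
    normalized = " ".join(candidate.lower().split())
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if normalized in BLOCKLIST:
        reasons.append("on the known-password blocklist")
    if PREDICTABLE.match(candidate):
        reasons.append("capital + word + trailing digits pattern")
    if len(set(candidate)) < MIN_DISTINCT:
        reasons.append("too few distinct characters")
    return Verdict(accepted=not reasons, reasons=reasons)


def legacy_complexity_ok(candidate: str) -> bool:
    """The style of rule the post criticises: 8+ chars with upper, lower and digit."""
    return (len(candidate) >= 8
            and any(c.isupper() for c in candidate)
            and any(c.islower() for c in candidate)
            and any(c.isdigit() for c in candidate))


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = ["Summer2024!", "Administrator2024", "correct horse battery staple",
               "plum kettle orbit lantern", "aaaaaaaaaaaaaaaa"]
    for pw in samples:
        v = evaluate(pw)
        print(f"{pw!r:32} legacy={legacy_complexity_ok(pw)!s:5} "
              f"new={'accept' if v.accepted else 'reject'} {v.reasons}")
```

The literal meme phrase is blocklisted on purpose: the passphrase scheme is what helps, while any widely published phrase is already in guessing lists.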
Firewalls, Servers and Routers Are Still Important, and Here Is Why
I have been working with network gear since the mux days, and no matter how much hype you hear about cloud, SaaS and everything in the ether, it all still matters. You know it as surely as the sun rises every day.
Here’s the blunt truth:
- Firewalls aren’t just gateways — they are the frontline troops. An improperly configured firewall is like a broken lock on your front door.
- Servers, especially on-premises servers, need frequent patching and monitoring. Ignore them, and you may as well be opening the door yourself.
- Routers are one of those things people hardly ever touch unless they’re breaking down. They even come with a nice-sounding to-do list: segmentation and firmware updates, done right.
Every one of these elements has to fit together. It’s kind of like a well-made Indian thali — each item sits in its own little bowl, with a place and a purpose, and too much of any one inevitably means the end of the whole.
Cybersecurity: Let’s Get Real — What Businesses Need to Know
Cybersecurity isn’t one-size-fits-all. I run into so many customers who want quick fixes, socks to do all the work for them, and 100% protection, which in my opinion is impossible. Bad guys evolve, tools change, and so…
- Security is a process, not a single event. Kind of like tuning a classic car; you never stop tweaking.
- Your people are your largest risk and your greatest defense. Training, awareness, and culture.
- The gleaming new tool is nearing obsolescence – The proppy device might be better than nothing (unless your customers hate them). Technology enables processes, it doesn’t destroy them.
Having spent almost 30 years in this work, I have made so many mistakes. A perfect example was when I accidentally allowed a vendor to tunnel traffic through my misconfigured router, which was asking for trouble.
What I Had to Learn The Hard Way
There, I said it. The thing about this field, though, is that every single screw-up is a chance to learn.
The Conclusion: after only my fourth coffee
Cybersecurity isn’t a day job, it’s an all-consuming life obsession, broken down into scenes: the days of wrestling networks over PSTN from payphones; surviving Slammer; pioneering zero-trust rollouts at major banks and then hardware hacking at DefCon.
Business leaders, if you are reading this, do not forget: security is a combination of technology and process, with human factors as well. That means respect for your legacy systems, PLUS respect for your clients and, essentially, for the clever adversaries out there.
Here’s the bottom line:
- Don’t ignore the basics. Firewalls, servers, routers—keep them tight.
- Zero Trust: Yes, but prepare for complexity.
- You’ve got to train your people; a tool won’t save you.
- And stop hating yourself: Rethink your password policies!
In any case, the path to less-flimsy cybersecurity can only be paved with experience — one cup of coffee and one day at a time.
Hit me up if you want to chat or get a tip on how to better secure your network.
Sanjay Seth
Cyber Security Consultant
P J Networks Pvt Ltd