
My Journey in Cybersecurity and the Importance of Zero Trust

I am at my desk, third coffee of the morning in hand and still excited from DefCon last month, recalling that I started doing network admin way back in 1993. In those days we were layering multiplexers on top of one another to carry voice and data traffic across PSTN lines (yes, the old Public Switched Telephone Network). There was nothing like today's cloud insanity, but it was a hell of a time just keeping those circuits running.

Today I own my own cybersecurity company and, in the past few months alone, have helped three banks adopt zero trust on their networks, while just yesterday I was playing with hardware hacking demos in DefCon's hardware hacking village. It's all connected.

Why Zero Trust is More Than a Buzzword

Let me begin with a subject of paramount importance to me: Zero Trust architecture. People use the term as if sprinkling it on top of a network were some magical protection. But you know what? It is only as good as how you actually implement it.

The bankers I worked with in the past actually believed that if they added some fancy tools, their entire network became invulnerable. Nope. You have to go deep:

  • Verify every device, user and session (no trusted internals).
  • Use micro-segmentation aggressively.
  • Monitor and log everything (do not assume a device is clean just because it is inside the perimeter).
  • Automate, but do not blindly trust AI-powered security solutions. The "trader" angle in these pitches also bothers me, but I can give that a pass (I will expand on it in a while).

I will say this, and it is a confession: in the beginning I thought my firewall and AV (anti-virus, for the non-technical people) were solid. Anybody recall the Slammer worm of 2003? That little sucker spread so fast it was like an earthquake. It hit hard some clients who figured they could patch later. Big mistake.

For this reason, zero trust is not just another buzzword or a checkmark for compliance work. It is the security equivalent of a lifestyle change, much like when carbureted engines gave way to fuel injection: your car became cleaner, faster and more reliable than ever before, but only if you did it properly.

A Slammer Worm Reality Check

Oh, the days of outdated tech, and of dealing first-hand with the Slammer worm. Wow, did most of us get hit hard that season.

  • It targeted unpatched SQL Server 2000.
  • It spread across networks like wildfire.
  • It crippled corporate systems, ATM networks, even emergency services.

After that I lost count of how many times I ranted about slow patch cycles. A good patch management process is like regular oil changes for your car. Skip a step, and suddenly everything comes tumbling down.

But nearly 20 years later, we still have companies that fail at patch management. Why? Because it's tough, and sometimes management doesn't grasp the urgency until it's too late.

So, as someone who survived that fire unscathed: do not underestimate the basics!

DefCon: The Hardware Hacking Village and Why It Is a Big Deal

Back from DefCon, and still digesting all the cool (and terrifying) things I witnessed at the hardware hacking village. These people make hacking routers, IoT devices and embedded systems look like fun with their home-built tools. It really demonstrates that if attackers get hold of the physical access layer, they can own your network.

Protecting your software and cloud infrastructure is one thing... but what about when your hardware has holes or weak firmware? You're a sitting duck.

Some of the eye-openers I would like to share:

  • Too many routers still ship with default or even hardcoded passwords. Please, change those.
  • Much of this firmware is never updated to the latest version, even when the running version has known vulnerabilities.
  • Physical access is one of the largest risks. Keep in mind: if folks can get physical access to part of your network, you have lost half the battle.

That hardware angle gets lost in the shuffle, which is understandable given how much of security has shifted to software and cloud services in recent years for most enterprises. Which brings me to this: your firewall is great at blocking bad packets, but only the ones that come in from the outside. Traffic that originates inside looks fine to it, and your firewall sees no problem at all.

5 Password Policies That Actually Piss Me Off

Okay, I gotta rant a bit. Password policies. Why are they so complicated? Organizations often build complex rules like these:

  • Must contain uppercase, lowercase, numbers and symbols.
  • Change every 30 days.
  • No reusing any of your previous 10 passwords.

Sounds good, right? But typically users simply write passwords on sticky notes or reuse the same password with some predictable variation. Seriously.

So instead, I tell my clients:

  • Long passphrases preferred. Think of a line from a favorite cooking recipe, not some random string.
  • If they say no to MFA, tell them to leave.
  • Educate users, don't just rule-dump on them.

Your password should be like the ignition key that starts your car, not a multi-layered concrete fortress you have to memorize. Make the rules bad enough and people will hate their keys and just hide them under the mat!
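To make the contrast concrete, here is an added example (my own code, not the author's) that puts the two policies from this section side by side: the complexity-and-rotation rules above, and the passphrase-plus-MFA approach the post recommends, including a check for the "predictable variation" users fall back on. The common-password list is a constructed stand-in for a real breached-password corpus.

```python
"""Legacy complexity rules versus a passphrase-and-MFA policy."""
import re

# Constructed sample of a breached/common-password list; a real deployment
# would check against a much larger corpus (e.g. a breached-password feed).
COMMON_PASSWORDS = {"password", "p@ssw0rd1!", "summer2024!", "welcome1!"}


def _stem(password: str) -> str:
    """Normalise away the 'predictable variation': case, digits, symbols.
    'Summer2024!' and 'Summer2025!' both reduce to 'summer'."""
    return re.sub(r"[^a-z]", "", password.lower())


def legacy_policy(password: str, history: list[str]) -> list[str]:
    """The complex rules the post rants about: 8+ characters, four
    character classes, no reuse of the previous 10 passwords.
    Returns the list of failed checks (empty list means accepted)."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(pattern, password) for pattern in classes):
        failures.append("missing a character class")
    if password in history[-10:]:
        failures.append("reused within last 10 passwords")
    return failures


def passphrase_policy(passphrase: str, history: list[str],
                      mfa_enrolled: bool) -> list[str]:
    """The post's recommendation: long passphrases, a blocklist instead of
    forced complexity, rejection of trivial variations of old passwords,
    and MFA as a hard requirement. Returns the list of failed checks."""
    failures = []
    if len(passphrase) < 16:
        failures.append("shorter than 16 characters")
    if passphrase.lower() in COMMON_PASSWORDS:
        failures.append("appears in common/breached list")
    if any(_stem(passphrase) == _stem(old) for old in history):
        failures.append("predictable variation of a previous password")
    if not mfa_enrolled:
        failures.append("MFA not enrolled")
    return failures


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "two eggs whisked with butter"]:
        print(candidate, "legacy:", legacy_policy(candidate, []),
              "passphrase:", passphrase_policy(candidate, [], True))
```

Note that the legacy rules happily accept "P@ssw0rd1!" and a year-bumped variant of last month's password, while the recipe-line passphrase fails them for lacking an uppercase letter and a digit.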

Networking Nostalgia and Lessons Learned

In the old days, as they say (I started in 1993, FWIW), networks were a different animal: fixed leased lines, multiplexed voice and data streams, manual configurations. At the time, a firewall was a new concept.

Today we have next-gen firewalls, intrusion detection systems (IDSs), cloud-based services... and not just voice mail but visual email! But some lessons remain:

  • Visibility is crucial. You need to know what is in your network at all times.
  • Trust nothing. A device being connected does not make it safe; it may still be a threat vector, even something as mundane as the printer at home.
  • Configuration management is going to be a hassle, but you must do it.

Every time I advise clients, I reminisce about those days: if only we could go back in time and tell our younger selves to take security seriously. But we are here now, so let us do our utmost.

Quick Take: What You Should Know NOW

  • Zero Trust is important, but how you introduce it matters. Don't just buy tools.
  • Patch early, patch often. Skip maintenance at your peril, like skipping an engine oil change.
  • Hardware security matters. Change the default passwords and update firmware wherever possible.
  • Password policies should enable users, not drive them mad: think passphrases + MFA.

AI-Driven Security Solutions From My Standpoint

Lastly, don't believe the hype around AI-powered cybersecurity tools. Vendors constantly talk about AI like it's some kind of magic wand. However, I have witnessed too many tools advertise AI and then produce more false positives or catch fewer threats.

AI may well have a place, but it is never going to replace good network design, monitoring and user education, along with a solid incident response capability.

Don't get me wrong, I do not hate AI, but I believe that automating so many things will lead to complacency, and attackers love complacent robot armies.

Final Thoughts

Cybersecurity is not a sprint; it is more like running a marathon over constantly changing terrain. Whether you yearn for the glory days of networking past, or are lost in your quest to understand zero trust and AI, just remember:

  • Your response should be all-encompassing.
  • You can't afford shortcuts.
  • And if you do half-ass it, at least own the fallout.

I certainly made my own mistakes: in the mid-2000s I thought worms were extinct and that perimeter defenses were all that was needed to secure my networks, and then there was that password policy rollout (yes, even I rolled out a password policy that users hated). However, each trip-up was a lesson learned that I carry with me to make security better today.

So, hear these words from a player who has seen his fair share since the dial-up days: embrace the new with conscientious caution, and stick to the fundamentals while you keep cultivating the mind.

That is how we stay one step ahead in the jungle of cybersecurity.

Cheers,
Sanjay Seth
P J Networks Pvt Ltd
