
Reflections on Three Decades of Cybersecurity Evolution

Here I sit, coffee number three finally starting to work, reminiscing about when I started as a network admin in 1993. Those were the days of mux boxes and riding the PSTN like it was the tech highway. A lot has happened since then — or has it? The more I’ve looked, the more I’ve found cybersecurity is such a rush; sometimes your car breaks down by the side of the road and you gotta fix it yourself. I now run my own security company — P J Networks — and recently helped three banks upgrade their zero-trust environments. But man, something about AI-powered security solutions still makes my stomach turn (more on that later).

The Beginning: Network to PSTN and the Slammer Worm Standoff

Back then, networking was raw. What we did was primarily voice and data multiplexing over PSTN lines. You had to know, really know, the idiosyncrasies of the physical layer, because if that cable was bad, your entire system was dead. I recall one day in 2003 when the notorious Slammer worm hit us like a runaway freight train. Minutes in, servers drowned under the traffic. It was chaos. Firewalls back then were a joke compared to what we have now, and IDS systems were like a smoke alarm going off, just telling you your house is burning down.

The thing is — it was one of the first times I realized how speed and simplicity in an attack can decimate networks unprepared for fast-spreading threats. It has influenced how I build security architectures to this day: quick containment over fancy detection.

Zero Trust in 2024: Theory into Practice

Fast forward, and I’m now running my own outfit, helping banks install zero-trust architectures. I’ve done three major bank rollouts in the past year — and zero trust is not just some buzzword or check-the-box exercise. We need to be absolutely reimagining how we do network access.

Key Takeaways From These Projects

  • Micro-segmentation is your friend. You don’t want lateral (side-to-side) movement once someone else is inside.
  • Continuous monitoring isn’t optional. We’re not simply taking a single trust leap with a one-time login — trust is established and violated all the time.
  • Identity is the new perimeter. And the days of castle-and-moat security are long past.

But here’s what a lot of people miss — zero trust is not simply tech. It’s people, process, and culture. If your users are annoyed or your admins don’t understand, it will fail.

We had one bank partner that was adamantly against a multi-factor authentication (MFA) implementation, which they felt hurt user experience. But with a well-staged roll-out and good internal education, adoption went through the roof. You need to sell the ‘why’ before you give the ‘how’.

Straight From DefCon: The Hardware Hacking Village and Why You Should Care

Just back from DefCon — I’m still buzzing, honestly. A highlight was the hardware hacking village. For you programming nerds out there who believe hacking is all fancy code and remote exploits: it isn’t.

They were cracking open IoT devices, routers (yes, routers—our first line of defense!), and hell, even some old-school network gear (hi there, nostalgia!), exposing glaring vulnerabilities. That part blew me away. Some so-called enterprise-grade firewall boxes had vulnerabilities that a two-bit hood with a screwdriver and a rudimentary knowledge of computing could take advantage of.

Here’s a bit of a soapbox moment: A lot of companies that spend an arm and a leg on software firewalls simply forget to account for physical security and for ensuring the firmware on the devices themselves is uncompromised. It’s like buying the best, most expensive high-security door while the frame is left rotting. They're one firmware update away from being pwned.

Password Policies: I'm Still Not a Fan of Complexity Rules

Oh, passwords. I'll be honest: I loathe most corporate password policies.

You’ve heard them: must be 12 characters, use upper and lower case and a number and a symbol, no dictionary words, not your birthday, not your pet’s name, change every 60 days, etc. All right, whatever. But here’s my hot take:

Shoving complexity down users’ throats usually just results in them writing their passwords down, or using variations of the same dumb password.

People are reusing passwords because they are tired and frustrated and, come on, human. If your policy doesn’t allow for them to use something like passphrases or to enable password managers, you’re putting everyone on the path to failure.

What I Recommend Instead

  • Advocate for longer passphrases rather than crazy complexity.
  • Use MFA wherever possible.
  • Monitor for credential stuffing and brute-force attacks instead of forcing frequent expiration.
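
To make the monitoring recommendation concrete, here is an added example (not part of the original post) that separates the two patterns over authentication failures: credential stuffing shows up as one source trying many different accounts, brute force as one account failing repeatedly. The log format, thresholds and sample lines are assumptions constructed for illustration, and the log is assumed to be in time order.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format; IPs are documentation ranges).
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:02 FAIL user=bob src=203.0.113.7
2024-05-01T10:00:03 FAIL user=carol src=203.0.113.7
2024-05-01T10:00:04 FAIL user=dave src=203.0.113.7
2024-05-01T10:00:05 OK user=erin src=198.51.100.20
2024-05-01T10:01:00 FAIL user=root src=198.51.100.9
2024-05-01T10:01:05 FAIL user=root src=198.51.100.9
2024-05-01T10:01:10 FAIL user=root src=198.51.100.10
2024-05-01T10:01:15 FAIL user=root src=198.51.100.9
2024-05-01T10:01:20 FAIL user=root src=198.51.100.11
2024-05-01T11:30:00 FAIL user=erin src=198.51.100.20
"""
LINE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log):
    """Yield (timestamp, outcome, user, src) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]

def detect(log, window=timedelta(minutes=5), stuffing_users=4, brute_fails=5):
    """Return sorted alerts: ('credential_stuffing', src) / ('brute_force', user)."""
    by_src, by_user, alerts = defaultdict(list), defaultdict(list), set()
    for ts, outcome, user, src in parse(log):
        if outcome != "FAIL":
            continue
        # Keep only failures still inside the sliding window.
        by_src[src] = [(t, u) for t, u in by_src[src] if ts - t <= window] + [(ts, user)]
        by_user[user] = [t for t in by_user[user] if ts - t <= window] + [ts]
        # Stuffing: one source cycling through many *different* accounts.
        if len({u for _, u in by_src[src]}) >= stuffing_users:
            alerts.add(("credential_stuffing", src))
        # Brute force: one account failing repeatedly, from any source.
        if len(by_user[user]) >= brute_fails:
            alerts.add(("brute_force", user))
    return sorted(alerts)

if __name__ == "__main__":
    for kind, subject in detect(SAMPLE_LOG):
        print(kind, subject)
```

Counting brute-force failures per account rather than per source matters here: the constructed `root` attempts come from three different addresses and would slip under a per-IP threshold.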

Quick Take: My No-BS Cybersecurity Nuggets

For all of you skimmers, bravo (I understand), and here’s what I’d say if you read nothing else:

  • Zero Trust is not a product; it’s a philosophy. Start small, think micro-segmentation.
  • Pay attention to firmware and hardware security. You can patch software a thousand times, but you ignore firmware at your own risk.
  • Remove password complexity requirements, while enforcing MFA. People will always be the weakest link; help them do better.
  • Remain suspicious of AI-powered security products. Most of them are hype-driven and are no substitute for strong fundamentals.

AI in Cybersecurity? Proceed With Caution

Listen, I love tech and innovation as much as the next guy. But to me, AI-powered cybersecurity tools often sound like snake oil. The truth is: most AI detection systems are using the same heuristics and pattern matching that old-school IDS systems did, just with a sexy name.

Don’t get me wrong, machine learning can be great — but blindly handing over control based on that is dangerous. Also invaluable is the human analyst’s intuition and experience (the kind you get when decades of administering networks leave scars on you).

Next time somebody is trying to sell you their AI solutions as a panacea? Grab your wallet and run.

Wrapping Up—The Road Ahead

So where does that leave us? The world of cybersecurity in 2024 is akin to driving a classic car on a race track. You want to keep using the old reliable chassis (the basics of solid firewalls, hardened routers, trusted servers) but constantly upgrade the engine (new protocols, zero trust, continuous monitoring). And don’t discount your tires — your users — and your fuel — the culture in which your company operates.

I am thankful for having grown up with these early days of hacking on PSTN networking because the lessons of resilience and adaptation still apply. And here’s a reminder for anyone new here, or with security thingies to deal with for big companies:

It’s not glamorous. It’s not easy. But it’s absolutely necessary.

Keep your systems updated, understand your infrastructure, be skeptical of buzzwords, and whatever you do – remain curious.

Now to coffee number four, and perhaps I’ll even dust off the soldering iron and mess around with some vintage routers from DefCon. Because, at the end of the day, I still love the labor and the hustle of this business.

– Sanjay Seth

P J Networks Pvt Ltd
