In this episode, we talk with Jacob Ansari, a Security Advocate at Schellman, who leads the firm’s security best practices advocacy. With experience as a CISO and assessor, Jacob develops and leads educational efforts on security practices, emerging threats, and security industry developments for both internal and external audiences.
Tune in as we talk with Jacob about topics like:
- What a “Security Advocate” is. [02:14]
- What it means to promote good security practices. [07:42]
- High-profile vulnerabilities such as Spring4Shell and Log4j. [08:45]
- Threats and concerns around cyber regarding the Russia and Ukraine conflict. [14:08]
Jacob also shares his thoughts on what’s most critical for companies building applications in the cloud as well as interesting updates around the area of compliance.
John Vecchi: Welcome everybody. You’re listening to the Security on Cloud Podcast, live on Anitian radio. I’m your host, John Vecchi.
Scott Emo: And I’m Scott Emo. We’ve been talking about security in the cloud on our podcast for over a year now. And folks who tune in to listen to us are for sure security advocates. I know that I’m always reminding my family not to click on that link in that email, or don’t click on that text from that guy, or be hyper aware of phishing and other attacks. I’m pretty sure that they think I’m the most paranoid person on the planet.
John Vecchi: Well, like they say, Scott, security paranoia is a good thing or at least a healthy dose of skepticism is always pretty good. As we’ve said before, we all have to be on the lookout when it comes to cyber security, especially in the cloud, and doing that is often paired with what we call good security best practices. In fact, today’s guest does that on a grand scale. So, let’s introduce him, everybody. He’s a security advocate at Schellman where he leads the firm’s security best practices advocacy and develops and leads educational efforts on security practices, emerging threats and security industry developments, for both internal and external audiences.
John Vecchi: He’s spoken extensively on security-related matters, he’s trained and mentored assessors, and he’s contributed to groups on emerging standards and advisory bodies. He has also acted as the CISO for Schellman and has an extensive history in PCI assessment services and software security frameworks. As far as the geek side goes, he has a long list of security-related certifications including Certified Information Systems Security Professional (or CISSP), he’s a PCI Qualified Security Assessor, and a Payment Application Assessor, just to name a few. Coming to us from Racine, Wisconsin, I’d like to welcome our guest, Jacob Ansari. Welcome, Jacob!
Jacob Ansari: Thanks very much. It’s great to be here today.
Scott Emo: Jacob, before we get started, could you describe to our listeners what a security advocate actually is and what security advocacy means to you?
Jacob Ansari: Sure. So what I do is just that, I advocate for good security practices. I look at emerging threats, I look at trends and security behaviors, I look at the needs of both our own organization and our clients and I say, “Here are the kinds of security practices you should adopt.” Sometimes that’s writing something either for our clients or for our own blog or other content that we publish, sometimes it’s putting together some training, sometimes it’s providing some additional services to our existing audit work when we are helping our clients to be able to say, “Hey, here are some big picture threats or security matters that you need to look at as a result of,” or as something we’ve discovered along the way of doing the audit or the assessment work that we’ve done.
John Vecchi: Got it. And I know you’re with Schellman and I’ve got a question following up about your experience there. Can you just quickly talk a little bit about what you’ve done with Schellman and just tell our audience a little bit about Schellman if they don’t know who Schellman is. Just a little bit to describe Schellman’s focus and what they do.
Jacob Ansari: Absolutely. So Schellman is a global provider of independent audit and assessment services. We are technically a CPA firm, but we don’t do the financial audit or tax pieces. We do IT controls, right? So we do a lot of SOC 2, we do ISO audits, we do FedRAMP, we do a number of PCI services, privacy, HITRUST, things like that. So if there’s a security or IT controls audit, that’s our wheelhouse, right? Where we can be the independent authoritative expert and provide that audit service.
John Vecchi: Perfect. And that makes sense. So, with Schellman, you’ve acted as a CISO for some time there, right?
Jacob Ansari: Yes.
John Vecchi: Which probably means you’ve got an interesting perspective from both sides as a CISO, as an assessor. Can you give us an example of when those two points of view — a CISO and an assessor on the audit side — helped you across the advocacy and other things you’re doing today?
Jacob Ansari: Sure. I think being able to sit on both sides of the table, or having done so, gives you a lot of empathy for the whole process. A lot of security audit types are the overachiever, like the smart kids in school who skipped all the steps in math and just wrote the answer at the end, right? The “do things fast” kind of people. And a lot of security audits are designed or essentially have to be that way, right? You’re always playing catch up to your client. You have days to orient yourself and learn about a client’s environment when they maybe have months or years to know what’s going on in their environment. And so, you have to move quickly, figure out what happens in that client setup, and make evaluations to say, “Hey, this is where you meet this compliance requirement,” or this is where you don’t, right? This is where you’re doing these security practices properly, or this is where you’re not. That’s a fast-moving kind of thing and it shifts your perspective. It influences your perspective about how you look at these things.
Jacob Ansari: When you play defense — when you sit on the other side of the table — you have to realize that every step you take moves in concert with a hundred other things in the business. So, a lot of security assessments maybe say, “Hey, your third-party security onboarding practices, your vendor security review needs more stringency,” right? You need to put more effort into the vendor security review. And you do, absolutely you do. But as the CISO, one of the things that I did was institute a lot of vendor security practices, “Hey, before we just onboard a vendor and start hooking them up to all of our cloud storage or our IAM or whatever else, we need to do some due diligence on them.”
Jacob Ansari: And that had a very significant effect on the whole organization where now it affects the timelines for how quickly we can respond to any number of things, like, “Hey, we need this vendor to do this marketing thing, to deliver this thing to our clients.” And of course, you’re in information security, so you get blamed for everything, right? So the common refrain was, “I sent this vendor request to security and that’s where it went to die,” right? And the truth was, I never rejected any of the vendors that anybody came to me with, but I asked them a lot of tough questions and bit down until I got real answers. So, it affects things, it does change things, and that helps you understand like, “Look, you need to have the right mix of being aggressive about your security practices,” and understanding where that costs you, as an organization, in terms of time, in terms of effort, in terms of how many other things it touches, that matters.
Scott Emo: Yeah. And well, Jacob, you mentioned in there, you’re playing defense, and you mentioned vendor security practices. Can you give us an idea of what it means to promote good security practices because I think that’s why we’re here?
Jacob Ansari: Right. It is. And I think what you do, when you’re promoting good practices when you’re doing advocacy or education, you really want to take the practice or the understanding of the threat or the risk and think about how it is most appropriate to your audience, right? A lot of security hype is fear, right, is FUD (fear, uncertainty, and doubt) and I think you have to be very careful about that. That’s a dangerous pitfall. One of the things that I think we’ve learned, or maybe we very specifically haven’t learned after this many years of dealing with COVID-19, is that when you have this amorphous impossible to think about threat, people respond to that by just not dealing with it, by pretending it’s not there. And so that happens with information security threats as well.
Jacob Ansari: When you say “Oh, your web applications are lousy with insecure, outdated, backend web components, like Log4j or vulnerable versions of Spring Boot or Spring Framework or whatever.” And you need a massive re-engineering project to go deal with that, right? That’s impossible to comprehend if you’re the product manager and you’re trying to get features out by the deadline. And so you just don’t deal with it, right? You just pretend it doesn’t exist, right? “Lah, lah, lah, nobody’s listening to Jacob.” And so if you’re going to advocate for good security practices, you have to think about how you’re going to take the threat and render it into something manageable and comprehensible, and that ultimately means — at the risk of using too many buzzwords — actionable, right? Here is a thing you need to do, right? Here is a thing that you can do, a thing that you can conceive of and act upon, start there, right? And then there’s the next thing, right?
Jacob Ansari: To just throw, “Hey, fix your Log4j” at people when they don’t even know where it is, what it is, how to get at it, how many things they have to crack open to get at all of those vulnerable packages is bewildering at best. But being able to say, “Here’s how to start, and then here are the next couple of steps.” That’s something you can work with.
John Vecchi: Yeah. And you mentioned ripped from the headlines, right? Log4j. These are high-profile vulnerabilities. You’ve got Spring4Shell. You’ve got others. I think, as you said, IT teams, especially when we think of cloud environments, they’re hair on fire with some of these high-profile vulnerabilities, right? So from an advocacy perspective, as you said, these are tough. How do you actionably address these? And not just the couple we just mentioned, but other threat vectors that are here or in the future. Do you have general advice on how they just deal with them or prepare for them or address them in general? It’s a tough one but…
Jacob Ansari: It is a tough one. I think part of what you’ve got to do, I think if you’re playing defense, right, if you’re the security professional guarding your own organization, you have to shift your focus to categories of vulnerabilities and not maybe individual vulnerabilities, right? The number of individual vulnerabilities will just drive you completely bonkers, right? And you end up playing that sort of what Bruce Schneier calls the Movie-Plot Threat Game, right? Where you’re fixated on overly specific attack scenarios, which are individually improbable.
John Vecchi: Yeah.
Jacob Ansari: And instead, you need to say, “Okay, what are the broad ranges of things that I have to contend with and how do I address them?” And part of that is doing the reading on what actual attacks are like. So ripping the Log4j or SpringShell from the headlines, that renders down to a category of things like backend web components, right?
John Vecchi: Mm-hmm (affirmative).
Jacob Ansari: Or software supply chain security, right? And people throw around the software bill of materials, or SBOM. And that’s a useful first step. I would say, start there, right?
John Vecchi: Mm-hmm (affirmative).
Jacob Ansari: Inventory your software components. But that’s just your map. That’s the array of things that make up your applications. From there, start figuring out which of these are outdated, which of these are vulnerable, which of these are maybe not currently under exploit. Although if there are some that fit that bill, you should start there, do that first. But then also be thinking like, “Hey, I have this other component that’s a Java toolkit or part of some Apache package that I use or whatever the thing is and it’s old. I haven’t updated it in a while. My development team tells me that if we updated this framework, they would potentially have to rewrite a whole bunch of functions. And there are no current vulnerabilities.” Then maybe don’t squeeze them to get it done next week, right? But say, “Let’s not catch up when some inevitable vulnerability arises. Let’s think about what your path is to pay down this technical debt and get to the point where we can update this,” right? Not just “We can fix it once,” but that we can have a regular pipeline of when we expect updates to this package or this set of components,” and what we need to do to be able to then apply that update and not break our application along the way.
John Vecchi: Which is really part of best practices, right? And that is, I think, essential. Yeah.
Jacob Ansari: It is. And it’s a ton of discipline and a ton of buy-in from people whose incentives are generally not aligned toward that. So, my hat [goes] off to anyone who can negotiate that solution because that’s a really tricky scenario.
Scott Emo: Yeah. At the time when we’re recording this, there are some issues going on in Ukraine. So on the same thread — and it could be the same answer looking at categories of vulnerabilities — are there any threats or concerns around cyber and Ukraine and what you think our listeners should be looking at?
Jacob Ansari: I think so. I think, what’s the saw we’ve been hearing for the last couple of years “when people show you who they are, believe them.” And so, when you hear the Putin government talk about retaliation from meddling in what they’re trying to do in Ukraine, you should believe them. And so I think, organizations that are in other parts of the world, particularly maybe NATO countries that have attracted the ire of the Russian security services, should be prepared for those kinds of attacks. You can look at the threat actors like APT28, right? Or Sandworm or Fancy Bear. I lose track of all of the names of each of the individual identifiers for these sets of players. The Sandworm shop is very destructive, right? They’re very interested in sabotage and destruction, unlike the Fancy Bear types who are more about disinformation.
Jacob Ansari: And I think the attribution of a lot of, like, the wiper malware or attacks against infrastructure entities are attributed to them, and while they can and do have access to sophisticated zero-day exploits and the like, they often make use of things that are well understood, right? Even the NotPetya or the prior anti-Ukrainian malware that affected their energy sector now almost 10 years ago was not the most sophisticated stuff. It wasn’t truly groundbreaking attacks. And keeping aware of the basics — apply patches, secure remote access, things like that — those are the drum that we’ve beaten until a hole is ripped into the skin because they matter, right? Keep doing that stuff, keep thinking about how you’re going to get your components up to date, keep thinking about how you protect against insecure remote access mechanisms, right?
Jacob Ansari: Continue to ire on that even, right? Get rid of SMS-based OTPs for your multifactor authentication in remote access because it’s horrendously insecure and almost worse than nothing, just in the sense that it provides this false sense of security rather than really mitigates against serious attackers. But I think you have to look at both ends of the spectrum, right? On one hand, you’ve got nation-state intelligence services doing very persistent kinds of things. And on the other hand, you’ve got a bunch of kind of dumb teenagers with private Telegram channels who are still managing to roll over sophisticated organizations with real security practices and budgets, right?
Jacob Ansari: I’m talking about the Lapsus$ gang, right? Who, we all sit there and look at it like, you just downloaded PsExec and dropped it on the endpoint that you compromised, or you just bribed somebody with a bunch of Bitcoin to give you access to things. And the answer is “Yeah they did. What are you going to do about it?” And so, I think, if you as an organization, struggle to defend against somebody who just comes along and turns off your XDR agent on the compromised endpoint, and then suddenly you’re blind, you have to imagine like the nation state intelligence service is going to be a much harder nut to crack.
John Vecchi: Right. They’ll have a field day with…
Jacob Ansari: One surmises.
John Vecchi: Right, exactly. And again, as you mentioned, sometimes it’s not so much about sophistication. Some very unsophisticated attacks can be very successful, right? So it’s an interesting landscape, to say the least.
John Vecchi: Let’s talk about, specifically, those organizations who are managing these environments in cloud environments, right? Any difference there? All of what we’ve been talking about, is it harder in the cloud? Is it different relative to the cloud? Are there other things that are maybe a little bit more important than others in the cloud? Is there anything we should be thinking in terms of all of what we’ve talked about relative to a company just managing all of this in the cloud? Does that make sense?
Jacob Ansari: It does. I think a lot of application layer stuff maybe has some similar qualities, right? Like whether you run your web app on prem or in the cloud, the app layer stuff has a lot of similar security practices, right? You need to worry about secure coding and you need to worry about your software composition and your supply chain. I think you don’t have to scratch too far before you get to where the cloud services make a difference, right? If you’re using serverless components or you’re using database as a service (DBaaS) things, then some of the nature of that changes pretty quickly.
Jacob Ansari: I just read something this morning over breakfast about a vulnerability or a pair of vulnerabilities in, I think the Azure PostgreSQL as a service where some researchers discovered a series of vulnerabilities that allowed for essentially a cross tenancy access, right?
Jacob Ansari: There was a thing where, like, the regular expression used to parse the certificate that was used for authentication had, like, an improper wildcard in it. And so if you were a tenant with the Azure, like, PostgreSQL as a service database in a common, not universal configuration, but in a commonly used configuration, right? And anybody with a credit card can spin that up in less than an hour, you could conceivably then use the certificate that you have issued to you to get access to somebody else’s tenancy, which is one of those, like, almost incomprehensibly scary and what-do-you-do-about-it sorts of things.
Jacob Ansari: And in this particular case, the security researcher reported it several months ago, it’s been fixed. And so now this is the responsible disclosure bit where we all find out about it. And the net result is, you don’t have to do anything, it was never at the tenant level, and there’s no tenant-level fix you have to apply, we’ve already done it. And you are like, “Okay, good. But what else is lurking under the covers that I don’t have any ability to see, think about, [or] mitigate any of it?” right?
Jacob Ansari: And I think you have to contend with the reality that your cloud services have vulnerabilities and have outages, and yes, they have ostensibly dedicated security teams full of smart well-intentioned people who work really hard, but if you run something mission-critical or if you run really anything, you’ve got to think about the category of vulnerability that my cloud service provider (CSP) is adversely affected, or my cloud service provider is down. We don’t have to just throw stones at Azure, we can all count how many, like AWS outages in the last month, or the last 12 months, affected real things on the internet.
Jacob Ansari: So if you’re not, as part of your BCP/DR or your incident response, brainstorming and tabletop scenario planning, thinking about those situations, “What do I do if my CSP is down? Or what do I do if a SaaS application that I rely on, I don’t know, my IAM goes down because of a cloud service outage, right? Or goes down on their own, like, what do I do if I can’t get into all of my stuff because my Identity and Access Management (IAM) is taking a nap for a few hours?”
John Vecchi: Yeah.
Jacob Ansari: You need to work on that.
John Vecchi: It’s so true. And so what you’ve just outlined as you can just see, on top of all your own environment, your application, your own infrastructure, all the things you’re using, the CSP, the cloud provider itself, just the fact that you’re in the cloud, in production there, that’s where your production environment is, on top of all the other things, there are all those other potential issues that you have to be thinking about, right? It’s on top of it, and that’s why we do this podcast.
John Vecchi: And for our audience who’s in Azure, you just heard Jacob talk about something pretty interesting. Sometimes you have to be digging and finding this stuff, because like you said, you’re going to find out about it after the fact, perhaps they may have fixed it already, but three months, four months, six months later, you find out about it, right? And you have to be on top of that. It’s fascinating.
Scott Emo: I’m going to switch gears here a little bit, because we’ve talked about… And we could go into this vulnerability and security practices and the business planning and contingency planning that you just talked about, but you’re also an experienced security assessor and QSA. We haven’t really talked about that part of it. You’ve spent years on that side of things and we’d like to pick your brain a little bit on that. Are there any new or interesting updates around the area of compliance? Because we’ve been focused on the whole security and vulnerability side of it, and we’ve got a lot of our listeners that focus on the compliance side. Can you share with us any areas around like updates of compliance that you could share with us? It could be anything that comes to mind.
Jacob Ansari: Sure. I’ll talk about two standards updates. One that I know very little about, and that’s the ISO standard update, ISO 27002. There are folks in my firm who know a lot about this and have spoken eloquently and extensively about this, and I’m not one of them, so I’m going to avoid saying something dumb. But the standard that I do know quite a bit about is the new version of the PCI DSS, v4.0, which just released and has made a big splash.
Jacob Ansari: I got to be part of some of the feedback process of that that a number of assessors got to participate in where we saw some draft standards and made a lot of proposals to the standard language and how it’s reported and some of the new features, right? Like the customized approach. And so, there’s a lot of change in v4.0 of PCI DSS. It’s the most significant change to that standard in, I want to say, eight years, right?
Scott Emo: Wow.
Jacob Ansari: It’s been building for a long time and now the dam has kind of broken in terms of what’s in the new version. If you’re subject to PCI DSS, and you deal with that as a regular thing, you have a good window where both versions of the standard are active. In fact, today, right now, assessors need to go through a separate v4.0 training piece in order to be able to do v4.0 assessments. So, it’s not like you can just go out and do it today. It would probably completely wrap you around the axle, even if you did. So you have time and you should probably continue on the track of assessing under the current version of the standard v3.2.1, but you should probably start working with your assessor and your compliance folks, and if you have Internal Security Assessors (ISAs) on staff, definitely them, to say, “What are the things we’re going to need to do differently for v4.0 of PCI DSS?”
Jacob Ansari: v4.0, like v3.0 and the iterations of v3.0 over the last several years, contains some future dated requirements that are going to be best practices for some time and will sunrise over the next several years. So, there are things that even when v3.2.1 of PCI DSS dies and goes away and you have to use v4.0, there are still several requirements that are future dated that are best practices until some date in like 2025 or 2026. So, you have time, but many of the changes are significant and you should not squander it.
John Vecchi: Yeah. Like you said, the gap to v4.0, there are some things you got to be thinking about and you have time. So for those in the audience, dealing with PCI DSS, it’s good information. You have time, but don’t wait until that time runs out and you’re trying to run around and fill some gaps that could be substantial, right?
Jacob Ansari: Significant. Yeah. If you check out of what you have to do for v4.0 for the next 12 months, you are going to be hurting 12 months hence. So yeah, get going, have the conversation, right? Talk to your assessor now, even if you’re not in the middle of your current PCI DSS work, but even if you are saying, “Hey, at the end of this, we want to have a real conversation about v4.0, right?” But if you’re not, pick up the phone and say, “Hey, we want to talk, we want to hear your take. We want to hear what you think the lift is. We want your sober opinion, knowing our environment,” particularly if you’ve worked with that assessor for some time to say, “You know us, where do you think we’re going to struggle,” right? And be honest with yourselves about what answer you hear and what you think you got to do to get from here to there.
Scott Emo: Yeah, no surprises. I think that’s what I’m hearing, you don’t want the surprises, just ask.
Jacob Ansari: Definitely.
Scott Emo: Ask now you’ve got some time.
Jacob Ansari: Right.
John Vecchi: Well, and I guess, as we come toward the end here, Jacob, this is why you should view Schellman — your partner — as a trusted advisor as well. They’re your auditor, but they’re also trusted advisors. We just talked about PCI but there’s SOC 2, there’s a lot happening with things like CMMC on the defense side. And not to mention a lot of companies already meeting things like FedRAMP, and we talked about ISO 2700X and all that. There’s so much, right? And your assessor can be a very trusted advisor for companies.
John Vecchi: And I think that’s one of the reasons we wanted to have you here as well, because you can just see, the audience can see, all that you bring and you need to take advantage of that for your advisor. They’re a very critical partner in this whole process, given all the complexity and changes with multiple compliance. Some companies are meeting three to four different compliance mandates at one time, right?
Jacob Ansari: They are. And many of our clients get multiple of the same. They have many different SOC 2s for different aspects of their business or different PCI DSS. So we’ve got clients where we produce upwards of 50 reports a year…
Scott Emo: Wow.
Jacob Ansari: For that entity, right, across three, four, five compliance frameworks. So, it can get very complex very quickly. And if you want to have the experience where you work with your audit team to minimize the number of times you have to go badger, like, the network security engineering folks about more or less the same topics, right? Like that doesn’t happen organically. And that doesn’t happen with one side or the other in a vacuum. It happens through careful assiduous planning collaborating with the audit team and the compliance management folks at the client to say, “How do we organize this vast array of things in such a way that we can be the most efficient about it?”
John Vecchi: Perfect.
Scott Emo: Well, Jacob, this has been an awesome discussion, and thank you so much for joining us today. If our listeners want to learn more, where can they look?
Jacob Ansari: I would send folks to our website, www.Schellman.com. If you go to the blog there, the articles page, there are a number of things that my colleagues and I have written about a variety of compliance and information security topics. And there’s a contact from there you can get in touch with me or any of my colleagues about the services or just the security practices that you want to talk about.
John Vecchi: Got it. So they can find you, right?
Jacob Ansari: Absolutely.
John Vecchi: If some of our listeners might want to try to reach out to you, they can do that. And it’s just been fantastic to have you here and representing Schellman, a great company. So, it’s terrific. Thanks so much.
Jacob Ansari: Thanks for having me.
Scott Emo: And remember the Security on Cloud Podcast is brought to you by Anitian, the leading cloud security and compliance automation provider, delivering the fastest path to security and compliance in the cloud.
John Vecchi: And thanks again to our guest, Jacob Ansari. Till we meet again, I’m John Vecchi.
Scott Emo: And I’m Scott Emo.
John Vecchi: See you next time on Anitian Radio.
About Our Guest
Jacob Ansari – Security Advocate at Schellman | LinkedIn
Jacob Ansari is the Security Advocate at Schellman, where he leads the firm’s security best practices advocacy. Jacob develops and leads educational efforts on security practices, emerging and extant threats, and related industry developments for both internal and external audiences, and regularly represents the firm as an experienced security practitioner, security officer, and industry expert on technical information security matters and leadership in the space. Jacob has also acted as the CISO for the firm and has an extensive history in a client facing role as the technical lead for Schellman’s PCI services. Over the 20 years of his career, Jacob has spoken extensively on security-related matters, trained and mentored assessors, and contributed to groups on emerging standards, advisory bodies, and special interest groups.