Cannabis ISAO Director’s Cut: December 10

In this blog series, our Executive Director Ben Taylor highlights a selection of cybersecurity, physical security, health or natural threat related stories relevant to the cannabis industry.

Cybersecurity

Log4j Vulnerability Affects Multiple Apache and Legacy Services; Exploit Code Publicly Released

Proof-of-concept exploit code for a critical zero-day vulnerability, designated CVE-2021-44228, in the Apache Log4j Java-based logging library has been released publicly, exposing enterprises and services to remote code execution (RCE) attacks by attackers. Systems and services that use Log4j between versions 2.0-beta9 and 2.14.1 are all affected by CVE-2021-44228, which includes many services and applications written in Java. The vulnerability allows for repeated and reliable unauthenticated remote code execution in targeted environments.

The vulnerability was first discovered in the popular Java-based game Minecraft but researchers warn that other cloud applications are also vulnerable. Log4j is incorporated into a host of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. That means that a large number of third-party apps may also be vulnerable to exploits that carry the same high severity as those threatening Minecraft users.

In analyzing CVE-2021-44228, security firm Randori determined the following:

• Default installations of widely-used enterprise software are vulnerable to CVE-2021-44228.
• CVE-2021-44228 can be exploited reliably and without authentication.
• CVE-2021-44228 affects multiple versions of Log4j 2.
  • The United States Cybersecurity and Infrastructure Security Agency (CISA) Cyber Information Sharing and Collaboration Program (CISCP) has stated that CVE-2021-44228 affects Log4j versions 2.0-beta9 to 2.14.1.
• CVE-2021-44228 allows for remote code execution as the user running the application that utilizes the library.

Social Media Account Protection

The Cybersecurity and Infrastructure Security Agency (CISA) helps to secure the safety of the nation’s critical assets, and has developed a product with recommendations on social media account security. While this product is specifically written for federal agencies, the best practices noticed in this document are widely applicable.  CISA recommends the following actions—which are further detailed by clicking the link above—to establish a baseline to secure their social media accounts from unauthorized access:

• Establish and Maintain a Social Media Policy
• Implement Credential Management
• Enforce Multi-Factor Authentication (MFA)
• Manage Account Privacy Settings
• Use Trusted Devices
• Vet Third-Party Vendors
• Maintain Situational Awareness of Cybersecurity Threats
• Establish an Incident Response Plan

Physical Security

New rash of California marijuana robberies threaten survival of businesses

As Reason  points out “both this year and in 2019, the House of Representatives has passed versions of the Secure and Fair Enforcement (SAFE) Banking Act, which would loosen the requirements that disincentivize banks from taking marijuana businesses as clients. But even under Democratic control, it has stalled in the Senate, leaving hopeful cannabis businesses in the lurch.”  As the trend of robberies continues across the cannabis industry, owners are operators are looking for solutions. Loss Prevention Magazine has recently looked at the trends of “Brazen Retail Theft” and offers suggestions on what can be done about it and Security Infowatch has provided some guidelines as well. 

Cannabis ISAO has shared two documents to our FREE Slack Workspace that is open to all cannabis industry professionals (click on previous link for an application). We have recently posted two documents into that space which have been classified as not available for public release by the authors, but can be accessed via the Slack workspace.  A summary of the documents is below:

• ORGANIZED RETAIL CRIME INDICATOR AND MITIGATION BEST PRACTICES. The Real Estate-ISAC, along with partner organizations the Real Estate Roundtable (RER) and the Retail Industry Leaders Association (RILA), have published a bulletin to provide indicators and best practices related to “flash mob” retail theft. As the document state, “Law enforcement agencies in major cities across the country have reported ‘Flash Mob’ thefts targeting businesses to include high-end retailers, jewelers, pharmacies, sporting goods stores, convenience stores, and cannabis dispensaries. Large groups of criminal actors engage in coordinated planning on social media sites, arrive at the target location on foot or in vehicle caravans when the store is open or closed, and are often armed with burglary tools to break into the location and into product displays.” A sampling of the possible indicators and best practices follows, while the report in Slack includes the full list:

  • Possible Indicators of Pre-Planning for Criminal Activity:

    • Questions about staffing and security

    • Observing opening and closing procedures

    • Testing/opening emergency exits

    • Entering unauthorized areas of the property

    • Bulk thefts / purchases of blunt objects / cutting tools such as bolt cutters, crow bars, hammers, etc.

    • Thefts or missing keys, access cards, security device removal keys

    • Photographing security devices

  • Best Practices:

    • Establish a point of contact with Law Enforcement

    • Build communication with local police and request patrol checks

    • Register with local police and office of emergency operations to receive notices

    • Maintain awareness of local/regional crime trends

    • Establish business community crime watch contact groups

    • Place private security / police near entrance and exits in visible locations, confirm reporting of suspicious activity

    • Document suspicious activity and contact police when observed

• FBI LIAISON INFORMATION REPORT. BURGLARY CREWS’ USE OF WIFI AND CELLULAR SIGNAL JAMMING DEVICES POSES A THREAT TO COMMERCIAL FACILITIES NATIONWIDE. The FBI’s Dallas Field Office, in coordination with the FBI’s Office of Private Sector (OPS), prepared this Liaison Information Report (LIR) to alert private sector partners in the Commercial Facilities sector of burglary crews using signal jamming devices to disrupt security alarms systems and delay law enforcement responses. Jamming devices create white radio noise and disrupt the Wi-Fi or cellular connection between the wireless alarm system and the alarm monitoring company. If burglars determined the type of security system and it’s transmitting frequency, they could use a signal jammer to prevent the alarm monitoring company from receiving an alert from the wireless alarm system, thus delaying law enforcement response. Cannabis organizations should review this threat internally, or share the information with their contracted security provider to assess potential vulnerabilities based on these trends. According to the LIR, the following are some best practices to consider while trying to mitigate the effects of signal jamming devices on security alarm and security camera systems:

  • Utilizing a wireless security system with software designed to detect intentional radio frequency interference and alert the system administrator;
  • Using a network-monitoring tool to track the performance of the business’ wireless network and alert the system administrator of any abnormal radio frequency interference or system outages; or
  • Installing a wired, Ethernet supporting security alarm system or security camera system as a compliment to the wireless system.

Cannabis ISAO will continue to monitor the ongoing rise in dispensary robberies, as well as share latest resources and best practices for preventing the crimes. Some of the other headlines related to this ongoing threat include:

• Police Looking for Suspects in Armed Robbery of Marijuana Dispensary

• Car Smashes Into Denver Dispensary During Apparent Robbery Attempt

• Schools Put on Lockdown After Deadly Shooting at Church of Herbs Pot Shop

• Looters steal $5 MILLION of products from 15 cannabis shops in the San Francisco Bay Area in a single month

• Bay Area Cannabis Mayhem: 175 Shots Fired, Products Worth Millions Stolen

Natural Events

Weather-related Cannabis Supply Disruptions Show Need for Direct Delivery, British Columbia Retailers Say

Some independent British Columbia cannabis retailers are speaking out after supply delays in the wake of recent devastating weather, saying the holdups demonstrate an urgent need for a more flexible supply chain from the province-owned BC Liquor Distribution Branch (LDB). Torrential rains caused chaos, including mudslides and severe flooding, across Canada’s westernmost province in November, with washed-out roads contributing to supply-chain disruptions for multiple industries, including cannabis.

Association of Canadian Cannabis Retailers (ACCRES), which represents 51 independent marijuana retail brands in the province has pushed for a system that allows for local deliveries directly from B.C. cannabis producers to stores, rather than the current system of shipments from the government wholesaler’s central distribution hub in Richmond, B.C., according to ACCRES Executive Director Jaclynn Pehota.

As you hopefully use the situation in B.C. to evaluate your own supply chain vulnerabilities, we recommend checking out this NCIA member blog on “Cannabis Supply Chain Roadmap – Control What You Can, Plan For The Rest” from Lightning Labels.  The blog recommends 5 steps cannabis companies can take to stay on top of supply chain issues:

1. Determine what suppliers are clearly able and willing to meet your needs.
2. Ramp up customer service efforts.
3. Make shipping as predictable as possible.
4. Research buying trends into near-to-mid term planning.
5. Build in breathing room where possible.

Be sure to check back every Tuesday as we publish our Library Card Series where we highlight one of the resources available in our library!

Check out the latest blog highlighting issues important to cannabis security!

Tweet