Cannabis ISAO Director’s Cut: January 07

In this blog series, our Executive Director Ben Taylor highlights a selection of cybersecurity, physical security, health or natural threat related stories relevant to the cannabis industry.

Cybersecurity

Here’s What Happened with Log4Shell While You Were Out

The New Year is traditionally a time for “ringing out the old” and “ringing in the new” – for taking stock of what came before and what waits ahead.

Unfortunately, IT and security teams didn’t have that kind of luxury this New Year. Instead, they put the party hats and champagne aside and spent the New Year in something like a dystopian fight for survival. Their adversaries? Hacking and ransomware crews anxious to exploit Log4Shell, a “10 out of 10” remotely exploitable vulnerability in the ubiquitous Log4j open source logging library.

We have compiled a list of useful Log4j related references for IT teams to utilize.

• FBI: “If you feel your systems have been compromised as a result of the Log4j vulnerability or are seeking remediation, we encourage you to employ all recommended mitigations and follow guidance from CISA. If you think your organization has been compromised as a result of the Log4j vulnerability, visit fbi.gov/log4j to report to the FBI. Please include as much information as possible to assist the FBI and CISA in determining prioritization for victim outreach. Due to the potential scale of this incident, the FBI and CISA may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat. As always, we stand ready to assist any impacted entities.”
• NCSC-NL/log4shell: Operational information regarding the vulnerability in the Log4j logging library.
• GitHub – cisagov/log4j-affected-db
• What should boards be asking of IT teams? The UK’s NCSC provides some guidance for medium to large size organizations with dedicated IT teams, providing questions boards should consider asking. Read the complete guidance for additional detail on each question and more.
• CISA has also released an open-sourced log4j-scanner derived from scanners created by other members of the open-source community. The new tool can be accessed here.
• List of vendors and software affected by the Apache Log4J vulnerability (CVE-2021-44228)
• SANS: Log4j 2 Security Vulnerabilities Update Guide
• SecurityWeek resources on ICS updates: https://www.securityweek.com/ics-vendors-respond-log4j-vulnerabilities

OMMA Warns Of Email Scam Targeting Medical Marijuana Patients

The Oklahoma Medical Marijuana Authority (OMMA) is warning about scammers targeting medical marijuana patients. The OMMA says an email went out asking license holders to verify their email addresses. The agency said a scammer is asking licensees to verify email addresses with a link while using a fake Gmail account. The fake email follows a legitimate OMMA email sent out Tuesday about updating licensees on new software. The OMMA says that if you get that email, delete it, do not click on the link and do not reply to the message.

This is an important reminder about phishing attacks. Training employees to always be suspicious of unsolicited emails can go a long way to building a good cybersecurity safe culture.

Physical Security

Americans for Safe Access Releases Robbery Preparedness Guide

Unfortunately the new year has seen the same trend of dispensary robberies continue. A recent Ganjapreneur article featured industry leaders offering their predictions for 2022. According to The People’s Ecosystem Co-Founder & CEO Christine Del La Rosa, “If California and Oregon are any indications of the future of retail where mass mob robberies are happening with very little intervention or protection from the state I would say that 2022 is going to see an incredible increase in delivery. It is more practical for small operators to implement delivery rather than face the risk to their safety, their employees’ safety, and their business safety in the current climate. And, based on the actions we’ve seen from law enforcement it does not appear that this type of danger to operators and their business will change anytime soon.”

In an effort to educate the industry and provide best practices before, during, and after a robbery, Americans for Safe Access released a Robbery Preparedness Guide last month. The guide is adapted from materials in their Patient Focused Certification (PFC) Business Operations Training program.

Recent incident headlines include:

• Police Seeking Suspicious Cars Found Near Cannabis Dispensaries

• Thieves steal $15,000 worth of marijuana in seconds from Oklahoma shop

• Calgary police confirm: cannabis store robbed on Boxing Day morning

• City Investigating SFPD for Lax Response to Dispensary Robberies, Pot Shop Owners Unsatisfied

• Deputies searching for suspects after man shot at pot shop

• San Leandro police officer shoots two men during marijuana dispensary break in

Natural Events

10 cannabis Industry Trends to Watch for in 2022

While this is an interesting read from MJBizDaily for anyone in the cannabis industry, the item we want to focus on today is  #8 on this list, “Climate change unpredictability will continue”. The author notes that “Cannabis growers must remain flexible and adaptable, as climate change means normal weather patterns can no longer be trusted.” While weather patterns will be harder to predict, scientists do expect tend to agree that severe weather events will increase in frequency. We have previously blogged about best practices in preparing for severe weather events, and we’ll link to those resources below.

• Tornado
• Earthquake
• Hurricane
• Wildfire

Be sure to check back every Tuesday as we publish our Library Card Series where we highlight one of the resources available in our library!

Check out the latest blog highlighting issues important to cannabis security!

Tweet