In this blog series, our Executive Director Ben Taylor highlights a selection of cybersecurity, physical security, health or natural threat related stories relevant to the cannabis industry.
Physical Security
Police Investigating if Recent String of Cannabis Shop Burglaries in Washington State are Connected
Multiple stores in western Washington were victims of smash-and-grabs last week, according to police. The suspects involved used stolen vehicles to ram into the front of the businesses. Police said the suspects used stolen Kia’s or other vehicles to ram into the front of the stores, then run inside and steal merchandise before taking off. We recently detailed in The Bluntness the threat that the TikTok trend Kia Boyz poses to the cannabis industry and the potential for increase of stolen vehicles to be used to breach dispensaries.
In nearby Bellevue, detectives with the Bellevue Police Department (BPD) arrested three people who face a combined 20 charges, including burglary, car theft and identity theft. The incident in Bellevue represents a good example of the benefits of working with law enforcement to identify trends and shut down crime rings. That remains the best opportunity to get meaningful prosecutions against those individuals who target cannabis businesses. Most states have renewed emphasis on these prosecutions through Organized Retail Task Forces. Cannabis organizations are encouraged to work through those entities to try and tackle this ongoing issue within the industry.
Extremist Threats in a Volatile Midterm Election
According to Homeland Security Today, “Election security preparations are necessarily concerned with the safety of early and day-of voters casting ballots as well as the processing or certification of results, protests that can stem from whether or not a candidate accepts those results or chooses to fan discontent among supporters, or potential attacks against election infrastructure itself or the officials overseeing what may be perceived to be flawed systems or procedures.”
As the political environment in the U.S. continues to be incredibly volatile, the results of the upcoming election have the potential to spark protest activity. We have seen in recent years protests escalate to include violent acts, vandalism, and looting. Cannabis businesses are encouraged to review civil unrest preparedness plans to include communications plans with staff and customers, and enhanced security postures such as additional security staff, and fortified facilities. As always it is so important to plan for the worst to ensure smooth business continuity during any turbulent times.
Cybersecurity
Meet the Cannabis ISAO at MJBizCon in Vegas
Cannabis ISAO will be in Vegas for MJBizCon this year! Besides being a participant in Association’s Day, we’ll be participating in a panel titled “The Threat Is Real: Cyber Attacks and Data Breaches in the Cannabis Industry“. The panel will focus both on cybersecurity best practices that any (and every!) organization can implement, as well as discuss incidents that have occurred in the industry already.
Controlled Growth: Mitigating Cyber Vulnerabilities in Cannabis’ Automated Systems
As technology continues to grow its influence on the cannabis industry, it is important to ensure that the security of our operational technology (OT) systems evolves. In 2019, risk advisory firm Kroll wrote about the potential of criminally motivated threat actors to take control of automated systems to drastically alter water, lighting, or temperature controls to effectively ruin a crop. The Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have recently published a comprehensive guidance document that will help organization ensure their OT and Industrial Control Systems (ICS) are properly configured. This article reviews that recent guidance.
Uber Delivers Security Lessons to Cannabis Industry After Recent Data Breach
The Cybersecurity & Infrastructure Security Agency (CISA) has produced alerts specifically on how weak security controls are routinely exploited for initial access, and implementing MFA remains one of the first mitigation steps for preventing data breaches.
In 2020 Microsoft reported that 99.9% of compromised accounts did not use MFA. While utilizing MFA is essential, not all MFA is created equally.
This article will briefly review types of MFA solutions, recent examples of how threat actors are bypassing MFA protocols, and what mitigating steps the cannabis industry should be implementing to fortify their data security.
Microsoft Security Tips for Mitigating Risk in Mergers and Acquisitions
Sixty-two percent of organizations that undertake mergers and acquisitions face significant cybersecurity risks or consider cyber risks their biggest concern post-acquisition. Threat actors that focus on corporate espionage often target the acquiring company, which we will refer to as the Parent, early in the bidding process to gain a competitive advantage. Other threat actors focus on planting backdoors in the entity being acquired, which we will refer to as the Acquisition with the intent of later compromising the Parent company.
A recent MJBizDaily article indicated that “Frank Colombo, Viridian’s director of analytics, said consolidation activity remained healthy in 2022, particularly when megadeals such as Trulieve Cannabis’ $2.1 billion acquisition of Harvest Health & Recreation are taken out of the equation.” As M&A remains a large part of the cannabis businesses landscape, organizations will want to be mindful of the added cybersecurity risk that may accompany such deals.
OpenSSL Releases Security Update
Earlier this week, OpenSSL released a Security Advisory, which, notably, is less severe than anticipated. Per the Advisory: “Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible.” Datagog Security Labs did a nice “key takeaways” on this yesterday (see below). CISA posted: OpenSSL has released a security advisory to address two vulnerabilities, CVE-2022-3602 and CVE-2022-3786, affecting OpenSSL versions 3.0.0 through 3.0.6. Both CVE-2022-3602 and CVE-2022-3786 can cause a denial of service.
According to OpenSSL, a cyber threat actor leveraging CVE-2022-3786, “can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution,” allowing them to take control of an affected system. CISA encourages users and administrators to review the OpenSSL advisory, blog, OpenSSL 3.0.7 announcement, and upgrade to OpenSSL 3.0.7. For additional information on affected products, see the 2022 OpenSSL vulnerability CVE-2022-3602 GitHub repository, jointly maintained by the Netherland’s National Cyber Security Centrum (NCSC-NL) and CISA.
Natural Events
At Least 1 Dead, Multiple People Missing in Oklahoma After More than a Dozen Tornadoes Hit 3 States, Officials Say
At least one person was killed and multiple people are missing after tornadoes hit Oklahoma, Texas and Arkansas late Friday, damaging homes and knocking out power for thousands as officials launch search and rescue efforts.
The person who died was in McCurtain County in southeastern Oklahoma, which suffered significant storm damage after a possible tornado hit the city of Idabel, county emergency manager Cody McDaniel said. There are “multiple missing people,” he said. Late Friday, authorities were trying to determine the extent of damages and injuries, McDaniel said, adding, “It’s not good.”
While we are outside of the traditional tornado season, climate change is expanding seasons for severe weather and increasing the likelihood of these types of weather events occurring. We have previously blogged about Ready Business’ Severe Wind Tornado Toolkit which is a good tool to help with tornado related disaster preparedness.
Check out the latest blog highlighting issues important to cannabis security!
Tweet