The Green Room Podcast

Ep 43 - Cracking The Code, Is Your Cannabis Company Safe From Hackers? An Interview w/ Scott Lyons, CEO & Co-founder - Red Lion

November 16, 2021 Ronjini Joshua, Ben Michaels, Scott Lyons Episode 43

If you own a cannabis-based company, there's a good chance you've never thought about cyber security. In this interview with Scott Lyons, CEO & Co-founder of Red Lion, he discusses how data is the new gold. Scott is a "white hat" hacker who is bringing cyber security to the cannabis industry.

Why does cyber security matter to cannabis companies, from the smallest operator to the largest enterprise? Are you aware of how much data about you and your company is being leaked right now? The cannabis industry needs to stay ahead of the hackers. The industry is booming, with new businesses being created every day. New businesses are ideal targets for cyberattacks: they are often unaware of the threats they face, and it can take time before they realize they need to put cyber security best practices in place.

What would be the impact to your business if a cybercriminal was able to attack successfully?

A study by IBM and the Ponemon Institute determined that the average cost of a data breach exceeded $3 million. Add to that the potential loss of trade secrets, millions of dollars in lost cannabis crops, exposure of customers' sensitive information, ransomware attacks, and much more.

Check out this podcast to learn the best practices to keep your cannabis company safe.

About Red Lion:
Red Lion offers a wide range of cyber security consulting services. Visit their website for information: www.redlion.io

Red Lion - Home (facebook.com)
Red Lion Twitter 




Ronjini Joshua:

We caught up with Scott Lyons from Red Lion. He's an ethical hacker, or white hat hacker, and talks about compliance and security, well, just in general for life, but also how important it is going to be as we move into the cannabis industry and how compliance done right is of critical importance to our privacy, security, and how our important data should be protected. So this is a pretty funny and cool and eye-opening interview on how we should all be looking at compliance and security and how we should not be using 1234 for our passwords. We are here with Scott Lyons. He is the founder and CEO of Red Lion. You have a lot of story to pass on from your experience. So I'd love to first, let's just talk about MJBizCon a little bit. Yeah. Is this your first MJ? It is. And what is your, like, what is your kind of, like, anticipation for the event? Well, I came here thinking that, you know, it's gonna be a normal run-of-the-mill conference. Yeah.

Scott Lyons:

Right. And I'm sitting back seeing all of the manufacturers that are there, right, all the distributors and dispensaries and people that are selling their own custom wares, but aren't at scale. Right. So it's a real hodgepodge of stuff. Right, yeah, but, you know, marijuana as a vertical touches everybody's lives. You know, whether you're using something that's a hemp derivative, right? Or you have a family member that's taking something for a medicinal purpose, or you have to use it just to survive, just to be able to feel, to function. Yeah. Yes. You know, the cannabis industry has really been able to revolutionize healthcare, and it will continue to do so for the next couple of years. Yeah, right. Yeah. Into the future. And by next couple of years, I really mean a lot. Yeah, love. Twice as long. Yeah. Uh, you know, being able to see how the industry grows, and especially it being the 10th year here, right? Being able to see how the industry grows from here on out is going to be very interesting. Yeah, yeah. Well, which is why, like, it brings me to what you do as a job. Yeah. So let's talk a little bit about your journey, your past, and, like, kind of your professional expertise, and, like, how did you want to come into the cannabis industry? So start from way back. So hi, everybody. My name is Scott Lyons. I go by the hacker handle of Crisper. I've actually been in the information security community for well over 25 years. I've done work for the federal government, I've done work for commercial entities. And I've been the CEO of a small information security services business called Red Lion for about the last six years at this point, right. We've done really big projects for really big businesses, and really helped a lot of companies to be able to chart security, compliance, system engineering, network engineering, and all of the above, all the sexy stuff. Oh, it's okay, I guess you could call it that. Yeah.
But, um, you know, really out here at MJBizCon, the point that I'm here for is to sit down with growers and distributors and manufacturers, and support companies, to be able to say, Listen, supply chain security is a problem.

Ronjini Joshua:

Yeah. Well, this is a good time to, because, like, you know, all the other industries that you've probably been in, technology, all this other stuff, those have been established over decades and decades. This is, like, kind of still, we still have, like, a little of an entry point here in cannabis, so you can solve these problems before they start getting crazy. Yeah,

Scott Lyons:

yeah. And that's really what we focus on. Yeah, making sure that an issue is not an issue. Before it's an issue. Right. Does that make sense? Yeah, no, absolutely. I hope it makes sense for you guys who are watching as well. Yeah, you know, the more that we can get out ahead of problems, the better off we're going to be and we're going to be prepared for not if we get hacked or breached, but when

Ronjini Joshua:

a lot of the conversations we've had with people in the industry have been about, you know, doing it right. Yeah. And I think that's really important. So what are you know, help us understand a little bit more about compliance and how it works and and what you're protecting? What are you protecting right? And what are you protecting the companies from and what are you protecting the customers from?

Scott Lyons:

So when dealing with compliance from an information security perspective, the biggest driver in compliance is called PCI, or the Payment Card Industry DSS, so PCI DSS, Data Security Standard, so Payment Card Industry Data Security Standard. That standard is what governs all of the credit cards that we use, all the bank cards that we use, how money transfers, right? It's not just all crypto yet, right? So being able to help companies understand that if you process, transmit or store, basically touch a credit card in any way, shape or form, it doesn't matter whether it's one for a business transaction or it's 100 million, you're under PCI.

Ronjini Joshua:

like talking to you is making me nervous about all my credit card and bank accounts. Like just like, all my information, I just like, I have this wave of going over me like I'm just so unprotected right now.

Scott Lyons:

Right? Well, a lot of this rabbit hole can make you feel like that. Yeah, I'm gonna be honest with you know, we have a lot of people that get that overwhelming sense of fear of, Oh, my God, I'm not protected. Yeah. But there are people like me, right, white hats, white hat hackers, that are constantly working with businesses, working with compliance sets to drive not only innovation for protection, but also Defense Against the Dark Arts.

Ronjini Joshua:

I love it, too. What got you into hacking?

Scott Lyons:

Oh, man, I started at a very early age with computers. It was like two when I started with an Apple TV way back in the day. At seven I was writing code out of a book, at 14 wrote my first virus, at 17 was summarily banned from within 50 feet of all machines in my high school. Right. Oh, man, the stories from that one. Um, you know, I went through Penn State. Right. And right now, currently, I'm the sitting incoming president of the board of alumni for Information Systems at Penn State. Right. I have a Master's in Information Assurance. You know, that's not easy to do. Right. But my main focus has been, how do we drive the security inside of companies? How do we demystify what's going on inside of networks? Right. So understand the things that bump. Yeah. And then how do we get other people to understand the passion? Yeah. You know, at MJBizCon, everything is centered around cannabis. And cannabis right now is still struggling as an industry, at least in my own humble opinion. No, I mean, once it gets federally regulated, then everything's gonna take off. Yeah. Right. But you see the big manufacturing companies of tobacco already starting to have entire fields' worth of product and have product shelves and nitrogen. Right. So that way it doesn't spoil, right. It might not be nitrogen, but you get what I'm saying? Yeah, um, but they're already waiting for the green light. And we've seen states say to the federal level, well, you know, screw you. We're going to do this our way. Yeah. Right. And we've seen that with Colorado, we've seen that with California. You know, where I come from in Maryland, we have it for medicinal use, but it needs to be opened up. Right. And the appropriation of those funds needs to be correctly identified and applied. Otherwise, what are we doing this for? Yeah, you know, we're trying to make this easier on ourselves. Right. Yeah, absolutely. Listen, life right now.
And whatever universe you want to live in, right? It's not simple. Yeah. Right. We've got pandemic we're dealing with, we've got international actions we're dealing with, we've got our own our own internal government. Yeah. And family and everything that we have to it gets very impressive.

Ronjini Joshua:

Yeah. If you think about the, this world at scale. Yeah. I mean, it's a lot to take. Yes. Well, and that's probably why everyone's stressed out.

Scott Lyons:

Yeah. So at MJBizCon, what I'm doing is I'm trying to connect with companies that are either doing support, you know, providing support systems, or manufacturers for supply chain, and say, Look, you need to call me or you need to call somebody. Right, not just the Ghostbusters, right. But you need to call somebody to get information security into your business. The problem across the board, let's talk about the big picture for a quick survey. Yeah,

Ronjini Joshua:

I was gonna ask you, what is the big challenge?

Scott Lyons:

60 to 70% of all businesses across the US do not have cyber insurance, period. Okay. Okay. That is an issue. Right. But when you try and scale that back for the cannabis industry, the cannabis industry right now as a whole needs help. Yeah. Just like everybody else. Yeah, they have their other issues to deal with.

Ronjini Joshua:

They do. Yeah.

Scott Lyons:

And when you are a small business, you don't care about security. When you're a medium business, you might care about security. When you're a large business, yes, somewhat, yes, somewhat care about security. But if you're an enterprise, then you definitely care about security. And that stratification, right there, is a major problem. All businesses need to do sales. Yeah, all businesses need to do security. Data is the new gold.

Ronjini Joshua:

Why do you think that is? Why do you think people have such a lack of concern for that?

Scott Lyons:

Because sales rules the roost? Yeah. In most companies, if you're not making sales, then what are you doing?

Ronjini Joshua:

If you pay your people yeah, there's nothing gonna secure. Yeah,

Scott Lyons:

you might as well close shop and go find a job. Yeah, you know, um, but even then, you know, we've had record unemployment over the last couple of months because of the mandates that are coming down from the White House. You know, so a lot of people are sitting back and saying, Well, if we're under 100 people, we can start our own company, start doing business. We don't have to deal with that mandate, but we're still generating revenue

Ronjini Joshua:

right now.

Scott Lyons:

So you have to have security as well. You know, here's the problem. If you think that Facebook is a great service, okay, I'm not I'm not I'm not sitting here telling you. It's not what I am telling

Ronjini Joshua:

you. He's lifting the veil.

Scott Lyons:

If it's free, you are the product. Yeah, that's a problem. Yeah. You know, we have big businesses, especially in tech that are not being open about what they're doing.

Ronjini Joshua:

Absolutely. And I nobody knows it, like none of the consumers. I mean, you know, it, obviously, I know, I work in tech. So like, I think consumers have this misconception that, you know, people are ethical. Everybody is ethical. They're doing the right thing. Of course, why would they? They said, you know, on the little thing, it says we will not sell your information to anyone, like, yeah, we won't sell it doesn't mean we won't use it. Yeah. It's

Scott Lyons:

just like reading the disclaimer for the Google Home device and them saying, Well, we're listening for background ambient noise. Yeah, sure.

Ronjini Joshua:

You are. Yeah, okay. Yeah. Yeah. What

Ben Michaels:

is background ambient noise?

Ronjini Joshua:

They're listening like fart or something.

Scott Lyons:

The problem? Here's the problem. If Siri or Google Home, I forget the name just right now, if they hear a murder inside of the house, the cops can go to that device and pull the audio file out of it. Wow.

Ronjini Joshua:

Even though they weren't invited, they weren't invited.

Scott Lyons:

And if they can get warrants for that kind of stuff. Yeah. You know, so me personally, I have an Apple HomePod. It stays unplugged. Yeah. Unless I'm playing music, and even then, the music is so loud that it's blaring into microphones, but they're trying to incorporate noise-cancelling microphones into these things. So that way, no matter how loud you can hear it, you can hear it. Oh, yeah. Yeah. So what they're really trying to do is tune these to collect as much data as possible. Recently, hackers have shown that the iPhone alone collects over 7000 data points on you.

Ronjini Joshua:

Yeah, you know, it's so funny. I think a lot of people I mean, I've talked about this with other people. We're all like, oh, yeah, our devices are listening. And we're like laughing about it. Yeah. But I think what's important to know is what exactly are they collecting? Like? Can you give us some insight on like, what are the data points? 70,000? That's a lot of data

Scott Lyons:

over 7000. Right. Okay,

Ronjini Joshua:

so what what are those data points? What do they want to know about us

Scott Lyons:

Everything. Literally, what they're trying to do is they're trying to say, well, the AI that's on the phone, right? This should sound really familiar, especially if you're using a Google phone. Yeah, the AI on the phone is there to enhance delivery of the operating system and the device to the end user. But data is data, so garbage in, garbage out. If you feed an AI garbage, it's going to give you garbage in return. Right, so it's all about training the AI. And if you use a VPN, or virtual private network, on your phone, it doesn't matter, because the dial-home to give that data back to Google, Microsoft, Apple, right, it's hard-coded into the phone. Right, so it doesn't matter where you go in the world with a VPN, you are not protected. Right. And if, sorry. Yeah, it is breathtaking, right? It's absolutely beautiful.

Ronjini Joshua:

Oh my gosh, beautiful. I

Ben Michaels:

find this interesting, and, like, maybe this isn't the best way to bring it in, but, like, a lot of my friends, like my friend from Cyprus, for instance. You know, like every day, like a lot of people in Europe, they are VPN only. They have crazy VPN, and they use it a lot for, like, torrenting, you know, movies and stuff like that. But I also see, like, the protection of it. Also they lose out on some opportunities when they're in America and they, you know, can't access certain things in Europe, and then, like, vice versa. I mean, is that something, you know, that Americans should be paying more attention to, is, like, downloading these, you know, more exclusive, you know, VPN networks that keep us, you know, often keep us, like, a little bit more protected from being, you know, seen by, like, CenturyLink and AT&T, or whoever

Scott Lyons:

by the carrier well you know, honestly and I'm gonna be I'm also gonna say that you know downloading of torrents it's not something that we you know, just don't disclaimer

Ben Michaels:

because I'm in film so I don't support

Ronjini Joshua:

that pirating is not cool, people. It's

Ben Michaels:

not physical and you're literally stealing Yeah, you know, so many people on the crew and, and I understand that but like, but like, but is it Yeah, is that something that you know, Americans should be doing not torrenting but like using VPN to protect themselves

Scott Lyons:

Data, data, data is the new gold. So any way that you can get data, you can sell data, you can transfer data, anything that you can do with data, right? As long as you can make a sale in a business place, you're going to do it. So Verizon, AT&T, CenturyLink, all those guys. The backbone is set up to be able to collect data. They can see everything that you do. If you use a VPN, they can't see it, because of the way the connection protocols work. Wow.

Ronjini Joshua:

But if you're doing that on your phone, would it matter?

Scott Lyons:

Six of one, half a dozen of the other. Yeah, you know, and the reason that I say that is because the metrics that a device is collecting about you get sent to a hard-coded server. So a VPN in the middle is not going to affect it. It'll go from your phone to the VPN endpoint, back to the server. Right, right. And between your phone and the VPN endpoint, that's the protected communication link. But as soon as it hits that endpoint and goes

Ronjini Joshua:

to somewhere else, it's done. Game over,

Scott Lyons:

right. And we've actually been able to track bad actors like that.

Ronjini Joshua:

How I mean, how is it possible that more of us are not getting in trouble? I mean, I guess I guess a lot of people are being suffering from data, like data, I guess stealing data?

Scott Lyons:

Well, it depends on the length, degree and amount that you do it. Yeah. There are legal frameworks that are in place that allow for data brokers to happen, right? Yeah, for Facebook to do what Facebook does, right? You know, I mean, let's be honest, if we're sitting around talking about green M&Ms, and Messenger happens to hear it, the next thing you know, a day later, you're gonna see ads for green M&Ms at Walgreens and Target and all of that stuff, because those retail companies want to get in front of you based on your demographics and your data. Right, you know, so you have to be very careful with what you have on your phone. It can be the worst possible thing that you have in your pocket. You know, now, don't get me wrong, there are other worse things that you can have in your pocket. However, right, back in the 60s and 70s, we all said, you know, privacy, privacy, privacy, you know, down with the government, flowers in the rifles, right. Nowadays, we've traded all that for access to the internet. Yeah. Wow. That's true. I traded it. We've made that trade. And we don't know that we've made that trade. Yeah, it's been a silent move against everybody. You know, and it's very difficult to overcome something that you don't see happening.

Ronjini Joshua:

Yeah, it's becoming second nature is you're doing it because that's the you feel like that's the only way it is. And yeah, I mean, it's

Scott Lyons:

crazy. And then and then you look at you look at what's happened over the last couple of years, with BLM, with, with the riots with everything else has happened. And you have to be able to sit back and say to yourself, do I believe what I'm seeing? Or is this an outside effector? Right, shifting the way that I look at things and what I view from my locality, right? Or Is somebody going on Craigslist saying I'm gonna pay you to protest?

Ronjini Joshua:

Absolutely. I mean, I think with both the pandemic, the and Black Lives Matter, everything that's happening socially.

Scott Lyons:

I'm saying, understand, I understand. I want to be very clear here. Yeah, injustice is injustice, and we need to deal with it. Yeah. Yeah, no, absolutely. Um, but the question is, how are we getting told that this is an injustice?

Ronjini Joshua:

Right? Well, no, it's it's not even. Yeah, it's not even the actual thing that you're talking about. It's the delivery mechanism. And

Scott Lyons:

that's it. Exactly. That's, that's what I'm trying to point out. Yeah. Trying to point Yeah, you know, that's responsible. What actually no, don't care. What I care about is the delivery method. Yeah. Right. And does the data that that correlated that delivery method, is that data secure? And did it come from the correct place?

Ronjini Joshua:

Who did it come from? Where did it go? Who?

Scott Lyons:

Is it Russia, China, North Korea? Yeah. Or is it somebody an internal bad actor or a bad group? Yeah. So the US will see,

Ronjini Joshua:

this is the thing, I think people I think people need to be a little protected from that level of sophistication, because it's like, that's a rabbit hole. And then, and then of course, then there's conspiracy theories. And then there's the lack of conspiracy there. There's a lack of questioning. So it's like, there's so much that can go on. I think it's just like, easier to just say, Okay, this is the status quo.

Scott Lyons:

Did you know that recently there's a company, and I forget the name, you can easily go and look it up, and I would totally, totally implore you to do the research on this. Right. There was a company that serves like 43 other businesses, but the businesses are AT&T, Verizon, like the big cell carriers, right? The personal mobile device that gets pushed down to all of us. There's a company that handles the text messages for these businesses. Okay, that had a threat actor inside of their network for five years. Wow. Over 700 billion text messages, right, the threat actor was able to see. Five years. You have to understand that when you're dealing with threat actors and you're dealing with hackers, the mean time to detect, or MTTD, right, mean time to detect, is at least a year, 365 days. It's the same with a virus, it takes

Ronjini Joshua:

a year to find them. Yes. And if and that was there for five years, yeah,

Scott Lyons:

That group. That group? No, no, literally was a group. We know that. Right? We have the data to be able to track, trace back, and we know for a fact who did it, right. But that group was in there undetected for five years. So they saw everything. You know, so your dick pic totally belongs in China. It's not secure. No. Yeah. You know, and also, I gotta get this out here as well: don't trust SMS as a piece of two-factor authentication. Right? Walk with me for a second. Yeah. There are three factors of authentication: what you have, what you know, what you are. What you have, what you know, and what you are. Okay. Okay. What you are is biometrics, what you have is a phone, and what you know is username and password. Okay, so if you have a company that says username, password, and we're going to text you a number that you have to put in, don't trust it. Well, use a physical device like a YubiKey. Right. They're dirt cheap and easy to set up. Use an app on the phone, like Google Authenticator, or Duo Authenticator, or LastPass. Yeah, right. Ensure that you're using strong passwords. 123456 is not a strong password. What

Ronjini Joshua:

about 654321?

Scott Lyons:

Totally not strong. Just the same way. If I say not strong backwards, I totally would. The top most use passwords, 123456 is up at the top

Ronjini Joshua:

will actually use that. That's crazy. That's like the bathroom code.

Scott Lyons:

And, and, and let's add fuel to the fire here. When you're looking at your phone, and it's got numbers, right? Yeah, I can literally, you know, if I pull my phone up right now, and I start typing that number pad, or I see you typing, I can look directly at you, know where your fingers are going, and I know the passcode of your phone. Okay, so don't use the numbers, use alphanumeric, or letters and numbers. Oh, stop using numbers. Okay, there's a finite set of permutations to be able to crack a number-based entry system. Right? Right. You know, you got to think, it's zero through nine, right? It's 10 numbers. Right? Right. So just run the probabilities of four

Ronjini Joshua:

characters until you're you get until you have to cut. Yeah,

Scott Lyons:

Yeah. So you brute force it. Yeah. Right. But the problem is that the phones that we're using today, and the devices, are not secure. 15.0.2 just came out for the iPhone. Did you update? I don't think so. Okay, if you did, it's the latest and greatest operating system, right? 15 is the version, right? The zero, I forget what the zero is, but two is the security update. And it's 15.0.2. We already have backdoors that are remote, and we don't even need access to your phone. Already written. Wow. Yeah, I can tell you that for a fact. Right? This is scary shit.

Ronjini Joshua:

Yeah. Right. Too much for people to handle.

Scott Lyons:

Oh my gosh, like, like, I really hope that somebody is not sitting at home, you know, like, getting paranoid, because that's not what we want here. Right? Yeah. What we want is for people to do the research and to become smart about what they're doing, who they're talking with, and how they're handling their data. Yeah, well, that's what we want.

Ben Michaels:

Speaking of handling the data. What I'm really curious about is, like a lot of dispensaries now are doing you know, give us your phone number, give us your email, and you know, where you're gonna get your points, you're gonna rack them up. And they're, I mean, they're collecting data themselves. You know, grocery stores do the same thing. Yeah, exactly. And when my buddy he refuses to give us and I'm like, but you know how much money you're missing out on at CVS. But you know, my question is, and just because this is like cannabis related, we'll focus. I'll focus mainly on that. Yeah. How dangerous and compromising Is it for me to release that information? And is that hackable and can that be used against me? Is the

Scott Lyons:

reward worth it? That's my question to you. And my question to you as well is the reward for doing something like that worth it. Ultimately, what you're doing is you're handing over your data, you're handing over your shot, I'm going off the grid. Go out hunt, kill and

Ronjini Joshua:

gather

Scott Lyons:

energy, green energy. You're handing over your data, your spending habits, your buying habits, when you're buying, what you're buying. And let's take this up a notch and really scare you. You know, your phones have NFCs in them, near-field communication devices, right, what you're always offering. So what department stores have done, they've gotten into RFID and NFC. Right, RFID and NFC, they can track you in the store and they know what your browsing habits are.

Ronjini Joshua:

Wow. Yeah. Oh, yes.

Scott Lyons:

Oh, yes. Oh, yeah. It's mind blowing the scary, you know, and it's a matter of time before the cannabis industry starts going in that method as well. And when companies in the cannabis industry understand that data is gold, and they figure out how to monetize data.

Ronjini Joshua:

Oh, and there's, there's technology companies, I mean, these technology companies, new data was gold long time ago, right? Like, I I've been working in tech for the last 20 years. And, you know, 10 years ago, 15 years ago, data mining and big data. That was like the big topic at that time. And I didn't really understand it. But now like, makes a lot of sense, right? Like it's coming back around. And it's like, okay, all these technologies are coming to fruition to take the data from you, because that's such an important piece of currency at this point.

Scott Lyons:

Did you know Apple's collecting data on you on your watching habits on the Apple TV?

Ronjini Joshua:

I'm sure. That makes sense. My question is, what

Scott Lyons:

are they doing with the watch? Because now the watch the Why do you want me to take my watch? On your wrists? Yeah.

Ronjini Joshua:

My biometric data. Exactly. Yeah, exactly.

Scott Lyons:

So how are we protecting ourselves? How are we protecting our supply? Right? So being out here at MJBizCon, it's really imperative, yeah, to get these companies to understand that security, and especially cyber, can have a massive industry-wide effect if it's not taken care of. Recently, in the circles that I run in, which are the information security and privacy circles, we've been having very heated arguments about dealing with synthetic identities. Right. So basically creating a false view, right? Dealing with privacy on a national level, right. We have GDPR in the EU, we have states that have privacy laws, but we need something federally mandated, right, in the United States. Yeah, when Zuckerberg went on a child, when he went into Congress, now, Zuckerberg was 20 to 30, if not 40 steps ahead of what Congress was asking. Right, the wrong questions were asked. We need to change that. And that's going to happen by one of two ways. Okay. Either the Congress critters who are in charge of that age out and we have new generations coming up, or they communicate with the hacker community, they communicate with the information security community and say, Is this real? Does this question make sense? Help me phrase it so that way we can get down to the nitty gritty and actually identify the method that we should use to approach

Ronjini Joshua:

when I saw your background? You know, like, that's, I think maybe that's another thing. You know, I'm in PR and marketing. So sure. So it's like the term hacker, you know, often has been negatively connotated. I'm

Scott Lyons:

400 pounds. I live in my mother's basement. Yeah, I'm kidding. Yeah.

Ronjini Joshua:

Absolutely. Well, and it's been negatively connotated. But like you were talking about white hat, black hat ethical hacking. Yeah. And I think one of the things that's important to understand is like the term doesn't mean it. The term itself is not negative. It's just what you're doing. And by the

Scott Lyons:

way, Ethical Hacking is just putting a spin on it. Yes. Right. Really, it comes down to who's paying you. Yeah, right. Be honest. Yeah, absolutely. No, no BS here. Right. It comes down to who pays you. Yeah. If you're being paid by a government to defend, white hat, right. You're being paid by a government to attack, like Russia, China, North Korea, Iran, those guys, black hat, right. You don't care about life, period. You just want to see the world burn. Yeah, right. A black hat? Yeah. Right. And if you go either way, right, it's not a bisexual term. Yes. No, gray hat. Gray hat. Okay. Right. So

Ronjini Joshua:

White, Black. Okay.

Scott Lyons:

So gray is like the middle ground between the two of them? Yeah, right. Me personally, I'm a white hat. Yeah. Right. Um, and I've done work for companies where I've seen state-sponsored attacks, right, where I've been on the receiving end of what Anonymous does, you know, and I'm going to tell you, it's not fun for the businesses. Yeah, it really isn't. But the question is, what are you doing to get you to that point where these people are pissed off at you to come after you, and how are you going to deal with it? So that's why we say in information security, it's not if

Ronjini Joshua:

when. So that is a perfect segue into my question, when should people be thinking about this, like five

Scott Lyons:

years ago?

Ronjini Joshua:

Well, you know, I'm like, legally, you said that right. Now cannabis has a ton of challenges.

Scott Lyons:

It does, from being federally regulated. Yeah. To everything, having the forerunners be able to put the product on the shelves and have that product supply chain be trusted and vetted. You know, we're ultimately putting stuff in our bodies. Right? Whether it's smoke, whether it's oil, whether it's gummies, whether it's whatever, right, right? Is that supply chain trusted? You know, the US was able to affect Iran's nuclear supply, right? Nuclear supply chain with Stuxnet. Right? Which disrupted centrifuges in Iran from the US. They did this. Okay. Right. What's to say Iran can't mess with? Yeah. Can't make sure that, you know, there's arsenic that's put in, right, right. Or there's some other, you know, tetrodotoxin, or some shit. And I'm making that up and pulling it out of my ass. But you get what I'm saying? You know, we don't know these things. Right. So how do we protect ourselves? How do we protect our businesses? How do we protect our livelihood? How do we protect our friend? How do we protect our spouse? You know, in doing the basics of information security is a start. Okay, not enough companies are doing the basics, right? What I wonder, what would that, so strong password using? Yeah, okay. Did you know the passwords are 30 years old? 30 to 35 years old? Yeah. That makes sense. Yeah. Yeah. And so there have been attempts to try to advance the technology, but

Ronjini Joshua:

in what the biometrics are? Yes, yes.

Scott Lyons:

There have been attempts to try to enhance the technology and move away from usernames and passwords, because it's so antiquated. Yeah. So broken. Yeah. Right. But in the past 10 years, there really hasn't been advances inside of information security to move us away from that kind of utility. The only thing that we do is we bolt on to bolt on to bolt on. Yeah. Right. And we've actually been having discussions about, well, how do we fix this kind of stuff? Yeah. And the leading prevailing thought, at least in my own humble opinion, is to burn the internet to the ground and start from scratch. I'm dead serious about this. I believe that'll never happen because of so much commerce that has been bolted on top of the internet. Yeah, you know, and it's not just for porn, like, let me, let's cue. So how do we protect our businesses in an online world where it's data to data, the faster the better? And the quicker that we can get to things, the faster we can make a decision that hopefully works out in our benefit, right? So it's not if, it's when, yeah, somebody breaks these chains. It's, it's, well,

Ronjini Joshua:

absolutely breathtaking. That's, that's the problem is like, that's when when it's broken, then they want to fix it. They don't want to they don't want to

Scott Lyons:

die for it. Yeah, a lot of companies are reactionary, but that comes down to the human condition. Yeah, the human condition dictates that we're reactionary people, reactionary people, right. And it takes a lot for us to get out and be proactive, right, and get out of the, out of the problem. So there's a conference that happens here in Vegas, once a year, right? There's actually a couple of conferences that week, but the big one is called DEF CON, D-E-F C-O-N, right. And at DEF CON, we host the world's most dangerous network, where if you connect a device, it's milliseconds to get owned. Right? Or to have somebody else take control of it. Right. And at DEF CON, we address a lot of these issues of how do you protect yourself? What does the offensive capability look like? And then how do we smash the defensive capability on top of it to try to make it not a problem? Right? So, so, measure, countermeasure, right? And we've put a lot of thought into how do we get companies to do the basics, right? So strong username, password authentication, so strong authentication, two factor authentication: what you have, what you know, what you are, right, yeah. Don't use text message, use a YubiKey, or an app, right? Something that somebody cannot intercept. SS7, which is the protocol that drives text messages, is not, will not and has not, ever shall be secure. Okay. And I said it that way for a reason, right? Because I want you to go back and listen to what I just said. Right? Never be secure, ever. Right? That's why Apple has said, well, there's encryption on the iPhone for iMessage. Because that's their method for trying to secure that communication protocol that we all live on. Right? Yeah. So you know, strong authentication, two factor authentication, having antivirus in your systems for your, for your business, right. EDR, an endpoint detection and response system. Right? So find an EDR vendor, right? CrowdStrike's a good one, you know, Darktrace, right?

Ronjini Joshua:

These are for payments, right? No,

Scott Lyons:

this is just your, your network, your network, just our know, right? We start at the basics, right? I don't care about the payment system just yet. I'll get to that. But start with the basics for your network. Yeah. Are you holding people's data? So remember those tags that we were talking about earlier, where somebody hands over a username, or not even username, email address, phone number, right, demographic collection, right? Are you holding that data and is it secure? So for that, you need to look at compliance. Right, right. Compliance dictates what's known as SOC 2, right, and that comes out from, uh, I want to say the AICPA, which is the association for accountants, right, certified accountants, but SOC 2 certifies that you're collecting data points across your network, that you have processes in place for countermeasures. Right? That you can show that for at least a span of six to eight months that you have the correct utilization of that data and that you are fixing problems, right. So that's just internal to your network. Also, you need an MDM, or mobile device management, right? Yeah. Every person that is on a network these days has at least three to five devices. Yeah, your watch, your phone, your computer, three devices right there. Are they secure? Are you watching the communication? If somebody brings a computer? Yeah. If somebody brings their computer into your network, yeah. What is your network doing to that computer? Right.

Ronjini Joshua:

So I'm in a hotel right now. I mean, yeah.

Scott Lyons:

Well, do you have kids? Yes. Okay. So let's say you say to your kid, Bobby, I'm just making that up. I'm not gonna reveal names. But let's say Bobby, you know, you're driving me nuts. Here's my computer. You know, here's a website, go do homework. Yeah. Bobby doesn't want to do that. He's like, Man, this shit's lame, right? You know, I'm gonna go out. I'm gonna go out and do something fun. Right. Next thing you know, you've got Pirate Bay being pulled up on your computer, right? Pirate Bay is okay. We don't condone. I

Ronjini Joshua:

mean, I don't know Pirate Bay, but yeah, no, no.

Scott Lyons:

I, I treat Pirate Bay as if everything that is on Pirate Bay has already been infected by China. Right? We leave that one a lot. Yeah. So, uh, but just for an example. He pulls up a website that, you know, gets infected on that machine. That's your work machine? Yeah, you take that, put that on the network at work. Now that machine has access to infect other machines. But the problem is, what is happening from work to your machine? Right, right. So everybody wants to work from home, and working from home involves VPN. Yeah, right? We all know this, right? It's also known as dual homing a computer. So on one path it's your home network. And on the other path, that's the VPN network. Right? So how are you securing the business so that if the network gets extended into the house, you can pull the network back? Right, let's say we have to let you go for some odd reason. Right? How do we pull the network back? How do we pull back from your computer? How do we pull back from your phone? Yeah, how do we pull it back from your watch or any other device? Right? So doing the basics and really standing up an asset discovery program, so you know what's on your network; a vulnerability assessment program, so that way you know which machines need to be patched, right? Standing up a change control system inside of the business to understand and track those patches, right? Being able to do penetration testing, right? The PCI DSS that we were talking about earlier, right, the Payment Card Industry Data Security Standard, is the reason that penetration testing is an actual thing inside of information security. Right? So it's not just payment card. It's not just payment card information. It's actually saying to a hacker or white hat, can you come and break into my system and tell me how you did it? So that way, I can close the hole and put up the defenses? Right, right. So doing the basics for the network, and then doing the basics for your family.
Yeah, right. So when you're at home, making sure you have antivirus. Don't click links that you don't know where they go to. Period. Don't click shit just to click it. I can't even tell

Ronjini Joshua:

you it's like that pushing the button. The red button, I just want to push button. Oh, man.

Scott Lyons:

I've dealt with companies and I've had to recover businesses for when people who are not connected to the company have clicked something that cost the company millions in recovery. Right. And it's, it's breathtaking, you know, and when you're in the business, know who can touch your computers, right? There is one of my friends who wanted to do a penetration test on a dispensary, walked in as their IT staff. They let him right in. He grabbed one of their hard drives, went and sat an hour later with the owner of the dispensary and said, What if I told you that all of your proprietary information, your ingredients, your supply chain, what if I told you that was at risk? And naively the owner said, that's never gonna happen. My friend, like, pulled a bunch into his bag and set the hard drive down right in front of them and said, this is yours. Go check it. I have it. I shouldn't have it. Okay, that's scary shit. I don't care who you are. Yeah. When you have somebody that is outside of your reach come in as all your, yes. Yes, super scary. Right. But you know, here, here at MJBizCon we've got a lot of companies that are doing physical security. Great. Love it, wonderful. Not a lot of companies are doing cyber. Yeah, right. So when you look at how companies get breached, you have to understand that 95 to 98% of all attacks are social engineering. Right? Okay. Now if you're not familiar with what that is, definitely go Google it, because it's really wildly interesting. But the main method behind social engineering is making you do something that you don't want to do. Have I spoken with you recently about your car's extended warranty?

Ronjini Joshua:

Oh my god, I hate that so much.

Scott Lyons:

Wait, wait, it gets worse. In email: Hello, I am connecting with you to give you the bank account details. Yes. And money to bring the prince of Nigeria. Nigeria. Right. Right. Right. How about this one? This one a couple years ago, when the Zeus bot was out, right, one of the very first crypto lockers: you have a FedEx package, click here to

Ronjini Joshua:

the one I like the most is your Social Security has been hacked. And you need to call us back right now. Yeah, and then you're like, holy shit, my Social Security. What? Doesn't make sense? It doesn't make sense.

Scott Lyons:

So for fun, sometimes my friends and I will keep those people that call us on the line and we'll infect them.

Ronjini Joshua:

Oh, wow. That's funny. Yeah,

Scott Lyons:

I would do it just so that they can't hurt, yeah, or grandma in Iowa. Yeah, that uses the computer to look at cat pictures. It cat. Okay, cat pictures is one of the number one uses of the internet, or one of the top uses of the internet, right? I can has cheeseburgers. You know, it's, it's funny. And then you look at what's happening now and where industries are heading, especially dealing with cryptocurrency and NFTs. Right? If you don't know what those are, definitely go do your research, right? The board at the Bored Apes club? Yeah. Right? An NFT. And then we get into DeFi and, you know, new ways of moving money without government interaction. And it's, it's wildly fascinating, you know, right now, with the methods that are out there. And I'm very bold in saying this, I'm probably gonna have a Fed knock on my door for this one. The IRS and other parts of the government are years behind regulation on what's going on with this stuff, especially when you're talking about decentralized environments. They're years behind it. Right? So, you know, how do you account for crypto on your, on your IRS statement? Right? And you

Ronjini Joshua:

can't, can you know, you

Scott Lyons:

can, because they put it under cap gains? Oh, there's a section for it. But there's, there's gray area in there, where it's not defined, of if you make a gain in crypto, and then you trade crypto for crypto for crypto for crypto, tracking that, right? How are you tracking those gains? And then you put it into, okay, now I'm really releasing shit. When you put it into a DeFi system, and you don't move it into a physical fiat currency. What happens? Like there are so many nuances dealing with this right now. You know, everybody's sitting back saying, well, cryptocurrency's the new dollar, right. And recently, we've seen China kick all the crypto miners out of China. Right. So now you have companies contacting Juan Valdez and his pack mules, right, to go into the mountains of China to pull the mines out. Right. We've seen that Texas has become a front runner for crypto. But if you remember back, was it last winter, the winter before, all of the green energy stuff? The windmills or solar all got frozen up and Texas had blackouts? What's going on there? Right? Like, let's be honest, this is gonna get interesting, right? We have NFTs now, non fungible tokens, being able to be sold on Coinbase and other exchanges, right? OpenSea, if you're, if you're not familiar with NFTs, go to opensea.io and take a look at what's there. Some of them can, you know, some of them are really good, a lot of it's art, but it can be houses, it can be cars, it can be anything. That's it, right. So, you know, if I wanted to tokenize the three of us sitting here and say, okay, you know, you'll own a piece of what we create right here. That can be done. That's crazy. Yeah, it's disgusting nuts. Now,

Ronjini Joshua:

it's a very wide world. Yeah, it is. It is.

Scott Lyons:

And when you talk about tokenization, inside of the marijuana industry, don't even get me started. Yeah,

Ronjini Joshua:

I mean, I've already seen NFTs in the marijuana industry, mostly art driven, but like, I mean, that's just a little hint. It's right. Yeah, yeah.

Scott Lyons:

It is, especially for what's on the horizon of dealing with marijuana pot as an industry. Yeah, you know, it may be a way to be able to move money for goods. I don't know.

Ronjini Joshua:

Absolutely. And I don't know. I don't

Scott Lyons:

I don't think any of us have a crystal ball that can accurately portray what's about to go down.

Ronjini Joshua:

Right. You know, but, but security is that key name, the name of the game is

Scott Lyons:

well, security is the way to protect. Yeah, you know, not just yourself? Yes, you're not stopping as well. But

Ronjini Joshua:

you're Yeah, you're controlling at least as much as you can. Yeah, you know,

Scott Lyons:

yeah, you know, and if we can control what's going on in our lives, right, it'll give us a sense of normalcy. Because we as humans, that's human nature, we love really easily repeatable things. Yeah. Yeah, you know, the pandemic just threw all of our routines up into a tailspin. You know, for sure, um, and with what's going on in the media these days, you know, media wants us to know what they want us to know. Yeah. They don't want us to know the real truth. Yeah, yeah. But it's, it's up to us as people to do the research. Discover the truth. Yeah. And not just be a sheep. Yeah, absolutely. You know, so security is one method of protecting ourselves. There are definitely other methods. But here at MJBizCon, the main focus is, you know, how do we work with suppliers, growers, distributors and manufacturers? To say, yes, your supply chain is secure. Yes, the systems that you're using to log the transactions and be able to track shipments and this, that and the other are secure, you're doing all the right things, that you're not introducing vulnerabilities that are unknown to a business that would then cause that business to be insecure, and have that blowback come back on

Ronjini Joshua:

you later. Yeah, absolutely. So all the breaches that happen over the year. So

Scott Lyons:

if you look at Walmart, and how Walmart does their supply chain, right, for you to be able to interact with Walmart, you have to be up to Walmart standards, right. So if somebody that is up to Walmart standards gets breached, and then goes up field, or upstream into Walmart, now they can track it back to who, right. You know, who, how it happened? Yeah, you know, so understanding the nuances and everything. That's something that we do. That's something that we specialize in. And that's something that everybody should have a vested interest in. I'm not saying you need to be an expert in any way, shape, or form. That's not the point. The point is wake up, don't be a sheep, and look at it and say, am I protected? Is this something that I can deal with? Is the ROI, like the exchange, right, the return on investment, is the exchange of my data that important? Is it that valuable? Yeah. And I would say that every single person has an inalienable right to privacy, and it needs to be in the Bill of Rights. Yeah. Inalienable, unequivocal. Yeah, right. I'm pretty sure that's a word.

Ronjini Joshua:

Yeah. I don't have the thesaurus with me. But I, yeah, I guess.

Scott Lyons:

But the problem is, we have lobbyists and third party interests that will try and keep that from happening. Sure. Everybody should have their own right to privacy. Everybody should be able to know what's going on with their data, especially seeing that we now live in a connected world, and the fact that you don't, it is a stark, alarming problem that needs to be addressed. But in this industry, it's making sure that if somebody says I'm going to sell you green ape, right, it's actually green, it's actually grenade. Yeah, if somebody says, I'm going to sell you something with 100 milligram content in one gummy, they're not putting in outside chemicals or the levels haven't been reduced by a third actor or, or threat actor, third or threat, right. It's ensuring that the product and the capability will stay in line, because people are going to build their lives around the stuff that's built here, you buy around the stuff that's built all over the place. So how can we secure it? Cyber is one of those pieces that we haven't looked at hardcore inside of the marijuana industry, but there are other industries that are getting whacked constantly. Today. I was, we were talking about this a minute ago. There was a company that does candy supply. Yeah.

Ronjini Joshua:

Today, learn from the other industries. I mean, that's that, we're in that prime position, right. Learn from all the mistakes that have already been made. Yeah. And improve.

Ben Michaels:

Yeah, yeah. Let's hold where do we how are we doing? Wait, he's downstairs? Oh, yes. Yeah. So we probably need

Scott Lyons:

to wrap it up. Yeah, we can wrap Yeah, that's fine. Okay.

Ronjini Joshua:

Um, what he said, Well, I think there was a point where we could wrap so I could just finish up. Yeah, yeah, I

Scott Lyons:

mean, right there. Perfect.

Ronjini Joshua:

Awesome. Thank you. I mean, this is, this conversation could go on. Yeah. Could go on forever. But that's the point, is the conversation needs to start, so thank you so much. So like this is kind of like the trigger of everyone having this conversation and starting this conversation: security and what you're doing and how you're protecting yourself and your customers, even your audience, whatever, whatever the case may be. Scott, thank you so much for being here.

Scott Lyons:

Thank you for having me.

Ronjini Joshua:

Obviously, all your information will be in the show notes, but

Scott Lyons:

not personal data. Please know. Yeah.

Ronjini Joshua:

Everybody go find Scott.

Scott Lyons:

CSP, three Rs, my handle, okay. Twitter, Facebook, Insta, whatever. You can find me on Clubhouse if you have questions. Yeah, no, we're constantly throwing security rooms on drop in audio chat. Oh, that's awesome. You can find me there, or you know @casper_official on Instagram, and the website's RedLion.io. Perfect. Yep, this is what we do. This isn't rocket science, but it's difficult for a lot of people to understand. Yeah, I could do that. Thank you so much. Thank you.

Ronjini Joshua:

The Green Room podcast is brought to life by Green Seed PR, the cannabis and green tech focused PR agency, and a dedicated production team of editors, mixers and show bookers. A huge thank you to the Vessel team for providing their studio for our recordings. Don't forget to subscribe and share the Green Room podcast with friends, colleagues and family. That way you'll never miss an episode and we keep the lights on. If you're feeling extra generous, please leave us a review on your favorite podcast listening platform. You can also find us on Instagram at Green Seed PR and see live video versions of all of our podcasts on YouTube. Would you like to be a guest on the show? Or do you have a great guest referral? Awesome. Submit your guest at Green Seed PR slash the-green-room. Thanks for listening and be well.