Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Ronjini Joshua (00:11):
We caught up with Scott Lyons from Red Lion. He's an ethical hacker, or whitehat hacker, and talks about compliance and security, well, just in general for life, but also how important it's going to be as we move into the cannabis industry and how compliance done right is of critical importance to our privacy, security, and how our important data should be
(00:34):
protected. So this is a pretty funny and cool and eye-opening interview on how we should all be looking at compliance and security and how we should be not using 1234 for our passwords.
We are here with Scott Lyons. He is the founder and CEO of Red
(00:55):
Lion. You have a lot of story to pass in your experience. So I'd love to first, let's just talk about mjbizcon a little bit. Yeah. Is this your first MJ? It is. And what is your, like, what is your kind of anticipation for the event? Well, I came here thinking that, you know, it's gonna be a normal run-of-the-mill conference.
Yeah.
Scott Lyons (01:16):
Right. And I'm sitting back seeing all of the manufacturers that are there, right, all the distributors and dispensaries and people that are selling their own custom wares, but aren't at scale. Right. So it's a real hodgepodge of stuff. Right, yeah, but, you know, marijuana as a vertical
(01:40):
touches everybody's lives. You know, whether you're using something that's a hemp derivative, right? Or you have a family member that's taking something for a medicinal purpose, or you have to use it just to survive, just to be able to feel, function. Yeah. Yes. You know, the cannabis industry has really been able to revolutionize healthcare, and it
(02:03):
will continue to do so for the next couple of years. Yeah, right. Yeah, into the future. And by next couple of years, I really mean a lot. Yeah, love. Twice as long. Yeah. Uh, you know, being able to see how the industry grows, and especially it being the 10th year here, right? Being able to see how the industry grows from here on out is going to be very interesting.
(02:24):
Yeah, yeah. Well, which is why, like, brings me to what you do as a job. Yeah. So let's talk a little bit about your journey, your past and, like, kind of your professional expertise and, like, how did you want to come into the cannabis industry? So start from way back? So hi, everybody. My name is Scott Lyons. I go by the hacker handle of Crisper.
(02:44):
I've actually been in the information security community for well over 25 years. I've done work for the federal government, I've done work for commercial entities. And I've been the CEO of a small information security services business called Red Lion for about the last six years at this point, right. We've done really big projects for really big businesses, and really helped a lot of companies to be able to chart security, compliance, system engineering, network
(03:10):
engineering, and all of the above, all the sexy stuff. Oh, it's okay, I guess you could call it that. Yeah. But, um, you know, really out here at mjbizcon, the point that I'm here for is to sit down with growers and distributors and manufacturers, and support companies to be able
(03:30):
to say, listen, supply chain security is a problem.
Ronjini Joshua (03:36):
Yeah. Well, this is a good time too, because, like, you know, all the other industries that you've probably been in, technology, all this other stuff, those have been established over decades and decades. This is, like, kind of still, we still have, like, a little of an entry point here in cannabis, so you can solve these problems before they start getting crazy. Yeah.
Scott Lyons (03:56):
Yeah. And that's really what we focus on. Yeah, making sure that an issue is not an issue before it's an issue. Right. Does that make sense? Yeah, no, absolutely. I hope it makes sense for you guys who are watching as well. Yeah, you know, the more that we can get out ahead of problems, the better off we're going to be, and we're going to be prepared for not if we get hacked or breached, but when.
Ronjini Joshua (04:17):
A lot of the conversations we've had with people in the industry have been about, you know, doing it right. Yeah. And I think that's really important. So what are, you know, help us understand a little bit more about compliance and how it works and what you're protecting. What are you protecting, right? And what are you protecting the companies from, and what are you protecting the customers from?
Scott Lyons (04:38):
So when dealing with compliance from an information security perspective, the biggest driver in compliance is called PCI, or the Payment Card Industry DSS, so PCI DSS, Data Security Standards, so Payment Card Industry Data Security Standard. That standard is what governs all of the credit cards that we use, all the bank cards that we use. How money transfers, right?
(04:59):
It's not just all crypto yet, right? So being able to help companies understand that if you process, transmit or store, basically touch a credit card in any way, shape or form, it doesn't matter whether it's one for a business transaction, or it's 100 million. You're under PCI.
Ronjini Joshua (05:22):
Like, talking to you is making me nervous about all my credit card and bank accounts. Like, just like, all my information, I just, like, I have this wave going over me, like I'm just so unprotected right now.
Scott Lyons (05:33):
Right? Well, a lot of this rabbit hole can make you feel like that. Yeah, I'm gonna be honest with you, you know, we have a lot of people that get that overwhelming sense of fear of, oh my God, I'm not protected. Yeah. But there are people like me, right, white hats, white hat hackers, that are constantly working with businesses, working with compliance sets to drive not only innovation for
(05:56):
protection, but also Defense Against the Dark Arts.
Ronjini Joshua (06:01):
I love it, too. What got you into hacking?
Scott Lyons (06:04):
Oh, man, I started at a very early age with computers. It was, like, two when I started with an Apple TV way back in the day. At seven I was writing code out of a book. Fourteen, wrote my first virus. Seventeen, was summarily banned from within 50 feet of all machines in my high school. Right. Oh, man, the stories from that one. Um, you know, I went through Penn State. Right. And right now
(06:26):
currently, I'm the sitting incoming president to the board of alumni for Information Systems at Penn State. Right. I have a Master's, for final, Master's in Information Assurance. You know, that's not easy to do. Right. But my main focus has been, how do we drive the security inside of companies?
(06:50):
How do we demystify what's going on inside of networks? Right. So understand the things that bump? Yeah. And then how do we get other people to understand the passion? Yeah. You know, at mjbizcon, everything is centered around cannabis. And cannabis right now is still struggling as an industry, at least in my own humble opinion. No, I mean, once it gets federally regulated, then everything's
(07:13):
gonna take off. Yeah. Right. But you see the big manufacturing companies of tobacco already starting to have entire fields' worth of product and have product shelved in nitrogen. Right. So that way it doesn't spoil, right. It might not be nitrogen, but you get what I'm saying? Yeah, um, but they're already waiting for the green light. And we've seen states say to the federal level, well, you know, screw
(07:35):
you. We're going to do this our way. Yeah. Right. And we've seen that with Colorado, we've seen that with California. You know, where I come from in Maryland, we have it for medicinal use, but it needs to be opened up. Right. And the appropriation of those funds needs to be correctly identified and applied. Otherwise, what are we doing this for? Yeah, you
(07:56):
know, we're trying to make this easier on ourselves. Right. Yeah, absolutely. Listen, life right now, in whatever universe you want to live in, right? It's not simple. Yeah. Right. We've got a pandemic we're dealing with, we've got international actions we're dealing with, we've got our own internal government. Yeah. And family and everything that we have to, it
(08:18):
gets very impressive.
Ronjini Joshua (08:21):
Yeah. If you think about this world at scale. Yeah. I mean, it's a lot to take. Yes. Well, and that's probably why everyone's stressed out.
Scott Lyons (08:30):
Yeah. So at mjbizcon, what I'm doing is I'm trying to connect with companies that are either doing support, you know, providing support systems, or manufacturers for supply chain and say, look, you need to call me or you need to call somebody. Right, not just the Ghostbusters, right. But you need to call somebody to get information security into your
(08:53):
business. The problem across the board, let's talk about the big picture for a quick survey. Yeah.
Ronjini Joshua (08:59):
I was gonna ask you what is the big challenge. 60 to
Scott Lyons (09:01):
70% of all businesses across the US do not have cyber insurance, period. Okay. Okay. That is an issue. Right. But when you try and scale that back for the cannabis industry, the cannabis industry right now as a whole needs help. Yeah. Just like everybody else. Yeah, they have their other issues to deal with.
Ronjini Joshua (09:21):
They do. Yeah.
Scott Lyons (09:22):
And when you are a small business, you don't care about security. When you're a medium business, you might care about security. When you're a large business, yes, somewhat. Yes, somewhat care about security. But if you're an enterprise, then you definitely care about security. And that stratification, right there, is a major problem. All businesses need to do sales. Yeah, all businesses need to do security.
(09:44):
Data is the new gold.
Ronjini Joshua (09:47):
Why do you think that is? Why do you think people have such a lack of concern for that?
Scott Lyons (09:54):
Because sales rules the roost? Yeah. In most companies, if you're not making sales, then what are you doing?
Ronjini Joshua (10:00):
If you pay your people, yeah, there's nothing gonna secure. Yeah.
Scott Lyons (10:03):
You might as well close shop and go find a job. Yeah, you know, um, but even then, you know, we've had record unemployment over the last couple of months because of the mandates that are coming down from the White House. You know, so a lot of people are sitting back and saying, well, if we're under 100 people, we can start our own company, start doing business. We don't have to deal with that mandate, but we're
(10:24):
still generating revenue
Ronjini Joshua (10:25):
right now.
Scott Lyons (10:26):
So you have to have security as well. You know, here's the problem. If you think that Facebook is a great service, okay, I'm not sitting here telling you it's not. What I am telling
Ronjini Joshua (10:39):
you. He's lifting the veil.
Scott Lyons (10:42):
If it's free, you are the product. Yeah, that's a problem. Yeah. You know, we have big businesses, especially in tech, that are not being open about what they're doing.
Ronjini Joshua (10:52):
Absolutely. And nobody knows it, like, none of the consumers. I mean, you know it, obviously, I know, I work in tech. So, like, I think consumers have this misconception that, you know, people are ethical. Everybody is ethical. They're doing the right thing. Of course, why would they? They said, you know, on the little thing, it says we will not sell your information to anyone. Like, yeah, we won't sell it. Doesn't mean we won't use it.
(11:14):
Yeah. It's
Scott Lyons (11:15):
just like reading the disclaimer for the Google Home device and them saying, well, we're listening for background ambient noise. Yeah, sure.
Ronjini Joshua (11:23):
You are. Yeah, okay. Yeah. Yeah. What
Ben Michaels (11:26):
is background ambient noise?
Ronjini Joshua (11:28):
They're listening, like, fart or something.
Scott Lyons (11:31):
The problem? Here's the problem. If Siri or Google Home, I forget the name just right now, if they hear a murder inside of the house, the cops can go to that device and pull the audio file out of it. Wow.
Ronjini Joshua (11:46):
Even though they weren't invited, they weren't invited.
Scott Lyons (11:49):
And if they can get warrants for that kind of stuff. Yeah. You know, so me personally, I have an Apple HomePod. It stays unplugged. Yeah. Unless I'm playing music, and even then, the music is so loud that it's blaring into microphones, but they're trying to incorporate noise-cancelling microphones into these things. So that way, no matter how loud, you can hear it, you can hear it. Oh, yeah. Yeah. So what they're really trying to do is
(12:10):
tune these to collect as much data as possible. Recently, hackers have shown that the iPhone alone collects over 7000 data points on you.
Ronjini Joshua (12:21):
Yeah, you know, it's so funny. I think a lot of people, I mean, I've talked about this with other people. We're all like, oh, yeah, our devices are listening. And we're, like, laughing about it. Yeah. But I think what's important to know is what exactly are they collecting? Like, can you give us some insight on, like, what are the data points? 70,000? That's a lot of data.
Scott Lyons (12:40):
Over 7000. Right. Okay.
Ronjini Joshua (12:42):
So what are those data points? What do they want to know about us?
Scott Lyons (12:45):
Everything? Literally, what they're trying to do is they're trying to say, well, the AI that's on the phone, right? This should sound really familiar, especially if you're using a Google phone. Yeah, the AI on the phone is there to enhance delivery of the operating system and the device to the end user. But data is data, so garbage in, garbage out. If you feed it, if
(13:07):
you feed an AI garbage, it's going to give you garbage in return. Right, so it's all about training the AI. And if you use a VPN, or virtual private network, on your phone, it doesn't matter, because the dial home to give that data back to Google, Microsoft, Apple, right?
(13:28):
It's hard coded into the phone, right, so it doesn't matter where you go in the world with a VPN, you are not protected. Right, and if, sorry. Yeah, it is breathtaking, right? It's absolutely beautiful.
Ronjini Joshua (13:42):
Oh my gosh, beautiful. I
Ben Michaels (13:44):
find this interesting and, like, maybe this isn't the best way to bring it in, but, like, a lot of my friends are, like, my friend from Cyprus, for instance. You know, like, every day, like, a lot of people in Europe, they are VPN only. They have crazy VPN and they use it a lot for, like, torrenting, you know, movies and stuff like that. But I also see, like, the protection of it. Also, they lose out on some opportunities when
(14:07):
they're in America and they, you know, can't access certain things in Europe and then, like, vice versa. I mean, is that something, you know, that Americans should be paying more attention to, is, like, downloading these, you know, more exclusive, you know, VPN networks that keep us, you know, often keep us, like, a little bit more protected from being, you know, seen by, like, CenturyLink and AT&T or whoever?
Scott Lyons (14:29):
By the carrier. Well, you know, honestly, and I'm gonna be, I'm also gonna say that, you know, downloading of torrents, it's not something that we, you know, just don't. Disclaimer.
Ben Michaels (14:43):
Because I'm in film, so I don't support
Ronjini Joshua (14:45):
that. Pirating is not cool, people. It's
Ben Michaels (14:47):
not physical and you're literally stealing. Yeah, you know, so many people on the crew, and I understand that, but, like, but is it, yeah, is that something that, you know, Americans should be doing, not torrenting but, like, using VPN to protect themselves?
Scott Lyons (14:59):
Data, data, data is the new gold. So any way that you can get data, you can sell data, you can transfer data, anything that you can do with data, right? As long as you can make a sale in a business place, you're going to do it. So Verizon, AT&T, CenturyLink, all those guys. The backbone is set up to be able to collect data. They can see everything that you do. If you use a VPN, they can't see it. Because of the way the
(15:25):
connection protocols work. Wow.
Ronjini Joshua (15:28):
But if you're doing that on your phone, would it matter?
Scott Lyons (15:33):
Six of one, half a dozen. Yeah, you know, and the reason that I say that is because the metrics that a device is collecting about you get sent to a hard coded server. So a VPN in the middle is not going to affect it. It'll go from your phone to the VPN endpoint back to the server. Right, right. And between your phone and the VPN endpoint, that's the protected communication link. But as soon
(15:55):
as it hits that endpoint and goes
Ronjini Joshua (15:57):
to somewhere else, it's done. Game over.
Scott Lyons (15:59):
Right. And we've actually been able to track bad actors like that.
Ronjini Joshua (16:03):
How, I mean, how is it possible that more of us are not getting in trouble? I mean, I guess a lot of people are suffering from data, like, data, I guess, stealing data?
Scott Lyons (16:17):
Well, it depends to the length, degree and amount that you do it. Yeah. There are legal frameworks that are in place that allow for data brokers to happen, right? Yeah, for Facebook to do what Facebook does, right? You know, I mean, let's be honest, if we're sitting around talking about green M&Ms, and Messenger happens to hear it, the next thing you know, a day later, you're gonna see ads for green M&Ms, and Walgreens, and Target
(16:38):
and all of that stuff, because those retail companies want to get in front of you based on your demographics and your data. Right, you know, so you have to be very careful with what you have on your phone. It can be the worst possible thing that you have in your pocket. You know, now, don't get me wrong, there are other worse things that you can have in your pocket. However, right, back in the 60s and
(17:01):
70s, we all said, you know, privacy, privacy, privacy, you know, down with the government, flowers in the rifles, right. Nowadays, we've traded all that for access to the internet. Yeah. Wow. That's true. I traded it. We've made that trade. And we don't know that we've made that trade. Yeah, it's been a silent move against everybody. You know, and
(17:23):
it's very difficult to overcome something that you don't see happening.
Ronjini Joshua (17:31):
Yeah, it's becoming second nature. You're doing it because that's the, you feel like that's the only way it is. And yeah, I mean, it's
Scott Lyons (17:39):
crazy. And then you look at what's happened over the last couple of years, with BLM, with the riots, with everything else that's happened. And you have to be able to sit back and say to yourself, do I believe what I'm seeing? Or is this an outside effector? Right, shifting the way that I look at things and what I view from my locality, right? Or is somebody going on Craigslist saying, I'm
(18:03):
gonna pay you to protest?
Ronjini Joshua (18:05):
Absolutely. I mean, I think with both the pandemic and Black Lives Matter, everything that's happening socially.
Scott Lyons (18:14):
I'm saying, understand, I understand. I want to be very clear here. Yeah, injustice is injustice, and we need to deal with it. Yeah. Yeah, no, absolutely. Um, but the question is, how are we getting told that this is an injustice?
Ronjini Joshua (18:26):
Right? Well, no, it's not even, yeah, it's not even the actual thing that you're talking about. It's the delivery mechanism. And
Scott Lyons (18:33):
that's it. Exactly. That's what I'm trying to point out. Yeah. Trying to point, yeah, you know, that's responsible. What, actually no, don't care. What I care about is the delivery method. Yeah. Right. And does the data that correlated that delivery method, is that data secure? And did it come from the correct place?
Ronjini Joshua (18:49):
Who did it come from? Where did it go? Who?
Scott Lyons (18:51):
Is it Russia, China, North Korea? Yeah. Or is it somebody, an internal bad actor or a bad group? Yeah. So the US will see,
Ronjini Joshua (18:59):
this is the thing, I think people need to be a little protected from that level of sophistication, because it's like, that's a rabbit hole. And then, of course, then there's conspiracy theories. And then there's the lack of conspiracy there. There's a lack of questioning. So it's like, there's so much that can go on.
(19:19):
I think it's just, like, easier to just say, okay, this is the status quo.
Scott Lyons (19:23):
Did you know that recently there's a company, and I forget the name, you can easily go and look it up. And I would totally implore you to do the research on this. Right. There was a company that serves, like, 43 other businesses, but the businesses are AT&T, Verizon, like the big cell carriers, right? The personal mobile device that gets pushed down to all of us. There's a company that
(19:43):
handles the text messages for these businesses. Okay, that had a threat actor inside of their network for five years. Wow. Over 700 billion text messages, right. The threat actor was able to see five years. You have to understand that when you're dealing with threat actors and you're dealing with hackers, the mean time to detect, or MTTD, right, mean time to
(20:08):
detect, is at least a year, 365 days. It's the same with a virus. It takes
Ronjini Joshua (20:14):
a year to find them. Yes. And if, and that was there for five years, yeah,
Scott Lyons (20:18):
that group, that group? No, no, literally, it was a group. We know that. Right? We have the data to be able to track, trace back, and we know for a fact you did it, right. But that group was in there undetected for five years. So they saw everything, you know, so your dick pic totally
(20:39):
belongs in China. It's not secure. No. Yeah. You know, and also, don't, I gotta get this out here as well. Don't trust SMS as a piece of two-factor authentication. Right? Walk with me for a second. Yeah. There are three factors of authentication: what you have, what you know, what you are. What you have, what you know, and what you are. Okay. Okay. What you are is biometrics, what you have is a
(21:00):
phone, and what you know is username and password. Okay, so if you have a company that says username, password, and we're going to text you a number that you have to put in, don't trust. Well, use a physical device like a YubiKey. Right. They're dirt cheap and easy to set up. Use an app on the phone, like Google
(21:22):
Authenticator, or Duo Authenticator, or LastPass? Yeah, right. Ensure that you're using strong passwords. 123456 is not a strong password. What
Ronjini Joshua (21:34):
about 654321?
Scott Lyons (21:36):
Totally not strong. Just the same way, if I say "not strong" backwards, I totally would. The top most used passwords, 123456 is up at the top.
Ronjini Joshua (21:48):
Will actually use that. That's crazy. That's like the bathroom code.
Scott Lyons (21:51):
And let's add fuel to the fire here. When you're looking at your phone, and it's got numbers, right? Yeah, I can literally, you know, if I pull my phone up right now, and I start typing that number pad, or I see you typing, I can look directly at, you know, where your fingers are going. And I know the passcode of your phone. Okay, so don't
(22:14):
use the numbers. Use alphanumeric, or letters and numbers. Oh, stop using numbers. Okay, there's a finite set of permutations to be able to crack a number-based entry system. Right? Right. You know, you got to think it's zero through nine, right? It's 10 numbers. Right? Right. So
(22:36):
just run the probabilities of four
Ronjini Joshua (22:40):
characters until you get, until you have to cut. Yeah,
Scott Lyons (22:43):
yeah. So you brute force it. Yeah. Right. But the problem is that the phones that we're using today, and the devices, are not secure. 15.0.2 just came out for the iPhone. Did you update? I don't think so. Okay, if you did, it's the latest and greatest operating system, right? 15 is the version, right? The zero, I forget what the zero is, but two is
(23:03):
the security update. And it's 15.0.2. We already have backdoors that are remote, and we don't even need access to your phone. Already written. Wow. Yeah, I can tell you that for a fact. Right? This is scary shit.
Ronjini Joshua (23:17):
Yeah. Right. Too much for people to handle.
Scott Lyons (23:20):
Oh my gosh, like, I really hope that somebody is not sitting at home, you know, like, getting paranoid, because that's not what we want here. Right? Yeah. What we want is for people to do the research and to become smart about what they're doing, who they're talking with, and how they're handling their data. Yeah, well, that's what we want.
Ben Michaels (23:40):
Speaking of handling the data. What I'm really curious about is, like, a lot of dispensaries now are doing, you know, give us your phone number, give us your email, and, you know, where you're gonna get your points, you're gonna rack them up. And they're, I mean, they're collecting data themselves. You know, grocery stores do the same thing. Yeah, exactly. And when my buddy, he refuses to give us,
(24:03):
and I'm like, but you know how much money you're missing out on at CVS. But, you know, my question is, and just because this is, like, cannabis related, we'll focus, I'll focus mainly on that. Yeah. How dangerous and compromising is it for me to release that information? And is that hackable, and can that be used against me? Is the
Scott Lyons (24:21):
reward worth it? That's my question to you. And my question to you as well is, is the reward for doing something like that worth it? Ultimately, what you're doing is you're handing over your data, you're handing over your shot, I'm going off the grid. Go out, hunt, kill and
Ronjini Joshua (24:36):
gather
Scott Lyons (24:38):
energy, green energy. You're handing over your data, your spending habits, your buying habits, when you're buying, what you're buying. And let's take this up a notch and really scare you. You know, your phones have NFCs in them, near field communication devices, right, what you're always offering. So what department stores have done,
(25:00):
they've gotten to RFID and NFC. Right, RFID and NFC. They can track you in the store and they know what your browsing habits are.
Ronjini Joshua (25:07):
Wow. Yeah. Oh, yes.
Scott Lyons (25:09):
Oh, yes. Oh, yeah. It's mind-blowing, the scary, you know, and it's a matter of time before the cannabis industry starts going in that method as well. And when companies in the cannabis industry understand that data is gold, and they figure out how to monetize data.
Ronjini Joshua (25:29):
Oh, and there's technology companies, I mean, these technology companies knew data was gold a long time ago, right? Like, I've been working in tech for the last 20 years. And, you know, 10 years ago, 15 years ago, data mining and big data, that was, like, the big topic at that time. And I didn't really understand it. But now, like, it makes a lot of sense, right? Like, it's coming back around. And it's like, okay, all these technologies are coming to
(25:51):
fruition to take the data from you, because that's such an important piece of currency at this point.
Scott Lyons (25:57):
Did you know Apple's collecting data on you, on your watching habits on the Apple TV?
Ronjini Joshua (26:01):
I'm sure. That makes sense. My question is, what
Scott Lyons (26:03):
are they doing with the watch? Because now the watch, the, why do you want me to take my watch? On your wrists? Yeah.
Ronjini Joshua (26:12):
My biometric data. Exactly. Yeah, exactly.
Scott Lyons (26:15):
So how are we protecting ourselves? How are we protecting our supply? Right? So being out here at mjbizcon, it's really imperative. Yeah. To get these companies to understand that security, and especially cyber, can have a massive industry-wide effect if it's not taken care of. Recently, in
(26:38):
the circles that I run in, which are the information security and privacy circles, we've been having very heated arguments about dealing with synthetic identities. Right. So basically creating a false view, right? Dealing with privacy on a national level, right. We have GDPR in the EU, we have states that have privacy laws, but we need something federally mandated, right, in the United
(26:58):
States. Yeah, when Zuckerberg went on a child, when he went into Congress, now, Zuckerberg was 20 to 30, if not 40, steps ahead of what Congress was asking. Right, the wrong questions were asked. We need to change that. And that's going to happen by one of two ways. Okay. Either the Congress critters who are in charge of that age out
(27:21):
and we have new generations coming up. Or they communicate with the hacker community, they communicate with the information security community and say, is this real? Does this question make sense? Help me phrase it so that way we can get down to the nitty gritty and actually identify the method that we should use to approach.
Ronjini Joshua (27:43):
When I saw your background, you know, like, that's, I think maybe that's another thing. You know, I'm in PR and marketing. So, sure. So it's like the term hacker, you know, often has been negatively connotated. I'm
Scott Lyons (27:53):
400 pounds. I live in my mother's basement. Yeah, I'm kidding. Yeah.
Ronjini Joshua (27:57):
Absolutely. Well, and it's been negatively connotated. But, like, you were talking about white hat, black hat, ethical hacking. Yeah. And I think one of the things that's important to understand is, like, the term doesn't mean it. The term itself is not negative. It's just what you're doing. And by the
Scott Lyons (28:13):
way, ethical hacking is just putting a spin on it. Yes. Right. Really, it comes down to who's paying you. Yeah, right. Be honest. Yeah, absolutely. No BS here. Right. It comes down to who pays you? Yeah. If you're being paid by a government to defend, white hat, right. You're being paid by a government to attack, like Russia, China, North Korea, Iran, those guys, black hat,
(28:37):
right. You don't care about life, period. You just want to see the world burn. Yeah, right. A blackout? Yeah. Right. And if you go either way, right, it's not a bisexual term. Yes. No, gray hat. Gray hat. Okay. Right. So
Ronjini Joshua (28:53):
white, black. Okay.
Scott Lyons (28:54):
So gray is like the middle ground between the two of them? Yeah, right. Me personally, I'm a white hat. Yeah. Right. Um, and I've done work for companies where I've seen state-sponsored attacks, right, where I've been on the receiving end of what Anonymous does, you know, and I'm going to tell you, it's not fun for the businesses. Yeah, it really isn't. But the question is, what are you doing to get
(29:16):
you to that point where these people are pissed off at you to come after you, and how are you going to deal with it? So that's why we say in information security, it's not if,
Ronjini Joshua (29:26):
when so that is
perfect segue into my question,
when when should people bethinking about this, like five
Scott Lyons (29:35):
years ago?
Ronjini Joshua (29:37):
Well, you know,
I'm like, legally, you said that
right. Now cannabis has a ton ofchallenges.
Scott Lyons (29:41):
It does, from being federally regulated. Yeah. To everything, having the forerunners be able to put the product on the shelves and have that product supply chain be trusted and vetted. You know, we're ultimately putting stuff in our bodies. Right? Whether it's smoke, whether it's oil, whether it's gummies, whether it's whatever, right, right? Is
(30:05):
that supply chain trusted? You know, the US was able to affect Iran's nuclear supply, right? Nuclear supply chain, with Stuxnet. Right? Which disrupted centrifuges in Iran. From the US, they did this. Okay. Right. What's to say Iran can't mess with? Yeah. Can't make sure
(30:25):
that, you know, there's, there, there's arsenic that's put in, right, right. Or there's some other, you know, tetrodotoxin, or some shit. And I'm making that up and pulling it out of my ass. But you get what I'm saying? You know, we don't know these things. Right. So how do we protect ourselves? How do we protect our businesses? How do we protect our livelihood? How
(30:46):
do we protect our friend? How do we protect our spouse? You know, doing the basics of information security is a start. Okay, not enough companies are doing the basics, right? What I wonder, what would that, so strong password using? Yeah, okay. Did you know that passwords are 30 years old? 30 to 35 years old? Yeah. That makes sense. Yeah.
(31:08):
Yeah. And so there have been attempts to try to advance the technology, but
Ronjini Joshua (31:12):
in what the
biometrics are? Yes, yes.
Scott Lyons (31:16):
There have been attempts to try to enhance the technology and move away from usernames and passwords, because it's so antiquated. Yeah. So broken. Yeah. Right. But in the past 10 years, there really hasn't been advances inside of information security to move us away from that kind of utility. The only thing that we do is we bolt on, to bolt on, to bolt on. Yeah. Right. And we've actually been having discussions about
(31:40):
well, how do we fix this kind of stuff? Yeah. And the leading prevailing thought, at least in my own humble opinion, is to burn the internet to the ground, get started, started from scratch. I'm dead serious about this. I believe that'll never happen because of so much commerce that has been bolted on top of the internet. Yeah, you know, and it's not just for porn, like, let me, let's cue. So how do we protect our businesses
(32:06):
in an online world where it's day to day to data, the faster the better? And the quicker that we can get to things, the faster we can make a decision that hopefully works out in our benefit, right? So it's not if, it's when, yeah, somebody breaks these chains. It's, it's, well,
Ronjini Joshua (32:21):
absolutely breathtaking. That's, that's the problem is like, that's when, when it's broken, then they want to fix it. They don't want to, they don't want to
Scott Lyons (32:28):
die for it. Yeah, a lot of companies are reactionary, but that comes down to the human condition. Yeah, human condition dictates that we're reactionary people, reactionary people, right. And it takes a lot for us to get out and be proactive, right, and get out of the, out of the problem. So there's a conference that happens here in Vegas, once a year, right? There's actually a couple of conferences that week,
(32:50):
but the big one is called DEF CON, D-E-F, C-O-N, right. And at DEF CON, we host the world's most dangerous network, where if you connect a device, it's milliseconds to get out. Right? Or to have somebody else take control of it. Right. And at DEF CON, we address a lot of these issues of how do you protect yourself? What does the offensive capability look like?
(33:10):
And then how do we smash the defensive capability on top of it to try to make it not a problem? Right? So, so, measure, countermeasure, right? And we've put a lot of thought into how do we get companies to do the basics, right? So strong username, password authentication, so strong authentication, two factor authentication, once you have
(33:31):
what you know, what you are, right, yeah. Don't use text message, use a YubiKey, or an app, right? Something that somebody cannot intercept. SS7, which is the protocol that drives text messages, is not, will not, and has not, ever shall be secure. Okay. And I said it that way, for a reason, right? Because I want you to go back and listen to what I just said.
(33:53):
Right? Never be secure, ever. Right? That's why Apple has said, well, there's an encryption on the iPhone for iMessage. Because that's their method for trying to secure that communication protocol that we all live on. Right? Yeah. So you know, strong authentication, two factor authentication, having antivirus in your systems for your, for your business, right.
(34:15):
EDR, an endpoint detection and response system. Right? So find an EDR vendor, right? CrowdStrike's a good one, you know, Darktrace, right?
Ronjini Joshua (34:25):
These are for
payments, right? No,
Scott Lyons (34:26):
this is just your, your network, your network, just our, no, right? We start at the basics, right? I don't care about the payment system just yet. I'll get to that. But start with the basics for your network. Yeah. Are you holding people's data? So remember those tags that we were talking about earlier, where somebody has, over a username, or not even, not username, email address, phone number, right, demographic
(34:47):
collection, right? Are you holding that data and is it secure? So for that, you need to look at compliance. Right, right. Compliance dictates what's known as SOC 2, SOC 2, right, and that comes out from, uh, I want to say the AICPA, which is the association for accountants, right, certified accountants, but SOC 2 certifies that you're collecting
(35:11):
data points across your network, that you have processes in place for countermeasures. Right? That you can show that for at least a span of six to eight months that you have the correct utilization of that data and that you are fixing problems, right. So that's just internal to your network. Also, you need an MDM,
(35:32):
or mobile device management, right? Yeah. Every person that is on a network these days has at least three to five devices. Yeah, your watch, your phone, your computer, three devices right there. Are they secure? Are you watching the communication? If somebody brings a computer? Yeah. If somebody brings their computer into your network, yeah. What is your network doing to that computer? Right.
Ronjini Joshua (35:54):
So I'm in a
hotel right now. I mean, yeah.
Scott Lyons (35:56):
Well, do you have kids? Yes. Okay. So let's say you say to, you, you say to your kid, Bobby, I'm just making bread. I'm not gonna reveal names. But let's say Bobby, you know, you're driving me nuts. Here's my computer. You know, here's a website, go do homework. Yeah. Bobby doesn't want to do that. He's like, man, this, this shit's lame, right? You know, I'm gonna go out. I'm gonna go out and do something fun. Right. Next thing you know, you've got Pirate Bay being pulled up on your computer, right? Pirate Bay is okay. We don't condone. I
Ronjini Joshua (36:21):
mean, I don't
know pirate but yeah, no, no.
Scott Lyons (36:24):
I, I treat Pirate Bay as if everything that is on Pirate Bay has already been infected by China. Right? We leave that one a lot. Yeah. So, uh, but just for an example. He pulls up a website that, you know, gets, gets infected on that machine. You, that's your work machine? Yeah, you take that, put that on the network at work. Now that machine has access to infect other machines. But the problem is, what is, what is
(36:47):
happening from work to your machine? Right, right. So everybody wants to work from home and working from home involves VPN. Yeah, right? We all know this, right? It's also known as dual homing a computer. So on one path, at your home network. And on the other path, that's VPN? Network. Right? So how are you securing the business so that if the network gets extended into the house,
(37:08):
you can pull the network back? Right, let's say we have to let you go for some odd reason. Right? How do we pull the network back? How do we pull back from your computer? How do we pull back from your phone? Yeah, how do we pull it back from your watch or any other device? Right? So doing the basics and really standing up an asset discovery program, so you know what's on your network, a vulnerability assessment program, so that way, you know
(37:30):
which machines need to be patched, right? Standing up a change control system inside of the, inside of the business to understand and track those, those patches, right? Being able to do penetration testing, right? The PCI DSS that we were talking about earlier, right, the Payment Card Industry Data Security Standard, is the reason that penetration testing is an
(37:50):
actual thing inside of information security. Right? So it's not just payment card. It's not just payment card information. It's actually saying to a hacker or white hat, can you come and break into my system and tell me how you did it? So that way, I can close the hole and put up the defenses? Right, right. So doing the basics for the network, and then doing the basics for your family? Yeah, right. So when
(38:12):
you're at home, making sure you have antivirus. Don't click links that you don't know where they go to. Period. Don't click shit just to click it. I can't even tell
Ronjini Joshua (38:24):
you, it's like that, pushing the button. The red button, I just want to push the button. Oh, man.
Scott Lyons (38:29):
I've dealt with companies and have, I've had to recover businesses for when people who are not connected to the company have clicked something that cost the company millions in recovery. Right. And it's, it's breathtaking, you know, and when you're in the business, know who can touch your computers, right. There is a, one of my friends who wanted to
(38:53):
do a penetration test on a dispensary walked in as their IT staff. They let them right in. He grabbed one of their hard drives, went and sat an hour later with the owner of the dispensary and said, what if I told you that all of your proprietary information, your ingredients, your supply chain, what if I told you that was, that
(39:13):
was at risk? And naively the owner said, that's never gonna happen. My friend, like, pulled a bunch into his bag and set the hard drive down right in front of them and said, this is yours, go check it. I have it. I shouldn't have it. Okay, that's scary shit. I don't care who you are.
(39:36):
Yeah. When you have somebody that is outside of your reach come in as all your, yes. Yes, super scary. Right. But you know, here, here at MJBizCon we've got a lot of companies that are doing physical security. Great. Love it, wonderful. Not a lot of companies are doing cyber. Yeah, right. So when you look at how companies get breached, you have
(40:00):
to understand that 95 to 98% of all attacks are social engineering. Right? Okay. Now if you're not familiar with what that is, definitely go Google it because it's really wildly interesting. But the main method behind social engineering is making you do something that you don't want to do. Have I spoken with you recently about your car's extended warranty?
Ronjini Joshua (40:23):
Oh my god, I
hate that so much.
Scott Lyons (40:25):
Wait, wait, it gets worse. In email. Hello, I am connecting with you to give you the bank account details. Yes. And money to bring the prince of Nigeria. Nigeria. Right. Right. Right. How about this one? This one, a couple years ago, when Zeus bot was, came, was out, right, one of the very first crypto lockers: you have a FedEx package, click here to
Ronjini Joshua (40:47):
the one I like the most is, your Social Security has been hacked. And you need to call us back right now. Yeah, and then you're like, holy shit, my Social Security. What? Doesn't make sense? It doesn't make sense.
Scott Lyons (41:02):
So for fun, sometimes my friends and I will keep those people that call us on the line and we'll, we'll infect them.
Ronjini Joshua (41:09):
Oh, wow. That's
funny. Yeah,
Scott Lyons (41:10):
I would do, just so that they can't hurt, yeah, or grandma in Iowa. Yeah, that uses the computer to look at cat pictures. It, cat. Okay, cat pictures is one of the number one uses of the internet, or one of the top uses of the internet, right? I can, I can have cheeseburgers. You know, it's
(41:32):
it's funny. And then you look at what's happening now and where industries are heading, especially dealing with cryptocurrency and NFTs. Right? If you don't know what those are, definitely go do your research, right? The Bored, at the Bored Apes club? Yeah. Right? An NFT. And then we get into DeFi and, you know, new ways of moving money without government interaction. And it's, it's wildly fascinating, you know, right now, with the
(41:55):
methods that are out there. And I'm very bold in saying this, I'm probably gonna have a Fed knock on my door for this one. The IRS and other parties of the government are years behind regulation on what's going on with this stuff, especially when you're talking about decentralized environments.
(42:16):
They're years behind it. Right? So, you know, how do you account for crypto on your, on your, on your IRS statement? Right? And you
Ronjini Joshua (42:29):
can't, can you
know, you
Scott Lyons (42:30):
can, because they put it under cap gains? Oh, there's a section for it. But there's, there's gray area in there, where it's not defined of, if you make a gain in crypto, and then you trade crypto for crypto for crypto for crypto, tracking that, right? How are you tracking those gains? And then you put it into, okay, now I'm really releasing shit. When you put it into a DeFi system, and you don't move it into a
(42:52):
physical fiat currency, what happens? It, like, there are so many nuances dealing with this right now. You know, everybody's sitting back saying, well, cryptocurrency's the new, is the new, is the new dollar, right. And recently, we've seen China kick all the crypto miners out of China. Right. So now you have companies contacting Juan Valdez and his pack mules, right, to go into the mountains of China to
(43:13):
pull the mines out. Right. We've seen that Texas has become a front runner for crypto. But if you remember back, was it last winter, winter before, all of the green energy stuff? The windmills or solar all got frozen up in Texas, had blackouts? What's going on there? Right? Like, let's be honest, this is gonna get interesting, right? We have NFTs now, our non fungible tokens, being able to be sold on
(43:38):
Coinbase and other exchanges, right? OpenSea, if you're, if you're not familiar with NFTs, go to opensea.io and take a look at what's there. Some of them can, you know, some of them are really good, a lot of it's art, but it can be houses, it can be cars, it can be any, anything. That's it, right. So, you know, if I wanted to tokenize the
(44:01):
three of us sitting here and say, okay, you know, you'll own a piece of what we create right here. That can be done. That's crazy. Yeah, it's disgusting nuts. Now,
Ronjini Joshua (44:12):
it's a very wide
world. Yeah, it is. It is.
Scott Lyons (44:15):
And when you talk about tokenization, inside of the marijuana industry, don't even get me started. Yeah,
Ronjini Joshua (44:20):
I mean, I've already seen NFTs in the marijuana industry, mostly art driven, but like, I mean, that's just a little hint. It's right. Yeah, yeah.
Scott Lyons (44:31):
It is, especially for what's on the horizon of dealing with marijuana, pot, as an industry. Yeah, you know, it may be a way to be able to move money for goods. I don't know.
Ronjini Joshua (44:42):
Absolutely. And
I don't know. I don't
Scott Lyons (44:47):
I don't think any of us have a crystal ball that can accurately portray what's about to go down.
Ronjini Joshua (44:52):
Right. You know,
but, but security is that key
name, the name of the game is
Scott Lyons (44:56):
well, security is the way to protect. Yeah, you, you know, not just yourself? Yes, you're not stopping as well. But
Ronjini Joshua (45:03):
you're Yeah,
you're controlling at least as
much as you can. Yeah, you know,
Scott Lyons (45:07):
yeah, you know, and if we can control what's going on in our lives, right, it'll give us a sense of normalcy. Because we as humans, that human nature, we love really easily repeatable, yeah, things. Yeah. Yeah, you know, the pandemic just threw all of our routines up into a tailspin. You know, for sure, um, and with what's going on in the media these days, you know, media wants us
(45:30):
to know what they want us to know. Yeah. They don't want us to know the real truth. Yeah, yeah. But it's, it's, it's, it's up to us as people to do the research. Discover the truth. Yeah. And not just be a sheep. Yeah, absolutely. You know, so security is one method of protecting ourselves. There are definitely other methods. But here at MJBizCon, the main focus is, you know, how do we work
(45:53):
with suppliers, growers, distributors and manufacturers? To say, yes, your supply chain is secure. Yes, the systems that you're using to log the transactions and be able to track shipments and this, that and the other are secure, you're doing all the right things, that you're not introducing vulnerabilities that are unknown to a business that would then cause that business to be insecure. And that have
(46:15):
blowback? Come back on
Ronjini Joshua (46:16):
you later. Yeah,
absolutely. So all the breaches
that happen over the year. So
Scott Lyons (46:20):
if you look at Walmart, and how Walmart does their supply chain, right, for you to be able to interact with Walmart, you have to be to Walmart standards, right. So if somebody that is up to Walmart standards gets breached, and then goes up field, or upstream into Walmart, now they can track it back to who, who, right. You know, who, how it happened? Yeah, you know, so understanding the nuances and everything.
(46:43):
That's something that we do. That's something that we specialize in. And that's something that everybody should have a vested interest in. I'm not saying you need to be an expert in any way, shape, or form. That's not the point. The point is wake up, don't be a sheep and look at it and say, am I protected? Is this something that I can deal with? Is the ROI, like the exchange, right, the return on investment? Is the exchange of my data that
(47:03):
important? Is it that value? Yeah. And I would say that every single person has an inalienable right to privacy, and it needs to be in the Bill of Rights. Yeah. Inalienable. Unequivocal. Yeah, right. I'm pretty sure that's a word.
Ronjini Joshua (47:21):
Yeah. I don't
have the Thesaurus with me. But
I yeah, I guess.
Scott Lyons (47:27):
But the problem is, we have lobbyists and third party interests that will try and keep that from happening. Sure. Everybody should have their own right to privacy. Everybody should be able to know what's going on with their data, especially seeing that we now live in a connected world, and the fact that you don't, it is a stark, alarming problem that
(47:50):
needs to be addressed. But in this industry, it's making sure that if somebody says I'm going to sell you green ape, right, it's actually green, it's actually green ape. Yeah, if somebody says, I'm going to sell you something with 100 milligram content in one, in one gummy, they're not putting in outside chemicals or the, the levels haven't been reduced by a third
(48:12):
actor or, or threat actor, third or threat, right. It's ensuring that the product and the capability will stay in line, because people are going to build their lives around the stuff that's built here, you buy around the stuff that's built all over the place. So how can we secure it? Cyber is one of
(48:35):
those pieces that we haven't looked at hardcore inside of the marijuana industry, but there are other industries that are getting whacked constantly. Today, I was, we were talking about this a minute ago. There was a company that does candy supply. Yeah.
Ronjini Joshua (48:48):
Today, learn from the other industries. I mean, that's that, that we're in that prime position, right. Learn from all the mistakes that have already been made. Yeah. And improve.
Ben Michaels (48:57):
Yeah, yeah. Let's hold, where do we, how are we doing? Wait, he's downstairs? Oh, yes. Yeah. So we probably need
Scott Lyons (49:03):
to wrap it up. Yeah, we can wrap. Yeah, that's fine. Okay.
Ronjini Joshua (49:06):
Um, what he said, well, I think there was a point where we could wrap so I could just finish up. Yeah, yeah, I
Scott Lyons (49:11):
mean, right there.
Perfect.
Ronjini Joshua (49:14):
Awesome. Thank you. I mean, this is, this conversation could go on, yeah, could go on forever. But, but that's the point is the conversation needs to start, so thank you so much. So like this is kind of like the trigger of everyone having this conversation and starting this conversation, security and, and what you're doing and how you're protecting yourself and your customers, even your audience, whatever, whatever the case may
(49:36):
be. Scott, thank you so much for being here.
Scott Lyons (49:39):
Thank you for
having me.
Ronjini Joshua (49:40):
Obviously, all
your information will be in the
show notes, but
Scott Lyons (49:44):
not personal data. Please, no. Yeah.
Ronjini Joshua (49:47):
Everybody go
find Scott.
Scott Lyons (49:50):
CSP, three Rs, my handle, okay. Twitter, Facebook, Insta, whatever. You can find me on Clubhouse if you have questions. Yeah, no, we're constantly throwing security rooms on drop in audio chat. Oh, that's awesome. You can find, you can find me there, or you know, casper_official on Instagram, and the website's RedLion.io. Perfect. Yep, this is what we do. It, this, this isn't
(50:11):
rocket science, but it's difficult for a lot of people to understand. Yeah, I could do that. Thank you so much. Thank you.
Ronjini Joshua (50:21):
The Green Room podcast is brought to life by Green Seed PR, the cannabis, green tech focused PR agency, and a dedicated production team of editors, mixers and show bookers. A huge thank you to the Vessel team for providing their studio for our recordings. Don't forget to subscribe and share the Green Room podcast with friends, colleagues and family.
(50:42):
That way you'll never miss an episode and we keep the lights on. If you're feeling extra generous, please leave us a review on your favorite podcast listening platform. You can also find us on Instagram at Green Seed PR and see live video versions of all of our podcasts on YouTube. Would you like to be a guest on the show? Or do you have a great guest referral? Awesome. So make your guest at Green Seed PR slash the hyphen
(51:06):
green hyphen room. Thanks for listening and be well.