April 21, 2017 by

Andrew Lee on Internet of Things and cybersecurity

As CEO for ESET North America, Andrew Lee brings the role a unique blend of corporate and security expertise. Having served as Chief Research Officer at ESET from 2004 to 2008, Mr. Lee was responsible for helping to build ESET’s reputation as a world-class research organization. He is a founding member of several respected cyber security organizations, serves on the board of NCSA (The National Cyber Security Alliance) and is co-chair of the San Diego Cyber Center of Excellence (CCOE), which works to accelerate the regional cyber economy. A frequent speaker at industry conferences, Mr. Lee is also a widely-published author of articles on antivirus and security, and also co-authored the “AVIEN Malware Defense Guide” with current ESET researcher David Harley. Mr. Lee holds an MSc degree in Computer Security from the University of Liverpool.

LIFARS: Tell us some background on you and how you got where you are today.

Andrew: I actually started out studying electronics engineering while working in an electronics factory and got interested in computers as in my job I did quite a bit of programming. Later I was working in local government and got involved in computer security, particularly in anti-malware. From there I ended up writing a few papers on the topic, and met some of the ESET people at various conferences. We developed a friendship and I was eventually asked to join the team in the USA. I worked as the Chief Research Officer for a few years, then joined an Indian antivirus company as their CTO. Then I got a call to come back to ESET and so here I am!

LIFARS: What is the industry biggest concern on Internet of Things(IoT) security?

Andrew: I think that the proliferation of low cost devices that have little available power for security features, coupled with few incentives (again cost and power) to update or patch these devices means that we very often find that security, if it exists at all, is an afterthought. Given that these devices are rarely updated (except with brand new hardware) there will be a lot of obsolete devices still pumping out personal data for years after their useful lives. One of my biggest concerns is that most of the data is held by 3rd party vendors, and there’s little control over how and where they store your data. Recently there was a case where a hobbyist drone manufacturer was sending all of the information about the registered user and flight information back to a server in China. Knowing where the parts of your ‘digital body’ are and how they are used is critical to protecting your privacy.

LIFARS:  What are the types of IoT and what devices are more in risk than others?

Andrew: Medical devices are a particular area of concern, these devices not only handle sensitive data, but their function can be critical to wellbeing and even life. For instance, consider an insulin pump or a wirelessly configured pacemaker. In the past both of those types of devices have been shown to have serious flaws that have allowed a remote, unauthorized attacker to affect their function. We should also be thinking about any device that holds financial data or has ordering capability – an example might be a smart refrigerator that knows when to order more food.

LIFARS: How do you think we can protect and manage our data that is moving to new technology like IoT?

Andrew: A key consideration is to ensure you know what is connected to your network, and what data it touches. Putting IoT devices onto your ‘guest’ network is a good idea, so that if they do get compromised the attacker can’t easily bridge into your private home network. If you’re using and allowing IoT devices on your corporate network (and there may be good reasons for this – e.g. tracking stock), then it’s even more important to ensure you understand the security implications. If possible, patch devices when the manufacturer releases updates and disconnect and wipe devices that are no longer used.


About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

Researchers Develop Mirai Malware Vaccine for Insecure IoT Devices

Researchers have developed a novel new way to combat the dreaded Mirai botnet, the malware behind a...

Read more arrow_forward

U.S. Senators introduce New Bill that sets IoT Standards for Federal Suppliers

U.S. Senators are planning to introduce new bill that sets IoT standards for federal suppliers....

Read more arrow_forward

Artificial Intelligence - The Future of Cybersecurity

The sheer number of cyber-attacks and threats present in today’s world is considerable. As the...

Read more arrow_forward