5 security experts share their best tips for ‘fringe’ devices

Some of the most hackable devices in your network are also probably the most-overlooked.

What is a ‘fringe’ device in IT?

For some, it’s a gadget everyone has forgotten about — a printer in a corner office, an Android tablet in a public area used to schedule conference rooms. A fringe device can also be one that’s common enough to be used in the office yet not so common that everyone is carrying one around or has one hooked up to the Wi-Fi every day.

As with any security concern, many of these devices are overlooked. There might be security policies and software used to track and monitor iPads and Dell laptops, but what about the old HP printer used at the receptionist’s desk? In a hospital, it might be a patient monitoring device. In a more technical shop, it could be a new smartphone running an alternate operating system.

While fringe devices are often overlooked and therefore may be vulnerable to attacks, they’re not extraordinarily difficult to lock down. The standard security practices still apply. Security experts say the fringe devices themselves aren’t the problem. It’s the fact that they’re allowed to exist without any protection. Here are some tips for making sure your fringe devices are safe.

1. Ask tough questions when speaking to vendors

One of the best tips when dealing with fringe devices is to ask some hard questions when dealing with the companies that make and sell them. You may already know about best practices for securing laptops and mobile devices, but there are too many open variables with unusual gadgets, says Sinan Eren, a vice president at security vendor Avast Software, and you have to get tough with vendors to make sure all the bases are covered.

For example, the devices that monitor vital signs in hospitals aren’t not normally considered attack vectors, but if a hacker did tamper with such a device remotely, the consequences could be dire, particularly for the patient. Nonetheless, many of these kinds of devices aren’t included in system vulnerability checks and aren’t updated properly or in a timely manner. Yet vendors should be able to answer basic questions about them — like whether the firmware is signed and updated regularly, and if the vendor does its own security reviews.

2. Make sure policies cover every possible gadget

What happens when someone walks into the office with a personal media player — one that’s brand new on the market. Maybe there's no possible threat, but what if there is? Michael Kemp, co-founder of security firm Xiphos Research, says the only answer is to make sure you have strict policies for every device, including any personal gadgets used at work.

[Related: Enterprise CIOs, think it's OK to ignore SMB security holes? Think again]

“Specific policies — such as disabling the USB port activity — can provide an excellent mechanism for combating some of the threats that the use of personal devices pose,” he says. “If individuals are using personal devices to interact with enterprise networks, such interaction should be limited. If such interaction is a regular occurrence, the devices should be managed, maintained, and bought within the auspices of the wider enterprise.”

3. Know what you’re dealing with

Identification is key when it comes to best security practices. And that can be difficult when you’re dealing with, say, an outdated gadget that was discontinued by its maker (which could be a company that doesn’t even exist anymore) or a less-common brand of network-attached storage device. Security software should be able to search for and identify even the most unusual devices connected to a network.

“The best strategy for dealing with unusual devices starts with identification,” says Morey Haber, vice president of technology at security vendor BeyondTrust. “Whether this is a form of automated discovery or informal personnel survey, the only way to manage the problem first starts with quantifying the risk.”

Join the CSO newsletter!

Error: Please check your email address.

More about AvastBeyondTrustDellHPLIFXUbuntu

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Brandon

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place