5 security experts share their best tips for ‘fringe’ devices

Some of the most hackable devices in your network are also probably the most-overlooked.

managed security service providers
Credit: Thinkstock

What is a ‘fringe’ device in IT?

For some, it’s a gadget everyone has forgotten about — a printer in a corner office, an Android tablet in a public area used to schedule conference rooms. A fringe device can also be one that’s common enough to be used in the office yet not so common that everyone is carrying one around or has one hooked up to the Wi-Fi every day.

As with any security concern, many of these devices are overlooked. There might be security policies and software used to track and monitor iPads and Dell laptops, but what about the old HP printer used at the receptionist’s desk? In a hospital, it might be a patient monitoring device. In a more technical shop, it could be a new smartphone running an alternate operating system.

While fringe devices are often overlooked and therefore may be vulnerable to attacks, they’re not extraordinarily difficult to lock down. The standard security practices still apply. Security experts say the fringe devices themselves aren’t the problem. It’s the fact that they’re allowed to exist without any protection. Here are some tips for making sure your fringe devices are safe.

1. Ask tough questions when speaking to vendors

One of the best tips when dealing with fringe devices is to ask some hard questions when dealing with the companies that make and sell them. You may already know about best practices for securing laptops and mobile devices, but there are too many open variables with unusual gadgets, says Sinan Eren, a vice president at security vendor Avast Software, and you have to get tough with vendors to make sure all the bases are covered.

For example, the devices that monitor vital signs in hospitals aren’t not normally considered attack vectors, but if a hacker did tamper with such a device remotely, the consequences could be dire, particularly for the patient. Nonetheless, many of these kinds of devices aren’t included in system vulnerability checks and aren’t updated properly or in a timely manner. Yet vendors should be able to answer basic questions about them — like whether the firmware is signed and updated regularly, and if the vendor does its own security reviews.

2. Make sure policies cover every possible gadget

What happens when someone walks into the office with a personal media player — one that’s brand new on the market. Maybe there's no possible threat, but what if there is? Michael Kemp, co-founder of security firm Xiphos Research, says the only answer is to make sure you have strict policies for every device, including any personal gadgets used at work.

[Related: Enterprise CIOs, think it's OK to ignore SMB security holes? Think again]

“Specific policies — such as disabling the USB port activity — can provide an excellent mechanism for combating some of the threats that the use of personal devices pose,” he says. “If individuals are using personal devices to interact with enterprise networks, such interaction should be limited. If such interaction is a regular occurrence, the devices should be managed, maintained, and bought within the auspices of the wider enterprise.”

3. Know what you’re dealing with

Identification is key when it comes to best security practices. And that can be difficult when you’re dealing with, say, an outdated gadget that was discontinued by its maker (which could be a company that doesn’t even exist anymore) or a less-common brand of network-attached storage device. Security software should be able to search for and identify even the most unusual devices connected to a network.

“The best strategy for dealing with unusual devices starts with identification,” says Morey Haber, vice president of technology at security vendor BeyondTrust. “Whether this is a form of automated discovery or informal personnel survey, the only way to manage the problem first starts with quantifying the risk.”

1 2 Page 1