My wife works in a medium-to-high security U.S. government environment – nothing exciting, just records management, but she does handle genuine secret information, the kind of thing that could compromise ongoing operations or in extreme cases get someone killed. And security in her workplace is tight, if sometimes a little misguided, which makes me conscious of the security risks of mobile computing.

Basically, unfortunately, mobile computing is often the enemy of security. After all,we are talking about devices that are designed to be carried around, often in pockets. On the other hand, too often security is designed on the “better safe than sorry” principle of forbidding everything. So here is my take on the security risks created by common technology products.

First, by far the greatest security risk, and one of the hardest to detect, is the USB drive. It can be plugged into any computer or other network device with a USB port (and it is easy enough to add a USB card to a desktop computer with an open slot). A close second is the memory card. All of these are easily concealed. Once attached, virtually anything can be downloaded onto them and carried out of the building. And that works two ways. One popular way to infect a corporate network with malware is to use cheap USB drives. The criminal – or disgruntled former employee – doesn’t even have to get in the building, just scatter a few drives containing the malware around the parking lot some night and count on an innocent employee to pick one up, bring it inside, and plug it into a computer. Presto, the malware has a clear path to self-load into that computer and from there propagate throughout the company network.

The answer is first to educate employees on the dangers of using USB drives they pick up somewhere, and of the importance of maintaining company security in general. Then obviously the company network and devices on it should have up-to-date security that scans any new device added to it for malware and, in the case of the network, checks packets for suspicious code. But those may not work for a custom-made virus, and those are becoming more common.

For higher security situations, such as development labs, security may require the disconnection of physical removal of all USB ports from computing devices.

The second greatest security risk is the cell phone, particularly a phone with a camera. Where my wife works, camera phones have long been forbidden, even for employees (guests basically have to leave all electronic gadgets in their cars). The problem is that today it is virtually impossible to get a cell phone without a camera, and resolution of those cameras is increasing steadily. A 5 megapixel cell phone camera is certainly capable of capturing readable photos of documents and then transmitting them to an outside site. Secure locations can block cellular carriers inside buildings, although this is difficult and expensive, but guards cannot be asked to inspect all photos on every cell phone carried in and out of the facility every day to detect a spy.

I’ll discuss the security threat caused by Bluetooth and WiFi tomorrow.