The Threat Within
While stories about skilled hackers and foreign state-sponsored attacks make the biggest headlines, many networks are more exposed to data breaches from a far less publicized source: their own users.
Whether intentionally or not, users working at desktop computers and the peripheral devices attached to them have a tremendous capacity to do harm. According to a recent IBM cybersecurity study, “inadvertent insiders” were to blame for more than two-thirds of the total records compromised in the U.S. in 2017.
Within the U.S. government and military, breaches of sensitive data have led agencies to demand a higher level of security from their IT vendors. The NIAP (National Information Assurance Partnership), which agencies rely on to evaluate and certify the security capabilities of IT products, emphasizes the ability to counter these internal threats. It maintains rigorous requirements for products that connect to and manage users’ peripheral devices, such as the KVM switches in a network.
A KVM switch that is not secure gives in-house users an open door to:
- Access or remove restricted internal information
- Introduce malware network-wide
- Tamper with the device hardware itself
These vulnerabilities are an even greater threat in the BYOD (bring your own device) era, where laptops, tablets, and smartphones often play dual roles as work and personal devices. Such devices may not be as strictly governed by IT security policy, and they are vulnerable points through which viruses and malware can enter a network.
A Secure KVM Solution
Select IT product manufacturers are enhancing the security capabilities of their KVM switches to address these challenges and to meet NIAP standards. Secure KVM switches allow users to access multiple computers at different security levels from a single console (keyboard, mouse, and monitor) while protecting data from accidental or unauthorized transfer when switching between systems. This protection starts with the internal construction of the switch and extends to its ability to restrict the types of peripherals that can connect to it. Specific features include:
- Isolated Channels. Each connected computer has its own physically separate circuit path inside the switch, so data cannot leak from one channel to another when the user switches between systems at different classification levels.
- One-Way Communication. On the keyboard and mouse path, data flows in only one direction: from the console to the selected computer, never from a computer back out to a peripheral port. This prevents users from pulling data off a connected system onto an external device, a protection that has become necessary as high-capacity handheld storage drives have become commonplace.
- Secure Emulation. The switch presents an emulated keyboard and mouse to every connected computer at all times, so the hosts never enumerate the real peripherals directly and switching between systems does not expose a new device to the host. There is no direct path between a computer and a physical peripheral.
- Flash Drive Restriction. The switch accepts only keyboard- and mouse-class devices on its console ports; mass-storage devices and other non-HID peripherals are rejected, closing a common route for malware to enter and data to leave.
- Memory Clearing. The switch holds keyboard and mouse data only transiently and clears its internal buffers after each transmission and on every channel switch, so keystrokes entered on one system cannot be recovered from the switch and replayed on another.
- Tampering Protection. Device firmware is locked and cannot be reprogrammed. If someone opens the casing, the switch permanently disables itself.
- Push-Button Control. Switching between connected computers requires pressing a button on the switch itself, so a channel change cannot be triggered by software or a keyboard shortcut from a connected computer.
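Peripheral restriction and secure emulation both rest on the switch inspecting what is plugged into its console ports and admitting only keyboard- and mouse-class devices. The following is an added example, not any vendor's firmware or NIAP-supplied code, showing the kind of allowlist check involved: it parses a USB configuration descriptor, collects every interface descriptor, and admits the device only if every interface is a HID boot-protocol keyboard or mouse. The allowlist policy, the function names, and the sample descriptors are assumptions constructed for illustration. It also covers a case the feature list above does not spell out: a composite device that presents a legitimate keyboard interface alongside a hidden mass-storage interface is rejected as a whole, and a blob whose wTotalLength does not match what was received is rejected rather than parsed optimistically.

```python
"""Illustrative USB peripheral-class allowlist for a secure KVM console port.

Added example (not any vendor's firmware or NIAP code). The policy below,
the names, and the sample descriptors are assumptions made for illustration.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# USB descriptor types and class codes (values from the USB specification)
USB_DT_CONFIG = 0x02
USB_DT_INTERFACE = 0x04
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
USB_CLASS_HUB = 0x09
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01
HID_PROTOCOL_MOUSE = 0x02

# Assumed policy: only boot-protocol keyboards and mice are admitted.
ALLOWED_HID = {
    (HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD),
    (HID_SUBCLASS_BOOT, HID_PROTOCOL_MOUSE),
}


@dataclass(frozen=True)
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int


def parse_interfaces(config: bytes) -> list[Interface]:
    """Walk a configuration descriptor blob and return every interface descriptor.

    All alternate settings are included: a non-HID interface hidden in an
    alternate setting must not escape the check.
    """
    if len(config) < 9 or config[1] != USB_DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]
    if total != len(config):
        raise ValueError(f"wTotalLength {total} does not match {len(config)} bytes received")
    ifaces: list[Interface] = []
    off = 0
    while off + 2 <= len(config):
        length, dtype = config[off], config[off + 1]
        if length < 2 or off + length > len(config):
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == USB_DT_INTERFACE and length >= 9:
            num, _alt, _n_ep, cls, sub, proto = struct.unpack_from("<6B", config, off + 2)
            ifaces.append(Interface(num, cls, sub, proto))
        off += length
    return ifaces


def admit(config: bytes) -> tuple[bool, str]:
    """Allowlist decision: every interface must be a boot keyboard or mouse.

    Rejecting the whole device on any disallowed interface is what stops a
    composite 'keyboard' from smuggling a mass-storage interface through.
    """
    try:
        ifaces = parse_interfaces(config)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if not ifaces:
        return False, "rejected: no interfaces"
    for i in ifaces:
        if i.cls != USB_CLASS_HID:
            return False, f"rejected: interface {i.number} has class 0x{i.cls:02x}, not HID"
        if (i.subclass, i.protocol) not in ALLOWED_HID:
            return False, (f"rejected: interface {i.number} is HID subclass 0x{i.subclass:02x} "
                           f"protocol 0x{i.protocol:02x}, not a boot keyboard or mouse")
    return True, "admitted"


# --- Constructed sample descriptors (not captured from real hardware) ---
def _iface(num: int, cls: int, sub: int, proto: int, n_ep: int) -> bytes:
    return struct.pack("<9B", 9, USB_DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0)


def _endpoint(addr: int, attrs: int) -> bytes:
    return struct.pack("<BBBBHB", 7, 0x05, addr, attrs, 8, 10)


def _config(*descriptors: bytes, n_ifaces: int) -> bytes:
    body = b"".join(descriptors)
    return struct.pack("<BBHBBBBB", 9, USB_DT_CONFIG, 9 + len(body), n_ifaces, 1, 0, 0x80, 50) + body


HID_DESC = bytes.fromhex("092111010001223f00")  # class-specific HID descriptor

SAMPLE_KEYBOARD = _config(_iface(0, USB_CLASS_HID, 1, 1, 1), HID_DESC, _endpoint(0x81, 0x03), n_ifaces=1)
SAMPLE_FLASH_DRIVE = _config(_iface(0, USB_CLASS_MASS_STORAGE, 0x06, 0x50, 2),
                             _endpoint(0x81, 0x02), _endpoint(0x02, 0x02), n_ifaces=1)
SAMPLE_HUB = _config(_iface(0, USB_CLASS_HUB, 0, 0, 1), _endpoint(0x81, 0x03), n_ifaces=1)
# Keyboard interface plus a hidden mass-storage interface on the same device
SAMPLE_BADUSB = _config(_iface(0, USB_CLASS_HID, 1, 1, 1), HID_DESC, _endpoint(0x81, 0x03),
                        _iface(1, USB_CLASS_MASS_STORAGE, 0x06, 0x50, 2),
                        _endpoint(0x82, 0x02), _endpoint(0x02, 0x02), n_ifaces=2)

if __name__ == "__main__":
    for name, blob in [("keyboard", SAMPLE_KEYBOARD), ("flash drive", SAMPLE_FLASH_DRIVE),
                       ("hub", SAMPLE_HUB), ("composite keyboard+storage", SAMPLE_BADUSB)]:
        print(f"{name:28s} -> {admit(blob)[1]}")
```

The check is deliberately an allowlist rather than a denylist of storage classes: a device is admitted only if every interface it exposes is something the console port is meant to carry, so hubs, audio, network adapters and vendor-specific HID collections are all turned away without needing a rule for each. The price is that a feature-rich keyboard exposing extra vendor HID interfaces is also refused, which is the trade a secure switch makes.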
These features align with NIAP requirements for the highest levels of secure switching, as used on the U.S. Department of Defense and Department of State SIPRNet (Secret Internet Protocol Router Network) and on JWICS (Joint Worldwide Intelligence Communications System), a secure network used primarily within the intelligence community. At the time of writing, a KVM switch should meet NIAP’s Common Criteria Protection Profile for Peripheral Sharing Switches Version 3.0, known as “PP3.0”; NIAP revises its protection profiles over time, so confirm the current version and check the NIAP Product Compliant List for the specific model before purchasing.
Although NIAP certification was developed to meet the strict security requirements of government agencies, nothing prevents certified products from being used outside government. Any organization that needs to protect sensitive data, such as a healthcare provider or a private corporation, can take advantage of the same level of protection that this class of products provides.