Modern-day security protection meets the enemy on the front lines: at the user console. According to Kaspersky, the assumption is that a data breach is caused by an outside hacker, but that's not always true.1 Internal users pose the greatest security threats. As reported by Cybint, 95% of cybersecurity breaches are caused by human error.2 And those errors most commonly occur at the user console. Examples of a breach might include lost or stolen hard copy notes, USB drives, computers, or mobile devices; an unauthorized person gaining access to a laptop, email account, or computer network; or someone sending an email with personal data to the wrong person. Cybercriminals and hackers will infiltrate your company through your weakest link, which is seldom in the IT department.3
Guard Your Sensitive Data with a Secure KVM Switch
To address these security concerns, businesses often use secure KVM switches, which provide extra security at the user console. Secure KVM switches ward off threats work by blocking data leakage between connected computers and peripherals. The switches also prevent eavesdropping through LCD monitors (EDID signal exchange), microphones, or common access card (CAC) devices. Built with true data path isolation between systems and networks, the switches defend against data leaks between secure ports and the outside world. A secure KVM switch isolates a classified network from a public or non-classified network.
NIAP Ensures Your Network is Protected
Providing user confidence against cyber threats, secure KVM switches in the U.S. can comply with standards developed by the National Information Assurance Partnership (NIAP) of the Common Criteria (CC), which is made up of cybersecurity specialists from public and private sectors of the economy who together create Protection Profiles (PP) based on essential safety requirements (ESR) handed down from within government for a specific technology type that will ensure achievable, repeatable, and testable requirements. Along with the National Institute of Standards and Technology (NIST), NIAP also approves Common Criteria Testing Laboratories to perform these security evaluations in private sector operations across the U.S, which is the global driving force for the widest available mutual recognition of secure IT products.
Case in point: To ensure that they introduce no additional risk when being deployed in the national security sector, secure KVM switches are evaluated according to a NIAP PP that describes security requirements for a Peripheral Sharing Switch (PSS) connecting a common set of peripherals to one or more attached computers.
The NIAP PP for secure desktop KVM provides a baseline set of requirements intended to mitigate well-defined and well-described threats. Certification for the latest NIAP PP simplifies product selection by government procurers, as well as by integrators and end-users in other markets.
Because cybersecurity threats evolve, the protection profile evolves as well to ensure certified products do not add risk to the deployed environment. NIAP recently introduced NIAP PP PSD V4.0 as the current profile for technologies including secure KVM switches. Established as the official current protection profile on Jan. 18, 2020, NIAP PP PSD V4.0 addresses upgrades and updates to the government’s security posture since NIAP PP PSD V3.0 was first published on February 13th, 2015.
What is NIAP PP PSD V4.0?
NIAP PP PSD V4.0 takes into account all of the technical and iterative decisions made to government requirements for KVM switches over the past six years. In addition to allowing for new interfaces, the new protection profile identifies other interfaces that are not allowed. Many of the requirements in NIAP PP PSD V4.0 are similar to those in 3.0 but have been renamed and substantially reorganized to permit more granular testing.
NIAP PP 4.0 includes the following requirements:
- Tests products claiming different video interfaces such as HDMI or DVI against different protocols specific to those interfaces
- Requires more stringent testing for audio isolation
- Mandates that vendors need only claim the peripherals their devices actually use via a modular base protection profile
- Restricts against a target of evaluation
- Restricts against certification of a matrix
- Provides more explicit guidance on allowed/prohibited device types (e.g. matrix devices no longer allowed)
- Presents isolation materials as an security target (ST) addendum or separate document
- Aligns granular requirements specifically with test activities so that it’s more clear from claimed requirements what specific tests were done
- Stipulates different security targets for different supported peripherals (e.g. CAC and non-CAC models are different configurations)
- Maintains a specific list of allowed and rejected sub-protocols based on the supported video protocols (DP, DVI, HDMI, USB-C, VGA)
- Makes tamper response optional, because some devices may have swappable cards for different peripheral types (in which case tamper seals are sufficient)
- Permits audio in is only if no other peripheral types are supported by the device (i.e. microphone cannot coexist with speakers)
- Prohibits PS/2 ports
- Allows multiviewers, but must use OSD to identify the active video channel(s)
When it comes to protecting devices at the desktop against cyber threats, best practices compel users to be skeptical when faced with requests (whether explicit or implicit) for information. Being vigilant with physical devices, passwords, downloads, and online activity goes a long way towards protecting sensitive information. For further protection, NIAP 4.0 PP is a valuable tool in the system administrator’s toolbox that protects sensitive information in the public and private sectors.
For more information about the differences between NIAP PP 3.0 and 4.0, read our blog “NIAP 4.0 vs. 3.0,” or download the free white paper, “Meeting Cybersecurity Threats with Secure KVM Switches.”