Real estate is an expensive commodity for the federal government. The Public Building Service—the General Services Administration’s landlord agency—oversees 370 million square feet of federal office space for 1.1 million employees, for which agencies paid $11.4 billion in rent in fiscal 2015. At almost $31 a year per square foot, the average worker’s desktop costs about $385 a year. That comes to a whopping $423.5 million a year just for desktops.
It should come as no surprise that agencies want to get the most from their desktop real estate, and having multiple keyboards, monitors and mouses (KVM) on a desk is expensive. When workers have access to multiple computers and networks, switches can be used to switch a single set of these peripheral devices from one network to the other. But when one or more of these networks contain classified data that must be kept isolated from other networks, using a KVM switch could introduce vulnerabilities into the system.
The National Information Assurance Partnership (NIAP), which oversees implementation of Common Criteria security requirements for the NSA, has released an updated Protection Profile for Peripheral Sharing Switches to ensure that they can be safely used with classified networks by the intelligence and national security communities.
The first batch of products has been certified under the new profile, including three switches from Belkin, whose security features were used to help define the profile’s security baseline. Other certified vendors include HighSecLabs and Emerson Network Power.
The desktop is where networks converge and it plays host to a multitude of vulnerabilities. Even the lowly mouse can have programmable components and memory chips, making it vulnerable to attacks and a source of data leakage between systems. The new Protection Profile addresses a variety of desktop threats, including:
• Cross-computer flow, which involves compromising the KVM switch to give an intruder access to multiple networks or to leak data between connected computers. The shared peripherals also can be used to store data that is being exfiltrated.
• Unintended switching between computers or networks, either maliciously or through user error.
• Peripheral device threats, which can come from unauthorized devices or authorized but untrusted devices that are not properly secured.
• Audio threats, from microphones connected to a switch and that could be activated for eavesdropping, or from speakers that could be misused as microphones.
• Device tampering, which could undermine the security and functionality of a KVM switch.
• Unsafe failure, which could allow data leakage across connected computers of the switch fails.
To counter these threats, switches must isolate data flow, restrict audio output to analog signals to prevent exploitation of amplification by the computer audio codec, isolate user authentication functions from all other peripheral functions, require deliberate action by the user for switching, provide protection from exploits through untrusted peripheral devices, and resist tampering.
Common Criteria certification assures compliance with security requirements not only for U.S. federal government users, but for 25 other national governments. Protection Profiles are developed by NIAP and other governments in collaboration with industry working groups.