John Minasyan leads Belkin’s cybersecurity business unit focused on solutions to mitigate advanced threats at an operator’s desk. In this conversation with Help Net Security, he explains how secure KVM technology works, as well as how and where it can be used.
It’s a very practical thing to be able to control multiple devices by one or more sets of peripherals. Can you explain how secure KVM technology actually works?
A KVM switch allows one keyboard, mouse, and monitor(s) to be shared among multiple computers, thus eliminating the need for redundant peripherals to be consuming valuable space on desks that have different systems converging in front of the same operator.
KVMs do this by exposing the same keyboard, mouse and monitor to all connected computers. Each computer sees the peripheral as if it was connected directly, and peripherals are activated when switched to that computer. While this is a great option for consolidating peripherals, it does create a cyber risk, especially in cases where the connected computers may be at different security levels or enclaves.
A simple Google search reveals a number of ways to hack a KVM, allowing data to flow from one connected computer to another. In sensitive applications where air-gap isolation is deemed necessary, this unmitigated data flow from one system to another basically bridges the air-gap. Secure KVMs are purpose-built, tested, and certified to physically block these potential data paths.
With the shift to a hybrid working environment came the increased usage of many different devices. Do you think secure KVM should be used in such an environment?
Most organizations faced with the advent of a remote workforce have implemented awareness training campaigns and policies to ensure that employees are the only ones using a company-issued computer and to lock or log off the computer when they are not working. This is a way to minimize the potential of a phishing attack or downloaded malware infiltrating the corporate network.
While proper training and awareness can reduce the risk, it does not eliminate it. Human error or simple oversight is the easiest way for an attacker to compromise a system. An example of this is when employees are connected to the corporate network via a firewall. The encrypted nature of VPN tunnels easily bypasses network perimeter defenses and gives attackers the keys to the kingdom.
While Secure KVMs can’t prevent or block this scenario from happening, they provide an added layer of security so remote workers sharing their home monitor, keyboard or mouse between their personal computer and work-issued computer won’t inadvertently expose a compromised personal computer to a sensitive work computer.
Is there a difference between secure KVMs for government and military applications and those for everyday use? What are the main distinctions?
By its nature, a secure KVM is defined and certified by government standards bodies such as Common Criteria. These standards seek to test and designate commercial off-the-shelf equipment as safe to use on government and military networks.
While secure KVMs must meet these certification criteria, they are ultimately COTS products that are available for use on any sensitive network, be it government/military, healthcare, finance, utilities and infrastructure, or even a person with a gaming computer and work computer sharing the same keyboard, mouse, and monitor.
Many devices and connections can be an easy target for cyberattacks. How does the secure KVM prevent this from happening?
Secure KVMs have specific processors and electronic components that physically block potential data paths that could allow a compromised computer to be used to steal or transfer data to another system through shared peripherals.
Network cybersecurity provisions should still be utilized to make attacks difficult, but if isolation needs to be guaranteed while allowing peripherals to be shared, secure KVMs are the only viable solution.
There are different types of secure KVMs. When recommending one of them, what are your main criteria?
The qualification criteria from system to system have to do with the number of computers that need to be accessed, the number of monitors, and the video formats across the computers and monitors. KVMs are constructed to share the peripherals between 2, 4, 8, etc. systems and drive 1, 2, or more monitors.
Before Belkin introduced its first generation of universal secure KVMs in 2018, KVMs were also defined as DVI, HDMI, or DisplayPort models. With Belkin’s universal secure KVMs, a unique combo connector allowed each port to accept both DP and HDMI cables. An auto-sense circuit and internal converters automatically converted the input signals to the appropriate output formats needed by the connected monitors.
Finally, a full complement of custom cables from Belkin allowed the same KVM to connect to any DVI-D, HDMI, DisplayPort, or USB-C video output port on the computer and seamlessly drive any DVI-D, HDMI, DP, or USB-C port on the monitor, all without needing 3rd party video converters and the inherent risks, compatibility problems, and cost they introduce.