Check: RTS-VTC 2365.00
Video Services Policy STIG:
RTS-VTC 2365.00
(in versions v1 r12 through v1 r8)
Title
Deficient user or administrator training regarding the vulnerabilities with, and operation of, CODEC streaming (Cat II impact)
Discussion
In conjunction with the SOP for VTU/CODEC streaming, users must be trained in the vulnerabilities of streaming, how to recognize if their CODEC is streaming, and how to deactivate streaming if it should not be active.

Note: For additional information regarding the vulnerabilities associated with VTC streaming, see the discussion under RTS-VTC 2340.
Check Content
[IP]; Interview the IAO to validate compliance with the following requirement:

In the event the VTU/CODEC is connected to an IP-based LAN, and if the CODEC supports streaming, ensure users/operators and administrators of a VTU receive training regarding streaming that addresses the following:

- User awareness regarding the vulnerabilities streaming from a CODEC presents to conference confidentiality.
- User awareness regarding accidental activation of streaming.
- How to recognize the displayed indication provided by the VTU that it is in streaming mode.
- How to terminate streaming, particularly if the CODEC should not be streaming.
- The implementation and distribution of a temporary password for an approved CODEC streaming session using a one-time password that is not repeated and does not match any other user or administrative password.

Note: This is a requirement whether streaming from a CODEC is approved or not.

Interview VTC/CODEC administrators and user/operators to verify that they have received training on the vulnerabilities of streaming, recognition of CODEC streaming, and how to deactivate streaming when it is active. Have a sampling of these individuals demonstrate their knowledge.

This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.
Fix Text
[IP]; In the event the VTU/CODEC is connected to an IP-based LAN, and if the CODEC supports streaming, perform the following tasks:

- Train CODEC user/operators and administrators regarding CODEC streaming addressing the following:
  - User awareness regarding the vulnerabilities streaming from a CODEC presents to conference confidentiality.
  - User awareness regarding accidental activation of streaming.
  - How to recognize the displayed indication provided by the VTU that it is in streaming mode.
  - How to terminate streaming, particularly if the CODEC should not be streaming.

Additionally, include this information in user agreements and guides.
Additional Identifiers
Rule ID: SV-18868r1_rule
Vulnerability ID: V-17694
Group Title: RTS-VTC 2365.00 [IP]
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |