Check: VVoIP 1310 (GENERAL)
Voice Video Services Policy STIG:
VVoIP 1310 (GENERAL)
(in versions v3 r18 through v3 r15)
Title
Deficient training for the secure operation of PC desktop, presentation, or application sharing capabilities of a collaboration tool. (Cat II impact)
Discussion
Visual collaboration often requires the sharing or display of presentations, open documents, and white board information to one or more communicating endpoints. While the technology for doing this is different between hardware based endpoints, and PC based application endpoints, the vulnerability is the same. In both cases, the displayed information typically resides on a PC. While in presentation/sharing mode, care must be exercised so that the PC user does not inadvertently display and transmit information on their workstation that is not part of the communications session and not intended to be viewed by the other communicating parties. Users must be aware that anything they display on their PC monitor while presenting to a communications session may be displayed on the other communicating endpoints. This is particularly true when the PC video output is connected to a VTC CODEC since the information is displayed on all of the conference monitors. This presentation/sharing feature could result in the disclosure of sensitive or classified information to individuals that do not have a validated need-to-know or have the proper clearance to view the information. Thus the presentation/sharing feature presents a vulnerability to other information displayed on the PC if the feature is misused. This is a problem when sharing (displaying) a PC desktop via any collaboration tool using any connection method. The mitigation for this vulnerability is to develop policy and procedures on how to securely present to collaborative communications sessions . All users that perform this function must have awareness of the issues and be trained in the proper operational procedures. Such procedures may require that there be no non-session related documents or windows open or minimized on the PC while presenting or sharing. An additional requirement may be that the user may not permit others in a session to remotely control their PC. A similar issue is that some PC based collaboration applications can permit a user to allow other session participants to remotely control their PC. Depending upon how this feature is implemented and limited, it could lead to undesired activities on the part of the person in control and possible compromise of information that is external to the collaboration session. This would be the case if such sharing or remote control provided access to the local hard drive and non session related applications or network drives accessible from the controlled PC.
Check Content
Interview the IAO to validate compliance with the following requirement: Ensure users of PC based collaboration applications are trained to only share control of their PC or applications with other users that they are familiar with and/or can identify as trustworthy. Determine if training is provided such that users of PC based collaboration applications only share control of their PC or applications with other users with whom they are familiar with and/or can identify as trustworthy. Inspect training materials for related content. Interview a random sampling of users to determine if they are properly trained on this topic. This is a finding if the training or training materials are deficient.
Fix Text
Ensure users of PC based collaboration applications are trained to only share control of their PC or applications with other users that they are familiar with and/or can identify as trustworthy. Produce training materials and provide training such that users of PC based collaboration applications only share control of their PC or applications with other users with whom they are familiar with and/or can identify as trustworthy.
Additional Identifiers
Rule ID: SV-17069r1_rule
Vulnerability ID: V-16081
Group Title: Deficient User Trng: PC Collab App Shar’g Security
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |