
Deficient user or administrator training regarding the vulnerabilities with, and operation of, CODEC streaming


Overview

Finding ID: V-17694
Version: RTS-VTC 2365.00
Rule ID: SV-18868r1_rule
IA Controls: DCBP-1, IAAC-1, IAIA-1, IAIA-2, PRTN-1
Severity: Medium
Description
In conjunction with the SOP for VTU/CODEC streaming, users must be trained in the vulnerabilities of streaming, how to recognize if their CODEC is streaming, and how to deactivate streaming if it should not be active. Note: For additional information regarding the vulnerabilities associated with VTC streaming, see the discussion under RTS-VTC 2340.
STIG: Video Services Policy STIG
Date: 2020-02-25

Details

Check Text ( C-18964r1_chk )
[IP]; Interview the IAO to validate compliance with the following requirement:

In the event the VTU/CODEC is connected to an IP-based LAN, and if the CODEC supports streaming, ensure users/operators and administrators of a VTU receive training regarding streaming that addresses the following:
- User awareness regarding the vulnerabilities streaming from a CODEC presents to conference confidentiality.
- User awareness regarding accidental activation of streaming.
- How to recognize the displayed indication provided by the VTU that it is in streaming mode.
- How to terminate streaming, particularly if the CODEC should not be streaming.
- The implementation and distribution of a temporary password for an approved CODEC streaming session using a one-time password that is not repeated and does not match any other user or administrative password.

Note: This is a requirement whether streaming from a CODEC is approved or not.

Interview VTC/CODEC administrators and user/operators to verify that they have received training on the vulnerabilities of streaming, recognition of CODEC streaming, and how to deactivate streaming when it is active. Have a sampling of these individuals demonstrate their knowledge.

This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.
Fix Text (F-17591r1_fix)
[IP]; In the event the VTU/CODEC is connected to an IP-based LAN, and if the CODEC supports streaming, perform the following tasks:
- Train CODEC user/operators and administrators regarding CODEC streaming, addressing the following:
  - User awareness regarding the vulnerabilities streaming from a CODEC presents to conference confidentiality.
  - User awareness regarding accidental activation of streaming.
  - How to recognize the displayed indication provided by the VTU that it is in streaming mode.
  - How to terminate streaming, particularly if the CODEC should not be streaming.

Additionally, include this information in user agreements and guides.