Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-21514 | VVoIP/VTC 1610 (GENERAL) | SV-23723r1_rule | ECSC-1 | Medium |
Description |
---|
Permitting hardware-based VVoIP or VTC endpoints to browse the internet or enterprise intranet freely exposes the endpoint to inadvertently downloading malicious code against which it may have no protection. VVoIP and VTC endpoints typically cannot support host-based intrusion detection or anti-virus software. While the downloaded malicious code might not affect the endpoint itself, the malicious code could use the endpoint as a launching pad into the network and attached workstations or servers. |
STIG | Date |
---|---|
Video Teleconference (VTC) STIG | 2015-12-29 |
Check Text ( C-25756r1_chk ) |
---|
Interview the IAO to validate compliance with the following requirement: Ensure hardware-based VVoIP or VTC endpoint web browser capabilities that permit the endpoint to browse the internet or intranet are disabled unless such capabilities are specifically required for the proper function of the endpoint or to access specific external applications. Determine the web browsing capabilities of the hardware-based VVoIP or VTC endpoints. This is a finding if the endpoint can access general web pages on the Internet or enterprise intranet other than approved external applications. NOTE: This requirement does not apply to limited web browsing capabilities required to access external applications and services that have been approved for accessibility on the endpoint and implemented by the enterprise. |
Fix Text (F-22304r1_fix) |
---|
Ensure hardware-based VVoIP or VTC endpoint web browser capabilities that permit the endpoint to browse the internet or intranet are disabled unless such capabilities are specifically required for the proper function of the endpoint or to access specific external applications. |