
A PC Collaboration application does not identify all connected parties.


Overview

Finding ID: V-19626
Version: VVoIP 1730 (GENERAL)
Rule ID: SV-21767r1_rule
IA Controls: DCBP-1, ECSC-1
Severity: Medium

Description
Visual collaboration often requires the sharing or display of presentations, open documents, and white board information to one or more communicating endpoints. While the technology for doing this is different between hardware based endpoints and PC based application endpoints, the vulnerability is the same. In both cases, the displayed information typically resides on a PC. While in presentation/sharing mode, care must be exercised so that the PC user does not inadvertently display and transmit information on their workstation that is not part of the communications session and not intended to be viewed by the other communicating parties. Users must be aware that anything they display on their PC monitor while presenting to a communications session may be displayed on the other communicating endpoints. This is particularly true when the PC video output is connected to a VTC CODEC since the information will be displayed on all of the conference monitors.

This presentation/sharing feature could result in the disclosure of sensitive or classified information to individuals that do not have a validated need-to-know or have the proper clearance to view the information. Thus, the presentation/sharing feature presents a vulnerability to other information displayed on the PC, if the feature is misused. This is a problem when sharing (displaying) a PC desktop via any collaboration tool using any connection method.

There is little that can be done to mitigate this vulnerability other than to develop policy and procedures on how to securely present to collaborative communications sessions. All users that perform this function must have awareness of the issues and be trained in the proper operational procedures. Such procedures may require that there be no non-session related documents or windows open or minimized on the PC while presenting or sharing. An additional requirement may be that the user may not permit others in a session to remotely control their PC.

A similar issue is that some PC based collaboration applications can permit a user to allow other session participants to remotely control their PC. Depending upon how this feature is implemented and limited, it could lead to undesired activities on the part of the person in control and possible compromise of information that is external to the collaboration session. This would be the case if such sharing or remote control provided access to the local hard drive and non session related applications or network drives accessible from the controlled PC. It is also imperative that a collaboration session participant know with whom he/she is communicating and sharing information and/or to whom they might give remote control access to their PC or shared application. This is so that the communicating individuals can have a trust relationship before sharing occurs.

STIG: Voice/Video over Internet Protocol STIG
Date: 2015-01-05

Details

Check Text (C-23919r1_chk)
Interview the IAO to validate compliance with the following requirement:

Ensure PC based collaboration applications identify all connected parties whether on a two party call or in a multiparty conference.

Have the IAO or SA demonstrate that the PC based collaboration application identifies all connected parties such that a user can identify with whom information is shared or to whom application control is given.

Fix Text (F-20330r1_fix)
Ensure PC based collaboration applications identify all connected parties whether on a two party call or in a multiparty conference.

Configure the collaboration application to display the identity of all parties engaged in a session or use one that can be configured to do so.