Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19624 | VVoIP/VTC 1740 (GENERAL) | SV-21765r1_rule | DCBP-1 ECSC-1 | Medium |
Description |
---|
The VTC STIG discusses the possibility of undesired or improper viewing of and/or listening to activities and conversations in the vicinity of a hardware based VTC endpoint, whether it is a conference room system or an office based executive or desktop system. If this was to occur, there could be inadvertent disclosure of sensitive or classified information to individuals without the proper clearance or need-to-know. This vulnerability could occur if the endpoint was set to automatically answer a voice, VTC, or collaboration call with audio and video capabilities enabled, or if the endpoint was compromised and remotely controlled. The stated requirements and mitigations involve muting the microphone(s) and disabling or covering the camera(s). These or similar vulnerabilities could exist in PC based communications/collaboration applications due to an auto answer feature or compromised application or platform. As such, the simplest mitigation would be to only operate the software that accesses the microphone and camera when they are needed for communication. This does not work well for a unified communications application that is used to enhance our communications/collaboration capabilities since the application would be running most, if not all of the time when the PC is operating. In this case, the microphone could be muted and camera disabled in software as a mitigation. However, this also may not work well due to the possibility of the communications/collaboration application, microphone, or camera could be remotely activated if the platform or a communications application is compromised. In this case positive physical controls may be required. We must also rely on our defense in depth strategy for protecting our PC applications, including our communications applications, from compromise. Physical disablement such as unplugging from the PC, using a physical mute switch, or covering a camera could work if using external devices. However, this mitigation would not work for embedded microphones and cameras as is the trend in laptops and monitors today. While it may not be easily feasible to physically disable an embedded microphone, the lens of an embedded camera can be covered. |
STIG | Date |
---|---|
Voice/Video over Internet Protocol (VVoIP) STIG | 2015-12-29 |
Check Text ( C-23917r1_chk ) |
---|
Interview the IAO to validate compliance with the following requirement: Ensure auto-answer capabilities of any voice, video, VTC, UC, or collaboration applications are disabled in the event the application provides audio or video communications services such that the microphone and/or camera could be activated automatically when an incoming call is received. Note: This does not apply to text based communications such as IM that does not activate a microphone or camera. Have the IAO or SA demonstrate the operation of the PC communications client applications on PCs in the organization, to determine how they function with regard to the “auto-answer” feature, how the feature is configured, and if it is a user configurable setting. Inspect a random sample of PCs to determine if communication apps are configured in compliance. Place calls to all or minimally a random sample of PCs to determine if any of them automatically answers the call. Inspect SOPs and training materials to determine if this mitigation requirement is disseminated to users. Interview a random sampling of users to determine if they are properly trained on this topic. This is a finding if any PC application automatically answers a call, or if the application is configured to allow auto-answer, or if the application cannot be configured to disable auto-answer. If this feature/capability is user configurable, this is a finding in the event SOPs and training materials do not address the auto-answer feature such that it is not used. Additionally, this is a finding if users are unaware of the related training. This is not a finding if by default the application does not automatically answer calls and such a feature cannot be activated. |
Fix Text (F-20328r1_fix) |
---|
Ensure auto-answer capabilities of any voice, video, VTC, UC, or collaboration applications are disabled in the event the application provides audio or video communications services such that the microphone and/or camera could be activated automatically when an incoming call is received. Note: This does not apply to text based communications such as IM that does not activate a microphone or camera. If a PC communications client application provides an auto-answer feature/function configure the application to disable the feature. OR If the auto-answer feature/function is user configurable, develop an SOP and training materials and train users to not activate the feature. Enforce the SOP by randomly checking their compliance. OR If a PC communications client application provides an auto-answer feature/function that cannot be disabled, replace the application with one that does not have the feature or one that can be configured to disable it. |