STIGQter: STIG Summary: Video Services Policy STIG, Version 1, Release 11, Benchmark Date: 24 Apr 2020

Deficient SOP or enforcement regarding handling of incoming calls while in a conference.

DISA Rule

SV-18725r1_rule

Vulnerability Number

V-17598

Group Title

RTS-VTC 1140.00 [IP][ISDN]

Rule Version

RTS-VTC 1140.00

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

[IP][ISDN]; Perform the following tasks:

Ensure the following regarding incoming calls while the VTU is engaged in a conference:

- The VTU automatically rejects incoming calls, is administratively configured to return a “busy signal”, or optionally does so through the use of a user-selected “do-not-disturb” feature.
AND/OR
- The VTU is configured not to automatically answer an incoming call and join it to an active conference (in progress) without user intervention (i.e., the user must decide whether or not to answer the call based on the required source and caller information display; answering the call affects the join).
AND/OR
- A password, entered by the caller, is required to access the VTU’s integrated MCU. This password must be unique among all other passwords used by the system. This capability must not be functional at all times; it is to be enabled only when it is required to be used.

Check Contents

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

Ensure the following regarding incoming calls while the VTU is engaged in a conference:

- The VTU automatically rejects incoming calls, is administratively configured to return a “busy signal”, or optionally does so through the use of a user-selected “do-not-disturb” feature.
OR
- The VTU is configured not to automatically answer an incoming call and join it to an active conference (in progress) without user intervention (i.e., the user must decide whether or not to answer the call based on the required source and caller information display; answering the call affects the join).
OR
- A password, entered by the caller, is required to access the VTU’s integrated MCU. This password must be unique among all other passwords used by the system. This capability must not be functional at all times; it is to be enabled only when it is required to be used.

Note: In the event the VTU supports the “call-in/join via local meeting password” feature for the integrated MCU, the VTU should also have an administrative setting that disables this capability thereby forcing host action. In effect this setting would invoke an automatic “do-not-disturb” or return of a “busy” signal while the VTU is active.
The various VTC vendors implement VTU integrated MCU access control differently. Examples are as follows:

- Tandberg – dial-out and dial-in with host action only; no local meeting password option.
- Polycom – dial-out and dial-in with a “meeting password” that is required to join a multipoint call or streamed meeting. This is a memory location used to set the local MCU or streamed-media access/join password for access to the VTU, and to set the endpoint password given to another MCU when calling into it. “This field can also be used to store a password required by another system that this system calls.”

Note: This pre-configurable “meeting password” violates unique and scripted password policies.

Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU as an administrator configurable option and/or as a default condition. The desired capability is to block incoming calls during a VTC session by default without requiring the user to set the condition since the user may forget to do so. The user may have the capability to set the condition that temporarily turns off the “do-not-disturb” feature such that the call can be answered externally to the conference and then manually joined.

Interview the IAO to determine if this requirement is covered in a SOP and user training/agreements. Interview a sampling of users to determine their awareness and implementation of the requirement. Place a call to an endpoint that is already in a conference and witness its response or reaction.

Vulnerability Number

V-17598

Documentable

False

Rule Version

RTS-VTC 1140.00

Severity Override Guidance


Check Content Reference

I

Potential Impact

The inadvertent disclosure of sensitive or classified information to a caller of a VTU that may not have an appropriate need-to-know or proper security clearance.

Responsibility

Other

Target Key

1418

Comments