STIGQter: STIG Summary: Video Services Policy STIG, Version 1, Release 11, Benchmark Date: 24 Apr 2020

Deficient SOP or enforcement of One Time Use local meeting password

DISA Rule

SV-18867r1_rule

Vulnerability Number

V-17693

Group Title

RTS-VTC 2320.00 [IP][ISDN]

Rule Version

RTS-VTC 2320.00

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

[IP][ISDN]; Perform the following tasks:
Define and enforce policy and procedure that addresses the management and use of a “local meeting password” for access to meetings hosted or streamed by a CODEC. The SOP will include the following:
- Implementation and distribution of a temporary password for the session when use of the feature is required. This password is used one time and not repeated. This password must not match any other user or administrative password on the device.
- Disablement of the feature when its use is not required or the installation of a strong blocking password that is kept confidential. This password could be distributed as the temporary password when use of the feature is required if it is changed and kept confidential following the session.
- User instructions on how to properly set and manage the password if site policy permits the user to set the password instead of calling an administrator.
- User awareness training regarding the vulnerabilities associated with the reuse of meeting passwords.

Provide user training regarding the SOP and include it in user agreements and user guides.

Check Contents

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

If the use of a local meeting password is required because it is supported by the VTU, ensure a “local meeting password” policy and procedure is in place and enforced along with user training that addresses the following:
- Implementation and distribution of a temporary password for the session when use of the feature is required. This password is used one time and not repeated. This password must not match any other user or administrative password on the device.
- Disablement of the feature when its use is not required or the installation of a strong blocking password that is kept confidential. This password could be distributed as the temporary password when use of the feature is required if it is changed and kept confidential following the session.
- User instructions on how to properly set and manage the password if site policy permits the user to set the password instead of calling an administrator.
- User awareness training regarding the vulnerabilities associated with the reuse of meeting passwords.

Note: In some instances, the local meeting password is also used for gaining access to media streamed from the VTU. While these are two different functions or entry points, and should not have the same password, the passwords for these functions are to be managed and used similarly. Streaming is discussed later in this document.

Inspect the SOP as well as user training materials, agreements, and guides to determine if the items in the requirement are adequately covered. Interview the IAO to determine how the SOP is enforced. Interview a sampling of users to determine their awareness and implementation of the requirement and whether the SOP is enforced. This is a finding if deficiencies are found in any of these areas. Note the deficiencies in the finding details.

Note: This requirement applies to VTC CODECs that can host a multipoint meeting or conference using an integral MCU. Such an MCU is typically capable of supporting four to six endpoints. A “local meeting password” typically controls access to the MCU. In some cases, this password is also used to access conference streaming.

Note: This requirement applies to VTU CODECs that contain an integrated MCU.

Note: During APL testing, this is a finding in the event one time “meeting passwords” are not supported by the MCU.

Documentable

False

Severity Override Guidance


Check Content Reference

I

Potential Impact

The inadvertent disclosure of sensitive or classified information to a caller of a VTU that may not have an appropriate need-to-know or proper security clearance.

Responsibility

Information Assurance Manager

Target Key

1418

Comments