6.19 Ensure that User Credential Submission uses the action of 'block' or 'continue' on the URL categories

Information

Ideally, user names and passwords used within an organization are not used with third-party sites. Some sanctioned SaaS applications may have connections to the corporate domain, in which case they will need to be exempted from the user credential submission policy through a custom URL category.

Rationale:

Preventing users from submitting their corporate credentials to the Internet could stop credential phishing attacks and reduce the potential that a breach at a site where a user reused credentials leads to a credential stuffing attack.

Impact:

Not preventing users from submitting their corporate credentials to the Internet can leave them open to phishing attacks or allow for credential reuse on unauthorized sites. Using internal email accounts provides malicious actors with intelligence information, which can be used for phishing, credential stuffing and other attacks. Using internal passwords will often provide authenticated access directly to sensitive information. Not only that, but a pattern of credential re-use can expose personal information from multiple online sources.

Solution

Navigate to Objects > Security Profiles > URL Filtering.
Choose the Categories tab. Set the User Credential Submission action on all enabled URL categories to either block or continue, as appropriate to your organization and the category.
Under the User Credential Detection tab set the User Credential Detection value to a setting appropriate to your organization, any value except Disabled. Set the Log Severity to a value appropriate to your organization and your logging or SIEM solution.
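
The following audit sketch is an added example, not part of the benchmark or of any vendor tooling. It checks exported URL Filtering profiles for the two conditions above. The XML element names (credential-enforcement, mode, and the per-action member lists) are an assumed export layout, and the profile names and sample data are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names are an ASSUMED layout of an exported
# URL Filtering profile; verify them against your own configuration export.
SAMPLE = """
<url-filtering>
  <entry name="corp-strict">
    <credential-enforcement>
      <mode><ip-user/></mode>
      <block><member>phishing</member><member>malware</member></block>
      <continue><member>web-based-email</member></continue>
    </credential-enforcement>
  </entry>
  <entry name="legacy">
    <credential-enforcement>
      <mode><disabled/></mode>
      <allow><member>social-networking</member></allow>
      <alert><member>unknown</member></alert>
      <block><member>phishing</member></block>
    </credential-enforcement>
  </entry>
  <entry name="no-setting"/>
</url-filtering>
"""

# Credential submission actions other than block or continue fail the check.
NONCOMPLIANT_ACTIONS = ("alert", "allow")

def audit_profile(entry):
    """Return a list of findings for one profile; an empty list means pass."""
    ce = entry.find("credential-enforcement")
    if ce is None:
        return ["credential enforcement not configured"]
    findings = []
    mode = ce.find("mode")
    # Detection must be set to any value except Disabled.
    if mode is None or len(mode) == 0 or mode[0].tag == "disabled":
        findings.append("User Credential Detection is Disabled")
    for action in NONCOMPLIANT_ACTIONS:
        for member in ce.findall(f"{action}/member"):
            findings.append(f"category '{member.text}' uses '{action}'")
    return findings

def audit(xml_text):
    """Map each profile name to its findings."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): audit_profile(e) for e in root.findall("entry")}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

Categories that are intentionally exempt, such as a custom URL category for sanctioned SaaS applications, will be reported as findings and need to be reviewed by hand.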

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/benchmarks/13792

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-8, CSCv7|7.4

Plugin: Palo_Alto

Control ID: 89b406bd10566cb821695989ead10df732bea4c3b9925d15335b1d59a1394b86